Furthermore, in my servlet method, this WORKS:

        WebSubject subject = new WebSubject.Builder(mgr, getThreadLocalRequest(), getThreadLocalResponse()).buildWebSubject();

but this does NOT:

        Subject subj = SecurityUtils.getSubject();

I traced down into this (SecurityConfiguration.java):

        boolean handled = (Boolean) subject.execute(new Callable() {...

Is that supposed to bind the subject in SecurityUtils.getSubject()?
If yes, that doesn't work for some reason.

On Sep 8, 2011, at 2:16 AM, Lenny Primak wrote:

> This is really simple to reproduce:
> In any tap-security enabled Tapestry application, and any servlet 
> 3.0-compliant container,
> put this new file, and try to access it,
> 
> the console log will show that getSubject() is not working properly,
> even though the app is logged in and has a proper session.
> 
> Here is sample code for this problem:
> 
> ---------------------------
> /*
> * To change this template, choose Tools | Templates
> * and open the template in the editor.
> */
> package com.baw.website.gwt.server;
> 
> import java.io.IOException;
> import java.io.PrintWriter;
> import javax.servlet.ServletException;
> import javax.servlet.annotation.WebServlet;
> import javax.servlet.http.HttpServlet;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import org.apache.shiro.SecurityUtils;
> 
> /**
> *
> * @author lprimak
> */
> @WebServlet(urlPatterns={"/NewServlet"})
> public class NewServlet extends HttpServlet
> {
> 
>    /**
>     * Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
>     * @param request servlet request
>     * @param response servlet response
>     * @throws ServletException if a servlet-specific error occurs
>     * @throws IOException if an I/O error occurs
>     */
>    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
>            throws ServletException, IOException
>    {
>        response.setContentType("text/html;charset=UTF-8");
>        PrintWriter out = response.getWriter();
>        try
>        {
>            System.err.println("Principal: " + SecurityUtils.getSubject().getPrincipal());
>            System.err.println("Auth: " + SecurityUtils.getSubject().isAuthenticated());
>            System.err.println("Remembered: " + SecurityUtils.getSubject().isRemembered());
> 
>            out.println("<html>");
>            out.println("<head>");
>            out.println("<title>Servlet NewServlet</title>");  
>            out.println("</head>");
>            out.println("<body>");
>            out.println("<h1>Servlet NewServlet at " + request.getContextPath() + "</h1>");
>            out.println("</body>");
>            out.println("</html>");
>        } finally
>        {            
>            out.close();
>        }
>    }
> 
>    // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
>    /** 
>     * Handles the HTTP <code>GET</code> method.
>     * @param request servlet request
>     * @param response servlet response
>     * @throws ServletException if a servlet-specific error occurs
>     * @throws IOException if an I/O error occurs
>     */
>    @Override
>    protected void doGet(HttpServletRequest request, HttpServletResponse response)
>            throws ServletException, IOException
>    {
>        processRequest(request, response);
>    }
> 
>    /** 
>     * Handles the HTTP <code>POST</code> method.
>     * @param request servlet request
>     * @param response servlet response
>     * @throws ServletException if a servlet-specific error occurs
>     * @throws IOException if an I/O error occurs
>     */
>    @Override
>    protected void doPost(HttpServletRequest request, HttpServletResponse response)
>            throws ServletException, IOException
>    {
>        processRequest(request, response);
>    }
> 
>    /** 
>     * Returns a short description of the servlet.
>     * @return a String containing servlet description
>     */
>    @Override
>    public String getServletInfo()
>    {
>        return "Short description";
>    }// </editor-fold>
> }
> 
> On Sep 8, 2011, at 1:42 AM, Lenny Primak wrote:
> 
>> Ok, I am getting a bit more of a handle on this problem...
>> No matter what I do, my servlet is not getting filtered by tapestry filter.
>> I tried it all in web.xml, to no avail.  Tapestry & JSP pages do work 
>> perfectly.
>> 
>> On Sep 8, 2011, at 1:15 AM, Kalle Korhonen wrote:
>> 
>>> On Wed, Sep 7, 2011 at 9:55 PM, Lenny Primak <lpri...@hope.nyc.ny.us> wrote:
>>>> What I found out is that Servlet 3.0 objects (annotated with @WebServlet and 
>>>> their derivatives)
>>>> do not get the Shiro filter that's instantiated via tapestry-security.
>>>> SecurityUtils.getSubject() does not work therefore.
>>> 
>>> Hey Lenny, can you clarify what you mean by servlets "do not get the
>>> Shiro filter"? What's the url pattern you are using for your servlet?
>>> Are any Tapestry filters handling the request?
>>> 
>>>> So the question becomes how do I get an instance of whatever's initialized 
>>>> by tapestry-security?
>>>> If I have a handle on that perhaps I can put it into web.xml to work with 
>>>> the servlet 3.0 servlets,
>>>> and by extension, Web services, REST objects, etc.
>>> 
>>> I'm not sure I follow. @WebServlet is an alternative to declaring the
>>> same servlet in web.xml, no?
>>> 
>>> Kalle
>>> 
>>> 
>>>> On Sep 2, 2011, at 12:13 AM, Lenny Primak wrote:
>>>> 
>>>>> I think I am running into a more general problem with this. Security is 
>>>>> just not getting invoked.
>>>>> Perhaps I have to declare shiro filter separately in web-inf? Would that 
>>>>> interfere with tap security?
>>>>> 
>>>>> 
>>>>> On Aug 29, 2011, at 12:42 PM, Lenny Primak wrote:
>>>>> 
>>>>>> Great!  I'll try 1.2 and will do the shiro mailing list as well.
>>>>>> I tried the @RequiresRole on a stateless Rest service,
>>>>>> and it didn't work, I guess now I know why :)
>>>>>> 
>>>>>> 
>>>>>> On Aug 29, 2011, at 12:28 PM, Kalle Korhonen wrote:
>>>>>> 
>>>>>>> Thanks Lenny. Yes, it's the wrong list but the discussion's likely
>>>>>>> relevant to a number of other people as well. The most appropriate
>>>>>>> list is Shiro users and incidentally, there was a discussion on the
>>>>>>> same topic some time ago
>>>>>>> (http://shiro-user.582556.n2.nabble.com/Using-Shiro-in-a-Web-EJB-environment-td3773528.html).
>>>>>>> Your title says EJB container objects but mostly you seem to be
>>>>>>> looking at securing the front-end servers. I've done stateful
>>>>>>> (session-based) web services before and that'll work just fine using
>>>>>>> exactly the same configuration and annotations. Stateless security
>>>>>>> support was added/enhanced in shiro 1.2 trunk (with the release in
>>>>>>> sight in the near future) - basically making it easier to configure
>>>>>>> the framework (or some paths) so that each request is authenticated
>>>>>>> and authorized separately. If you have a multi-tiered architecture
>>>>>>> where your EJB container is running in a separate JVM, you'll have to do
>>>>>>> more integration work yourself, to maintain keys or some access tokens
>>>>>>> to secure user requests / executions between multiple JVMs. There's no
>>>>>>> standard way worked out for it as one size rarely fits all. It's an
>>>>>>> interesting topic nevertheless, and you should join the discussion on
>>>>>>> Shiro users list (see http://shiro.apache.org/mailing-lists.html) to
>>>>>>> keep up-to-date and make your opinions heard.
>>>>>>> 
>>>>>>> Kalle
>>>>>>> 
>>>>>>> 
>>>>>>> On Mon, Aug 29, 2011 at 8:51 AM, Lenny Primak <lpri...@hope.nyc.ny.us> 
>>>>>>> wrote:
>>>>>>>> Hi guys,
>>>>>>>> perhaps this is the wrong list to post this to, but
>>>>>>>> tynamo list still doesn't work for me, and I may post this on the 
>>>>>>>> Shiro list as well.
>>>>>>>> 
>>>>>>>> I just started using tapestry-security, and it works great!
>>>>>>>> My application is a Tapestry front-end to a bunch of EJBs, Web 
>>>>>>>> services, and Rest objects.
>>>>>>>> It runs in Glassfish 3.1, and J2EE 6 compliant.
>>>>>>>> 
>>>>>>>> This application is on an intranet, and we need to secure it and put 
>>>>>>>> it out on the internet.
>>>>>>>> 
>>>>>>>> I was wondering if/how we can use the same T-Security/Shiro 
>>>>>>>> configuration/annotation/etc.
>>>>>>>> on the Jax-WS Web Services, and Jax-RS REST Web Services, if at all 
>>>>>>>> possible,
>>>>>>>> with a minimum of fuss.
>>>>>>>> 
>>>>>>>> Thanks a lot.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>>>>>>> For additional commands, e-mail: users-h...@tapestry.apache.org
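Added example (not from the original thread and not tapestry-security's own code): a servlet filter that builds the WebSubject explicitly, as the working snippet at the top of the thread does, and runs the rest of the chain inside subject.execute(), which binds the Subject to the current thread for the duration of the call so that SecurityUtils.getSubject() resolves inside the servlet. The package, the class name and the ServletContext attribute holding the SecurityManager are assumptions made for illustration.

```java
package example; // hypothetical package for this added example

import java.io.IOException;
import java.util.concurrent.Callable;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.web.subject.WebSubject;

@WebFilter(urlPatterns = {"/NewServlet"})
public class SubjectBindingFilter implements Filter {
    // Hypothetical attribute name: the application is assumed to publish its
    // Shiro SecurityManager in the ServletContext under this key at startup.
    static final String MGR_ATTR = "example.shiroSecurityManager";

    @Override public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse resp,
                         final FilterChain chain) throws IOException, ServletException {
        // Looked up per request so filter initialization order does not matter.
        SecurityManager mgr = (SecurityManager) req.getServletContext().getAttribute(MGR_ATTR);
        if (mgr == null) {
            // Fail closed: never serve the request without a security context.
            throw new ServletException("No SecurityManager under " + MGR_ATTR);
        }
        // Same construction the thread reports as working.
        WebSubject subject = new WebSubject.Builder(mgr, req, resp).buildWebSubject();
        try {
            // execute() binds the subject to this thread, runs the callable,
            // then restores the previous thread state, so pooled container
            // threads do not leak one user's identity into the next request.
            subject.execute(new Callable<Void>() {
                @Override public Void call() throws Exception {
                    chain.doFilter(req, resp); // getSubject() now resolves downstream
                    return null;
                }
            });
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    @Override public void destroy() { }
}
```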