
I can't seem to find an example to load the [users] AND [urls] from my JPA objects. I want to use shiro.ini for [main] section only.

The source code of what I achieved so far is this: Unable to @Inject my DAO in a Custom Apache Shiro AuthorizingRealm

Is there any example where [users] (user/pass) AND [urls] (roles, permissions) are FULLY loaded from a database? I can't seem to find that anywhere. I've been looking for it for 1 week now.

  • are you using the org.apache.shiro.web.env.EnvironmentLoaderListener in your web.xml? – dom farr Mar 20 '14 at 16:31
  • I'm using my own CustomEnvironmentLoaderListener that extends EnvironmentLoaderListener. It is being declared at web.xml. – BBacon Mar 21 '14 at 23:20

1 Answer

After some long research, the "best" solution I came up with was this:

shiro.ini

[main]
jsfFilter = com.test.security.CustomAuthorizationFilter
jsfFilter.loginUrl = /login.jsf

[urls]
/** = jsfFilter

You can add the methods to filter Ajax requests described by BalusC inside this filter.

CustomAuthorizationFilter.java

import java.io.IOException;

import javax.faces.application.ResourceHandler;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.mgt.AuthenticatingSecurityManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

// JPARealm is the custom realm from the question; it is assumed to live in the same package.
public class CustomAuthorizationFilter extends AuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // JSF resource requests (/javax.faces.resource/...) are always allowed; everything else is checked.
        if (!httpRequest.getRequestURI().startsWith(httpRequest.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) {

            Subject subject = SecurityUtils.getSubject();

            AuthenticatingSecurityManager authenticatingSecurityManager = ((AuthenticatingSecurityManager) SecurityUtils.getSecurityManager());

            // Assumes the first configured realm is the JPARealm and that its getAuthorizationInfo() is public.
            PrincipalCollection principals = subject.getPrincipals();
            JPARealm jpaRealm = (JPARealm) authenticatingSecurityManager.getRealms().iterator().next();
            AuthorizationInfo authorizationInfo = jpaRealm.getAuthorizationInfo(principals);

            // Each string permission stored for the user is treated as a path pattern and matched against the request.
            for (String permission : authorizationInfo.getStringPermissions()) {
                if (pathsMatch(permission, request)) {
                    return true;
                }
            }

        } else {
            return true;
        }
        return false;
    }
}

The pathsMatch(permission, request) method will try to validate/compare the received string permission with the path the user is trying to access. This filter relies on ALWAYS having an authenticated user. If the subject.getPrincipal() is null, more coding is necessary. If anyone needs the whole code, let me know.

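As an added example (not the answer's own code), here is a realm the filter above could call, with accounts, roles and URL permissions all read from the database instead of the [users] and [urls] sections. The UserDao interface and its hex hash/salt storage format are assumptions; getAuthorizationInfo() is widened to public because the filter calls it from outside the realm.

```java
import java.util.Set;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class JPARealm extends AuthorizingRealm {
    // Hypothetical JPA-backed DAO (an assumption, not from the original post).
    public interface UserDao {
        String[] findCredentials(String username); // {hexSha256Hash, hexSalt} or null
        Set<String> findRoles(String username);
        Set<String> findUrlPermissions(String username); // e.g. "/admin/**"
    }
    private final UserDao dao;
    public JPARealm(UserDao dao) {
        this.dao = dao;
        // Verify against a salted, iterated SHA-256 hash rather than clear-text passwords.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(100000);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }
    // Replaces [users]: the account and its stored hash come from the database.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        String[] creds = dao.findCredentials(username);
        if (creds == null) throw new UnknownAccountException("No account for " + username);
        return new SimpleAuthenticationInfo(username, creds[0],
                ByteSource.Util.bytes(Hex.decode(creds[1])), getName());
    }
    // Replaces [urls]: roles and path permissions come from the database.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(dao.findRoles(username));
        info.setStringPermissions(dao.findUrlPermissions(username));
        return info;
    }
    // AuthorizingRealm declares this protected; widen it so the filter can call it.
    @Override
    public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
        return super.getAuthorizationInfo(principals);
    }
}
```

Because AuthorizingRealm caches authorization info per principal, a permission change in the database only takes effect after the cache entry is cleared or expires.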
  • Hi MBarni, I'm also having a similar kind of requirement to save and load URL authorizations in a database, so can you please share the whole code? So I can understand the way it can be implemented. – Coder Oct 20 '16 at 02:16