
Before I explain the issue I should say that we only need Apache Shiro for authorization, and authentication is already enabled with OAuth2.

So my code to enable Shiro is exactly as the code in this link here. I have also checked this issue. But for me, if I enable LifecycleBeanPostProcessor, most beans will be null. I made that create method in the config class static as it suggests in the second link, but no luck.

So my question is, is there any way to only enable authorization without registering shiro filter? If not, how to get around this issue? Because it seems ShiroFilterFactoryBean requires LifecycleBeanPostProcessor and that breaks the whole application.

We are using the latest version of Spring Boot and Shiro 1.2.4.

xbmono
  • Without the filter you would have to do everything it does yourself - you could look at the source for the `LifecycleBeanPostProcessor` and the Filter to see what you need to implement. It might not be all that bad if it's just authorization you need. – cjstehno Feb 24 '16 at 14:46
  • Well.. I checked the code so it seems it looks at AuthorizingRealm and I have created my own AuthorizingRealm to avoid authentication, but the problem is that the Lifecycle processor, when enabled, is breaking Spring and I get NPE. Looks like it's not compatible with Spring Boot... I'm still trying to debug everything here – xbmono Feb 24 '16 at 23:39
  • I use shiro with boot using the life cycle processor. What is the stack trace? – cjstehno Feb 24 '16 at 23:54
  • There is no error from Shiro or even Spring... the problem is while starting up I get NPE on classes annotated with @ConfigurationProperties. They are all null – xbmono Feb 25 '16 at 00:32
  • Are you using Gradle or Maven? Did you add the extra plugin required for working with ConfigurationProperties (org.springframework.build.gradle:propdeps-plugin:0.0.7)? – cjstehno Feb 25 '16 at 12:28
  • No, we're using Maven. The application is working fine if I remove Shiro's filter and LifecycleBeanPostProcessor – xbmono Feb 25 '16 at 22:39
  • Did you advance into it? @xbmono – Deep Jul 03 '19 at 14:07

1 Answer

As outlined in an issue in the comments, you would need to set an already authenticated identity in the subject, which can be done with the Subject.Builder() (I'm using version 1.5.2 here).

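```java
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

// Build a Subject for an identity that was already authenticated elsewhere.
// The no-arg Builder uses the SecurityManager registered with SecurityUtils.
Subject user = new Subject.Builder()
    .principals(new SimplePrincipalCollection("bud", "myRealm"))
    .authenticated(true)
    .buildSubject();

if (user.hasRole("admin")) {
    // do some authorized stuff
}
```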

When implementing a custom realm the authentication ability can be disabled by returning false from the Realm’s `supports` method as described here.

aemaem
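The two points of the answer above combined into one runnable class, as an added example that is not part of the original answer: a realm that refuses authentication tokens and only answers role queries, used through a pre-authenticated `Subject`. The names `AuthzOnlyDemo`, `AuthzOnlyRealm`, `subjectFor`, the realm name `authzOnly` and the role table are hypothetical, and the sample users are constructed.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class AuthzOnlyDemo {
    /** Realm that answers authorization queries only (hypothetical name). */
    static class AuthzOnlyRealm extends AuthorizingRealm {
        // Constructed sample data; a real realm would query the application's role store.
        private static final Map<String, Set<String>> ROLES =
                Collections.singletonMap("bud", Collections.singleton("admin"));

        @Override
        public boolean supports(AuthenticationToken token) {
            return false; // this realm never takes part in authentication
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return null; // not consulted by the authenticator, since supports() is false
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = String.valueOf(principals.getPrimaryPrincipal());
            Set<String> roles = ROLES.get(user);
            // Unknown users get an empty role set, so every role check is denied.
            return new SimpleAuthorizationInfo(roles != null ? roles : Collections.<String>emptySet());
        }
    }

    /** verifiedUser must come from the already validated OAuth2 token, never from raw request input. */
    static Subject subjectFor(String verifiedUser, DefaultSecurityManager sm) {
        return new Subject.Builder(sm)
                .principals(new SimplePrincipalCollection(verifiedUser, "authzOnly"))
                .authenticated(true)
                .buildSubject();
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = new DefaultSecurityManager(new AuthzOnlyRealm());
        System.out.println("bud admin: " + subjectFor("bud", sm).hasRole("admin"));
        System.out.println("mallory admin: " + subjectFor("mallory", sm).hasRole("admin"));
    }
}
```

Passing the `SecurityManager` to `Subject.Builder` explicitly avoids relying on `SecurityUtils` having a manager registered, so the class runs without the Shiro filter or any Spring wiring.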