I'm porting some code from Glassfish 4.1 to Wildfly 10 and am having problems somewhere between Shiro / CDI and java.security.Principal.

import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import javax.enterprise.context.SessionScoped;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// simple user interface
public interface User {
  String getId();
}

// user bean: session scoped, so it must be Serializable
@Named("user")
@SessionScoped
public class UserBean implements User, Serializable {

  private static final long serialVersionUID = 1L;

  private Principal principal;

  // CDI initializer method: the container injects its java.security.Principal here
  @Inject
  private void initialise(Principal principal) {
    this.principal = principal;
  }

  @Override
  public String getId() {
    return principal.getName();
  }

}

// auth filter runs after shiro filters
public class AuthFilter implements Filter {

  // slf4j logger assumed from the {} placeholder syntax used in the original
  private static final Logger log = LoggerFactory.getLogger(AuthFilter.class);

  @Inject
  private User user;

  // Servlet 3.1 (Wildfly 10) has no default methods on Filter, so these are required
  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    log.debug("doFilter: user={}", user.getId());
    ...
  }

  @Override
  public void destroy() {
  }

}

What happens is:

  • The user requests a secure page.
  • Shiro intercepts and redirects to the login page.
  • User enters credentials (username = admin) and submits page.
  • Shiro authenticates and redirects to original page.
  • Auth filter is invoked, and logs user principal name.

The problem is that in Glassfish, the principal name logged is the (correct) name submitted from the login page. Wildfly however still appears to have the anonymous user. Looking at the logs, they are identical for both systems, including the 4th line where Shiro validates the user id: Authentication successful for token ... admin. Only the last line is different:

-- both
[org.apache.shiro.realm.AuthenticatingRealm] AuthenticationInfo caching is disabled for info [admin].  Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (127.0.0.1)].
[org.apache.shiro.authc.credential.SimpleCredentialsMatcher] Performing credentials equality check for tokenCredentials of type [[C and accountCredentials of type [java.lang.String]
[org.apache.shiro.authc.credential.SimpleCredentialsMatcher] Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
[org.apache.shiro.authc.AbstractAuthenticator] Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (127.0.0.1)].  Returned account [admin]
[org.apache.shiro.subject.support.DefaultSubjectContext] No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
[org.apache.shiro.mgt.DefaultSecurityManager] Context already contains a session.  Returning.
[org.apache.shiro.subject.support.DefaultSubjectContext] No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
[org.apache.shiro.web.servlet.SimpleCookie] Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/tools; Max-Age=0; Expires=Sun, 01-May-2016 10:24:02 GMT]
[org.apache.shiro.mgt.AbstractRememberMeManager] AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.

-- glassfish
[com.example.servlet.AuthFilter] doFilter: user=admin

-- wildfly
[com.example.servlet.AuthFilter] doFilter: user=anonymous

The Java EE 7 Tutorial seems to say what I'm trying to do is valid:

Whenever the injected principal is accessed, it always represents the identity of the current caller.

So I'm a bit lost as to what is failing here.

Thanks,

Barney

1 Answer


Try using: @Resource Principal principal; instead.

https://docs.oracle.com/javaee/7/tutorial/cdi-adv004.htm

GoYun.Info
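The answer's @Resource hint resolves the identity the container itself holds. Because the login in the question is performed by Shiro, a filter that must make an access decision can instead read the identity from Shiro's own Subject, independent of whether the container's security context knows about that login. The following is an added example, not code from the question or the answer: a CDI producer that exposes the current Shiro principal as a java.security.Principal under a hypothetical @ShiroPrincipal qualifier (the qualifier, the NamedPrincipal class and the ShiroAwareAuthFilter name are all assumptions), plus a filter that fails closed when the resolved identity is still anonymous. It assumes, as the question states, that the filter runs after the Shiro filter, so SecurityUtils.getSubject() is bound to the current request.

```java
// ShiroPrincipal.java (hypothetical qualifier, added example; not from the post)
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.inject.Qualifier;

// Qualifier so this bean does not clash with the container's built-in Principal bean.
@Qualifier
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER, ElementType.TYPE})
public @interface ShiroPrincipal {}

// ShiroPrincipalProducer.java
import java.io.Serializable;
import java.security.Principal;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Produces;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

@ApplicationScoped
public class ShiroPrincipalProducer {

  // Placeholder name used when no authenticated Shiro subject is bound to the request.
  static final String ANONYMOUS = "anonymous";

  // Request scoped on purpose: the filter is a long-lived singleton, so a dependent
  // producer would be resolved once at filter creation, before any login happened.
  @Produces
  @ShiroPrincipal
  @RequestScoped
  public Principal currentPrincipal() {
    Subject subject = SecurityUtils.getSubject();
    Object primary = subject.isAuthenticated() ? subject.getPrincipal() : null;
    return new NamedPrincipal(primary == null ? ANONYMOUS : String.valueOf(primary));
  }

  // Minimal Principal implementation; Serializable so it survives session passivation.
  static final class NamedPrincipal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;

    NamedPrincipal(String name) {
      this.name = name;
    }

    @Override
    public String getName() {
      return name;
    }
  }
}

// ShiroAwareAuthFilter.java
import java.io.IOException;
import java.security.Principal;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ShiroAwareAuthFilter implements Filter {

  private static final Logger log = LoggerFactory.getLogger(ShiroAwareAuthFilter.class);

  // Injected proxy; each call resolves against the current request's Shiro subject.
  @Inject
  @ShiroPrincipal
  private Principal principal;

  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    String name = principal.getName();
    log.debug("doFilter: user={}", name);
    // Fail closed: an access decision must never proceed on a default identity.
    if (ShiroPrincipalProducer.ANONYMOUS.equals(name)) {
      ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }
    chain.doFilter(request, response);
  }

  @Override
  public void destroy() {
  }
}
```

Registering the filter in web.xml after the Shiro filter mapping, or with an equivalent ordering in Shiro's own filter chain, is what makes the subject lookup valid; with that ordering the "user=anonymous" line from the question becomes a 401 instead of a pass-through, and the log line still records which identity the decision was taken on.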