Introduction to shiro's native and the default http session
https://www.czetsuyatech.com/2013/01/java-apache-shiro-http-session.html
Currently I've been working on a project that uses Shiro for authentication and authorization. I can say that aside from the fact that it doesn't support JSF, it's a very useful tool.
This page contains code that will help you configure your project to enable both the default HTTP session and Shiro's native session.
1.) web.xml - enable shiro filter:
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
2.) Enable default Http session in shiro.ini:
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl
# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dropshipDS
# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true
# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?
# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?
# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM crm_permissions WHERE role = ?

# password hashing specification, put something big for hashIterations
# (the value 1 set here is a single SHA-256 pass)
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher

securityManager.realms = $saltedJdbcRealm

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

dsFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
dsFilter.loginUrl = /login.xhtml

roles = com.czetsuya.commons.web.security.shiro.RolesAuthorizationFilter

[urls]
/login.xhtml = dsFilter
/backend/** = dsFilter, roles[backend]
/affiliate/** = dsFilter, roles[affiliate]
/api/** = noSessionCreation, dsFilter
/logout = logout
3.) Enable shiro's native session:
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl
# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dummyDS
# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true
# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?
# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?
# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM crm_permissions WHERE role = ?

# password hashing specification, put something big for hashIterations
# (the value 1 set here is a single SHA-256 pass)
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher

securityManager.realms = $saltedJdbcRealm

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = dropship-activeSessionCache

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
#sessionManager.sessionIdCookie.domain = com.sido
# 1,800,000 milliseconds = 30 mins
#sessionManager.globalSessionTimeout = 1800000

sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
# 1,800,000 milliseconds = 30 mins
sessionValidationScheduler.interval = 1800000
sessionManager.sessionValidationScheduler = $sessionValidationScheduler

securityManager.sessionManager = $sessionManager

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

sidoFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
sidoFilter.loginUrl = /login.xhtml
# logout.redirectUrl = /login.xhtml

[urls]
/login.xhtml = sidoFilter
/secure/** = sidoFilter
/api/** = noSessionCreation, sidoFilter
# /logout = logout
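What the `sha256Matcher` settings in both shiro.ini variants compute at login, as an added Python example (not code from the original post or from Shiro): it re-implements the Shiro 1.x `SimpleHash` loop and times `hashIterations = 1` against a larger value. Assumptions: the password column is hex-encoded (the matcher's default), the custom `JdbcRealmImpl` passes the salt column on as raw bytes, and the sample row and the 20000 figure are constructed for illustration.

```python
import hashlib
import hmac
import time


def shiro_simple_hash(password: str, salt: bytes, iterations: int) -> str:
    """Hex SHA-256 as Shiro 1.x SimpleHash derives it: the salt is fed to the
    digest before the password in round one only; every further round
    re-hashes the previous digest."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hashed = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        hashed = hashlib.sha256(hashed).digest()
    return hashed.hex()


def credentials_match(submitted: str, stored_hex: str, salt: bytes,
                      iterations: int) -> bool:
    """Login decision: recompute from the submitted password, compare in
    constant time with the stored (assumed hex-encoded) password column."""
    candidate = shiro_simple_hash(submitted, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex.lower())


def checks_per_second(iterations: int, budget: float = 0.2) -> float:
    """Single-core rate of password checks at this hashIterations value,
    i.e. the work factor protecting a leaked crm_users row."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        shiro_simple_hash(f"candidate{count}", b"constructed-salt", iterations)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed row: values a registration step would write to crm_users.
    salt, iterations = b"constructed-salt", 20000  # 20000 is illustrative
    stored = shiro_simple_hash("s3cret-Passw0rd", salt, iterations)
    print("password column:", stored)
    print("correct password:", credentials_match("s3cret-Passw0rd", stored, salt, iterations))
    print("wrong password:  ", credentials_match("guess", stored, salt, iterations))
    for n in (1, iterations):
        print(f"hashIterations={n}: ~{checks_per_second(n):,.0f} checks/s per core")
```

Whatever value `hashIterations` is set to must be the same one used when the stored hashes were generated, so raising it means re-hashing existing passwords.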
6 comments
Why do you say Shiro doesn't support jsf?
It doesn't out of the box. But you can use a 3rd party library like the one developed by De Luan to help you with JSF.
I am trying to use Shiro for securing my JSF app. After having a brief look at Shiro I am confused whether JSF applications really need the sessions management facility provided by Shiro. Since JSF2 already creates sessions when responding to sets of requests received, will using Shiro create (extra!?) I am worried that if I am configuring Shiro for a jsf app then does it create the extra session instances?
Can you give me a description of why Shiro does not support JSF2?
I am trying to use Shiro for securing my JSF app. After having a brief look at Shiro I am confused whether JSF applications really need the sessions management facility provided by Shiro. Since JSF already creates sessions when responding to sets of requests received. I am worried that if I am configuring Shiro for a jsf app.
I am trying to use Shiro for securing my JSF app. After having a brief look at Shiro I am confused whether JSF applications really need the sessions management facility provided by Shiro. Since JSF already creates sessions when responding to sets of requests received, will using Shiro create (extra!?) session instances for the authenticated users?? I am worried that if I am configuring Shiro for a jsf app then does it create the extra session instances.
Can you give a description of why Shiro does not support JSF?
Hi, As far as I remember I'm not able to use shiro to check the permission in jsf pages. Meaning in .xhtml.