Using shiro's native and the default http session

I've currently been working on a project that uses Shiro for authentication and authorization. I can say that aside from the fact that it doesn't support JSF, it's a very useful tool.

This page contains code that will help you configure your project to enable both the default HTTP session and Shiro's native session.

1.) web.xml - enable shiro filter:

<listener>
 <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<filter>
 <filter-name>ShiroFilter</filter-name>
 <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter-mapping>
 <filter-name>ShiroFilter</filter-name>
 <url-pattern>/*</url-pattern>
 <dispatcher>REQUEST</dispatcher>
 <dispatcher>FORWARD</dispatcher>
 <dispatcher>INCLUDE</dispatcher>
 <dispatcher>ERROR</dispatcher>
</filter-mapping>

2.) Enable default Http session in shiro.ini:
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dropshipDS 

# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not filled, subclasses of JdbcRealm assume "select password from users where username  =  ?"
# first result column is password, second result column is salt 
saltedJdbcRealm.authenticationQuery  =  SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username  =  ?"
saltedJdbcRealm.userRolesQuery  =  SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name  =  ?"
saltedJdbcRealm.permissionsQuery  =  SELECT action FROM crm_permissions WHERE role = ?

# password hashing specification, put something big for hashIterations
# (it must equal the iteration count used when the stored hashes were created)
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = $saltedJdbcRealm

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager 
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

dsFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
dsFilter.loginUrl = /login.xhtml

roles = com.czetsuya.commons.web.security.shiro.RolesAuthorizationFilter

[urls]
/login.xhtml = dsFilter
/backend/** = dsFilter, roles[backend]
/affiliate/** = dsFilter, roles[affiliate]
/api/** = noSessionCreation, dsFilter
/logout = logout

3.) Enable shiro's native session:
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dummyDS 

# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not filled, subclasses of JdbcRealm assume "select password from users where username  =  ?"
# first result column is password, second result column is salt 
saltedJdbcRealm.authenticationQuery  =  SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username  =  ?"
saltedJdbcRealm.userRolesQuery  =  SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name  =  ?"
saltedJdbcRealm.permissionsQuery  =  SELECT action FROM crm_permissions WHERE role = ?

# password hashing specification, put something big for hashIterations
# (it must equal the iteration count used when the stored hashes were created)
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = $saltedJdbcRealm

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = dropship-activeSessionCache

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
#sessionManager.sessionIdCookie.domain = com.sido
# 1,800,000 milliseconds = 30 mins
#sessionManager.globalSessionTimeout = 1800000

sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
# 1,800,000 milliseconds = 30 mins
sessionValidationScheduler.interval = 1800000
sessionManager.sessionValidationScheduler = $sessionValidationScheduler

securityManager.sessionManager = $sessionManager 

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager 
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

sidoFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
sidoFilter.loginUrl = /login.xhtml
# logout.redirectUrl = /login.xhtml

[urls]
/login.xhtml = sidoFilter
/secure/** = sidoFilter
/api/** = noSessionCreation, sidoFilter
# /logout = logout
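
How the sha256Matcher settings in the two shiro.ini variants above relate to the password and salt columns of crm_users, as an added example that is not code from the original post: the hash written at registration must use the same algorithm and iteration count the matcher is configured with, otherwise every login fails. It assumes Shiro 1.x package names, a hex-encoded hash and a Base64-encoded salt column (how the post's JdbcRealmImpl decodes the salt is not shown); the class name, user name and password are constructed for illustration.

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashDemo {
    // Must equal sha256Matcher.hashAlgorithmName and sha256Matcher.hashIterations in shiro.ini.
    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 1;

    /** Returns { hex hash, Base64 salt } for the password and salt columns (encodings assumed). */
    static String[] hashForStorage(String plainPassword) {
        // Fresh random salt per user, so equal passwords do not produce equal hashes.
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hex = new SimpleHash(ALGORITHM, plainPassword, salt, ITERATIONS).toHex();
        return new String[] { hex, salt.toBase64() };
    }

    /** Runs the same comparison the realm's credentials matcher performs at login. */
    static boolean matches(String submitted, String storedHex, String storedSaltB64,
                           int matcherIterations) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(matcherIterations);
        // storedCredentialsHexEncoded defaults to true, so storedHex is decoded as hex.
        ByteSource salt = ByteSource.Util.bytes(Base64.decode(storedSaltB64));
        SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo("alice", storedHex, salt, "saltedJdbcRealm");
        return matcher.doCredentialsMatch(new UsernamePasswordToken("alice", submitted), info);
    }

    public static void main(String[] args) {
        String password = "constructed-sample-password"; // constructed sample value
        String[] row = hashForStorage(password);
        // Matcher configured with the iteration count used at registration.
        System.out.println("same iterations:      " + matches(password, row[0], row[1], ITERATIONS));
        // Matcher configured with a different count, e.g. after editing shiro.ini only.
        System.out.println("different iterations: " + matches(password, row[0], row[1], ITERATIONS + 1));
    }
}
```

Raising hashIterations in shiro.ini therefore also means re-hashing the stored passwords, which can only be done when each user next supplies their plain password.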

Reviewed by Edward Legaspi on Monday, January 07, 2013. Rating: 5

6 comments:

Tara Pledge said...

Why do you say Shiro doesn't support jsf?

Anonymous said...

It doesn't out of the box. But you can use a 3rd-party library like the one developed by De Luan to help you with JSF.

Gulam Samdani said...

I am trying to use Shiro for securing my JSF app. After having a brief look at Shiro I am confused whether JSF applications really need the sessions management facility provided by Shiro. Since JSF2 already creates sessions when responding to sets of requests received, will using Shiro create (extra!?) I am worried that if I am configuring Shiro for a jsf app then does it create the extra session instances?


Can you give me a description of why Shiro does not support JSF2?

Gulam Samdani said...

I am trying to use Shiro for securing my JSF app. After having a brief look at Shiro I am confused whether JSF applications really need the sessions management facility provided by Shiro. Since JSF already creates sessions when responding to sets of requests received. I am worried that if I am configuring Shiro for a JSF app.

Anonymous said...

I am trying to use Shiro for securing my JSF app. After having a brief look at Shiro I am confused whether JSF applications really need the sessions management facility provided by Shiro. Since JSF already creates sessions when responding to sets of requests received, will using Shiro create (extra!?) session instances for the authenticated users?? I am worried that if I am configuring Shiro for a JSF app then does it create the extra session instances.

Can you give a description of why Shiro does not support JSF?

Edward Legaspi said...

Hi, as far as I remember, I'm not able to use Shiro to check the permission in JSF pages. Meaning in .xhtml.
