The basic way that I understand Shiro's SecurityUtils.getSubject() to work is that it returns the subject which is bound to the currently executing thread. However, this just seems at odds with a servlet container like Tomcat which is using a thread pool to service requests.
If Tomcat is say using ThreadA to handle requests, any calls to SecurityUtils.getSubject() should work fine. But, as soon as ThreadB is selected, the user is lost, getSubject returns null and isAuthenticated is now false. This is even though the user is still logged in.
I have confirmed this in my application. I am using Shiro Core 1.2 and notice that my user is just miraculously being inauthenticated when I navigate through my app. If I look at the logs, the problem happens as soon as a different thread is used to service the request.
So, do I have Shiro configured incorrectly? It seems like the 'current user' should be bound to something a bit more longer-lasting than the current thread. I would expect it to be session-based. I know that Shiro has session management, but in all examples I've found, it says to get the current user by calling getSubject, which looks at the ThreadContext. Am I missing something?
So, it turns out that I just didn't have Shiro configured correctly. I have a web app, yet I was setting up the Security Manager in code. This resulted in the Security Manager being set up on a certain thread only. As long as requests were serviced by that same thread, it worked fine. But as soon as Tomcat chose a different thread, the user appeared inauthenticated.
Shiro has a filter for web apps that handles this scenario and binds the user to each incoming request. You should have your app configured as follows instead of doing the security manager in code:
<context-param>
<param-name>shiroConfigLocations</param-name>
<param-value>classpath:auth.ini</param-value>
</context-param>
<!-- Shiro Environment Listener -->
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<!-- Shiro Filter Configuration -->
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Related
Developed application using GWT which contains lot of static files(javascript,css,images) which i want to cache for 30 days. I read lot of blogs but didn't get any clue.
- How to cache static files?
- What are the possible option to achieve caching (do i need to configure in server or GWT application, here i am using glassfish/payara server for deployment)
Any idea?
Note: I want do achieve this with minimal code changes, even i read this Client side caching in GWT
but don't want to go with dispatcher approach
You will need to add something like the ExpiresFilter to your servlet container.
I'm adding the details for the configuration from the link mentioned above just in case the content of the link goes away:
You will need to edit web.xml to add a filter and a filter mapping:
<filter>
<filter-name>ExpiresFilter</filter-name>
<filter-class>server.ExpiresFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ExpiresFilter</filter-name>
<url-pattern>/images/\*</url-pattern> <!-- these patterns should match cached resources -->
<url-pattern>/resources/\*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
If you need a more portable approach for use in different application servers, you might end up writing a generic servlet Filter like I did.
After all that is no big deal as you just have set the Expires and Cache-Control: max-age headers for HttpServletRequests on your given paths.
As a starter, I stumpled upon this implementation and how Tomcat does it.
I am not able to monitor spring application through java-melody.
Can some one help me on java-melody with spring configuration?
when I pass the URL of spring application in java-melody then I should be able to see the monitoring window.
If your application is maven managed then just add javamelody dependency to you pom
<dependency>
<groupId>net.bull.javamelody</groupId>
<artifactId>javamelody-core</artifactId>
<version>1.55.0</version>
</dependency>
If its not maven managed, then you can simply download and copy javamelody.jar and jrobin-x.jar to your WEB-INF/lib directory.
Once you have this, make sure you've defined java meleody filters in your web.xml
<filter>
<filter-name>monitoring</filter-name>
<filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>monitoring</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>net.bull.javamelody.SessionListener</listener-class>
</listener>
Above should give you basic monitoring at http://<host>:<port>/<context_root>/monitoring
For batch and business facaded you can follow the links as posted by #Pantelis. If you want to monitor SQLs executed, you can follow this link on the User guide - https://code.google.com/p/javamelody/wiki/UserGuide#7._JDBC
Hope this helps
JavaMelody user guide: https://code.google.com/p/javamelody/wiki/UserGuide
Basic configuration steps that you need:
Add javamelody.jar and jrobin-x.jar in your classpath
Add in your web.xml the monitoring filter and session listener as defined there: https://code.google.com/p/javamelody/wiki/UserGuide#2._web.xml_file
You can define the business facades (eg service layer) in the Spring application context: https://code.google.com/p/javamelody/wiki/UserGuide#9._Business_facades_(if_Spring)
You can also configure any batch jobs in the Spring application context: https://code.google.com/p/javamelody/wiki/UserGuide#13._Batch_jobs_(if_Quartz)
With steps 1 and 2 you will have a very basic performance report. I suggest that you read the user guide first.
I am trying to implement WSO2 SSO in my app. I tried the example app successfully.
I have created a small example with spring mvc. My problem is now, that the request goes to WSO2 server and is redirected back, but without success. I am checking the result in the returning url, but the SSOAgentSessionBean is always null.
SSOAgentSessionBean bean = (SSOAgentSessionBean)request.getSession().getAttribute(SSOAgentConfigs.getSessionBeanName());
I added the filter (which also forces the redirect). That works:
<filter>
<filter-name>SSOFilter</filter-name>
<filter-class>org.wso2.carbon.identity.sso.agent.SSOAgentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SSOFilter</filter-name>
<url-pattern>/loginarea/*</url-pattern>
</filter-mapping>
So my question is:
how do I see why the result of the back-redirect is failing? Are there any logs I can enable?
regards
Leon
Try this..
goto log4j.properties on /repository/conf folder change
log4j.logger.org.wso2=INFO to DEBUG
You can get more details on below article
http://soasecurity.org/2014/02/26/how-to-wso2is-troubleshooting-wso2-identity-server-1/
I'm using JAAS to authenticate a client for a web app running on Tomcat.
I have a filter setup at that does some initialization of a user on the session at login. Nothing too overly complicated a simple is if user is not null type thing.
My understanding is JAAS will be called first, then my filter will be checked and then my JSP will be rendered
My question is, is there a way to match a url-pattern in a filter-mapping, to only run after a successful JAAS login?
<filter-mapping>
<filter-name>MyFilter</filter-name>
<url-pattern>/some/url/pattern/*</url-pattern>
</filter-mapping>
So in the above fileter-mapping what would go in the url-pattern? Or is this not possible?
A LoginModule placed at the end of your JAAS configuration) would allow you to execute extra actions on a successful login. The only drawback is that the way to retrieve the session from a LoginModule is not standard and depends on your application server.
Or you could simply make a test at the beginning of your filter to check if your user is connected and if your setup has already been done.
This question already has answers here:
What is recommended way for spawning threads from a servlet in Tomcat
(5 answers)
Closed 8 years ago.
I'm building a statistics apps for an online game, built using the servlet API in Java (to be deployed on Tomcat). It's easy enough to let the game send a message to the stats server every time a user logs in, because handling requests is what Servlets/Tomcat are for.
I also need to periodically initiate requests on the stats server though, for example to retrieve the number of online users from the game server or the number of fans from our Facebook page.
It would be easy to just start a thread in the app's main servlet and let that do the data retrieval once in a while, but it feels a bit strange because all other threads are created by Tomcat.
Is doing it like that ok?
If not, what is the recommended way of doing this?
Is it even correct to use servlets for something like this? What's the alternative?
Note after first answers: I'm not looking for a solution to the problem of timing or concurrency, because I can easily handle both. I just need to know how to properly start a pro-active process in a servlet container.
Quartz is your best bet, and most highly configurable. It has CRON based interface or a more dynamic way to generate jobs that are relative from a specific event, if your use case calls for it Quartz can do it. It has the ability to persist jobs to the database so they can survive restarts.
http://www.quartz-scheduler.org/
Make configurations in web.xml like this to auto-start it:
<servlet>
<servlet-name>QuartzInitializer</servlet-name>
<display-name>Quartz Initializer Servlet</display-name>
<servlet-class>org.quartz.ee.servlet.QuartzInitializerServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<init-param>
<param-name>shutdown-on-unload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>start-scheduler-on-load</param-name>
<param-value>true</param-value>
</init-param>
</servlet>
You should consider:
Quartz
The "regular" TimerTask
If you're using spring on your webapp, there is a dedicated part for it
Don't bother reinventing the wheel, Quartz and other products already handle Threads/timeouts/concurrency issues for you!