How to make RMI work with Apache Shiro

How to make RMI work with Apache Shiro

yoann159
How to make RMI work with Apache Shiro?

Each call on a method with @RequiresRoles("..") executes on a different thread shared by multiple clients.

Is there a way to intercept this AOP, set the current Subject for this thread (threadLocal), then unset it at the end of the method?

Thank you for your help
Re: How to make RMI work with Apache Shiro

Brian Demers

Most of the Spring samples also include a remoting example: https://github.com/apache/shiro/tree/master/samples

There is also an aspectj example

On Tue, Jan 24, 2017 at 11:24 PM, yoann159 <[hidden email]> wrote:
How to make RMI work with Apache Shiro?

Each call on a method with @RequiresRoles("..") executes on a different thread
shared by multiple clients.

Is there a way to intercept this AOP, set the current Subject for this
thread (threadLocal), then unset it at the end of the method?

Thank you for your help



--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shiro-tp7581467.html
Sent from the Shiro User mailing list archive at Nabble.com.

RE: How to make RMI work with Apache Shiro

yoann159

Hi,

 

I tried the aspect example (https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/org/apache/shiro/samples/aspectj/bank)

It works for the tests, but I do not see how I can intercept RequiresPermissions, RequiresRoles, etc. to get the join point called, get the reference to the subject stored in the service instantiated for that client, and simply call a set method to set the Subject on the currently executing thread.

 

Also https://github.com/apache/shiro/blob/master/samples/spring-boot/ is a good simple example, but like I said, I do not use a Spring context; I am building a desktop app with a server and clients.

 

 

Unless it is possible to use Spring without a web context? Spring Boot is good but it is more like: @GetMapping() @RequestMapping(…)

 

I may have a solution with:
pointcut allow(): execution(@org.apache.shiro.authz.annotation.RequiresPermissions * *(..)) || execution(@org.apache.shiro.authz.annotation.RequiresRoles * *(..));

With that I can have a before advice and do:

Subject subject = ((Service) thisJoinPoint.getThis()).getSubject();
ThreadState threadState = new SubjectThreadState(subject);
threadState.bind();

 

Not sure if I need to add an after advice to unbind the threadState, but it seems to work, and anyway any method will override the current subject. What would you suggest?

 

Thank you.

 

Re: How to make RMI work with Apache Shiro

Brian Demers
I'm not sure I'm fully following anymore. Let's take a step back: tell us about your stack, and we can point you in the right direction. (There are a few ways to process the Shiro annotations: Spring, Guice, JAX-RS, AOP, and CDI on a branch.)



From: Brian Demers [via Shiro User] [mailto:[hidden email]]
Sent: January 25, 2017 22:32
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro



Take a look at: https://shiro.apache.org/spring.html#secure-spring-remoting



Most of the Spring samples also include a remoting example: https://github.com/apache/shiro/tree/master/samples



There is also an aspectj example



RE: How to make RMI work with Apache Shiro

yoann159
Hi,

 

So far I decided to use RMI, JUnit 5, Mockito, Guava, JOOQ, AspectJ, Apache
IO/imaging/Configuration/Net for my project and Apache Shiro (but why not
use Spring Security? See later explanation).

 

My application is a standalone app, for desktop. A server app, a client app
and GUI made with JavaFX.

 

I tried to intercept Shiro annotations with Before and Around advice with
AspectJ, it works and I can do what I wanted (see link to stackoverflow for
code). Around advice is the good solution, it sets and unsets the Subject,
what I did not show in my code is that we need to store in the thread
context one more info that we are already in an intercepted call so we do
not need to get the Subject from the Service otherwise it would remove the
subject in nested calls.

 

I know I am going to need to do caching, transactions, metrics for my app
therefore I started to look for Spring Boot to not code everything ->
@Transactional, @Cacheable, @Count, etc.

So far I came up with different dependencies: Spring Boot 2.0.0, Spring
Security, Spring AOP and AspectJ, Spring Cache, Spring Mail, Spring JOOQ/
Spring H2 (for tests and dev)/ Spring MySQL driver, Spring Actuator (and
above framework except Apache Shiro).

So maybe if I use Spring Security I do not need Apache Shiro, but now I need
to see how to configure Spring Security with AspectJ.

 

If you know what I said above, do you see any incoherence in the different
technologies I decided to use? Are all of the ones (from Spring) I quoted
standalone compatible (not only for web)?

 

I suggest we could continue on
http://stackoverflow.com/questions/41849439/apache-shiro-annotation-aop-and-rmi
as it would reach more people searching on Stack Overflow.

 

Thank you.

 

From: Brian Demers [via Shiro User] [mailto:[hidden email]]
Sent: January 26, 2017 22:49
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro

I'm not sure I'm fully following anymore. Let's take a step back: tell us
about your stack, and we can point you in the right direction. (There are a
few ways to process the Shiro annotations: Spring, Guice, JAX-RS, AOP, and
CDI on a branch.)

 

Take a look at this as well:
https://shiro.apache.org/subject.html#thread-association

 

Re: How to make RMI work with Apache Shiro

Brian Demers
I'm not sure I understand this part. The solution you proposed on Stack Overflow seems like your best bet: use an 'around' and subject.execute(). This will allow any other Shiro call to function, and unbind the thread when complete. Feel free to answer or respond back on Stack Overflow.

I tried to intercept Shiro annotations with Before and Around advice with
AspectJ, it works and I can do what I wanted (see link to stackoverflow for
code). Around advice is the good solution, it sets and unsets the Subject,
what I did not show in my code is that we need to store in the thread
context one more info that we are already in an intercepted call so we do
not need to get the Subject from the Service otherwise it would remove the
subject in nested calls.


RE: How to make RMI work with Apache Shiro

yoann159

Hi,

 

Yes, around is the best solution.

 

I will try to clarify the part you did not understand:

With the AspectJ around advice I catch every method execution (and call, if I configure that also) annotated with @RequiresRoles/Permissions/etc. (I could of course change the pointcut to intercept only when the annotations are within a class that implements my interface Service). So, the first time it reaches one of these methods, I need to add a Boolean to the thread context to know whether the subject was already obtained from a service class (RMI endpoint that clients call) (or from another context I might add later); if it is true, then only proceed is called and I do not rebind the subject with execute().

If I were rebinding, the subject would be removed from the current context/thread, and any call to another method annotated with @RequiresRoles/Permissions/etc. would throw an exception if not in a service class. I could also try to get the subject within a method later on (outside a service class), and I would receive an empty Subject.

 

Hope I was clear enough on that point.

 

Now I am including Spring in my project because it adds many features that I require: @Transactional, @Cacheable and simple integration with JOOQ.
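
The approach this thread converges on, an around advice that binds the per-client Subject with subject.execute() and skips rebinding on nested calls, written out as an added example (not code from the posters or from the Shiro project). It also covers the earlier before-advice question: execute() restores the thread's previous state when the call ends, whereas a bare threadState.bind() leaves the Subject on the pooled RMI thread. The `Service.getSubject()` shape is assumed from the posts; the aspect name and the `BOUND` flag are hypothetical.

```java
import java.util.concurrent.Callable;

import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.DeclarePrecedence;

/** Assumed shape of the poster's per-client RMI endpoint: it holds that client's Subject. */
interface Service {
    Subject getSubject();
}

/**
 * Binds the calling client's Subject to the RMI worker thread for the duration of
 * one annotated service call, and restores the thread afterwards.
 * Highest precedence, so the Subject is bound before any aspect that enforces the
 * Shiro annotations looks it up.
 */
@Aspect
@DeclarePrecedence("RmiSubjectBindingAspect, *")
public class RmiSubjectBindingAspect {

    // Per-thread marker: true while an outer service call has already bound a Subject.
    private static final ThreadLocal<Boolean> BOUND =
            ThreadLocal.withInitial(() -> Boolean.FALSE);

    @Around("execution(@org.apache.shiro.authz.annotation.RequiresPermissions * *(..)) || "
          + "execution(@org.apache.shiro.authz.annotation.RequiresRoles * *(..))")
    public Object bindSubject(final ProceedingJoinPoint pjp) throws Throwable {
        // Nested annotated call, or annotated method on a non-Service object:
        // leave the thread state alone so the outer binding stays in effect.
        if (BOUND.get() || !(pjp.getThis() instanceof Service)) {
            return pjp.proceed();
        }

        Subject subject = ((Service) pjp.getThis()).getSubject();
        if (subject == null) {
            // Fail closed rather than run with whatever the pooled thread last held.
            throw new UnauthenticatedException("No Subject attached to this service instance");
        }

        BOUND.set(Boolean.TRUE);
        try {
            // execute() binds the Subject, runs the callable on this thread and
            // restores the previous thread state in a finally block.
            return subject.execute(new Callable<Object>() {
                @Override
                public Object call() throws Exception {
                    try {
                        return pjp.proceed();
                    } catch (Exception | Error e) {
                        throw e;
                    } catch (Throwable t) {
                        throw new IllegalStateException(t);
                    }
                }
            });
        } catch (ExecutionException e) {
            // Shiro wraps anything thrown by the callable; surface the original
            // (for example an AuthorizationException) to the RMI caller.
            throw e.getCause() != null ? e.getCause() : e;
        } finally {
            // Always clear the marker so the next client on this thread is rebound.
            BOUND.remove();
        }
    }
}
```

Weave it with ajc or load-time weaving, with shiro-core and aspectjrt on the classpath.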

 

From: Brian Demers [via Shiro User] [mailto:[hidden email]]
Sent: 2017
131 1:53
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro

 

I'm not sure i understand this part, the solution you proposed on stackoverflow seems like your best bet, use an 'around' and subject.execute(). This will allow any other shiro call to function, and unbind the thread when complete.  Feel free to answer respond back on stack overflow

 

I tried to intercept Shiro annotations with Before and Around advice with

AspectJ, it works and I can do what I wanted (see link to stackoverflow for

code). Around advice is the good solution, it set and unset the Subject,

what I did not show in my code is that we need to store in the thread

context one more info that we are already in an intercepted call so we do

not need to get the Subject from the Service otherwise it would remove the

subject in nested calls.

 

 

On Mon, Jan 30, 2017 at 5:35 AM, yoann159 <[hidden email]> wrote:

Hi,



So far I decided to use RMI, JUnit 5, Mockito, Guava, JOOQ, AspectJ, Apache
IO/imaging/Configuration/Net for my project and Apache Shiro (but why not
use Spring Security? See later explication).



My application is a standalone app, for desktop. A server app, a client app
and GUI made with JavaFx.



I tried to intercept Shiro annotations with Before and Around advice with
AspectJ, it works and I can do what I wanted (see link to stackoverflow for
code). Around advice is the good solution, it set and unset the Subject,
what I did not show in my code is that we need to store in the thread
context one more info that we are already in an intercepted call so we do
not need to get the Subject from the Service otherwise it would remove the
subject in nested calls.



I know I am going to need to do caching, transactions, metrics for my app
therefore I started to look for Spring Boot to not code everything ->
@Transactional, @Cacheable, @Count, etc.

So far I came with different dependencies: Spring boot 2.0.0, Spring
Security, Spring AOP and AspectJ, Spring Cache, Spring Mail, Spring JOOQ/
Spring  H2 (for tests and dev)/ Spring MySQL driver, Spring Actuator (and
above framework except Apache Shiro).

So maybe if I use Spring security I do not need Apache Shiro but now I need
to see how to configure Spring Security with AspectJ.



If you know what I said above, do you see any incoherence in the different
technologies I decided to use. All of the one (from Spring) I quoted are
standalone compatible (not only for web)?



I suggest we could continue on
http://stackoverflow.com/questions/41849439/apache-shiro-annotation-aop-and-
rmi as it would reach more people searching on stackoverflow.



Thank you.



From: Brian Demers [via Shiro User]
[mailto:[hidden email]]
Sent: 2017126 22:49
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro



I'm not sure I'm fully following anymore, lets take a step back, tell us
about your stack. And we can point you in the right direction. (there are a
few ways to process the Shiro annotations, Spring, Guice, JAX-RS, aop, (and
CDI on a branch).



Take a look at this as well:
https://shiro.apache.org/subject.html#thread-association


On Wed, Jan 25, 2017 at 10:47 PM, yoann159 <[hidden email]> wrote:

Hi,



I tried the aspect example (
<<a href="https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o rg/apache/shiro/samples/aspectj/bank" rel="noreferrer" target="_blank">https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o
rg/apache/shiro/samples/aspectj/bank>
<a href="https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/or g/apache/shiro/samples/aspectj/bank" rel="noreferrer" target="_blank">https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/or
g/apache/shiro/samples/aspectj/bank)

It works for the tests but I do not see how I can intercept the
RequiresPermissions or RequiresRoles or etc to get the jointpoint called,
get the reference of subject stored in the service instantiated for that
client and simply call set method to set Subject to current executing
thread.



Also  <https://github.com/apache/shiro/blob/master/samples/spring-boot/>
https://github.com/apache/shiro/blob/master/samples/spring-boot/ is good
simple example but like I said I do not use Spring context, I do desktop app
with a server and clients.





Unless it is possible to use Spring without a web context? Spring boot is
good but it is more like: @GetMapping() @RequestMapping(…)



I maybe have a solution with:
pointcut allow():
execution(@org.apache.shiro.authz.annotation.RequiresPermissions * *(..)) ||
execution(@org.apache.shiro.authz.annotation.RequiresRoles * *(..));

With that I can have before advice and do:



((Service) thisJoinPoint.getThis()).getSubject();
ThreadState threadState = new SubjectThreadState(subject);
threadState.bind();



Not sure if I need to add a after advice to unbind the threadState but it
seems to work, and anyway any method will override the current subject. What
would you suggest?



Thank you.


From: Brian Demers [via Shiro User] [mailto:[hidden email]]

Sent: 2017125 22:32
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro



Take a look at: https://shiro.apache.org/spring.html#secure-spring-remoting



Most of the Spring samples also include a remoting example:Â
https://github.com/apache/shiro/tree/master/samples



There is also an aspectj example



On Tue, Jan 24, 2017 at 11:24 PM, yoann159 <[hidden email]> wrote:

How to make RMI work with Apache Shiro?

Each calls on a method with @RequireRoles("..") execute on different thread
shared by multiple clients.

Is there a way to intercept this AOP, set the current Subject for this
thread (threadLocal), then unset it at the end of the method?

Thank you for your help





Re: How to make RMI work with Apache Shiro

Brian Demers
It sounds like you have nested calls of annotated methods?  The initial RMI call to
 myServiceA.securedMethod1() ->
    myServiceB.securedMethod2()

It sounds like you could just use a subject.execute() from the initial RMI service method. This is similar to how the Shiro Web filters work. Any following calls to get the subject will have access to the currently bound one.

Does this help?

On Wed, Feb 1, 2017 at 1:53 AM, yoann159 <[hidden email]> wrote:
Hi,



Yes around is the best solution.



I will try to clarify the part you did not understand:

With the AspectJ around I catch all method execution (and call if I configure that also) annotated with @RequireRoles/Permissions/etc (could of course only change the pointcut to intercept only when annotations are within a class that implements my interface Service), so I need to add in the thread context the first time it reaches one of these methods a Boolean to know if the subject was already got from a service class (RMI endpoint clients call) (or from another context I might do later), if it is True then only proceed is called and I do not rebind the subject with execute().

If I was rebinding the subject would be removed from current context/thread and any call to another method annotated with @RequireRoles/Permissions/etc would throw an exception if not in a service class and also I could also try to get the subject within a method later on (outside a service class) and I would receive an empty Subject.



Hope I was clear enough on that point.



Now I am including Spring in my project because it adds many features that I require, @transactional, @Cacheable and simple integration with JOOQ.



From: Brian Demers [via Shiro User] [mailto:[hidden email]]
Sent: January 31, 2017 1:53
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro



I'm not sure I understand this part, the solution you proposed on Stack Overflow seems like your best bet, use an 'around' and subject.execute(). This will allow any other Shiro call to function, and unbind the thread when complete.  Feel free to respond back on Stack Overflow



I tried to intercept Shiro annotations with Before and Around advice with
AspectJ, it works and I can do what I wanted (see link to stackoverflow for
code). Around advice is the good solution, it set and unset the Subject,
what I did not show in my code is that we need to store in the thread
context one more info that we are already in an intercepted call so we do
not need to get the Subject from the Service otherwise it would remove the
subject in nested calls.



http://stackoverflow.com/questions/41849439/apache-shiro-annotation-aop-and-rmi



On Mon, Jan 30, 2017 at 5:35 AM, yoann159 <[hidden email]> wrote:

Hi,



So far I decided to use RMI, JUnit 5, Mockito, Guava, JOOQ, AspectJ, Apache
IO/imaging/Configuration/Net for my project and Apache Shiro (but why not
use Spring Security? See later explication).



My application is a standalone app, for desktop. A server app, a client app
and GUI made with JavaFx.



I tried to intercept Shiro annotations with Before and Around advice with
AspectJ, it works and I can do what I wanted (see link to stackoverflow for
code). Around advice is the good solution, it set and unset the Subject,
what I did not show in my code is that we need to store in the thread
context one more info that we are already in an intercepted call so we do
not need to get the Subject from the Service otherwise it would remove the
subject in nested calls.



I know I am going to need to do caching, transactions, metrics for my app
therefore I started to look for Spring Boot to not code everything ->
@Transactional, @Cacheable, @Count, etc.

So far I came with different dependencies: Spring boot 2.0.0, Spring
Security, Spring AOP and AspectJ, Spring Cache, Spring Mail, Spring JOOQ/
Spring  H2 (for tests and dev)/ Spring MySQL driver, Spring Actuator (and
above framework except Apache Shiro).

So maybe if I use Spring security I do not need Apache Shiro but now I need
to see how to configure Spring Security with AspectJ.



If you know what I said above, do you see any incoherence in the different
technologies I decided to use. All of the one (from Spring) I quoted are
standalone compatible (not only for web)?



I suggest we could continue on
http://stackoverflow.com/questions/41849439/apache-shiro-annotation-aop-and-rmi
as it would reach more people searching on stackoverflow.



Thank you.



From: Brian Demers [via Shiro User] [mailto:[hidden email]]
Sent: January 26, 2017 22:49
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro



I'm not sure I'm fully following anymore, let's take a step back, tell us
about your stack. And we can point you in the right direction. (There are a
few ways to process the Shiro annotations: Spring, Guice, JAX-RS, aop, and
CDI on a branch.)



Take a look at this as well:
https://shiro.apache.org/subject.html#thread-association





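The binding approach discussed in this thread, as an added example that is not part of any post or of Shiro's own samples: an annotation-style AspectJ around advice that binds the service's Subject for the outermost secured call on an RMI worker thread, skips rebinding for nested secured calls, and always unbinds in a finally block so a pooled thread never carries one client's Subject into another client's call. The `Service` interface and its `getSubject()` come from the poster's snippet and are assumed here, as is the aspect name; the bind and clear are done by hand with `ThreadState` rather than through `subject.execute()` so that exceptions from the secured method propagate without being wrapped in an `ExecutionException`.

```java
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.util.ThreadState;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

/**
 * Assumed shape of the poster's interface: each RMI service object keeps the
 * Subject of the client that logged in through it.
 */
interface Service {
    Subject getSubject();
}

/**
 * Hypothetical aspect name. It must take precedence over whichever aspect
 * enforces the Shiro annotations, so that the Subject is already bound when
 * the role or permission check runs (configure this in your weaving setup).
 */
@Aspect
public class RmiSubjectBindingAspect {

    // Same pointcut as in the thread: any method carrying one of these annotations.
    @Around("execution(@org.apache.shiro.authz.annotation.RequiresPermissions * *(..)) || "
          + "execution(@org.apache.shiro.authz.annotation.RequiresRoles * *(..))")
    public Object bindSubject(ProceedingJoinPoint pjp) throws Throwable {

        // Nested secured call: an outer invocation of this advice already bound
        // a Subject to this thread. ThreadContext.getSubject() returns null when
        // nothing is bound (SecurityUtils.getSubject() would create a new,
        // anonymous Subject instead), so it is the right probe here.
        if (ThreadContext.getSubject() != null) {
            return pjp.proceed();
        }

        // Outermost call: the Subject has to come from the RMI service object.
        // getThis() is null for static methods, which also fails this check.
        Object target = pjp.getThis();
        if (!(target instanceof Service)) {
            throw new UnauthenticatedException(
                    "Secured method reached without a bound Subject: "
                    + pjp.getSignature().toShortString());
        }

        Subject subject = ((Service) target).getSubject();
        if (subject == null) {
            throw new UnauthenticatedException(
                    "Service has no Subject; the client has not logged in");
        }

        ThreadState threadState = new SubjectThreadState(subject);
        threadState.bind();
        try {
            return pjp.proceed();
        } finally {
            // RMI reuses worker threads across clients. Clearing here, even when
            // the secured method throws, is what keeps the next call on this
            // thread from inheriting this client's identity.
            threadState.clear();
        }
    }
}
```

Because the advice only skips binding when a Subject is already on the thread, every code path that binds must also clear; a before advice that binds without a matching unbind would leave a stale Subject that this guard then trusts.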

RE: How to make RMI work with Apache Shiro

yoann159

Yes, it is the behavior that could happen and I want to be able to handle it with AspectJ also.

By design I think it might not be good for RMI to program like: myServiceA.securedMethod1() -> myServiceB.securedMethod2(), I see these methods more like endpoint from clients then these methods call internal services/modules to apply real business logic (and easier auditing of request, metrics, etc).

You are right, subject is not bound the first time it reaches myServiceA, it is bound, then when it reaches myServiceB I could simply check whether the Subject is bound or not, then simply skip the binding and call proceed straight or throw an exception if I decide to not call other RMI services internally.

Furthermore myServiceA has no (might not have) knowledge of myServiceB and even myServiceB could be not instantiated yet as the user did not login in that particular service yet.

 

So I would rather do like: myServiceA.securedMethod1() -> myInternalService.securedMethodOfSomething();

Then comes to mind why secure securedMethodOfSomething (and why not put business logic in services of RMI clients, maybe some business logic will be in RMI services but some might be put somewhere else) ? If all methods in services from RMI clients are secured, I prefer to be secured internally but is it really overkill…. That’s why I want to have two Aspects, one that catch methods annotated and classes that implements my Service interface (RMI Client calls) and another that catch all other annotated methods so I can activate or deactivate the internal security.

 

 

Thank you.

 

From: Brian Demers [via Shiro User] [mailto:[hidden email]]
Sent: 2017
21 22:55
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro

 

It sounds like you have nested calls of annotated methods?  The initial RMI call to

 myServiceA.securedMethod1() ->

    myServiceB.securedMethod2()

 

It sounds like you could just use a subject.execute() from the initial RMI service method. This is similar to how the the Shiro Web filters work. Any following calls to get the subject will have access to the currently bound one.

 

Does this help?

 

On Wed, Feb 1, 2017 at 1:53 AM, yoann159 <[hidden email]> wrote:

Hi,



Yes around is the best solution.



I will try to clarify the part you did not understand:

With the AspectJ around I catch all method execution (and call if I configure that also) annotated with @RequireRoles/Permissions/etc (could of course only change the pointcut to intercept only when annotations are within a class that implements my interface Service), so I need to add in the thread context the first time it reaches one of these methods a Boolean to know if the subject was already got from a service class (RMI endpoint clients call) (or from another context I might do later), if it is True then only proceed is called and I do not rebind the subject with execute().

If I was rebinding the subject would be removed from current context/thread and any call to another method annotated with @RequireRoles/Permissions/etc would throw an exception if not in a service class and also I could also try to get the subject within a method later on (outside a service class) and I would receive an empty Subject.



Hope I was clear enough on that point.



Now I am including Spring in my project because it adds many features that I require, @transactional, @Cacheable and simple integration with JOOQ.



From: Brian Demers [via Shiro User] [mailto:[hidden email]]
Sent: 2017131 1:53
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro



I'm not sure i understand this part, the solution you proposed on stackoverflow seems like your best bet, use an 'around' and subject.execute(). This will allow any other shiro call to function, and unbind the thread when complete.  Feel free to answer respond back on stack overflow



I tried to intercept Shiro annotations with Before and Around advice with

AspectJ, it works and I can do what I wanted (see link to stackoverflow for

code). Around advice is the good solution, it set and unset the Subject,

what I did not show in my code is that we need to store in the thread

context one more info that we are already in an intercepted call so we do

not need to get the Subject from the Service otherwise it would remove the

subject in nested calls.



http://stackoverflow.com/questions/41849439/apache-shiro-annotation-aop-and-rmi


On Mon, Jan 30, 2017 at 5:35 AM, yoann159 <[hidden email]> wrote:

Hi,



So far I decided to use RMI, JUnit 5, Mockito, Guava, JOOQ, AspectJ, Apache
IO/imaging/Configuration/Net for my project and Apache Shiro (but why not
use Spring Security? See later explication).



My application is a standalone app, for desktop. A server app, a client app
and GUI made with JavaFx.



I tried to intercept Shiro annotations with Before and Around advice with
AspectJ, it works and I can do what I wanted (see link to stackoverflow for
code). Around advice is the good solution, it set and unset the Subject,
what I did not show in my code is that we need to store in the thread
context one more info that we are already in an intercepted call so we do
not need to get the Subject from the Service otherwise it would remove the
subject in nested calls.



I know I am going to need to do caching, transactions, metrics for my app
therefore I started to look for Spring Boot to not code everything ->
@Transactional, @Cacheable, @Count, etc.

So far I came with different dependencies: Spring boot 2.0.0, Spring
Security, Spring AOP and AspectJ, Spring Cache, Spring Mail, Spring JOOQ/
Spring  H2 (for tests and dev)/ Spring MySQL driver, Spring Actuator (and
above framework except Apache Shiro).

So maybe if I use Spring security I do not need Apache Shiro but now I need
to see how to configure Spring Security with AspectJ.



If you know what I said above, do you see any incoherence in the different
technologies I decided to use. All of the one (from Spring) I quoted are
standalone compatible (not only for web)?



I suggest we could continue on
http://stackoverflow.com/questions/41849439/apache-shiro-annotation-aop-and-
rmi as it would reach more people searching on stackoverflow.



Thank you.



From: Brian Demers [via Shiro User]

[mailto:[hidden email]]
Sent: 2017126 22:49
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro



I'm not sure I'm fully following anymore, lets take a step back, tell us
about your stack. And we can point you in the right direction. (there are a
few ways to process the Shiro annotations, Spring, Guice, JAX-RS, aop, (and
CDI on a branch).



Take a look at this as well:
https://shiro.apache.org/subject.html#thread-association




On Wed, Jan 25, 2017 at 10:47 PM, yoann159 <[hidden email]> wrote:

Hi,



I tried the aspect example (
<<a href="https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o rg/apache/shiro/samples/aspectj/bank <https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o%20rg/apache/shiro/samples/aspectj/bank> " rel="noreferrer" target="_blank"><a href="https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o rg/apache/shiro/samples/aspectj/bank" rel="noreferrer" target="_blank">https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o
rg/apache/shiro/samples/aspectj/bank>
<a href="https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/or g/apache/shiro/samples/aspectj/bank <https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/or%20g/apache/shiro/samples/aspectj/bank> " rel="noreferrer" target="_blank">https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/or

g/apache/shiro/samples/aspectj/bank)

It works for the tests but I do not see how I can intercept the
RequiresPermissions or RequiresRoles or etc to get the jointpoint called,
get the reference of subject stored in the service instantiated for that
client and simply call set method to set Subject to current executing
thread.



Also  <https://github.com/apache/shiro/blob/master/samples/spring-boot/>
https://github.com/apache/shiro/blob/master/samples/spring-boot/ is good
simple example but like I said I do not use Spring context, I do desktop app
with a server and clients.





Unless it is possible to use Spring without a web context? Spring boot is
good but it is more like: @GetMapping() @RequestMapping(…)



I maybe have a solution with:
pointcut allow():
execution(@org.apache.shiro.authz.annotation.RequiresPermissions * *(..)) ||
execution(@org.apache.shiro.authz.annotation.RequiresRoles * *(..));

With that I can have before advice and do:



((Service) thisJoinPoint.getThis()).getSubject();
ThreadState threadState = new SubjectThreadState(subject);
threadState.bind();



Not sure if I need to add a after advice to unbind the threadState but it
seems to work, and anyway any method will override the current subject. What
would you suggest?



Thank you.




From: Brian Demers [via Shiro User] [mailto:[hidden email]]

Sent: 2017125 22:32
To: yoann159
Subject: Re: How to make RMI work with Apache Shiro



Take a look at: https://shiro.apache.org/spring.html#secure-spring-remoting



Most of the Spring samples also include a remoting example:Â
https://github.com/apache/shiro/tree/master/samples



There is also an aspectj example



On Tue, Jan 24, 2017 at 11:24 PM, yoann159 <[hidden email]> wrote:

How to make RMI work with Apache Shiro?

Each calls on a method with @RequireRoles("..") execute on different thread
shared by multiple clients.

Is there a way to intercept this AOP, set the current Subject for this
thread (threadLocal), then unset it at the end of the method?

Thank you for your help



--
View this message in context:

<a href="http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir o-tp7581467.html <http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir%20o-tp7581467.html> " rel="noreferrer" target="_blank">http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir
o-tp7581467.html
Sent from the Shiro User mailing list archive at Nabble.com.





  _____
