Shiro filter with Jaxrs server


aidaverdi800

Hi all,
I'm new to Shiro and I would like to integrate it in my jaxrs webservice. It has an api to be used by an ajax client. 

The web service starts programmatically in this way:

JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();

JacksonJaxbJsonProvider jackson = new JacksonJaxbJsonProvider();
ObjectMapper m = new ObjectMapper();
m.configure(DeserializationFeature.UNWRAP_ROOT_VALUE, true);

jackson.setMapper(m);
CrossOriginResourceSharingFilter cors = new CrossOriginResourceSharingFilter();
sf.setProviders( Arrays.< Object >asList(cors, jackson) ); 
sf.setResourceClasses(Service.class, Users.class );
sf.setResourceProvider(Service.class, new SingletonResourceProvider(new ServiceImpl(env)));
sf.setResourceProvider(Users.class, new SingletonResourceProvider(new Users(env)));

sf.setAddress(address);
Server server = sf.create();

I added 

Factory<SecurityManager> shiro = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = shiro.getInstance();
SecurityUtils.setSecurityManager(securityManager);
to configure shiro

My shiro.ini is now very simple.

[main]  
  
# ------------------------  
# Database  
  
# Own Realm  
jdbcRealm = service.nexdata.SecurityRealm
  
# Sha256  
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
# base64 encoding, not hex in this example:  
sha256Matcher.storedCredentialsHexEncoded = false  
sha256Matcher.hashIterations = 1024  
  
jdbcRealm.credentialsMatcher = $sha256Matcher  


[urls]

/users/** = authcBasic


and the SecurityRealm implements JdbcRealm and specializes it with my user db and works well, I tested it.

Service and Users are two rest apis and I have a status method for development

@CrossOriginResourceSharing(allowAllOrigins = true, maxAge = 100000,  
allowHeaders = {"X-custom-1", "X-custom-2"}, exposeHeaders = {"X-custom-3", "X-custom-4"})
@Path("/service")
public abstract class CvService {
...

@GET
@Path("/status/")
public abstract Response status(); // returns if the service is up and running
}



@CrossOriginResourceSharing(allowAllOrigins = true,  maxAge = 300,  
allowHeaders = {"X-custom-1", "X-custom-2"}, exposeHeaders = {"X-custom-3", "X-custom-4"})
@Path("/users")
public abstract class Users {

@GET
@Path("/status/")
public abstract Response status();
}

implemented by
public Response status()
{
    Subject currentUser = SecurityUtils.getSubject();
    boolean auth = currentUser.isAuthenticated();
    if (auth)
        return Response.status(Status.OK).entity("User Service up and running!").build();
    else
        return Response.status(Status.OK).entity("User authentication needed!").build();
}

Shiro seems to work quite well if I do explicit login and logout, but the authcBasic filter doesn't seem to work.

I tested it with the chrome extension Advanced Rest Client and putting some breakpoints in BasicHttpAuthenticationFilter and the filter is completely ignored.

I have the feeling that shiro.ini is not enough in this case and I must explicitly tell the jaxrs server to use shiro filter first but I don't know how.

Is it right? Could you help me, please?
Thank you in advance,


Lisa


Re: Shiro filter with Jaxrs server

taidan19
Have you set up the Shiro Filter in the application's web.xml file?

On Thu, Jul 9, 2015 at 1:39 PM, aidaverdi800 <[hidden email]> wrote:

Re: Shiro filter with Jaxrs server

aidaverdi800
We don't have web.xml, I forgot to tell that I use Jetty embedded so mine is not the typical webapp layout. The webservice is only meant to be used as an api so we configured it programmatically for now. Is there a way to do the same in my main class?

Lisa

On Thu, Jul 9, 2015 at 7:40 PM, Christian Wolfe <[hidden email]> wrote:
Have you set up the Shiro Filter in the application's web.xml file?

Re: Shiro filter with Jaxrs server

taidan19
This page in the Shiro docs explains how to configure filters when using web.xml - http://shiro.apache.org/web.html. All of that can be done programmatically instead.

You should be able to create a ServletContext object and add the filter to it (as well as any configuration properties for the filter). Then you add the ServletContext object to the Server object you created, and then start the server.

This Stack Overflow link shows the basic idea of how to create a ServletContext object - http://stackoverflow.com/questions/19530806/java-jetty-how-to-add-filter-to-embedded-jetty

On Thu, Jul 9, 2015 at 1:46 PM, aidaverdi800 <[hidden email]> wrote:
We don't have web.xml, I forgot to tell that I use Jetty embedded so mine is not the typical webapp layout. The webservice is only meant to be used as an api so we configured it programmatically for now. Is there a way to do the same in my main class?

Lisa

Re: Shiro filter with Jaxrs server

aidaverdi800
I'm sorry to get back: I have tried everything to apply your useful suggestion but I think I'm in a slightly different situation or I'm missing something again. 
If I start everything directly launching a jetty server maybe I see something work, but as you can see from my previous code I'm using cxf to manage cors and some other things and I could not find a way to set a servlet context or a filter on JAXRSServerFactoryBean that wraps the server in my case. 
Thank you again,

Lisa

On Thu, Jul 9, 2015 at 7:51 PM, Christian Wolfe <[hidden email]> wrote:
This page in the Shiro docs explains how to configure filters when using web.xml - http://shiro.apache.org/web.html. All of that can be done programmatically instead.

You should be able to create a ServletContext object and add the filter to it (as well as any configuration properties for the filter). Then you add the ServletContext object to the Server object you created, and then start the server.

This Stack Overflow link shows the basic idea of how to create a ServletContext object - http://stackoverflow.com/questions/19530806/java-jetty-how-to-add-filter-to-embedded-jetty

Re: Shiro filter with Jaxrs server

scSynergy
In reply to this post by aidaverdi800
Just on a side-note,
/users/** = authcBasic
leaves your user-password as plain-text and therefore totally vulnerable to eavesdropping.
In production environments I suggest you change that line to
/users/** = ssl[insert your port number here], authcBasic
for instance my server
/users/** = ssl[8443], authcBasic
Re: Shiro filter with Jaxrs server

aidaverdi800
I'm back again, I really cannot figure out how to make shiro work in my environment.
It seems that there isn't a way to add shiro filter in cxf with jetty embedded and no web.xml. I was thinking of doing a new cxf interceptor calling shiro classes but then I will lose the simplicity of shiro configuration.

I tried also to add this code to convert cxf server to jetty server and add the filter as suggested, but if I don't add the shiro filter everything works and I can call my url. If I add the context handler the new servlet doesn't point to the rest resources, so the result of accessing the urls with shiro is "Error 404 Not Found". I'm a beginner in cxf too so understanding what is going on is tricky.

// old code
JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
JacksonJaxbJsonProvider jackson = new JacksonJaxbJsonProvider();
ObjectMapper m = new ObjectMapper();
m.configure(DeserializationFeature.UNWRAP_ROOT_VALUE, true);

jackson.setMapper(m);
CrossOriginResourceSharingFilter cors = new CrossOriginResourceSharingFilter();
sf.setProviders( Arrays.< Object >asList(cors, jackson ) );
sf.setResourceProvider(CvService.class, new SingletonResourceProvider(new Curricula(env)));
System.out.println("webservice published on "+address);
sf.setAddress(address);

Server cxfServer = sf.create();

// new code
Destination dest = cxfServer.getDestination();
JettyHTTPDestination jettyDestination = JettyHTTPDestination.class.cast(dest);
ServerEngine engine = jettyDestination.getEngine();
JettyHTTPServerEngine serverEngine = JettyHTTPServerEngine.class.cast(engine);
org.eclipse.jetty.server.Server httpServer = serverEngine.getServer();


// Had to start the server to get the Jetty Server instance.
// Have to stop it to add the custom Jetty handler.
httpServer.stop();
httpServer.join();


CXFNonSpringJaxrsServlet jaxrsServlet = new CXFNonSpringJaxrsServlet();
final ServletHolder servletHolder = new ServletHolder(jaxrsServlet);
ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SECURITY);
context.addServlet(servletHolder, "/*");
context.setContextPath("/");
context.setInitParameter("shiroConfigLocations", "classpath:shiro.ini");
context.addEventListener(new EnvironmentLoaderListener());
FilterHolder filterHolder = new FilterHolder();
filterHolder.setFilter(new ShiroFilter());
EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
context.addFilter(filterHolder, "/*", types);

httpServer.setHandler(context);

httpServer.start();
httpServer.join();

Could anyone that has encountered a similar problem give me a suggestion for the best direction to analyse? I would like to use shiro better than cxf security but it seems really complicated in my case. Is the cxf interceptor the way to go?

Lisa

On Fri, Jul 10, 2015 at 9:00 AM, scSynergy <[hidden email]> wrote:
Just on a side-note,
/users/** = authcBasic
leaves your user-password as plain-text and therefore totally vulnerable to
eavesdropping.
In production environments I suggest you change that line to
/users/** = ssl[insert your port number here], authcBasic
for instance my server
/users/** = ssl[8443], authcBasic
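
One way to do what the replies suggest, registering ShiroFilter and the CXF JAX-RS servlet on a single embedded Jetty context without web.xml. This is an added example, not code from the thread or from the linked project; it assumes Jetty 9, Shiro 1.x and CXF 3.x on the javax.* APIs, the thread's shiro.ini on the classpath, and the hypothetical names ShiroCxfJettyMain, UsersResource, ApiApplication and port 8080.

```java
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet;
import org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class ShiroCxfJettyMain {

    /** Hypothetical resource standing in for the thread's Users class. */
    @Path("/users")
    public static class UsersResource {
        @GET
        @Path("/status")
        public Response status() {
            // ShiroFilter binds the Subject to the request thread before
            // the CXF servlet dispatches to this method.
            Subject subject = SecurityUtils.getSubject();
            if (!subject.isAuthenticated()) {
                // Only reachable when no [urls] chain covers this path.
                return Response.status(Response.Status.UNAUTHORIZED).build();
            }
            return Response.ok("User Service up and running!").build();
        }
    }

    /** JAX-RS Application that hands CXF the resource and the CORS provider. */
    public static class ApiApplication extends Application {
        @Override
        public Set<Object> getSingletons() {
            Set<Object> singletons = new HashSet<>();
            singletons.add(new UsersResource());
            singletons.add(new CrossOriginResourceSharingFilter());
            return singletons;
        }
    }

    public static Server buildServer(int port) {
        Server server = new Server(port);

        ServletContextHandler context =
                new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");

        // Equivalent of the <context-param>, <listener> and <filter> entries
        // that the Shiro web documentation places in web.xml.
        context.setInitParameter("shiroConfigLocations", "classpath:shiro.ini");
        context.addEventListener(new EnvironmentLoaderListener());
        context.addFilter(new FilterHolder(new ShiroFilter()), "/*",
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD,
                           DispatcherType.INCLUDE, DispatcherType.ERROR));

        // The CXF servlet must be told which resources to serve; here that is
        // done through the standard javax.ws.rs.Application init parameter.
        ServletHolder cxf = new ServletHolder(new CXFNonSpringJaxrsServlet());
        cxf.setInitParameter("javax.ws.rs.Application",
                ApiApplication.class.getName());
        context.addServlet(cxf, "/*");

        server.setHandler(context);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Plain HTTP on an assumed port; the ssl[port] chain entry suggested
        // in the thread needs a TLS connector listening on that port.
        Server server = buildServer(8080);
        server.start();
        server.join();
    }
}
```

Because the servlet filter runs before CXF's CORS provider, a browser's CORS preflight (an OPTIONS request without credentials) to a path covered by authcBasic is answered by Shiro's 401 challenge rather than by the CORS provider.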



Re: Shiro filter with Jaxrs server

Jared Bunting-2

If you have a bit more of a project demonstrating the issue I can take a look. Our core product runs jetty embedded, with jersey and Shiro. I can't imagine that cxf would be so different that it wouldn't work.

On Aug 29, 2015 7:34 PM, "aidaverdi800" <[hidden email]> wrote:

Re: Shiro filter with Jaxrs server

aidaverdi800
Thank you!
I added a quick mini project with the issue here https://github.com/lisaziri/shiro-cxf-example 
Thanks again,

Lisa

On Sun, Aug 30, 2015 at 3:09 AM, Jared Bunting <[hidden email]> wrote:

If you have a bit more of a project demonstrating the issue I can take a look. Our core product runs jetty embedded, with jersey and Shiro. I can't imagine that cxf would be so different that it wouldn't work.

Re: Shiro filter with Jaxrs server

Jared Bunting-2
Cool.  I think it's missing a ServerConfig.xml.

org.springframework.context.ApplicationContextException: Failed to load configuration ServerConfig.xml
at org.apache.cxf.bus.spring.BusApplicationContext.getConfigResources(BusApplicationContext.java:202)
at org.springframework.context.support.AbstractXmlApplicationContext.loadBeanDefinitions(AbstractXmlApplicationContext.java:121)
at org.apache.cxf.bus.spring.BusApplicationContext.loadBeanDefinitions(BusApplicationContext.java:322)
at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:131)
at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:527)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:441)
at org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:107)
at org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:105)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.cxf.bus.spring.BusApplicationContext.<init>(BusApplicationContext.java:105)
at org.apache.cxf.bus.spring.SpringBusFactory.createApplicationContext(SpringBusFactory.java:157)
at org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:148)
at org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:124)
at org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:94)
at cxfshiro.Main.main(Main.java:37)

On Sun, Aug 30, 2015 at 9:36 AM, aidaverdi800 <[hidden email]> wrote:
Thank you!
I added a quick mini project with the issue here https://github.com/lisaziri/shiro-cxf-example 
Thanks again,

Lisa

On Sun, Aug 30, 2015 at 3:09 AM, Jared Bunting <[hidden email]> wrote:

If you have a bit more of a project demonstrating the issue I can take a look. Our core product runs jetty embedded, with jersey and Shiro. I can't imagine that cxf would be so different that it wouldn't work.

On Aug 29, 2015 7:34 PM, "aidaverdi800" <[hidden email]> wrote:
I'm back again, I really cannot figure out how to make shiro work in my environment.
It seems that there isn't a way to add shiro filter in cxf with jetty embedded and no web.xml. I was thinking of doing a new cxf interceptor calling shiro classes but then I will lose the simplicity of shiro configuration.

I tried also to add this code to convert cxf server to jetty server and add the filter as suggested, but if I don't add the shiro filter everything works and I can call my url. If I add the context handler the new servlet doesn't point to the rest resources, so the result of accessing the urls with shiro is "Error 404 Not Found". I'm a beginner in cxf too so understanding what is going on is tricky.

              // old code
JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
JacksonJaxbJsonProvider jackson = new JacksonJaxbJsonProvider();
ObjectMapper m = new ObjectMapper();
m.configure(DeserializationFeature.UNWRAP_ROOT_VALUE, true);

jackson.setMapper(m);
CrossOriginResourceSharingFilter cors = new CrossOriginResourceSharingFilter();
sf.setProviders( Arrays.< Object >asList(cors, jackson ) );
sf.setResourceProvider(CvService.class, new SingletonResourceProvider(new Curricula(env)));
System.out.println("webservice published on "+address);
sf.setAddress(address);

Server cxfServer = sf.create();

// new code
Destination dest = cxfServer.getDestination();
JettyHTTPDestination jettyDestination = JettyHTTPDestination.class.cast(dest);
ServerEngine engine = jettyDestination.getEngine();
JettyHTTPServerEngine serverEngine = JettyHTTPServerEngine.class.cast(engine);
org.eclipse.jetty.server.Server httpServer = serverEngine.getServer();


// Had to start the server to get the Jetty Server instance.
// Have to stop it to add the custom Jetty handler.
httpServer.stop();
httpServer.join();


CXFNonSpringJaxrsServlet jaxrsServlet = new CXFNonSpringJaxrsServlet(); 
final ServletHolder servletHolder = new ServletHolder(jaxrsServlet); 
ServletContextHandler context=new ServletContextHandler(ServletContextHandler.SECURITY); 
context.addServlet(servletHolder, "/*"); context.setContextPath("/"); 
context.setInitParameter("shiroConfigLocations","classpath:shiro.ini"); 
context.addEventListener(new EnvironmentLoaderListener()); 
FilterHolder filterHolder = new FilterHolder(); 
filterHolder.setFilter(new ShiroFilter()); 
EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class); 
context.addFilter(filterHolder, "/*", types);

httpServer.setHandler(context);

httpServer.start();
httpServer.join();

Could anyone that has encountered a similar problem give me a suggestion for the best direction to analyse? I would like to use shiro better than cxf security but it seems really complicated in my case. Is the cxf interceptor the way to go?

Lisa

On Fri, Jul 10, 2015 at 9:00 AM, scSynergy <[hidden email]> wrote:
Just on a side-note,
/users/** = authcBasic
leaves your user-password as plain-text and therefore totally vulnerable to
eavesdropping.
In production environments I suggest you change that line to
/users/** = ssl[insert your port number here], authcBasic
for instance my server
/users/** = ssl[8443], authcBasic



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-filter-with-Jaxrs-server-tp7580613p7580621.html
Sent from the Shiro User mailing list archive at Nabble.com.




Re: Shiro filter with Jaxrs server

Anna Elisabetta Ziri
Oh sorry! There is no need to call the serverconfig.xml in this case, it manages other things. If you get the repo again it should be working.

Lisa

--
Anna Elisabetta Ziri
CTO of Nemoris S.r.l.
[hidden email]
Skype lisa.ziri
Cell. +393403095591      
Tel. +390510827131      
www.nemoris.it



Re: Shiro filter with Jaxrs server

aidaverdi800
In reply to this post by Jared Bunting-2
Oh sorry! There is no need to call the serverconfig.xml in this case, it manages other things. If you get the repo again it should be working.

Lisa


Re: Shiro filter with Jaxrs server

Jared Bunting-2
Alright, well I guess I have a better understanding of how cxf is integrating with Jetty now. The servlet API doesn't appear to be involved at all. There's a jetty handler that directly invokes the CXF code. That's going to be a problem since the only built-in authentication filters that shiro provides are based on the servlet API. I've been toying with the idea of doing a native JAX-RS filter but I haven't done anything with it yet.

If this is definitely how the jetty cxf integration needs to work in your project, then you're going to need to write your own filters.

Sorry I couldn't be of more help.

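The last reply concludes that Shiro's servlet filters never see a request when a Jetty handler invokes CXF directly, so authentication has to run in a filter that CXF itself calls. One way to do that with a JAX-RS 2.0 `ContainerRequestFilter`, as an added example that is not from the thread or the linked repository: the class name `ShiroBasicAuthFilter`, the `requireTls` flag and the realm name `api` are assumptions, and the filter guards every resource it is registered for rather than reading the `[urls]` section of shiro.ini.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Hypothetical class name. Register it next to the other providers, e.g.
// sf.setProviders(Arrays.<Object>asList(cors, jackson, new ShiroBasicAuthFilter(securityManager, true)));
@Priority(Priorities.AUTHENTICATION)
public class ShiroBasicAuthFilter implements ContainerRequestFilter, ContainerResponseFilter {

    private final SecurityManager securityManager; // built from shiro.ini by the caller
    private final boolean requireTls;              // true mirrors the ssl[...] advice in the thread

    public ShiroBasicAuthFilter(SecurityManager securityManager, boolean requireTls) {
        this.securityManager = securityManager;
        this.requireTls = requireTls;
    }

    @Override
    public void filter(ContainerRequestContext request) {
        // Basic credentials are only base64-encoded, so refuse them over plain HTTP.
        if (requireTls && !request.getSecurityContext().isSecure()) {
            request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        UsernamePasswordToken token = parseBasic(request.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (token == null) {
            challenge(request);
            return;
        }
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        try {
            subject.login(token);          // delegates to the realm configured in shiro.ini
            ThreadContext.bind(subject);   // SecurityUtils.getSubject() now works in resource methods
        } catch (AuthenticationException e) {
            challenge(request);            // fail closed, same answer for unknown user and bad password
        } finally {
            token.clear();                 // wipe the password char[] held by the token
        }
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
        ThreadContext.unbindSubject();     // pooled threads must not keep the previous caller's Subject
    }

    private static UsernamePasswordToken parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 0 ? null
                    : new UsernamePasswordToken(pair.substring(0, colon), pair.substring(colon + 1));
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }

    private static void challenge(ContainerRequestContext request) {
        request.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\"")
                .build());
    }
}
```

With Shiro's default security manager each login also creates a native session; for a stateless REST API, `securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false` in the `[main]` section of shiro.ini stops Shiro from storing Subject state in one.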