Stuck - authentication works but authorization is not working.

Stuck - authentication works but authorization is not working.

Animesh Jain
Hi

I'm a newbie to jsecurity so I might be missing something in my config here. My authentication is happening fine, but when I try to do a role check I get a java.util.NoSuchElementException. Let me explain my config -

I've made a new Realm called HibernateSecurityRealm and have implemented the
doGetAuthenticationInfo
doGetAuthorizationInfo
methods. Here's the implementation code snippet

--- code start ---

  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    String username = upToken.getUsername();
    // Null username is invalid
    if (username == null) {
      throw new AccountException("Null usernames are not allowed by this realm.");
    }

    String password = userSecurityDao.getPasswordForUser(username);
    if (password == null) {
      throw new UnknownAccountException("No account found for user [" + username + "]");
    }
    return buildAuthenticationInfo(username, password.toCharArray());
  }

  protected AuthenticationInfo buildAuthenticationInfo(String username, char[] password) {
    return new SimpleAuthenticationInfo(username, password, getName());
  }

  /**
   * This implementation of the interface expects the principals collection to return a String username keyed off of
   * this realm's {@link #getName() name}
   *
   * @see AuthorizingRealm#getAuthorizationInfo(org.jsecurity.subject.PrincipalCollection)
   */
  @Override
  protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

    //null usernames are invalid
    if (principals == null) {
      throw new AuthorizationException("PrincipalCollection method argument cannot be null.");
    }

    String username = (String) principals.fromRealm(getName()).iterator().next();

    // Retrieve roles and permissions from database
    Set<String> roleNames = userSecurityDao.getRoleNamesForUser(username);
    Set<String> permissions= userSecurityDao.getPermissions(username, roleNames);

    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);
    info.setStringPermissions(permissions);
    return info;
  }

--- code end ---

Now whenever I'm calling something like
getSecurityManager().login(token);
in my action, the call to doGetAuthenticationInfo is happening just fine.

But when I try to do something like
getSecurityManager().getSubject().hasRole("XYZ")
I get the NoSuchElementException exception.

Please help. Let me know if there's something more to be implemented when creating a realm.


Re: Stuck - authentication works but authorization is not working.

Les Hazlewood-2
Hi Animesh,

Your realm implementation looks fine.  But, JSecurity doesn't throw a NoSuchElementException anywhere in its code.  I'm assuming this has to do with how a collection is being used, either iterated by JSecurity, or something happening in your DAO layer.

Please include the stacktrace - it is very hard to debug without it ;)

Thanks,

Les

On Sun, Sep 7, 2008 at 11:11 AM, Animesh Jain <[hidden email]> wrote:
Hi

I'm a newbie to jsecurity so I might be missing something in my config here. My authentication is happening fine, but when I try to do a role check I get a java.util.NoSuchElementException. Let me explain my config -


Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Oops! I should have looked at the stacktrace closer. This is unrelated to Jsecurity. I've been working on an integration of Stripes+Guice+Warp persist+Jsecurity. Jsecurity is the last remaining thing and when I got the error I assumed it was because of that :P. So I'll close it here.. maybe I'll drop you an email if I feel I need your help.

Stacktrace:

exception

net.sourceforge.stripes.exception.StripesServletException: Unhandled exception in exception handler.
    net.sourceforge.stripes.exception.DefaultExceptionHandler.handle(DefaultExceptionHandler.java:158)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:249)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)

root cause

java.util.NoSuchElementException
    java.util.Collections$EmptySet$1.next(Collections.java:2910)
    java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:157)
    org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:265)
    org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
    org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
    org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
    org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
    bookmark.web.action.HomeAction.preAction(HomeAction.java:14)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:585)
    net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:442)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74)
    net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:440)
    net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:285)
    net.sourceforge.stripes.controller.DispatcherServlet.doPost(DispatcherServlet.java:167)
    net.sourceforge.stripes.controller.DispatcherServlet.doGet(DispatcherServlet.java:67)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:246)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)


On Mon, Sep 8, 2008 at 12:13 AM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

Your realm implementation looks fine.  But, JSecurity doesn't throw a NoSuchElementException anywhere in its code.  I'm assuming this has to do with how a collection is being used, either iterated by JSecurity, or something happening in your DAO layer.

Please include the stacktrace - it is very hard to debug without it ;)

Thanks,

Les
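
The root-cause frames in the stack trace above end in `next()` on an empty set's iterator, reached through `SimpleAccountRealm` rather than through a custom realm. The following is an added example, not part of the thread and not JSecurity source: a dependency-free Java model of principals stored per realm name, showing how a realm that did not authenticate the subject finds nothing under its own name, next to a guarded lookup that denies the role check instead of throwing. The classes `Principals` and `Realm`, the user `alice`, and the use of the two realm names as plain strings are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;

public class RealmPrincipalLookupDemo {

    /** Hypothetical stand-in for a principal collection: realm name -> principals it contributed. */
    static final class Principals {
        private final Map<String, Set<String>> byRealm = new HashMap<>();

        void add(String realmName, String principal) {
            byRealm.computeIfAbsent(realmName, k -> new LinkedHashSet<>()).add(principal);
        }

        /** Never returns null; a realm that contributed nothing yields an empty set. */
        Set<String> fromRealm(String realmName) {
            Set<String> found = byRealm.get(realmName);
            if (found == null) {
                return Collections.emptySet();
            }
            return Collections.unmodifiableSet(found);
        }
    }

    /** Hypothetical stand-in for a realm that answers role checks from its own account data. */
    static final class Realm {
        private final String name;
        private final Map<String, Set<String>> rolesByUser;

        Realm(String name, Map<String, Set<String>> rolesByUser) {
            this.name = name;
            this.rolesByUser = rolesByUser;
        }

        /** Same shape as the lookup in the first post: assumes this realm's principal exists. */
        boolean hasRoleFragile(Principals principals, String role) {
            String username = principals.fromRealm(name).iterator().next(); // throws on an empty set
            return rolesFor(username).contains(role);
        }

        /** Guarded lookup: a subject this realm did not authenticate is denied, with a log line. */
        boolean hasRoleGuarded(Principals principals, String role) {
            Iterator<String> it = principals.fromRealm(name).iterator();
            if (!it.hasNext()) {
                System.err.println("realm [" + name + "] has no principal for this subject; denying role check");
                return false;
            }
            return rolesFor(it.next()).contains(role);
        }

        private Set<String> rolesFor(String username) {
            Set<String> roles = rolesByUser.get(username);
            return roles == null ? Collections.<String>emptySet() : roles;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one user with the role name used in the thread.
        Map<String, Set<String>> dbRoles = new HashMap<>();
        dbRoles.put("alice", Collections.singleton("XYZ"));

        Realm custom = new Realm("HibernateSecurityRealm", dbRoles);
        Realm fallback = new Realm("SimpleAccountRealm", new HashMap<>());

        // Login went through the custom realm, so the principal is stored under its name only.
        Principals principals = new Principals();
        principals.add("HibernateSecurityRealm", "alice");

        // The realm that authenticated the subject resolves the username and its roles.
        System.out.println("custom realm, fragile lookup: " + custom.hasRoleFragile(principals, "XYZ"));

        // A different realm asks for principals under its own name and gets an empty set.
        try {
            fallback.hasRoleFragile(principals, "XYZ");
        } catch (NoSuchElementException e) {
            System.out.println("fallback realm, fragile lookup: " + e.getClass().getName());
        }

        // The guarded lookup fails closed instead of surfacing an unhandled exception.
        System.out.println("fallback realm, guarded lookup: " + fallback.hasRoleGuarded(principals, "XYZ"));
    }
}
```

Which realm name appears in the authorization frames of a stack trace is therefore a direct indicator of which security manager and realm actually served the role check.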





Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Les,

On second thoughts.. I'm still not sure. Why is it that there's SimpleAccountRealm.java in the stacktrace and no HibernateSecurityRealm (the one I implemented)?

Any thoughts?

Animesh

On Mon, Sep 8, 2008 at 12:24 AM, Animesh Jain <[hidden email]> wrote:
Oops! I should have looked at the stacktrace closer. This is unrelated to Jsecurity. I've been working on an integration of Stripes+Guice+Warp persist+Jsecurity. Jsecurity is the last remaining thing and when I got the error I assumed it was because of that :P. So I'll close it here.. maybe I'll drop you an email if I feel I need your help.


Re: Stuck - authentication works but authorization is not working.

Les Hazlewood
Administrator
The SimpleAccountRealm is a fallback/failsafe realm that is used if you haven't correctly configured a realm yourself.  What does your JSecurity configuration look like?

On Sun, Sep 7, 2008 at 3:04 PM, Animesh Jain <[hidden email]> wrote:
Les,

On second thoughts.. I'm still not sure. Why is it that there's SimpleAccountRealm.java in the stacktrace and no HibernateSecurityRealm (the one I implemented)?

Any thoughts?

Animesh



Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Ok here's the deal..

I'm injecting a DefaultWebSecurityManager into my action classes, which has my HibernateSecurityRealm set correctly. So calling

Subject subject = getSecurityManager().getSubject();

is giving me the correct currently logged in user. But strangely when I debug the subject instance after getting it, the securityManager it shows is not the same - it has a realm called org.jsecurity.realm.text.PropertiesRealm. Now how is that possible?

I was not using the SecurityUtils class and had not explicitly set a SecurityManager using SecurityUtils.setSecurityManager(). Is that required? Anyway I now added it too but that has had no effect. Still the same error.

So where's the subject instance getting the different implementation from?

Animesh

On Mon, Sep 8, 2008 at 12:52 AM, Les Hazlewood <[hidden email]> wrote:
The SimpleAccountRealm is a fallback/failsafe realm that is used if you haven't correctly configured a realm yourself.  What does your JSecurity configuration look like?



Re: Stuck - authentication works but authorization is not working.

Les Hazlewood
Administrator
Is this a web app?  I.e. is there a web.xml file somewhere?

Also, is this a spring application?

On Sun, Sep 7, 2008 at 3:44 PM, Animesh Jain <[hidden email]> wrote:
Ok here's the deal..

I'm injecting a DefaultWebSecurityManager into my action classes, which has my HibernateSecurityRealm set correctly. So calling

Subject subject = getSecurityManager().getSubject();

is giving me the correct currently logged in user. But strangely when I debug the subject instance after getting it, the securityManager it shows is not the same - it has a realm called org.jsecurity.realm.text.PropertiesRealm. Now how is that possible?

I was not using the SecurityUtils class and had not explicitly set a SecurityManager using SecurityUtils.setSecurityManager(). Is that required? Anyway I now added it too but that has had no effect. Still the same error.

So where's the subject instance getting the different implementation from?

Animesh



Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Yup this is a web-app. I'm using Guice for dependency injection so you can think of that as a replacement for Spring. I could send you the whole app too so you'd see what I see. I'm pretty sure there's nothing wrong with the dependency injection here. Because as I said after the login action I'm able to obtain an instance of the subject in a separate action class by calling

Subject subject = getSecurityManager().getSubject()

Here getSecurityManager() gets me an injected SecurityManager correctly with my realm properly configured and all. Right after this line if I call

subject.hasRole("XYZ")

the error gets thrown up.

- Animesh


On Mon, Sep 8, 2008 at 1:38 AM, Les Hazlewood <[hidden email]> wrote:
Is this a web app?  I.e. is there a web.xml file somewhere?

Also, is this a spring application?


On Sun, Sep 7, 2008 at 3:44 PM, Animesh Jain <[hidden email]> wrote:
Ok here's the deal..

I'm injecting a DefaultWebSecurityManager into my action classes, which has my HibernateSecurityRealm set correctly. So calling

Subject subject = getSecurityManager().getSubject();

is giving me the correct currently logged in user. But strangely when I debug the subject instance after getting it, the securityManager it shows is not the same - it has a realm called org.jsecurity.realm.text.PropertiesRealm. Now how is that possible?

I was not using the SecurityUtils class and had not explicitly set a SecurityManager using SecurityUtils.setSecurityManager(). Is that required? Anyway I now added it too but that has had no effect. Still the same error.

So where's the subject instance getting the different implementation from?

Animesh


On Mon, Sep 8, 2008 at 12:52 AM, Les Hazlewood <[hidden email]> wrote:
The SimpleAccountRealm is a fallback/failsafe realm that is used if you haven't correctly configured a realm yourself.  What does your JSecurity configuration look like?


On Sun, Sep 7, 2008 at 3:04 PM, Animesh Jain <[hidden email]> wrote:
Les,

On second thoughts.. I'm still not sure. Why is it that there's SimpleAccountRealm.java in the stacktrace and no HibernateSecurityRealm (the one I implemented)?

Any thoughts?

Animesh


On Mon, Sep 8, 2008 at 12:24 AM, Animesh Jain <[hidden email]> wrote:
Oops! I should have looked at the stacktrace closer. This is unrelated to Jsecurity. I've been working on an integration of Stripes+Guice+Warp persist+Jsecurity. Jsecurity is the last remaining thing and when I got the error I assumed it was because of that :P. So I'll close it here.. maybe I'll drop you an email if I feel I need your help.

Stacktrace:

exception

net.sourceforge.stripes.exception.StripesServletException: Unhandled exception in exception handler.
    net.sourceforge.stripes.exception.DefaultExceptionHandler.handle(DefaultExceptionHandler.java:158)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:249)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)

root cause

java.util.NoSuchElementException
    java.util.Collections$EmptySet$1.next(Collections.java:2910)
    java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:157)
    org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:265)
    org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
    org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
    org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
    org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
    bookmark.web.action.HomeAction.preAction(HomeAction.java:14)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:585)
    net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:442)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74)
    net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:440)
    net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:285)
    net.sourceforge.stripes.controller.DispatcherServlet.doPost(DispatcherServlet.java:167)
    net.sourceforge.stripes.controller.DispatcherServlet.doGet(DispatcherServlet.java:67)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:246)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)



On Mon, Sep 8, 2008 at 12:13 AM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

Your realm implementation looks fine.  But, JSecurity doesn't throw a NoSuchElementException anywhere in its code.  I'm assuming this has to do with how a collection is being used, either iterated by JSecurity, or something happening in your DAO layer.

Please include the stacktrace - it is very hard to debug without it ;)

Thanks,

Les










Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Well, how does subject get its securityManager / realm? That may throw some light onto whether the realm needs to be injected elsewhere too.

- Animesh


Re: Stuck - authentication works but authorization is not working.

Les Hazlewood-2
In reply to this post by Animesh Jain
Ah, this helps greatly.

In a web app, the best thing to do is configure JSecurity in web.xml via the ini format.  The JSecurityFilter will acquire the SecurityManager and enable SecurityUtils automatically, as long as there is a Configuration class that can be used.

For example, in Spring-based webapps, we have a SpringIniWebConfiguration implementation to support this (http://jsecurity.svn.sourceforge.net/viewvc/jsecurity/trunk/support/spring/src/org/jsecurity/spring/SpringIniWebConfiguration.java?revision=868&view=markup).

The best thing to do would be to create a GuiceIniWebConfiguration that does the same thing and then use it in web.xml:

<filter>
  <filter-name>JSecurityFilter</filter-name>
  <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
  <init-param>
    <param-name>configClassName</param-name>
    <param-value>com.domain.my.package.GuiceIniWebConfiguration</param-value>
  </init-param>
  <init-param>
    <param-name>config</param-name>
    <param-value>

     # config as specified in the JSecurityFilter JavaDoc (http://jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html)
    </param-value>
  </init-param>
</filter>

...

filter-mapping here.

Then you can use SecurityUtils.getSubject() anywhere in your code and not worry about anything else.

If you create this GuiceIniWebConfiguration class, please contribute it back to the project - we'll be happy to maintain it!

Thanks,

Les


Re: Stuck - authentication works but authorization is not working.

Les Hazlewood
Administrator
In reply to this post by Animesh Jain
The realm needs to be injected into the security manager only once:

securityManager.setRealm(realm);

This will ensure the lazily-created PropertiesRealm (the fallback/failsafe one) is not created.

In a web app, the JSecurityFilter ensures SecurityUtils is set up properly.  In a standalone application, you need to call SecurityUtils.setSecurityManager explicitly _if_ you are not using a DI framework like Spring or Guice.
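
Why the stack trace in this thread shows the fallback realm failing with NoSuchElementException, as an added example (not part of the original posts and not JSecurity source): a simplified, self-contained model using hypothetical classes Principals, Realm and Manager and a constructed user "alice". It assumes, consistent with the trace, that a realm looks up the principal stored under its own name, so a second manager that never received the realm lazily creates an empty one and breaks on the role check.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;

// Simplified model with hypothetical classes; this is not JSecurity source code.
public class FallbackRealmDemo {

    /** Principals grouped by the name of the realm that authenticated them. */
    static class Principals {
        private final Map<String, Set<String>> byRealm = new HashMap<>();

        void add(String principal, String realmName) {
            byRealm.computeIfAbsent(realmName, k -> new LinkedHashSet<>()).add(principal);
        }

        Set<String> fromRealm(String realmName) {
            Set<String> found = byRealm.get(realmName);
            return Collections.unmodifiableSet(found != null ? found : Collections.<String>emptySet());
        }
    }

    static class Realm {
        final String name;
        private final Map<String, Set<String>> rolesByUser;

        Realm(String name, Map<String, Set<String>> rolesByUser) {
            this.name = name;
            this.rolesByUser = rolesByUser;
        }

        /** Assumed behaviour: use the first principal stored under this realm's own name. */
        boolean hasRole(Principals principals, String role) {
            String username = principals.fromRealm(name).iterator().next(); // throws if the set is empty
            return rolesByUser.getOrDefault(username, Collections.<String>emptySet()).contains(role);
        }
    }

    static class Manager {
        private Realm realm;

        void setRealm(Realm realm) {
            this.realm = realm;
        }

        /** Lazily creates an empty fallback realm when none was configured. */
        Realm getRealm() {
            if (realm == null) {
                realm = new Realm("fallbackRealm", Collections.<String, Set<String>>emptyMap());
            }
            return realm;
        }

        Principals login(String username) {
            Principals principals = new Principals();
            principals.add(username, getRealm().name);
            return principals;
        }

        boolean hasRole(Principals principals, String role) {
            return getRealm().hasRole(principals, role);
        }
    }

    /** Runs the role check and reports the outcome instead of letting the exception escape. */
    static String check(Manager manager, Principals principals, String role) {
        String realmName = manager.getRealm().name;
        try {
            return realmName + " -> hasRole=" + manager.hasRole(principals, role);
        } catch (NoSuchElementException e) {
            return realmName + " -> NoSuchElementException (no principals stored for this realm)";
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one user holding role "XYZ".
        Map<String, Set<String>> roles = new HashMap<>();
        roles.put("alice", Collections.singleton("XYZ"));

        Manager injected = new Manager();   // the manager wired by the DI container
        injected.setRealm(new Realm("HibernateSecurityRealm", roles));

        Manager fromFilter = new Manager(); // a second manager that never received the realm

        // Login goes through the injected manager, so the principal is keyed to its realm.
        Principals principals = injected.login("alice");

        System.out.println(check(injected, principals, "XYZ"));
        System.out.println(check(fromFilter, principals, "XYZ"));
    }
}
```

When a role check fails like this, print the realm name held by the manager that actually serves the Subject; seeing a fallback name there means two managers exist and only one was configured.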


Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Ok now it makes sense. I completely forgot about the filter! Will go to sleep now (late night in my part of the world) and update when I figure this out.

Thanks a lot for the help Les :)

- Animesh

On Mon, Sep 8, 2008 at 2:02 AM, Les Hazlewood <[hidden email]> wrote:
The realm needs to be injected into the security manager only once:

securityManager.setRealm(realm);

This will ensure the lazily-created PropertiesRealm (the fallback/failsafe one) is not created.

In a web app, the JSecurityFilter ensures SecurityUtils is set up properly.  In a standalone application, you need to call SecurityUtils.setSecurityManager explicitly _if_ you are not using a DI framework like Spring or Guice.


On Sun, Sep 7, 2008 at 4:18 PM, Animesh Jain <[hidden email]> wrote:
Well how does subject get its securityManager / realm. That may throw some light onto whether the realm needs to be injected elsewhere too.

- Animesh


On Mon, Sep 8, 2008 at 1:46 AM, Animesh Jain <[hidden email]> wrote:
Yup this is a web-app. I'm using Guice for dependency injection so you can think of that as a replacement for Spring. I could send you the whole app too so you'd see what I see. I'm pretty sure there's nothing wrong with the dependency injection here. Because as I said after the login action I'm able to obtain an instance of the subject in a separate action class by calling

Subject subject = getSecurityManager().getSubject()

Here getSecurityManager() gets me an injected SecurityManager correctly with my realm properly configured and all. Right after this line if I call

subject.hasRole("XYZ")

the error gets thrown up.

- Animesh



On Mon, Sep 8, 2008 at 1:38 AM, Les Hazlewood <[hidden email]> wrote:
Is this a web app?  I.e. is there a web.xml file somewhere?

Also, is this a spring application?


On Sun, Sep 7, 2008 at 3:44 PM, Animesh Jain <[hidden email]> wrote:
Ok here's the deal..

I'm injecting a DefaultWebSecurityManager into my action classes, which has my HibernateSecurityRealm set correctly. So calling

Subject subject = getSecurityManager().getSubject();

is giving me the correct currently logged in user. But strangely when I debug the subject instance after getting it, the securityManager it shows is not the same - it has a real called org.jsecurity.realm.text.PropertiesRealm. Now how is that possible?

I was not using the SecurityUtils class and had not explicitly set a SecurityManager using SecurityUtils.setSecurityManager(). Is that required. Anyway I now added it too but that has had no effect. Still the same error.

So where's the subject instance getting the different implementation from

Animesh


On Mon, Sep 8, 2008 at 12:52 AM, Les Hazlewood <[hidden email]> wrote:
The SimpleAccountRealm is a fallback/failsafe realm that is used if you haven't correctly configured a realm yourself.  What does your JSecurity configuration look like?


On Sun, Sep 7, 2008 at 3:04 PM, Animesh Jain <[hidden email]> wrote:
Les,

On second thoughts.. I'm still not sure. Why is it that there's SimpleAccountRealm.java in the stacktrace and no HibernateSecurityRealm (the one I implemented).

Any thoughts.

Animesh


On Mon, Sep 8, 2008 at 12:24 AM, Animesh Jain <[hidden email]> wrote:
Oops! I should have looked at the stacktrace closer. This is unrelated to Jsecurity. I've been working on an integration of Stripes+Guice+Warp persist+Jsecurity. Jsecurity is the last remaining thing and when I got the error I assumed it was because of that :P. So I'll close it here.. maybe I'll drop you an email if I feel I need your help.

Stacktrace:

exception

net.sourceforge.stripes.exception.StripesServletException: Unhandled exception in exception handler.
    net.sourceforge.stripes.exception.DefaultExceptionHandler.handle(DefaultExceptionHandler.java:158)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:249)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)

root cause

java.util.NoSuchElementException
    java.util.Collections$EmptySet$1.next(Collections.java:2910)
    java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:157)
    org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:265)
    org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
    org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
    org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
    org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
    bookmark.web.action.HomeAction.preAction(HomeAction.java:14)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:585)
    net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:442)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74)
    net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:440)
    net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:285)
    net.sourceforge.stripes.controller.DispatcherServlet.doPost(DispatcherServlet.java:167)
    net.sourceforge.stripes.controller.DispatcherServlet.doGet(DispatcherServlet.java:67)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:246)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)



On Mon, Sep 8, 2008 at 12:13 AM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

Your realm implementation looks fine.  But, JSecurity doesn't throw a NoSuchElementException anywhere in its code.  I'm assuming this has to do with how a collection is being used, either iterated by JSecurity, or something happening in your DAO layer.

Please include the stacktrace - it is very hard to debug without it ;)

Thanks,

Les













Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Hey..

Finally found some time and got things working. Wrote a GuiceWebConfiguration as you suggested with some effort. Not sure if it's good enough for inclusion in Jsecurity, although I'll share whatever I have here. Should I email the class to you Les?

Animesh

On Mon, Sep 8, 2008 at 2:13 AM, Animesh Jain <[hidden email]> wrote:
Ok now it makes sense. I completely forgot about the filter! Will go to sleep now (late night in my part of the world) and update when I figure this out.

Thanks a lot for the help Les :)

- Animesh


On Mon, Sep 8, 2008 at 2:02 AM, Les Hazlewood <[hidden email]> wrote:
The realm needs to be injected into the security manager only once:

securityManager.setRealm(realm);

This will ensure the lazily-created PropertiesRealm (the fallback/failsafe one) is not created.

In a web app, the JSecurityFilter ensures SecurityUtils is set up properly.  In a standalone application, you need to call SecurityUtils.setSecurityManager explicitly _if_ you are not using a DI framework like Spring or Guice.


On Sun, Sep 7, 2008 at 4:18 PM, Animesh Jain <[hidden email]> wrote:
Well how does subject get its securityManager / realm? That may throw some light onto whether the realm needs to be injected elsewhere too.

- Animesh


On Mon, Sep 8, 2008 at 1:46 AM, Animesh Jain <[hidden email]> wrote:
Yup this is a web-app. I'm using Guice for dependency injection so you can think of that as a replacement for Spring. I could send you the whole app too so you'd see what I see. I'm pretty sure there's nothing wrong with the dependency injection here. Because as I said after the login action I'm able to obtain an instance of the subject in a separate action class by calling

Subject subject = getSecurityManager().getSubject()

Here getSecurityManager() gets me an injected SecurityManager correctly with my realm properly configured and all. Right after this line if I call

subject.hasRole("XYZ")

the error gets thrown up.

- Animesh



On Mon, Sep 8, 2008 at 1:38 AM, Les Hazlewood <[hidden email]> wrote:
Is this a web app?  I.e. is there a web.xml file somewhere?

Also, is this a spring application?


On Sun, Sep 7, 2008 at 3:44 PM, Animesh Jain <[hidden email]> wrote:
Ok here's the deal..

I'm injecting a DefaultWebSecurityManager into my action classes, which has my HibernateSecurityRealm set correctly. So calling

Subject subject = getSecurityManager().getSubject();

is giving me the correct currently logged in user. But strangely when I debug the subject instance after getting it, the securityManager it shows is not the same - it has a realm called org.jsecurity.realm.text.PropertiesRealm. Now how is that possible?

I was not using the SecurityUtils class and had not explicitly set a SecurityManager using SecurityUtils.setSecurityManager(). Is that required? Anyway I now added it too but that has had no effect. Still the same error.

So where's the subject instance getting the different implementation from?

Animesh


On Mon, Sep 8, 2008 at 12:52 AM, Les Hazlewood <[hidden email]> wrote:
The SimpleAccountRealm is a fallback/failsafe realm that is used if you haven't correctly configured a realm yourself.  What does your JSecurity configuration look like?


On Sun, Sep 7, 2008 at 3:04 PM, Animesh Jain <[hidden email]> wrote:
Les,

On second thoughts.. I'm still not sure. Why is it that there's SimpleAccountRealm.java in the stacktrace and no HibernateSecurityRealm (the one I implemented)?

Any thoughts?

Animesh


On Mon, Sep 8, 2008 at 12:24 AM, Animesh Jain <[hidden email]> wrote:
Oops! I should have looked at the stacktrace closer. This is unrelated to Jsecurity. I've been working on an integration of Stripes+Guice+Warp persist+Jsecurity. Jsecurity is the last remaining thing and when I got the error I assumed it was because of that :P. So I'll close it here.. maybe I'll drop you an email if I feel I need your help.

Stacktrace:

exception

net.sourceforge.stripes.exception.StripesServletException: Unhandled exception in exception handler.
    net.sourceforge.stripes.exception.DefaultExceptionHandler.handle(DefaultExceptionHandler.java:158)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:249)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)

root cause

java.util.NoSuchElementException
    java.util.Collections$EmptySet$1.next(Collections.java:2910)
    java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:157)
    org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:265)
    org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
    org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
    org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
    org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
    bookmark.web.action.HomeAction.preAction(HomeAction.java:14)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:585)
    net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:442)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74)
    net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:440)
    net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:285)
    net.sourceforge.stripes.controller.DispatcherServlet.doPost(DispatcherServlet.java:167)
    net.sourceforge.stripes.controller.DispatcherServlet.doGet(DispatcherServlet.java:67)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:246)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)



On Mon, Sep 8, 2008 at 12:13 AM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

Your realm implementation looks fine.  But, JSecurity doesn't throw a NoSuchElementException anywhere in its code.  I'm assuming this has to do with how a collection is being used, either iterated by JSecurity, or something happening in your DAO layer.

Please include the stacktrace - it is very hard to debug without it ;)

Thanks,

Les














Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Here's what I have right now

----------------------------------------

public class GuiceWebConfiguration extends IniWebConfiguration {

  public static final String INJECTOR_FACTORY_CLASS = "InjectorFactoryClass";
  public static final String INJECTOR_FACTORY_METHOD = "InjectorFactoryMethod";

  private static final Log log = LogFactory.getLog(GuiceWebConfiguration.class);

  protected Injector injector;

  public Injector getInjector() {
    return injector;
  }

  public void setInjector(Injector injector) {
    this.injector = injector;
  }

  public GuiceWebConfiguration() {
  }

  @Override
  public void init() throws JSecurityException {
    String className = getFilterConfig().getInitParameter(INJECTOR_FACTORY_CLASS);
    String methodName = getFilterConfig().getInitParameter(INJECTOR_FACTORY_METHOD);
    /*
    Get injector from a class which holds an instance for this application. I had a static method in a class that returns the injector.
    I've put the class name and method name in filter init params.
    */
    try {
      Class clazz = Class.forName(className);
      Method method = clazz.getMethod(methodName);
      Injector injector = (Injector) method.invoke(null);
      setInjector(injector);
    } catch (ClassNotFoundException e) {
      log.error("Injector factory class not found - "+className, e);
      throw new JSecurityException("Injector factory class not found - "+className, e);
    } catch (NoSuchMethodException e) {
      log.error("Injector factory method not found - "+methodName+" in class "+className, e);
      throw new JSecurityException("Injector factory method not found - "+methodName+" in class "+className, e);
    } catch (InvocationTargetException e) {
      log.error("InvocationTargetException when trying to invoke - "+methodName+" in class "+className, e);
      throw new JSecurityException("InvocationTargetException when trying to invoke - "+methodName+" in class "+className, e);
    } catch (IllegalAccessException e) {
      log.error("IllegalAccessException when trying to invoke - "+methodName+" in class "+className, e);
      throw new JSecurityException("IllegalAccessException when trying to invoke - "+methodName+" in class "+className, e);
    }
    super.init();
  }

  @Override
  protected SecurityManager createDefaultSecurityManager() {
    return createSecurityManager(null);
  }

  @Override
  protected SecurityManager createSecurityManager(Map<String, Map<String, String>> sections) {
    return getOrCreateSecurityManager(injector, sections);
  }

  protected SecurityManager getOrCreateSecurityManager(Injector injector, Map<String, Map<String, String>> sections) {
    System.out.println("Trying to create Security Manager");
    SecurityManager securityManager = null;
    if (injector != null) {
      /*
      The security manager is obtained using the Guice injector.
      Typically one will have to use a custom provider and bind it to the DefaultWebSecurityManager class
      This is the way Guice handles external configuration
      */
      securityManager = injector.getInstance(DefaultWebSecurityManager.class);
      SecurityUtils.setSecurityManager(securityManager);
    } else {
      throw new JSecurityException("Injector is null. Cannot instantiate security manager");
    }

    return securityManager;
  }

}


On Sun, Sep 14, 2008 at 12:05 PM, Animesh Jain <[hidden email]> wrote:
Hey..

Finally found some time and got things working. Wrote a GuiceWebConfiguration as you suggested with some effort. Not sure if it's good enough for inclusion in Jsecurity, although I'll share whatever I have here. Should I email the class to you Les?

Animesh


On Mon, Sep 8, 2008 at 2:13 AM, Animesh Jain <[hidden email]> wrote:
Ok now it makes sense. I completely forgot about the filter! Will go to sleep now (late night in my part of the world) and update when I figure this out.

Thanks a lot for the help Les :)

- Animesh


On Mon, Sep 8, 2008 at 2:02 AM, Les Hazlewood <[hidden email]> wrote:
The realm needs to be injected into the security manager only once:

securityManager.setRealm(realm);

This will ensure the lazily-created PropertiesRealm (the fallback/failsafe one) is not created.

In a web app, the JSecurityFilter ensures SecurityUtils is set up properly.  In a standalone application, you need to call SecurityUtils.setSecurityManager explicitly _if_ you are not using a DI framework like Spring or Guice.


On Sun, Sep 7, 2008 at 4:18 PM, Animesh Jain <[hidden email]> wrote:
Well how does subject get its securityManager / realm? That may throw some light onto whether the realm needs to be injected elsewhere too.

- Animesh


On Mon, Sep 8, 2008 at 1:46 AM, Animesh Jain <[hidden email]> wrote:
Yup this is a web-app. I'm using Guice for dependency injection so you can think of that as a replacement for Spring. I could send you the whole app too so you'd see what I see. I'm pretty sure there's nothing wrong with the dependency injection here. Because as I said after the login action I'm able to obtain an instance of the subject in a separate action class by calling

Subject subject = getSecurityManager().getSubject()

Here getSecurityManager() gets me an injected SecurityManager correctly with my realm properly configured and all. Right after this line if I call

subject.hasRole("XYZ")

the error gets thrown up.

- Animesh



On Mon, Sep 8, 2008 at 1:38 AM, Les Hazlewood <[hidden email]> wrote:
Is this a web app?  I.e. is there a web.xml file somewhere?

Also, is this a spring application?


On Sun, Sep 7, 2008 at 3:44 PM, Animesh Jain <[hidden email]> wrote:
Ok here's the deal..

I'm injecting a DefaultWebSecurityManager into my action classes, which has my HibernateSecurityRealm set correctly. So calling

Subject subject = getSecurityManager().getSubject();

is giving me the correct currently logged in user. But strangely when I debug the subject instance after getting it, the securityManager it shows is not the same - it has a realm called org.jsecurity.realm.text.PropertiesRealm. Now how is that possible?

I was not using the SecurityUtils class and had not explicitly set a SecurityManager using SecurityUtils.setSecurityManager(). Is that required? Anyway I now added it too but that has had no effect. Still the same error.

So where's the subject instance getting the different implementation from?

Animesh


On Mon, Sep 8, 2008 at 12:52 AM, Les Hazlewood <[hidden email]> wrote:
The SimpleAccountRealm is a fallback/failsafe realm that is used if you haven't correctly configured a realm yourself.  What does your JSecurity configuration look like?


On Sun, Sep 7, 2008 at 3:04 PM, Animesh Jain <[hidden email]> wrote:
Les,

On second thoughts.. I'm still not sure. Why is it that there's SimpleAccountRealm.java in the stacktrace and no HibernateSecurityRealm (the one I implemented)?

Any thoughts?

Animesh


On Mon, Sep 8, 2008 at 12:24 AM, Animesh Jain <[hidden email]> wrote:
Oops! I should have looked at the stacktrace closer. This is unrelated to Jsecurity. I've been working on an integration of Stripes+Guice+Warp persist+Jsecurity. Jsecurity is the last remaining thing and when I got the error I assumed it was because of that :P. So I'll close it here.. maybe I'll drop you an email if I feel I need your help.

Stacktrace:

exception

net.sourceforge.stripes.exception.StripesServletException: Unhandled exception in exception handler.
    net.sourceforge.stripes.exception.DefaultExceptionHandler.handle(DefaultExceptionHandler.java:158)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:249)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)

root cause

java.util.NoSuchElementException
    java.util.Collections$EmptySet$1.next(Collections.java:2910)
    java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:157)
    org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:265)
    org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
    org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
    org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
    org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
    bookmark.web.action.HomeAction.preAction(HomeAction.java:14)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:585)
    net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:442)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74)
    net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:440)
    net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:285)
    net.sourceforge.stripes.controller.DispatcherServlet.doPost(DispatcherServlet.java:167)
    net.sourceforge.stripes.controller.DispatcherServlet.doGet(DispatcherServlet.java:67)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:246)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)



On Mon, Sep 8, 2008 at 12:13 AM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

Your realm implementation looks fine.  But, JSecurity doesn't throw a NoSuchElementException anywhere in its code.  I'm assuming this has to do with how a collection is being used, either iterated by JSecurity, or something happening in your DAO layer.

Please include the stacktrace - it is very hard to debug without it ;)

Thanks,

Les
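
The comment in the GuiceWebConfiguration post above mentions binding a custom provider to DefaultWebSecurityManager, and the earlier reply says the realm must be set on the security manager once. One way that Guice wiring could look, as an added example that is not part of the thread or of JSecurity: SecurityModule, SecurityManagerProvider and verifySingleManager are hypothetical names, the org.jsecurity.web package for DefaultWebSecurityManager is an assumption, and HibernateSecurityRealm is assumed to be in the same package and constructible by Guice.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Inject;
import com.google.inject.Injector;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import org.jsecurity.realm.Realm;
import org.jsecurity.web.DefaultWebSecurityManager; // package name assumed

/**
 * Hypothetical Guice module: every injection point AND the JSecurityFilter
 * (through GuiceWebConfiguration) must receive the same manager instance,
 * and that instance must already carry the application's realm.
 */
public class SecurityModule extends AbstractModule {

  @Override
  protected void configure() {
    // The realm written in the first post of the thread.
    bind(Realm.class).to(HibernateSecurityRealm.class).in(Singleton.class);

    // Singleton scope is the important part. Without it each getInstance()
    // call builds a new manager, so the filter and the action classes would
    // again hold different managers, which is the symptom in this thread.
    bind(DefaultWebSecurityManager.class)
        .toProvider(SecurityManagerProvider.class)
        .in(Singleton.class);
  }

  /** Builds the manager and sets the realm on it exactly once. */
  static class SecurityManagerProvider implements Provider<DefaultWebSecurityManager> {

    private final Realm realm;

    @Inject
    SecurityManagerProvider(Realm realm) {
      this.realm = realm;
    }

    public DefaultWebSecurityManager get() {
      if (realm == null) {
        // Fail closed: a manager without an explicit realm falls back to the
        // lazily created failsafe realm described earlier in the thread.
        throw new IllegalStateException("No Realm bound; refusing to create a SecurityManager");
      }
      DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
      securityManager.setRealm(realm);
      return securityManager;
    }
  }

  /**
   * Startup check (hypothetical helper): confirms the injector hands out one
   * shared manager, so role checks never reach a second, unconfigured one.
   */
  public static DefaultWebSecurityManager verifySingleManager(Injector injector) {
    DefaultWebSecurityManager first = injector.getInstance(DefaultWebSecurityManager.class);
    DefaultWebSecurityManager second = injector.getInstance(DefaultWebSecurityManager.class);
    if (first != second) {
      throw new IllegalStateException(
          "DefaultWebSecurityManager is not singleton-scoped; filter and actions would diverge");
    }
    return first;
  }
}
```

Calling verifySingleManager once, right after the injector is created, turns a misconfigured scope into a startup failure instead of a failed role check at request time.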















Re: Stuck - authentication works but authorization is not working.

Les Hazlewood-2
Hi Animesh,

This is good stuff, thanks very much!

Could you please open an issue in our Jira (https://issues.apache.org/jira/browse/JSEC) and attach that class?

Also, since we are an ASF 2.0 licensed project, please indicate in the issue comment that your contribution is submitted under the ASF 2.0 license to the ASF.

Once you've done that, I can add it in asap.  Since 0.9 final is very close to being released, it won't be able to make it in for 0.9, but we can have it in immediately after that.

Thanks again,

Les

On Sun, Sep 14, 2008 at 2:41 AM, Animesh Jain <[hidden email]> wrote:
Here's what I have right now

----------------------------------------

public class GuiceWebConfiguration extends IniWebConfiguration {

  public static final String INJECTOR_FACTORY_CLASS = "InjectorFactoryClass";
  public static final String INJECTOR_FACTORY_METHOD = "InjectorFactoryMethod";

  private static final Log log = LogFactory.getLog(GuiceWebConfiguration.class);

  protected Injector injector;

  public Injector getInjector() {
    return injector;
  }

  public void setInjector(Injector injector) {
    this.injector = injector;
  }

  public GuiceWebConfiguration() {
  }

  @Override
  public void init() throws JSecurityException {
    String className = getFilterConfig().getInitParameter(INJECTOR_FACTORY_CLASS);
    String methodName = getFilterConfig().getInitParameter(INJECTOR_FACTORY_METHOD);
    /*
    Get injector from a class which holds an instance for this application. I had a static method in a class that returns the injector.
    I've put the class name and method name in filter init params.
    */
    try {
      Class clazz = Class.forName(className);
      Method method = clazz.getMethod(methodName);
      Injector injector = (Injector) method.invoke(null);
      setInjector(injector);
    } catch (ClassNotFoundException e) {
      log.error("Injector factory class not found - "+className, e);
      throw new JSecurityException("Injector factory class not found - "+className, e);
    } catch (NoSuchMethodException e) {
      log.error("Injector factory method not found - "+methodName+" in class "+className, e);
      throw new JSecurityException("Injector factory method not found - "+methodName+" in class "+className, e);
    } catch (InvocationTargetException e) {
      log.error("InvocationTargetException when trying to invoke - "+methodName+" in class "+className, e);
      throw new JSecurityException("InvocationTargetException when trying to invoke - "+methodName+" in class "+className, e);
    } catch (IllegalAccessException e) {
      log.error("IllegalAccessException when trying to invoke - "+methodName+" in class "+className, e);
      throw new JSecurityException("IllegalAccessException when trying to invoke - "+methodName+" in class "+className, e);
    }
    super.init();
  }

  @Override
  protected SecurityManager createDefaultSecurityManager() {
    return createSecurityManager(null);
  }

  @Override
  protected SecurityManager createSecurityManager(Map<String, Map<String, String>> sections) {
    return getOrCreateSecurityManager(injector, sections);
  }

  protected SecurityManager getOrCreateSecurityManager(Injector injector, Map<String, Map<String, String>> sections) {
    System.out.println("Trying to create Security Manager");
    SecurityManager securityManager = null;
    if (injector != null) {
      /*
      The security manager is obtained using the Guice injector.
      Typically one will have to use a custom provider and bind it to the DefaultWebSecurityManager class
      This is the way Guice handles external configuration
      */
      securityManager = injector.getInstance(DefaultWebSecurityManager.class);
      SecurityUtils.setSecurityManager(securityManager);
    } else {
      throw new JSecurityException("Injector is null. Cannot instantiate security manager");
    }

    return securityManager;

  }

}


On Sun, Sep 14, 2008 at 12:05 PM, Animesh Jain <[hidden email]> wrote:
Hey..

Finally found some time and got things working. Wrote a GuiceWebConfiguration as you suggested with some effort. Not sure if it's good enough for inclusion in Jsecurity, although I'll share whatever I have here. Should I email the class to you Les?

Animesh


On Mon, Sep 8, 2008 at 2:13 AM, Animesh Jain <[hidden email]> wrote:
Ok now it makes sense. I completely forgot about the filter! Will go to sleep now (late night in my part of the world) and update when I figure this out.

Thanks a lot for the help Les :)

- Animesh


On Mon, Sep 8, 2008 at 2:02 AM, Les Hazlewood <[hidden email]> wrote:
The realm needs to be injected into the security manager only once:

securityManager.setRealm(realm);

This will ensure the lazily-created PropertiesRealm (the fallback/failsafe one) is not created.

In a web app, the JSecurityFilter ensures SecurityUtils is set up properly.  In a standalone application, you need to call SecurityUtils.setSecurityManager explicitly _if_ you are not using a DI framework like Spring or Guice.


On Sun, Sep 7, 2008 at 4:18 PM, Animesh Jain <[hidden email]> wrote:
Well how does subject get its securityManager / realm? That may throw some light onto whether the realm needs to be injected elsewhere too.

- Animesh


On Mon, Sep 8, 2008 at 1:46 AM, Animesh Jain <[hidden email]> wrote:
Yup this is a web-app. I'm using Guice for dependency injection so you can think of that as a replacement for Spring. I could send you the whole app too so you'd see what I see. I'm pretty sure there's nothing wrong with the dependency injection here. Because as I said after the login action I'm able to obtain an instance of the subject in a separate action class by calling

Subject subject = getSecurityManager().getSubject()

Here getSecurityManager() gets me an injected SecurityManager correctly with my realm properly configured and all. Right after this line if I call

subject.hasRole("XYZ")

the error gets thrown up.

- Animesh



On Mon, Sep 8, 2008 at 1:38 AM, Les Hazlewood <[hidden email]> wrote:
Is this a web app?  I.e. is there a web.xml file somewhere?

Also, is this a spring application?


On Sun, Sep 7, 2008 at 3:44 PM, Animesh Jain <[hidden email]> wrote:
Ok here's the deal..

I'm injecting a DefaultWebSecurityManager into my action classes, which has my HibernateSecurityRealm set correctly. So calling

Subject subject = getSecurityManager().getSubject();

is giving me the correct currently logged in user. But strangely when I debug the subject instance after getting it, the securityManager it shows is not the same - it has a realm called org.jsecurity.realm.text.PropertiesRealm. Now how is that possible?

I was not using the SecurityUtils class and had not explicitly set a SecurityManager using SecurityUtils.setSecurityManager(). Is that required? Anyway I now added it too but that has had no effect. Still the same error.

So where's the subject instance getting the different implementation from?

Animesh


On Mon, Sep 8, 2008 at 12:52 AM, Les Hazlewood <[hidden email]> wrote:
The SimpleAccountRealm is a fallback/failsafe realm that is used if you haven't correctly configured a realm yourself.  What does your JSecurity configuration look like?


On Sun, Sep 7, 2008 at 3:04 PM, Animesh Jain <[hidden email]> wrote:
Les,

On second thoughts.. I'm still not sure. Why is it that there's SimpleAccountRealm.java in the stacktrace and no HibernateSecurityRealm (the one I implemented)?

Any thoughts?

Animesh


On Mon, Sep 8, 2008 at 12:24 AM, Animesh Jain <[hidden email]> wrote:
Oops! I should have looked at the stacktrace closer. This is unrelated to Jsecurity. I've been working on an integration of Stripes+Guice+Warp persist+Jsecurity. Jsecurity is the last remaining thing and when I got the error I assumed it was because of that :P. So I'll close it here.. maybe I'll drop you an email if I feel I need your help.

Stacktrace:

exception

net.sourceforge.stripes.exception.StripesServletException: Unhandled exception in exception handler.
    net.sourceforge.stripes.exception.DefaultExceptionHandler.handle(DefaultExceptionHandler.java:158)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:249)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)

root cause

java.util.NoSuchElementException
    java.util.Collections$EmptySet$1.next(Collections.java:2910)
    java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:157)
    org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:265)
    org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
    org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
    org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
    org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
    bookmark.web.action.HomeAction.preAction(HomeAction.java:14)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:585)
    net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:442)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74)
    net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:440)
    net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:285)
    net.sourceforge.stripes.controller.DispatcherServlet.doPost(DispatcherServlet.java:167)
    net.sourceforge.stripes.controller.DispatcherServlet.doGet(DispatcherServlet.java:67)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:246)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)



On Mon, Sep 8, 2008 at 12:13 AM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

Your realm implementation looks fine.  But, JSecurity doesn't throw a NoSuchElementException anywhere in its code.  I'm assuming this has to do with how a collection is being used, either iterated by JSecurity, or something happening in your DAO layer.

Please include the stacktrace - it is very hard to debug without it ;)

Thanks,

Les
















Re: Stuck - authentication works but authorization is not working.

Animesh Jain
Hi Les

I finally opened a Jira for the Guice integration. Let me know if something's missing. I couldn't get url based authentication to work though.. I'll start a thread about it on the mailing list later.

Cheers
Animesh
--------------------------
http://twitter.com/animeshjain


On Sun, Sep 14, 2008 at 8:32 PM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

This is good stuff, thanks very much!

Could you please open an issue in our Jira (https://issues.apache.org/jira/browse/JSEC) and attach that class?

Also, since we are an ASF 2.0 licensed project, please indicate in the issue comment that your contribution is submitted under the ASF 2.0 license to the ASF.

Once you've done that, I can add it in asap.  Since 0.9 final is very close to being released, it won't be able to make it in for 0.9, but we can have it in immediately after that.

Thanks again,

Les


On Sun, Sep 14, 2008 at 2:41 AM, Animesh Jain <[hidden email]> wrote:
Here's what I have right now

----------------------------------------

public class GuiceWebConfiguration extends IniWebConfiguration {

  public static final String INJECTOR_FACTORY_CLASS = "InjectorFactoryClass";
  public static final String INJECTOR_FACTORY_METHOD = "InjectorFactoryMethod";

  private static final Log log = LogFactory.getLog(GuiceWebConfiguration.class);

  protected Injector injector;

  public Injector getInjector() {
    return injector;
  }

  public void setInjector(Injector injector) {
    this.injector = injector;
  }

  public GuiceWebConfiguration() {
  }

  @Override
  public void init() throws JSecurityException {
    String className = getFilterConfig().getInitParameter(INJECTOR_FACTORY_CLASS);
    String methodName = getFilterConfig().getInitParameter(INJECTOR_FACTORY_METHOD);
    /*
    Get injector from a class which holds an instance for this application. I had a static method in a class that returns the injector.
    I've put the class name and method name in filter init params.
    */
    try {
      Class clazz = Class.forName(className);
      Method method = clazz.getMethod(methodName);
      Injector injector = (Injector) method.invoke(null);
      setInjector(injector);
    } catch (ClassNotFoundException e) {
      log.error("Injector factory class not found - "+className, e);
      throw new JSecurityException("Injector factory class not found - "+className, e);
    } catch (NoSuchMethodException e) {
      log.error("Injector factory method not found - "+methodName+" in class "+className, e);
      throw new JSecurityException("Injector factory method not found - "+methodName+" in class "+className, e);
    } catch (InvocationTargetException e) {
      log.error("InvocationTargetException when trying to invoke - "+methodName+" in class "+className, e);
      throw new JSecurityException("InvocationTargetException when trying to invoke - "+methodName+" in class "+className, e);
    } catch (IllegalAccessException e) {
      log.error("IllegalAccessException when trying to invoke - "+methodName+" in class "+className, e);
      throw new JSecurityException("IllegalAccessException when trying to invoke - "+methodName+" in class "+className, e);
    }
    super.init();
  }

  @Override
  protected SecurityManager createDefaultSecurityManager() {
    return createSecurityManager(null);
  }

  @Override
  protected SecurityManager createSecurityManager(Map<String, Map<String, String>> sections) {
    return getOrCreateSecurityManager(injector, sections);
  }

  protected SecurityManager getOrCreateSecurityManager(Injector injector, Map<String, Map<String, String>> sections) {
    System.out.println("Trying to create Security Manager");
    SecurityManager securityManager = null;
    if (injector != null) {
      /*
      The security manager is obtained using the Guice injector.
      Typically one will have to use a custom provider and bind it to the DefaultWebSecurityManager class
      This is the way Guice handles external configuration
      */
      securityManager = injector.getInstance(DefaultWebSecurityManager.class);
      SecurityUtils.setSecurityManager(securityManager);
    } else {
      throw new JSecurityException("Injector is null. Cannot instantiate security manager");
    }

    return securityManager;

  }

}


On Sun, Sep 14, 2008 at 12:05 PM, Animesh Jain <[hidden email]> wrote:
Hey..

Finally found some time and got things working. Wrote a GuiceWebConfiguration as you suggested with some effort. Not sure if it's good enough for inclusion in Jsecurity, although I'll share whatever I have here. Should I email the class to you Les?

Animesh


On Mon, Sep 8, 2008 at 2:13 AM, Animesh Jain <[hidden email]> wrote:
Ok now it makes sense. I completely forgot about the filter! Will go to sleep now (late night in my part of the world) and update when I figure this out.

Thanks a lot for the help Les :)

- Animesh


On Mon, Sep 8, 2008 at 2:02 AM, Les Hazlewood <[hidden email]> wrote:
The realm needs to be injected into the security manager only once:

securityManager.setRealm(realm);

This will ensure the lazily-created PropertiesRealm (the fallback/failsafe one) is not created.

In a web app, the JSecurityFilter ensures SecurityUtils is set up properly.  In a standalone application, you need to call SecurityUtils.setSecurityManager explicitly _if_ you are not using a DI framework like Spring or Guice.


On Sun, Sep 7, 2008 at 4:18 PM, Animesh Jain <[hidden email]> wrote:
Well how does subject get its securityManager / realm? That may throw some light onto whether the realm needs to be injected elsewhere too.

- Animesh


On Mon, Sep 8, 2008 at 1:46 AM, Animesh Jain <[hidden email]> wrote:
Yup this is a web-app. I'm using Guice for dependency injection so you can think of that as a replacement for Spring. I could send you the whole app too so you'd see what I see. I'm pretty sure there's nothing wrong with the dependency injection here. Because as I said after the login action I'm able to obtain an instance of the subject in a separate action class by calling

Subject subject = getSecurityManager().getSubject()

Here getSecurityManager() gets me an injected SecurityManager correctly with my realm properly configured and all. Right after this line if I call

subject.hasRole("XYZ")

the error gets thrown up.

- Animesh



On Mon, Sep 8, 2008 at 1:38 AM, Les Hazlewood <[hidden email]> wrote:
Is this a web app?  I.e. is there a web.xml file somewhere?

Also, is this a spring application?


On Sun, Sep 7, 2008 at 3:44 PM, Animesh Jain <[hidden email]> wrote:
Ok here's the deal..

I'm injecting a DefaultWebSecurityManager into my action classes, which has my HibernateSecurityRealm set correctly. So calling

Subject subject = getSecurityManager().getSubject();

is giving me the correct currently logged in user. But strangely when I debug the subject instance after getting it, the securityManager it shows is not the same - it has a realm called org.jsecurity.realm.text.PropertiesRealm. Now how is that possible?

I was not using the SecurityUtils class and had not explicitly set a SecurityManager using SecurityUtils.setSecurityManager(). Is that required? Anyway I now added it too but that has had no effect. Still the same error.

So where's the subject instance getting the different implementation from?

Animesh


On Mon, Sep 8, 2008 at 12:52 AM, Les Hazlewood <[hidden email]> wrote:
The SimpleAccountRealm is a fallback/failsafe realm that is used if you haven't correctly configured a realm yourself.  What does your JSecurity configuration look like?


On Sun, Sep 7, 2008 at 3:04 PM, Animesh Jain <[hidden email]> wrote:
Les,

On second thoughts.. I'm still not sure. Why is it that there's SimpleAccountRealm.java in the stacktrace and no HibernateSecurityRealm (the one I implemented)?

Any thoughts?

Animesh


On Mon, Sep 8, 2008 at 12:24 AM, Animesh Jain <[hidden email]> wrote:
Oops! I should have looked at the stacktrace closer. This is unrelated to Jsecurity. I've been working on an integration of Stripes+Guice+Warp persist+Jsecurity. Jsecurity is the last remaining thing and when I got the error I assumed it was because of that :P. So I'll close it here.. maybe I'll drop you an email if I feel I need your help.

Stacktrace:

exception

net.sourceforge.stripes.exception.StripesServletException: Unhandled exception in exception handler.
    net.sourceforge.stripes.exception.DefaultExceptionHandler.handle(DefaultExceptionHandler.java:158)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:249)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)

root cause

java.util.NoSuchElementException
    java.util.Collections$EmptySet$1.next(Collections.java:2910)
    java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:157)
    org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:265)
    org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
    org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
    org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
    org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
    bookmark.web.action.HomeAction.preAction(HomeAction.java:14)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:585)
    net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:442)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
    net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
    net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74)
    net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:440)
    net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:285)
    net.sourceforge.stripes.controller.DispatcherServlet.doPost(DispatcherServlet.java:167)
    net.sourceforge.stripes.controller.DispatcherServlet.doGet(DispatcherServlet.java:67)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:246)
    org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    com.wideplay.warp.hibernate.SessionPerRequestFilter.doFilter(SessionPerRequestFilter.java:53)



On Mon, Sep 8, 2008 at 12:13 AM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

Your realm implementation looks fine.  But, JSecurity doesn't throw a NoSuchElementException anywhere in its code.  I'm assuming this has to do with how a collection is being used, either iterated by JSecurity, or something happening in your DAO layer.

Please include the stacktrace - it is very hard to debug without it ;)

Thanks,

Les
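
The wiring discussed in this thread (set the realm on the security manager once, and have the filter and the action classes share that one manager), sketched as a Guice module. This is an added example, not code from the thread or from JSecurity; SecurityModule, SecurityManagerProvider and getInjector are hypothetical names, and HibernateSecurityRealm is assumed to be the poster's realm class, constructible by Guice and in the same package.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Inject;
import com.google.inject.Injector;
import com.google.inject.Provider;
import com.google.inject.Scopes;
import org.jsecurity.realm.Realm;
import org.jsecurity.web.DefaultWebSecurityManager;

// Hypothetical module; HibernateSecurityRealm is the realm class from the first post.
public class SecurityModule extends AbstractModule {

  // The one injector for the whole application. The InjectorFactoryClass and
  // InjectorFactoryMethod filter init params would name this class and getInjector.
  private static final Injector INJECTOR = Guice.createInjector(new SecurityModule());

  public static Injector getInjector() {
    return INJECTOR;
  }

  @Override
  protected void configure() {
    bind(Realm.class).to(HibernateSecurityRealm.class).in(Scopes.SINGLETON);
    // Singleton scope is the point: action classes and the filter's
    // injector.getInstance(DefaultWebSecurityManager.class) receive the same
    // instance, so role checks never run against a second manager.
    bind(DefaultWebSecurityManager.class)
        .toProvider(SecurityManagerProvider.class)
        .in(Scopes.SINGLETON);
  }

  static class SecurityManagerProvider implements Provider<DefaultWebSecurityManager> {
    private final Realm realm;

    @Inject
    SecurityManagerProvider(Realm realm) {
      this.realm = realm;
    }

    public DefaultWebSecurityManager get() {
      DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
      // Set the realm once, before first use, so the fallback realm is never created.
      securityManager.setRealm(realm);
      return securityManager;
    }
  }
}
```

If the web filter builds its own manager instead of asking this injector, authentication and role checks can end up on different realms, which is the symptom in the stack trace (SimpleAccountRealm in place of HibernateSecurityRealm).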