using CXF with JSecurity

using CXF with JSecurity

jvreeker
Hi,

I have a tomcat server, with spring using cxf to enable the soap calls.

So I have a soap call login. When I call securityManager.getSubject() I always get the same subject back.
I thought it was because I am using org.jsecurity.mgt.DefaultSecurityManager.

So I tried DefaultWebSecurityManager but then I am getting errors.
No ServletRequest found in ThreadContext. Make sure WebUtils.bind() is being called.

But in the first option if I use getSubject().GetSession it returns different sessions.
Should I then use SessionManager and the correct sessionID?

Is this the correct way?
Thanks,
Jelle

Re: using CXF with JSecurity

Les Hazlewood-2
Hi Jelle,

The appropriate set-up for a web-enabled application is to use the JSecurityFilter in web.xml.  It will set up a DefaultWebSecurityManager and do Request binding automatically:

http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

After the filter is defined, just do this anywhere in code:

SecurityUtils.getSubject();

You shouldn't interact with the SecurityManager directly unless you're programming infrastructure/framework code.

Check out the sample web application in the jsecurity distribution and look at its web.xml file and applicationContext.xml file.  It shows you how to configure Realms and other things in Spring which will then be accessible to the JSecurityFilter at runtime.

Cheers,

Les

On Tue, Feb 3, 2009 at 12:17 PM, jvreeker <[hidden email]> wrote:

Hi,

I have a tomcat server, with spring using cxf to enable the soap calls.

So I have a soap call login. When I call securityManager.getSubject() I always get
the same subject back.
I thought it was because I am using org.jsecurity.mgt.DefaultSecurityManager.

So I tried DefaultWebSecurityManager but then I am getting errors.
No ServletRequest found in ThreadContext. Make sure WebUtils.bind() is being
called.

But in the first option if I use getSubject().GetSession it returns
different sessions.
Should I then use SessionManager and the correct sessionID?

Is this the correct way?
Thanks,
Jelle

Re: using CXF with JSecurity

jvreeker
Hi Les,

So I built in the JSecurityFilter, but if I use SecurityUtils.getSubject().getSession() I still get different sessions. I need the same session, because if I am logged in I use the function setAttribute.
TRACE org.jsecurity.session.mgt.DefaultSessionManager  - Creating session for originating host [/192.168.0.37]

Why is it still creating new sessions?

Jelle


Re: using CXF with JSecurity

Les Hazlewood-2
Can we see the relevant parts of your web.xml and Spring xml configuration?  It's hard to say without it...

On Wed, Feb 4, 2009 at 12:07 PM, jvreeker <[hidden email]> wrote:

Hi Les,

So I built in the JSecurityFilter, but if I use
SecurityUtils.getSubject().getSession() I still get different sessions. I
need the same session, because if I am logged in I use the function
setAttribute.
TRACE org.jsecurity.session.mgt.DefaultSessionManager  - Creating session
for originating host [/192.168.0.37]

Why is it still creating new sessions?

Jelle



Re: using CXF with JSecurity

jvreeker
Spring xml looks like this

<bean id="securityManager" class="org.jsecurity.web.DefaultWebSecurityManager">
    <property name="realm" ref="poloRealm"/>
    <property name="sessionMode" value="jsecurity"/>
</bean>

<bean id="poloCredentialsMatcher" class="polo.security.PoloCredentialsMatcher">
    <property name="userController" ref="userController"/>
</bean>

<bean id="poloRealm" class="polo.security.PoloRealm">
    <property name="credentialsMatcher" ref="poloCredentialsMatcher"/>
</bean>

<bean id="lifecycleBeanPostProcessor" class="org.jsecurity.spring.LifecycleBeanPostProcessor"/>

web.xml like this

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>WEB-INF/beans.xml</param-value>
    </context-param>

    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>

    <filter>
        <filter-name>JSecurityFilter</filter-name>
        <filter-class>org.jsecurity.spring.SpringJSecurityFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>
                [main]

            </param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>JSecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>CXFServlet</servlet-name>
        <display-name>CXF Servlet</display-name>
        <servlet-class>
            org.apache.cxf.transport.servlet.CXFServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <servlet-name>service</servlet-name>
        <display-name>Dispatcher Servlet</display-name>
        <servlet-class>
            org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>CXFServlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>service</servlet-name>
        <url-pattern>/service/*</url-pattern>
    </servlet-mapping>
</web-app>


thanks,
Jelle


Re: using CXF with JSecurity

Les Hazlewood-2
<property name="sessionMode" value="jsecurity"/>

This is required if the same session must be accessible across client technologies (web browser + Java Swing application + etc).  If you don't require this, you should remove that property.  Let me know if that works.

Regards,

Les

On Wed, Feb 4, 2009 at 12:46 PM, jvreeker <[hidden email]> wrote:

Spring xml looks like this

 <bean id="securityManager"
class="org.jsecurity.web.DefaultWebSecurityManager">
       <property name="realm" ref="poloRealm"/>
       <property name="sessionMode" value="jsecurity"/>
   </bean>

       <bean id="poloCredentialsMatcher"
class="polo.security.PoloCredentialsMatcher">
               <property name="userController" ref="userController"/>
       </bean>

    <bean id="poloRealm" class="polo.security.PoloRealm">
       <property name="credentialsMatcher" ref="poloCredentialsMatcher"/>
   </bean>

   <bean id="lifecycleBeanPostProcessor"
class="org.jsecurity.spring.LifecycleBeanPostProcessor"/>

web.xml like this

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
       <context-param>
               <param-name>contextConfigLocation</param-name>
               <param-value>WEB-INF/beans.xml</param-value>
       </context-param>

       <listener>
               <listener-class>
                       org.springframework.web.context.ContextLoaderListener
               </listener-class>
       </listener>

<filter>
<filter-name>JSecurityFilter</filter-name>
<filter-class>org.jsecurity.spring.SpringJSecurityFilter</filter-class>
 <init-param><param-name>config</param-name><param-value>
[main]

 </param-value></init-param>
 </filter>

 <filter-mapping>
 <filter-name>JSecurityFilter</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mapping>

<servlet>
 <servlet-name>CXFServlet</servlet-name>
 <display-name>CXF Servlet</display-name>
 <servlet-class>
 org.apache.cxf.transport.servlet.CXFServlet
 </servlet-class>
 <load-on-startup>1</load-on-startup>
</servlet>

<servlet>
 <servlet-name>service</servlet-name>
 <display-name>Dispatcher Servlet</display-name>
 <servlet-class>
 org.springframework.web.servlet.DispatcherServlet
 </servlet-class>
 <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
 <servlet-name>CXFServlet</servlet-name>
 <url-pattern>/*</url-pattern>
</servlet-mapping>

<servlet-mapping>
 <servlet-name>service</servlet-name>
 <url-pattern>/service/*</url-pattern>
</servlet-mapping>
</web-app>


thanks,
Jelle



Re: using CXF with JSecurity

jvreeker
I tried that but that is not working, but what I found out is that I have 2 servlets:
CXFServlet, used for soap calls for real desktop applications,
using org.apache.cxf.transport.servlet.CXFServlet.
This is giving a message like this:
attempting to get session; create = true; session is null = true; session has id = false

Dispatcher Servlet is for a web-based application,
using org.springframework.web.servlet.DispatcherServlet,

but this one is working.
So it has something to do with the CXFServlet.
hmm...

Jelle

Re: using CXF with JSecurity

Les Hazlewood-2
It's probably not the servlet - it's probably the desktop application.  The desktop application needs to send back the session id to the server with each remote method invocation, otherwise the server does not know which session to make available.

Also, if you're using a desktop application sharing session state with a web app, then you'll definitely need to set the session mode = "jsecurity".

See the Spring/Webstart application in our Subversion repository for ideas.

This will be significantly improved and more 'hands off' for desktop applications when JSecurity 1.0 is released.

Cheers,

Les

On Wed, Feb 4, 2009 at 1:52 PM, jvreeker <[hidden email]> wrote:

I tried that but that is not working, but what I found out is that I have 2
servlets:
CXFServlet, used for soap calls for real desktop applications,
using org.apache.cxf.transport.servlet.CXFServlet.
This is giving a message like this:
attempting to get session; create = true; session is null = true; session
has id = false

Dispatcher Servlet is for a web-based application,
using org.springframework.web.servlet.DispatcherServlet,

but this one is working.
So it has something to do with the CXFServlet.
hmm...

Jelle
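
The point in Les's reply above, that the server cannot find the session unless the client sends the session id back on every call, shown as an added example (not code from this thread or from JSecurity). It uses only the JDK's built-in HTTP server and client (Java 11+) rather than CXF or JSecurity; the cookie name, the /soap path and the in-memory session map are constructed for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.CookieManager;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class SessionIdRoundTrip {
    // Constructed stand-in for a server-side session store: session id -> call count.
    static final Map<String, Integer> SESSIONS = new ConcurrentHashMap<>();
    static final String COOKIE = "DEMO_SESSION_ID"; // hypothetical cookie name

    // Extract the session id from a Cookie request header, or null if absent.
    static String sessionIdFrom(String cookieHeader) {
        if (cookieHeader == null) return null;
        for (String part : cookieHeader.split(";")) {
            String p = part.trim();
            if (p.startsWith(COOKIE + "=")) return p.substring(COOKIE.length() + 1);
        }
        return null;
    }

    static HttpServer startServer() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/soap", exchange -> {
            exchange.getRequestBody().readAllBytes(); // drain the request body
            String id = sessionIdFrom(exchange.getRequestHeaders().getFirst("Cookie"));
            boolean known = id != null && SESSIONS.containsKey(id);
            if (!known) {
                // No id, or an id the server never issued: start a fresh session.
                id = UUID.randomUUID().toString();
                exchange.getResponseHeaders().add("Set-Cookie", COOKIE + "=" + id + "; Path=/; HttpOnly");
            }
            int calls = SESSIONS.merge(id, 1, Integer::sum);
            byte[] body = ((known ? "existing" : "created") + " session, call #" + calls)
                    .getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        return server;
    }

    static String call(HttpClient client, URI uri) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(uri)
                .POST(HttpRequest.BodyPublishers.ofString("<login/>")).build();
        return client.send(request, HttpResponse.BodyHandlers.ofString()).body();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startServer();
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/soap");
        HttpClient noCookies = HttpClient.newHttpClient(); // ignores Set-Cookie
        HttpClient withCookies = HttpClient.newBuilder().cookieHandler(new CookieManager()).build();
        for (int i = 0; i < 2; i++) System.out.println("no cookie store:   " + call(noCookies, uri));
        for (int i = 0; i < 2; i++) System.out.println("with cookie store: " + call(withCookies, uri));
        server.stop(0);
    }
}
```

On a JAX-WS client proxy, the standard property `BindingProvider.SESSION_MAINTAIN_PROPERTY` asks the runtime to keep session cookies between calls in the same way the cookie-storing client does here.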


Re: using CXF with JSecurity

jvreeker
Every SOAP function has a param sessionid, but jsecurity is retrieving the session by the id in the HTTP request or something. And the SOAP call is HTTP, but not really web-based.
So I have a sessionID; how can I get the current session and not let jsecurity do that?

Jelle

BTW
Thanks for all the help so far.

