Question: Where is the implementation for JavaEE6?
I'm currently working on a JavaEE6 project and I found out that Shiro's annotation is not working out of the box even though I already configured web.xml and shiro.ini base on the documentation.
This is what I have:
1.) A page:
<h:form>
<h:commandLink action="#{userBean.action1()}" value="Action 1"></h:commandLink>
</h:form>
2.) Backing bean:
@Stateless
@Named
public class UserBean {
@Inject
private Logger log;
@RequiresAuthentication
public void action1() {
log.debug("action.1");
}
}
3.) web.xml
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
4.) shiro.ini
[main]
# listener = org.apache.shiro.config.event.LoggingBeanListener
shiro.loginUrl = /login.xhtml
[users]
# format: username = password, role1, role2, ..., roleN
root = secret,admin
guest = guest,guest
presidentskroob = 12345,president
darkhelmet = ludicrousspeed,darklord,schwartz
lonestarr = vespa,goodguy,schwartz
[roles]
# format: roleName = permission1, permission2, ..., permissionN
admin = *
schwartz = lightsaber:*
goodguy = winnebago:drive:eagle5
[urls]
# The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but
# the 'authc' filter must still be specified for it so it can process that url's
# login submissions. It is 'smart' enough to allow those requests through as specified by the
# shiro.loginUrl above.
/login.xhtml = authc
/logout = logout
/account/** = authc
/remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"]
But when I click the button, it still performs the action. It should throw unauthorizede exception right? The same is true with other shiro annotations.
Note that if I manually performs the check, it works:
public void action1() {
Subject currentUser = SecurityUtils.getSubject();
AuthenticationToken token = new UsernamePasswordToken("guest", "guest");
currentUser.login(token);
log.debug("user." + currentUser);
if (currentUser.isAuthenticated()) {
log.debug("action.1");
} else {
log.debug("not authenticated");
}
}
Thanks,
czetsuya
Basically, what I'm missing is the implementation for Shiro's Requires* interfaces so I implemented depending on my needs. For those of you who are interested you can find it here: http://czetsuya-tech.blogspot.com/2012/10/how-to-integrate-apache-shiro-with.html