Tags: security, jsf-2, java-ee-6, shiro

Shiro annotation not working on JavaEE6 project


Question: Where is the implementation for JavaEE6?

I'm currently working on a JavaEE6 project and I found out that Shiro's annotation is not working out of the box even though I already configured web.xml and shiro.ini based on the documentation.

This is what I have:

1.) A page:

<h:form>
  <h:commandLink action="#{userBean.action1()}" value="Action 1"></h:commandLink>
</h:form>

2.) Backing bean:

import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.slf4j.Logger; // assumed: log.debug(...) implies an SLF4J-style Logger supplied by a CDI producer

@Stateless
@Named
public class UserBean {
    @Inject
    private Logger log;

    // Expected to reject callers that have not authenticated, but nothing enforces it yet
    @RequiresAuthentication
    public void action1() {
        log.debug("action.1");
    }
}

3.) web.xml

<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

4.) shiro.ini

[main]
# listener = org.apache.shiro.config.event.LoggingBeanListener

shiro.loginUrl = /login.xhtml

[users]
# format: username = password, role1, role2, ..., roleN
root = secret,admin
guest = guest,guest
presidentskroob = 12345,president
darkhelmet = ludicrousspeed,darklord,schwartz
lonestarr = vespa,goodguy,schwartz

[roles]
# format: roleName = permission1, permission2, ..., permissionN
admin = *
schwartz = lightsaber:*
goodguy = winnebago:drive:eagle5

[urls]
# The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but
# the 'authc' filter must still be specified for it so it can process that url's
# login submissions. It is 'smart' enough to allow those requests through as specified by the
# shiro.loginUrl above.
/login.xhtml = authc
/logout = logout
/account/** = authc
/remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"]

But when I click the button, it still performs the action. It should throw an unauthorized exception, right? The same is true with other Shiro annotations.

Note that if I manually perform the check, it works:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

public void action1() {
    Subject currentUser = SecurityUtils.getSubject();
    // credentials taken from the [users] section of shiro.ini above, for this test only
    AuthenticationToken token = new UsernamePasswordToken("guest", "guest");
    currentUser.login(token);

    log.debug("user." + currentUser);
    if (currentUser.isAuthenticated()) {
        log.debug("action.1");
    } else {
        log.debug("not authenticated");
    }
}

Thanks,
czetsuya


Solution

  • Basically, what I'm missing is the implementation for Shiro's Requires* interfaces, so I implemented them depending on my needs. For those of you who are interested, you can find it here: http://czetsuya-tech.blogspot.com/2012/10/how-to-integrate-apache-shiro-with.html
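For illustration, here is one way to supply the missing enforcement with a CDI interceptor that delegates to Shiro's own annotation handlers. This is an added example, not the code from the linked blog post or from Shiro itself; the binding annotation ShiroSecured and the class ShiroInterceptor are names chosen here, and it assumes Shiro 1.x on the classpath and a beans.xml in the web module.

```java
// File 1: ShiroSecured.java (hypothetical name) - a CDI interceptor binding to put on
// beans whose methods carry @RequiresAuthentication, @RequiresRoles, etc.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.interceptor.InterceptorBinding;

@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface ShiroSecured {}

// File 2: ShiroInterceptor.java (hypothetical name). Must be enabled in beans.xml:
//   <interceptors><class>your.pkg.ShiroInterceptor</class></interceptors>
// and the backing bean above gets @ShiroSecured next to @Stateless/@Named.
import java.lang.reflect.Method;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import org.apache.shiro.aop.MethodInvocation;
import org.apache.shiro.authz.aop.AnnotationsAuthorizingMethodInterceptor;

@ShiroSecured
@Interceptor
public class ShiroInterceptor extends AnnotationsAuthorizingMethodInterceptor {

    @AroundInvoke
    public Object checkAuthorization(final InvocationContext ctx) throws Throwable {
        // The inherited invoke() runs Shiro's handlers for @RequiresAuthentication,
        // @RequiresRoles, @RequiresPermissions, @RequiresUser and @RequiresGuest
        // against SecurityUtils.getSubject() and throws AuthorizationException
        // *before* the target method runs; only then does it call proceed().
        return invoke(new MethodInvocation() {
            public Object proceed() throws Throwable { return ctx.proceed(); }
            public Method getMethod()             { return ctx.getMethod(); }
            public Object[] getArguments()        { return ctx.getParameters(); }
            public Object getThis()               { return ctx.getTarget(); }
        });
    }
}
```

Because UserBean is a @Stateless EJB, the container wraps the resulting AuthorizationException (a RuntimeException) in an EJBException, so the JSF action or an error page mapping has to unwrap it to show a meaningful denial.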