I’ve created a JavaEE6 project and currently I’m using Shiro for authentication and authorization. Using this article as a reference (Using Shiro for Authorization via CDI Interceptors then Easily Test with Arquillian), I’ve integrated Shiro with CDI. Everything works fine except for sometimes Subject.getPrincipal is null.
Further, investigations shows that sometimes I have at least 2 Subject.getSession().getId().
How I encounter the problem:
- Login -> ok with sessionA
- Click a link that is secured (pageA) -> ok
- Tried to insert a record in the database that failed
- Click the same secured link (pageA) -> failed, looking at the trace it produced a different session id sessionB
- Refresh and refresh until page (pageA) is ok. Got the same session id during login sessionA.
What could be wrong?
My shiro.ini file
[main]
saltedJdbcRealm=com.sido.commons.web.security.shiro.JdbcRealmImpl
# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName=Portal
# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled=true
# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM users WHERE username = ?
# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM roles a INNER JOIN user_roles b ON a.id=b.role_id INNER JOIN users c ON c.id=b.user_id WHERE c.username = ?
# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM permissions WHERE role = ?
# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName=SHA-256
sha256Matcher.hashIterations=1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
cacheManager=org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile=classpath:shiro-ehcache.xml
securityManager.cacheManager=$cacheManager
shiro.loginUrl = /login.xhtml
[urls]
/login.xhtml = authc
/logout = logout
web.xml
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Production</param-value>
</context-param>
<context-param>
<param-name>primefaces.THEME</param-name>
<param-value>south-street</param-value>
</context-param>
<!-- Welcome page -->
<welcome-file-list>
<welcome-file>home.xhtml</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Map these files with JSF -->
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
SecurityProducer, a Singleton bean where I instantiate the security manager. It should be available and unique to the entire application right?
@Singleton
public class SecurityProducer {
@Inject
private Logger log;
private SecurityManager securityManager;
@PostConstruct
public void init() {
final String iniFile = "classpath:shiro.ini";
log.debug("Initializing Shiro INI SecurityManager using " + iniFile);
securityManager = new IniSecurityManagerFactory(iniFile).getInstance();
SecurityUtils.setSecurityManager(securityManager);
}
..
}
Binding the SecurityManager nor Subject on initialization (Singleton bean) doesn’t fixed the problem.
final String iniFile = "classpath:shiro.ini";
securityManager = new IniSecurityManagerFactory(iniFile).getInstance();
SecurityUtils.setSecurityManager(securityManager);
ThreadContext.bind(SecurityUtils.getSubject()); or ThreadContext.bind(securityManager);
Thanks,
czetsuya
I think I’ve solved the intermittent session issue by configuring the web.xml base here: http://shiro.apache.org/web.html.
Currently here’s how it looks:
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd”
version=”3.0″>
But is that really the solution? Any ideas?