Authentication with Shiro on Zeppelin : principal argument cannot be null - ldap

I want to configure my Zeppelin to authenticate against my AD with LDAP. I've configured the following in conf/shiro.ini:
ldapRealmExtern = org.apache.zeppelin.realm.LdapRealm
ldapRealmExtern.contextFactory.url = ldap://authentication.mycompany.com:389
ldapRealmExtern.contextFactory.systemUsername = CN=user,OU=XX_Func,OU=XX_Users,OU=XX_ACC,OU=XX,DC=xx,DC=FR
ldapRealmExtern.contextFactory.systemPassword = ******
ldapRealmExtern.contextFactory.authenticationMechanism = simple
ldapRealmExtern.authorizationEnabled = true
ldapRealmExtern.userSearchBase = dc=xx,dc=FR
#ldapRealmExtern.userSearchFilter = (&(cn={0})(objectclass=organizationalPerson))
ldapRealmExtern.userSearchFilter = cn={0}
ldapRealmExtern.userObjectClass = organizationalPerson
ldapRealmExtern.userSearchAttributeName = cn
ldapRealmExtern.groupObjectClass = group
ldapRealmExtern.memberAttribute = member
ldapRealmExtern.groupSearchBase = dc=xx,dc=FR
ldapRealmExtern.groupSearchFilter = member={0}
ldapRealmExtern.memberAttributeValueTemplate=cn={0},OU=XX_Intern,OU=XX_Users,OU=XX_ACC,OU=XX,DC=xx,DC=FR
When I start Zeppelin, I can log in, but the following exception is thrown:
WARN [2020-12-03 06:16:56,887] ({qtp1580893732-92} ModularRealmAuthenticator.java[doMultiRealmAuthentication]:224) - Realm [org.apache.zeppelin.realm.LdapRealm#33f9f341] threw an exception during a multi-realm authentication attempt:
java.lang.IllegalArgumentException: principal argument cannot be null.
at org.apache.shiro.subject.SimplePrincipalCollection.add(SimplePrincipalCollection.java:104)
at org.apache.shiro.subject.SimplePrincipalCollection.<init>(SimplePrincipalCollection.java:59)
at org.apache.shiro.authc.SimpleAuthenticationInfo.<init>(SimpleAuthenticationInfo.java:93)
at org.apache.zeppelin.realm.LdapRealm.createAuthenticationInfo(LdapRealm.java:985)
at org.apache.shiro.realm.ldap.DefaultLdapRealm.queryForAuthenticationInfo(DefaultLdapRealm.java:377)
at org.apache.zeppelin.realm.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:268)
at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:295)
at org.apache.zeppelin.realm.LdapRealm.doGetAuthenticationInfo(LdapRealm.java:217)
at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
at org.apache.shiro.web.filter.authc.FormAuthenticationFilter.onAccessDenied(FormAuthenticationFilter.java:154)
at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:502)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.lang.Thread.run(Thread.java:748)
I also have a log line which says that I don't have any roles:
WARN [2020-12-03 06:16:56,947] ({qtp1580893732-92} LoginRestApi.java[postLogin]:206) - {"status":"OK","message":"","body":{"principal":"myuser","ticket":"cb575d5e-a170-4e5f-9160-8350b3853943","roles":"[]"}}
Do you have any idea what is wrong in this configuration? How can I get the groups from my AD?
Thanks

One solution was to upgrade Apache Zeppelin to 0.9.0-preview2. Then the login on Active Directory works again.

We also faced the same error. We are still getting the exception, but we managed to get roles populated for the user, and authorization is working. We changed many properties, but the property which makes the difference is:
ldapRealm.groupSearchEnableMatchingRuleInChain = true
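The setting the answer above found to matter switches the group search from direct membership to Active Directory's transitive membership rule (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941), so groups a user belongs to only through nested groups are returned too. The following is an added example, not Zeppelin's own LdapRealm code: it builds both filters directly against JNDI, in the shape of the question's `groupObjectClass = group`, `memberAttribute = member` and `groupSearchFilter = member={0}`, and assumes `{0}` is the user's DN as the question's `memberAttributeValueTemplate` builds it. The DN in `main` is constructed and deliberately contains parentheses. Two caveats that hold whichever realm runs the search: a value substituted into a filter must be escaped per RFC 4515 first, otherwise a crafted username rewrites the filter; and `ldap://…:389` with `authenticationMechanism = simple` sends the `systemPassword` and every user's password in clear, so the context factory URL should be `ldaps://` (or the connection upgraded with StartTLS).

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example: AD group lookup for a user DN, direct vs. nested (matching rule in chain). */
public class AdGroupLookup {

    /** OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match. */
    static final String MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941";

    /** RFC 4515 escaping for a value that is substituted into a search filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Direct membership only: the shape of "groupSearchFilter = member={0}". */
    static String directGroupFilter(String groupObjectClass, String memberAttribute, String userDn) {
        return "(&(objectClass=" + groupObjectClass + ")(" + memberAttribute + "="
                + escapeFilterValue(userDn) + "))";
    }

    /** Transitive membership: AD walks nested groups server-side. */
    static String nestedGroupFilter(String groupObjectClass, String memberAttribute, String userDn) {
        return "(&(objectClass=" + groupObjectClass + ")(" + memberAttribute + ":"
                + MATCHING_RULE_IN_CHAIN + ":=" + escapeFilterValue(userDn) + "))";
    }

    /** Runs the search under groupSearchBase and returns the CN of every matching group. */
    static List<String> groupsOf(DirContext ctx, String groupSearchBase, String filter)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(groupSearchBase, filter, sc);
        try {
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get("cn");
                if (cn != null) {
                    groups.add(String.valueOf(cn.get()));
                }
            }
        } finally {
            results.close();
        }
        return groups;
    }

    public static void main(String[] args) {
        // Constructed DN in the shape of the question's memberAttributeValueTemplate.
        String userDn = "CN=myuser (ext),OU=XX_Intern,OU=XX_Users,OU=XX_ACC,OU=XX,DC=xx,DC=FR";
        System.out.println(directGroupFilter("group", "member", userDn));
        System.out.println(nestedGroupFilter("group", "member", userDn));
        // Against a live directory: groupsOf(ctx, "dc=xx,dc=FR", nestedGroupFilter("group", "member", userDn))
    }
}
```

The nested filter is the one to compare against the roles the realm actually reports: if `groupsOf` returns the expected groups for the nested filter but not for the direct one, the user's membership is inherited through an intermediate group, which is exactly the case `groupSearchEnableMatchingRuleInChain` covers.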

Related

Getting an error when removing the default apiAuthentication handler and adding myCustomHandler, any idea?

(previously it was working fine, but I don't know what changed)
When I remove the default handler from the synapse configs and add my custom handler, it gives this error:
[2022-01-13 10:44:41,924] ERROR - ServerWorker Error processing POST request for : /dev/21.2/ext-rt/publish/TestTenant/SmooksProviderTranslation.csv.
java.lang.NullPointerException: null
at org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler.doRoleBasedAccessThrottlingWithCEP_aroundBody0(ThrottleHandler.java:193) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler.doRoleBasedAccessThrottlingWithCEP(ThrottleHandler.java:145) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler.doThrottle_aroundBody12(ThrottleHandler.java:585) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler.doThrottle(ThrottleHandler.java:562) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler.handleRequest_aroundBody8(ThrottleHandler.java:522) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler.handleRequest(ThrottleHandler.java:503) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.apache.synapse.rest.API.process(API.java:373) ~[synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144) ~[synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164) ~[synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) ~[synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73) ~[synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331) ~[synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99) ~[synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) ~[axis2_1.6.1.wso2v41.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:426) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v41.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:834) [?:?]
Below is the authenticate() method from the myCustomHandler.java class, which has the AuthenticationContext object:
public boolean authenticate(MessageContext synCtx) throws APISecurityException {
    Map headers = getTransportHeaders(synCtx);
    String authHeader = getAuthorizationHeader(headers);
    String postmanToken = getPostmanToken(headers);
    String clientIP = "10.110.67.195";
    org.apache.axis2.context.MessageContext axis2MessageContext = ((Axis2MessageContext) synCtx)
            .getAxis2MessageContext();
    // Context that downstream handlers (such as the ThrottleHandler) read back from synCtx.
    AuthenticationContext authContext = new AuthenticationContext();
    authContext.setAuthenticated(true);
    // Can modify to support scopes based throttle policy selection
    authContext.setTier(APIConstants.UNLIMITED_TIER);
    authContext.setStopOnQuotaReach(true);
    authContext.setApiKey(clientIP);
    authContext.setKeyType(APIConstants.API_KEY_TYPE_PRODUCTION);
    authContext.setUsername((String) axis2MessageContext.getProperty("user"));
    authContext.setCallerToken(null);
    authContext.setApplicationName(null);
    authContext.setApplicationId(clientIP);
    authContext.setConsumerKey(null);
    log.debug("**** applicationID is --- " + authContext.getApplicationId());
    APISecurityUtils.setAuthenticationContext(synCtx, authContext, null);
    System.out.println("**** TE is HERE");
    log.debug("**** TE is HERE2");
    log.debug("**** Header is --- " + headers);
    log.debug("**** AuthHeader is --- " + authHeader);
    log.debug("**** Postman token is --- " + postmanToken);
    return true;
    /*
     * if (authHeader.startsWith("Bearer ")) { return true; } return false;
     */
}
I think the problem is with the AuthenticationContext object. We populate the authContext object in the authentication handler (in each authenticator [1]), and this object is used in the throttle handler [2]. When you replaced the authentication handler with your custom handler, you might have missed populating this object. Try populating this object as in [1].
[1] - https://github.com/wso2/carbon-apimgt/blob/v6.7.206/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/oauth/OAuthAuthenticator.java#L301
[2] - https://github.com/wso2/carbon-apimgt/blob/v6.7.206/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/throttling/ThrottleHandler.java#L193
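Two things stand out in the posted handler: it marks every request as authenticated and returns `true` before the commented-out `Bearer` check ever runs, and several of the fields it sets are `null` or an IP address. The following is an added example, not WSO2's code and not the answer's OAuthAuthenticator, of a handler in the same shape that fails closed and fills the context with non-null values. Token validation is a placeholder: it compares the bearer token in constant time against a pre-shared token read from a hypothetical `API_GATEWAY_TOKEN` environment variable, and `SERVICE_USER`, the application name and the consumer key are made-up constants. The setters beyond those in the question (`setSubscriberTenantDomain`, `setApplicationTier`, `setApiTier`) are assumed to exist as used in the OAuthAuthenticator linked under [1]; check them against that file for your version.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.rest.AbstractHandler;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext;
import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/** Added example: fail-closed bearer handler that populates the AuthenticationContext fully. */
public class BearerPreSharedTokenHandler extends AbstractHandler {

    private static final Log log = LogFactory.getLog(BearerPreSharedTokenHandler.class);
    // Hypothetical: a single pre-shared bearer token injected through the environment.
    private static final String EXPECTED_TOKEN = System.getenv("API_GATEWAY_TOKEN");
    // Made-up identity attached to requests carrying that token.
    private static final String SERVICE_USER = "svc-publisher@carbon.super";
    private static final String APPLICATION = "preshared-app";

    @Override
    public boolean handleRequest(MessageContext synCtx) {
        try {
            return authenticate(synCtx);
        } catch (APISecurityException e) {
            log.warn("Authentication failed: " + e.getMessage());
            return false; // stops mediation; production code would also build a 401 response here
        }
    }

    @Override
    public boolean handleResponse(MessageContext synCtx) {
        return true;
    }

    public boolean authenticate(MessageContext synCtx) throws APISecurityException {
        org.apache.axis2.context.MessageContext axis2Ctx =
                ((Axis2MessageContext) synCtx).getAxis2MessageContext();
        Map<?, ?> headers = (Map<?, ?>) axis2Ctx.getProperty(
                org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
        String authHeader = headers == null ? null : (String) headers.get("Authorization");

        // Fail closed: no bearer token, no authentication.
        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
            throw new APISecurityException(APISecurityConstants.API_AUTH_MISSING_CREDENTIALS,
                    "Missing bearer token");
        }
        String token = authHeader.substring("Bearer ".length()).trim();
        if (!tokenIsValid(token)) {
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
                    "Invalid bearer token");
        }

        // Every field a downstream handler may dereference gets a real value.
        AuthenticationContext authContext = new AuthenticationContext();
        authContext.setAuthenticated(true);
        authContext.setUsername(SERVICE_USER);
        authContext.setSubscriberTenantDomain(MultitenantUtils.getTenantDomain(SERVICE_USER));
        authContext.setApplicationId(APPLICATION);
        authContext.setApplicationName(APPLICATION);
        authContext.setApplicationTier(APIConstants.UNLIMITED_TIER);
        authContext.setTier(APIConstants.UNLIMITED_TIER);
        authContext.setApiTier(APIConstants.UNLIMITED_TIER);
        authContext.setKeyType(APIConstants.API_KEY_TYPE_PRODUCTION);
        authContext.setApiKey(token);
        authContext.setConsumerKey(APPLICATION);
        authContext.setCallerToken(null);
        authContext.setStopOnQuotaReach(true);
        APISecurityUtils.setAuthenticationContext(synCtx, authContext, null);
        return true;
    }

    /** Constant-time comparison so response timing does not leak how much of the token matched. */
    static boolean tokenIsValid(String presented) {
        if (EXPECTED_TOKEN == null || presented.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                EXPECTED_TOKEN.getBytes(StandardCharsets.UTF_8));
    }
}
```

A pre-shared token is only a stand-in for whatever introspection or signature check your deployment really uses; the structure to keep is the order of operations: reject first, then build a context with no null fields, then hand it to `APISecurityUtils.setAuthenticationContext`.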

NPE while deserializing avro messages in kafka streams

I wrote a small Java class to test the consumption of an Avro-encoded Kafka topic.
Properties appProps = new Properties();
appProps.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "http://***kfk14bro1.lc:9092");
appProps.put(AbstractKafkaAvroSerDeConfig.SCHEMA_REGISTRY_URL_CONFIG, "http://***kfk14str1.lc:8081");
appProps.put(StreamsConfig.APPLICATION_ID_CONFIG, "consumer");
appProps.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, "latest");
appProps.put(StreamsConfig.DEFAULT_DESERIALIZATION_EXCEPTION_HANDLER_CLASS_CONFIG,LogAndContinueExceptionHandler.class);
StreamsBuilder streamsBuilder = new StreamsBuilder();
streamsBuilder.stream("coordinates", Consumed.with(Serdes.String(), new GenericAvroSerde()))
        .peek((key, value) -> System.out.println("key=" + key + ", value=" + value));
new KafkaStreams(streamsBuilder.build(), appProps).start();
When I run this class, the SerdeConfigs are logged alright, as can be seen in the log below:
[consumer-56b0e0ca-d336-45cc-b388-46a68dbfab8b-StreamThread-1] INFO io.confluent.kafka.serializers.KafkaAvroSerializerConfig - KafkaAvroSerializerConfig values:
schema.registry.url = [http://***kfk14str1.lc:8081]
basic.auth.user.info = [hidden]
auto.register.schemas = true
max.schemas.per.subject = 1000
basic.auth.credentials.source = URL
schema.registry.basic.auth.user.info = [hidden]
value.subject.name.strategy = class io.confluent.kafka.serializers.subject.TopicNameStrategy
key.subject.name.strategy = class io.confluent.kafka.serializers.subject.TopicNameStrategy
[normal-consumer-56b0e0ca-d336-45cc-b388-46a68dbfab8b-StreamThread-1] INFO io.confluent.kafka.serializers.KafkaAvroDeserializerConfig - KafkaAvroDeserializerConfig values:
schema.registry.url = [http://***kfk14str1.lc:8081]
basic.auth.user.info = [hidden]
auto.register.schemas = true
max.schemas.per.subject = 1000
basic.auth.credentials.source = URL
schema.registry.basic.auth.user.info = [hidden]
specific.avro.reader = false
value.subject.name.strategy = class io.confluent.kafka.serializers.subject.TopicNameStrategy
key.subject.name.strategy = class io.confluent.kafka.serializers.subject.TopicNameStrategy
but messages are not being consumed, and the log below is generated for every message:
[normal-consumer-56b0e0ca-d336-45cc-b388-46a68dbfab8b-StreamThread-1] WARN org.apache.kafka.streams.errors.LogAndContinueExceptionHandler - Exception caught during Deserialization, taskId: 0_0, topic: coordinates, partition: 0, offset: 782205986
org.apache.kafka.common.errors.SerializationException: Error deserializing Avro message for id 83
Caused by: java.lang.NullPointerException
at io.confluent.kafka.serializers.AbstractKafkaAvroDeserializer.deserialize(AbstractKafkaAvroDeserializer.java:116)
at io.confluent.kafka.serializers.AbstractKafkaAvroDeserializer.deserialize(AbstractKafkaAvroDeserializer.java:88)
at io.confluent.kafka.serializers.KafkaAvroDeserializer.deserialize(KafkaAvroDeserializer.java:55)
at io.confluent.kafka.streams.serdes.avro.GenericAvroDeserializer.deserialize(GenericAvroDeserializer.java:63)
at io.confluent.kafka.streams.serdes.avro.GenericAvroDeserializer.deserialize(GenericAvroDeserializer.java:39)
at org.apache.kafka.common.serialization.Deserializer.deserialize(Deserializer.java:58)
at org.apache.kafka.streams.processor.internals.SourceNode.deserializeValue(SourceNode.java:60)
But I am able to read just fine from the Avro console consumer, so I know there is nothing wrong with the data written to the topic. The command below prints the messages alright:
~/kafka/confluent-5.1.2/bin/kafka-avro-console-consumer --bootstrap-server http://***kfk14bro1.lc:9092 --topic coordinates --property schema.registry.url=http://***kfk14str1.lc:8081 --property auto.offset.reset=latest
When you instantiate an Avro Serde yourself, it is not configured automatically with the schema registry URL.
So either you have to configure it yourself, or you define default serdes by adding:
appProps.setProperty(StreamsConfig.DEFAULT_KEY_SERDE_CLASS_CONFIG, Serdes.String().getClass().getName());
appProps.setProperty(StreamsConfig.DEFAULT_VALUE_SERDE_CLASS_CONFIG, GenericAvroSerde.class.getName());
and by removing
Consumed.with(Serdes.String(), new GenericAvroSerde())
To configure the Serde, use the following code (adapt it to your situation):
GenericAvroSerde genericAvroSerde = new GenericAvroSerde();
boolean isKeySerde = false;
genericAvroSerde.configure(
        Collections.singletonMap(
                AbstractKafkaAvroSerDeConfig.SCHEMA_REGISTRY_URL_CONFIG,
                "http://confluent-schema-registry-server:8081/"),
        isKeySerde);
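Putting the answer together: the `NullPointerException` inside `AbstractKafkaAvroDeserializer.deserialize` is the unconfigured serde having no schema registry client to resolve schema id 83 with, because `Consumed.with(..., new GenericAvroSerde())` bypasses the `StreamsConfig` properties the log shows. The following is an added example, not the question's class or Confluent's code, of the same topology with the value serde configured explicitly. Host names are placeholders (`broker.example`, `schema-registry.example`), and the registry credentials come from a hypothetical `SCHEMA_REGISTRY_USER_INFO` environment variable using the `basic.auth.credentials.source` and `schema.registry.basic.auth.user.info` keys that appear in the question's log.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import io.confluent.kafka.serializers.AbstractKafkaAvroSerDeConfig;
import io.confluent.kafka.streams.serdes.avro.GenericAvroSerde;
import org.apache.avro.generic.GenericRecord;
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.common.serialization.Serde;
import org.apache.kafka.common.serialization.Serdes;
import org.apache.kafka.streams.KafkaStreams;
import org.apache.kafka.streams.StreamsBuilder;
import org.apache.kafka.streams.StreamsConfig;
import org.apache.kafka.streams.Topology;
import org.apache.kafka.streams.errors.LogAndContinueExceptionHandler;
import org.apache.kafka.streams.kstream.Consumed;

/** Added example: Kafka Streams consumer of an Avro topic with an explicitly configured value serde. */
public class AvroCoordinatesConsumer {

    /** A GenericAvroSerde only knows the registry (and its credentials) once configure() has run. */
    static Serde<GenericRecord> avroValueSerde(String registryUrl, String registryUserInfo) {
        Map<String, Object> cfg = new HashMap<>();
        cfg.put(AbstractKafkaAvroSerDeConfig.SCHEMA_REGISTRY_URL_CONFIG, registryUrl);
        if (registryUserInfo != null) {
            // "user:password" for registry basic auth; keys as shown in the question's log.
            cfg.put("basic.auth.credentials.source", "USER_INFO");
            cfg.put("schema.registry.basic.auth.user.info", registryUserInfo);
        }
        // A consumer has no business registering schemas; keep the registry read-only from here.
        cfg.put(AbstractKafkaAvroSerDeConfig.AUTO_REGISTER_SCHEMAS, false);
        GenericAvroSerde serde = new GenericAvroSerde();
        serde.configure(cfg, false); // false: this serde is used for record values, not keys
        return serde;
    }

    static Topology topology(Serde<GenericRecord> valueSerde) {
        StreamsBuilder builder = new StreamsBuilder();
        builder.stream("coordinates", Consumed.with(Serdes.String(), valueSerde))
                .peek((key, value) -> System.out.println("key=" + key + ", value=" + value));
        return builder.build();
    }

    static Properties streamsConfig(String bootstrapServers) {
        Properties p = new Properties();
        // bootstrap.servers is a host:port list; Kafka does not take a URL scheme here.
        p.put(StreamsConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrapServers);
        p.put(StreamsConfig.APPLICATION_ID_CONFIG, "consumer");
        p.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, "latest");
        p.put(StreamsConfig.DEFAULT_DESERIALIZATION_EXCEPTION_HANDLER_CLASS_CONFIG,
                LogAndContinueExceptionHandler.class);
        return p;
    }

    public static void main(String[] args) {
        Serde<GenericRecord> valueSerde = avroValueSerde(
                "http://schema-registry.example:8081",
                System.getenv("SCHEMA_REGISTRY_USER_INFO"));
        KafkaStreams streams = new KafkaStreams(topology(valueSerde), streamsConfig("broker.example:9092"));
        Runtime.getRuntime().addShutdownHook(new Thread(streams::close));
        streams.start();
    }
}
```

`LogAndContinueExceptionHandler` is what made the question's failure visible as a WARN per record instead of a crash; it also means undecodable records are silently skipped, so for a pipeline where a dropped record matters, the default `LogAndFailExceptionHandler` is the safer choice.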

Gerrit LDAP mandatoryGroup

How do I configure mandatoryGroup in Gerrit's LDAP? My gerrit.config is currently like this... I'm not sure if the mandatoryGroup value should be LDAP syntax or plain text. I cannot figure this out from the documentation.
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#ldap
ldap.mandatoryGroup
All users must be a member of this group to allow account creation or authentication.
Setting mandatoryGroup implies enabling of ldap.fetchMemberOfEagerly
By default, unset.
gerrit.config
[ldap]
server = ldaps://company.com
sslVerify = false
username = ldapUsername
password = ldapPassword
accountBase = DC=COMPANY_DOMAIN,DC=LOCAL
groupBase = DC=COMPANY_DOMAIN,DC=LOCAL
referral = follow
accountPattern = (sAMAccountName=${username})
groupPattern = (cn=${groupname})
accountFullName = displayName
accountMemberField = memberOf
accountEmailAddress = mail
mandatoryGroup = grp_IT_SourceCode
mandatoryGroup = ldap/"AD_Group_Name" worked for me... I'm not sure why, but the "ldap/" was required before the AD group, and all is good now.

Implementing Poor Man's SSO in Apache Shiro

Good day. I have a scenario where we have multiple web applications running on the same server, and we would like one login to serve all applications. Currently, if you switch applications, you need to re-authenticate. Try as I may, I cannot get this resolved.
I went through the session management page to try to implement what they call Poor Man's SSO (https://shiro.apache.org/session-management.html).
Here is my shiro.ini:
[main]
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://1.2.3.4:389
contextFactory.systemUsername = me@testdomain.local
contextFactory.systemPassword = Password
realm = com.me.shared.security.shiro.meADRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = OU=ME,DC=testdomain,DC=local
securityManager.realms = $realm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie=org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name=sid
sessionIdCookie.maxAge=1800
sessionIdCookie.httpOnly=true
sessionManager.sessionIdCookie=$sessionIdCookie
sessionManager.sessionIdCookieEnabled=true
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 3600000
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager
URL mapping is done in a custom Java IniWebEnvironment and looks like this:
/faces/common/Login.xhtml = authc
/faces/common/unauthorized.xhtml = anon
/faces/secured/** = authc
/faces/myAdmin/** = roles[administrator]
/faces/myManagement/** = roles[administrator]
/faces/people/** = roles[administrator]
I have a custom JSF bean where I perform the login like this:
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(getUserName(), getPassword());
subject.login(token);
I am open to doing SSO in a different fashion, but this is an internal application and doesn't need much. Any ideas?
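The Shiro page linked in the question describes Poor Man's SSO as two things shared by every application: the session id cookie (same name, domain and path) and the store behind the SessionDAO. The ini above shares the cookie name but not its path: `SimpleCookie` defaults the path to the application's context path, so each webapp sets its own `sid` cookie and the browser never presents one application's session to the other. The following is an added example, not from the question or the Shiro project, of the same wiring done programmatically with the cookie scoped to `/` and marked `secure`; `realm`, `cookieDomain` and `sharedCache` are assumed inputs supplied by the caller.

```java
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/** Added example: a web security manager whose session cookie and session store are shared host-wide. */
public class SharedSessionSecurityManagerFactory {

    public static DefaultWebSecurityManager build(Realm realm, String cookieDomain, EhCacheManager sharedCache) {
        // 1. One cookie that every application on the host receives.
        SimpleCookie cookie = new SimpleCookie("sid");
        cookie.setPath("/");            // default would be each application's own context path
        cookie.setDomain(cookieDomain); // keep it as narrow as the set of applications needs
        cookie.setHttpOnly(true);
        cookie.setSecure(true);         // the session id is a bearer credential; never send it in clear
        cookie.setMaxAge(1800);

        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionIdCookie(cookie);
        sessionManager.setSessionIdCookieEnabled(true);
        sessionManager.setSessionIdUrlRewritingEnabled(false); // Shiro 1.3+: no ;JSESSIONID= in URLs or logs
        sessionManager.setGlobalSessionTimeout(30 * 60 * 1000L);

        // 2. One session store that all applications read and write through the shared cache.
        EnterpriseCacheSessionDAO sessionDAO = new EnterpriseCacheSessionDAO();
        sessionManager.setSessionDAO(sessionDAO);

        ExecutorServiceSessionValidationScheduler scheduler =
                new ExecutorServiceSessionValidationScheduler(sessionManager);
        scheduler.setInterval(3600000);
        sessionManager.setSessionValidationScheduler(scheduler);

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);
        securityManager.setSessionManager(sessionManager);
        securityManager.setCacheManager(sharedCache); // propagated to the session DAO by Shiro
        return securityManager;
    }
}
```

`EnterpriseCacheSessionDAO` is only shared if the `CacheManager` behind it is: an `EhCacheManager` created inside each webapp lives in that webapp's classloader and holds that webapp's sessions only. For one login to carry across applications, the cache must be provided at a level all of them see (a container-level Ehcache instance or a cache backed by an external store), which is the part the ini in the question does not show.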

Apache Shiro, isPermitted() isn't working

I'm doing some testing with Apache Shiro just to learn, and I have a problem with permissions. The isPermitted() method just doesn't work; I mean, it always returns false.
shiro.ini
[main]
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName=SHA-256
authc.loginUrl = /faces/views/login.xhtml
authc.successUrl = /faces/views/index.xhtml
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = select senha from VUsuarioPerfil where usuario = ?
jdbcRealm.userRolesQuery = select perfil from VUsuarioPerfil where usuario = ?
jdbcRealm.permissionsQuery = select permissoes from VUsuarioPerfil where usuario = ?
jdbcRealm.credentialsMatcher = $sha256Matcher
ds = com.microsoft.sqlserver.jdbc.SQLServerConnectionPoolDataSource
ds.serverName = 192.168.50.254
ds.user = xx
ds.password = xxx
ds.databaseName = shiro
jdbcRealm.dataSource = $ds
Each user should have his own permissions, so in the view (VUsuarioPerfil) there is a column called permissoes where I placed a string like "clientes:visualizar".
And in code I test it this way:
public void test() {
    System.out.println(SecurityUtils.getSubject().hasRole("usuario"));
    System.out.println(SecurityUtils.getSubject().isPermitted("clientes:visualizar"));
}
The resulting output is:
true
false
I don't know why just the permission isn't fetched from the database.
In the JDBC realm, the permissions query is not expected to map users->roles; it is expected to map roles->permissions.
So essentially, the query that is getting called is:
select permissoes from VUsuarioPerfil where usuario = usuario
And, as you would expect, it returns nothing. Therefore the role has no permissions, and the user has no permissions.
Perhaps looking at the default permissions query would help you think about how to map a query to your data structure:
select permission from roles_permissions where role_name = ?
Check your property:
select permissoes from VUsuarioPerfil
You need to correct the permissions query.
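What the answer above turns on is which value Shiro binds to the `?` in each query: the username for `authenticationQuery` and `userRolesQuery`, and each role name returned by `userRolesQuery` for `permissionsQuery`. With `select permissoes from VUsuarioPerfil where usuario = ?` bound to the role `usuario`, no row matches and `isPermitted` is false. The following is an added example, not from the question or the Shiro project, of a `JdbcRealm` set up with the queries keyed correctly, plus a second fix a practitioner would want: the posted `sha256Matcher` does a single unsalted SHA-256 over the password, so this realm stores a per-user salt column and uses an iteration count. Table and column names (`Usuario`, `UsuarioPerfil`, `PerfilPermissao`, `senha`, `sal`) are hypothetical; `ds` is any `javax.sql.DataSource`, such as the `SQLServerConnectionPoolDataSource` from the ini.

```java
import javax.sql.DataSource;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.util.ByteSource;

/** Added example: JdbcRealm with role-keyed permissions and salted, iterated password hashes. */
public class SaltedJdbcRealmFactory {

    static final int HASH_ITERATIONS = 50_000;

    /**
     * What the application stores when a password is set: {hashHex, saltText}.
     * With SaltStyle.COLUMN, JdbcRealm hashes with the UTF-8 bytes of the salt column exactly
     * as stored, so the salt is hashed here the same way (ByteSource.Util.bytes(saltText)).
     */
    static String[] hashForStorage(String plaintextPassword) {
        String saltText = new SecureRandomNumberGenerator().nextBytes().toHex();
        String hashHex = new Sha256Hash(plaintextPassword, ByteSource.Util.bytes(saltText), HASH_ITERATIONS).toHex();
        return new String[] { hashHex, saltText };
    }

    static JdbcRealm build(DataSource ds) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);

        JdbcRealm realm = new JdbcRealm();
        realm.setDataSource(ds);
        realm.setCredentialsMatcher(matcher);
        realm.setSaltStyle(JdbcRealm.SaltStyle.COLUMN);

        // Bound to the username; with COLUMN the row must be (password hash, salt).
        realm.setAuthenticationQuery("select senha, sal from Usuario where usuario = ?");
        // Bound to the username; one row per role.
        realm.setUserRolesQuery("select perfil from UsuarioPerfil where usuario = ?");
        // Bound to EACH ROLE NAME from the previous query, never to the username.
        realm.setPermissionsLookupEnabled(true);
        realm.setPermissionsQuery("select permissao from PerfilPermissao where perfil = ?");
        return realm;
    }
}
```

With this layout the question's test prints `true` twice as soon as `PerfilPermissao` holds a row `('usuario', 'clientes:visualizar')`; per-user permissions are still expressible by giving each user a role of their own. Existing password rows have to be re-hashed through `hashForStorage` (at next login, for instance), since the stored unsalted digests cannot be upgraded in place.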