dipold / vraptor-shiro Goto Github PK

It would be a bad practice if the shiro session would be available to be used inside JSP?

Something like putting a Named annotation in getSession method of SecurityFacade.
Is it a bad idea?

Strange behavior: org.apache.shiro.UnavailableSecurityManagerException blows up when trying to access @secured methods, but it stops after a sequence of user's actions.

 No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.

Details described in this forum thread in pt-br (GUJ):

http://www.guj.com.br/java/308952-vraptor-4--apache-shiro--unavailablesecuritymanagerexception

I'm trying to use vraptor-shiro (using vraptor4) but I think that SecurityFacade class should be loaded when the application starts running. But as the initial config aren't being setup, even methods annotated with @secured and @RequiresAuthentication aren't being intercepted.

I suppose we need to create some VRaptorInitialized Observer to start shiro setup or I'm doing something wrong.

As Alberto Magno Xavier Soares said in this thread (pt-br), the VRaptor plugin is not working as expected. What happens, in my case, the user gets logged off after some request to an @Secured resource.

I tried <shiro:principal/> and it returns object name. <shiro:principal property="username"/> and it returns nothing.
I also tried to @Inject Subject into vraptor @Controller, and it returns this:

        logger.debug("Subject: " + subject.toString());
\\2015-12-22 18:18:16,481 DEBUG [IndexController     ] (IndexController.java:46) - Subject: br.com.caelum.vraptor.security.produces.SafeSubject@56ce277b
        logger.debug("Subject principal: " + subject.getPrincipal().toString());
\\User object description, instead of name

I guess this is a problem with vraptor-shiro plugin.

Estou testando o vraptor4 rc1 e usei o vraptor-shiro beta1 e o metodo abaixo nao fica protegido:

@Get("/")
@Secured
@RequiresUser
public void index() {

}

O interceptor após verificar que o usuário não esta autenticado continua a execução da lógica do controller mesmo depois que a vraptor ja redirecionou para tela de login.
Entendo que o cdx.proceed(); deveria ser invocado dentro do try.

@AroundInvoke public Object check(InvocationContext ctx) throws Exception { try { assertAuthorized(new InvocationContextToMethodInvocationConverter(ctx)); } catch(AuthorizationException e) { listener.onAuthorizationRestriction(e); } return ctx.proceed(); }