无法在自定义ApacheShiro授权域中@InjectMy DAO
我正试图将我的UserDAO注入到ApacheShiro正在使用的自定义授权域中,但是。。。我得到空值。
我做错了什么?
西罗。伊尼
[main]
user = demo.shiro.security.FacesAjaxAwareUserFilter
realmA = demo.shiro.security.JpaRealm
credentialsMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
realmA.credentialsMatcher = $credentialsMatcher
securityManager.realms = $realmA
user.loginUrl = /pages/public/login.xhtml
[users]
admin = admin
user = user
[urls]
# public files and folders
/index.html = anon
/resources/** = anon
/pages/public/** = anon
# restricted files and folders
/pages/admin/** = user
/pages/user/** = user
jparelm。JAVA
public class JpaRealm extends AuthorizingRealm {
@Inject
private UserDao userDao;
public JpaRealm() {
setCredentialsMatcher(new Sha256CredentialsMatcher());
}
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authToken;
User user = userDao.getForUsername(token.getUsername());
if (user != null) {
return new SimpleAuthenticationInfo(user.getId(), user.getPassword(), getName());
} else {
return null;
}
}
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
Long userId = (Long) principals.fromRealm(getName()).iterator().next();
User user = userDao.findByKey(userId);
if (user != null) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
for (Role role : user.getRoles()) {
info.addRole(role.getDescription());
for (Permition permition : role.getPermitions()) {
info.addStringPermission(permition.getDescription());
}
}
return info;
} else {
return null;
}
}
}
我必须做些什么才能让CDI在我的自定义域中意识到@Inject并正确地注入我的UserDAO?
共有3个答案
使用ShiroWebMoules注入您的自定义领域
public class PocShiroModule extends ShiroWebModule {
public PocShiroModule(ServletContext servletContext) {
super(servletContext);
}
@Override
protected void configureShiroWeb() {
bindConstant().annotatedWith(Names.named("shiro.globalSessionTimeout"))
.to(30000L);
bind(Realm.class).to(JPARealm.class);
}
@Provides
@Singleton
Set<Realm> provideRealmSet(Realm realm) {
Set<Realm> result = new HashSet<Realm>();
result.add(realm);
return result;
}
}
在上下文监听器中注册此模块
public class PocGuiceServletConfig extends GuiceServletContextListener {
private ServletContext context = null;
@Override
public void contextInitialized(ServletContextEvent servletContextEvent) {
this.context = servletContextEvent.getServletContext();
super.contextInitialized(servletContextEvent);
}
@Override
protected synchronized Injector getInjector() {
return Guice.createInjector(
new PocModule(),
new PocShiroModule(context),
new ShiroAopModule());
}
}
jpaRealm恰好在Custom环境LoaderListener中为空。我尝试在JpaRealm类上设置@Service("JpaRealm")注释,以便容器可能知道注入,但仍然没有运气。JpaRealm在这两种情况下都是空的。
如果我们允许注入在定制领域中工作,还需要做什么。
Apache Shiro使用的默认环境LoaderListener不支持CDI。解决方案是构建一个新的引用,并替换web中的原始引用。xml指向您定制的一个。
注意:侦听器自动支持CDI注入,但侦听器必须通过CDI机制请求bean。自定义侦听器将使用@Inject请求bean,并将创建JpaRealm作为CDI bean,它将注入所有依赖项。默认的Shire侦听器不会通过@Inject将JpaRealm创建为启用CDI的bean。
客户认证匹配器。JAVA
public class CustomCredentialsMatcher extends SimpleCredentialsMatcher {
}
CustomEnvironmentLoaderListener。JAVA
public class CustomEnvironmentLoaderListener extends EnvironmentLoaderListener {
@Inject
private JpaRealm jpaRealm;
@Override
protected WebEnvironment createEnvironment(ServletContext pServletContext) {
WebEnvironment environment = super.createEnvironment(pServletContext);
RealmSecurityManager rsm = (RealmSecurityManager) environment.getSecurityManager();
PasswordService passwordService = new DefaultPasswordService();
PasswordMatcher passwordMatcher = new PasswordMatcher();
passwordMatcher.setPasswordService(passwordService);
jpaRealm.setCredentialsMatcher(passwordMatcher);
rsm.setRealm(jpaRealm);
((DefaultWebEnvironment) environment).setSecurityManager(rsm);
return environment;
}
}
FacesAjaxAwareUserFilter。JAVA
public class FacesAjaxAwareUserFilter extends UserFilter {
private static final String FACES_REDIRECT_XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><partial-response><redirect url=\"%s\"></redirect></partial-response>";
@Override
protected void redirectToLogin(ServletRequest req, ServletResponse res) throws IOException {
HttpServletRequest request = (HttpServletRequest) req;
if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
res.setContentType("text/xml");
res.setCharacterEncoding("UTF-8");
res.getWriter().printf(FACES_REDIRECT_XML, request.getContextPath() + getLoginUrl());
} else {
super.redirectToLogin(req, res);
}
}
}
jparelm。JAVA
public class JpaRealm extends AuthorizingRealm {
private static String REALM_NAME = "jpaRealm";
@Inject
private UserDao userDao;
@Inject
private RoleDao roleDao;
@Inject
private PermissionDao permissionDao;
public JpaRealm() {
setName(REALM_NAME); // This name must match the name in the User class's getPrincipals() method
}
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authToken;
User user = userDao.getForUsername(token.getUsername());
if (user != null) {
return new SimpleAuthenticationInfo(user.getId(), user.getPassword(), getName());
} else {
return null;
}
}
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
Long userId = (Long) principals.fromRealm(getName()).iterator().next();
User user = userDao.findByKey(userId);
if (user != null) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
for (Role role : roleDao.getForUser(user)) {
info.addRole(role.getDescription());
for (Permition permition : permissionDao.getForRole(role)) {
info.addStringPermission(permition.getDescription());
}
}
return info;
} else {
return null;
}
}
}
西罗。伊尼
[main]
user = com.boss.mrfoods.security.FacesAjaxAwareUserFilter
user.loginUrl = /pages/public/login.xhtml
[urls]
/index.html = anon
/pages/index.xhtml = anon
/pages/public/** = anon
/pages/admin/** = user, roles[ADMIN]
/pages/user/** = user, roles[USER]
网状物xml
...
<listener>
<listener-class>com.boss.mrfoods.security.CustomEnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.html" target="_blank">servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
-
在我正在构建的应用程序中,我们使用直Java6 EE和JBoss(没有Spring等),以及JPA/Hibernate、JSF、CDI和EJB。 我还没有找到很多好的通用安全解决方案(欢迎推荐),但我找到的最佳选择是ApacheShiro。 然而,这似乎有一些缺点。您可以在Balus C的网站上阅读其中一些内容: http://balusc.blogspot.com/2013/01/apache-
-
功能说明 目睹直播提供了一系列的授权观看方式,如密码验证,付费观看等,然而由于客户业务的多样性,实现如:接入客户自身账户体系,登陆OA系统后再跳转到目睹观看直播等一系列更高级的授权观看方式,此时就需要使用自定义授权。 自定义授权逻辑图 功能设置 首先,需在 某个频道 - 频道管理 - 授权观看 - 授权类型 中点击自定义授权,并输入您希望在观众进入观看页时跳转的链接,如: http://your-
-
技术栈在前端是reactJS,后端由APIGateway和Lambda供电。我正在使用Auth0作为我的react应用程序中的身份服务。通过Auth0提供的一个社交登录进行身份验证时,我会返回、和。此外,我可以使用获取用户信息,例如。现在,我需要保护/阻止对我的后端即APIGateway和lambda的访问。 有很多选项来保护对AWS APIGateway的访问,如IAM授权器、自定义授权器。有一
-
在我的一个Rest API调用中,我需要添加标题“Authorization:partner_id:timestamp signature” 如果公司名称是静态字符串,则可以对其进行硬编码,其中作为合作伙伴的id是查询参数的一部分,用户输入它,签名计算为sha256(机密,密码)。消化编码('base64') 我现在看到只有api_密钥,而且在swagger ui中允许基本授权,我如何以及在哪里实
-
null 我尝试将@priority(interceptor.priority.platform_beform)和@prematching也放入我的过滤器中,但即使是在OIDC启动后也会调用。 另外,是否有任何方法支持扩展quarkus oidc逻辑以包括自定义代码? 我无法获得oidc和keycloak-auth拦截器的优先级(知道这些可以帮助我决定过滤器的优先级)。请帮忙。