3

我已经创建了一个 JavaEE6 项目,目前我正在使用 Shiro 进行身份验证和授权。使用本文作为参考(通过 CDI 拦截器使用 Shiro 进行授权,然后使用 Arquillian 轻松测试),我已将 Shiro 与 CDI 集成。一切正常,除了有时 Subject.getPrincipal 为空。

此外,调查表明,有时我至少有 2 个 Subject.getSession().getId()。

我如何遇到问题:

  1. 登录 -> 使用 sessionA 确定
  2. 单击受保护的链接(pageA)-> ok
  3. 试图在数据库中插入一条记录失败
  4. 单击相同的安全链接(pageA)-> 失败,查看它产生不同会话 id sessionB 的跟踪
  5. 刷新再刷新,直到页面(pageA)正常。在登录 sessionA 期间获得了相同的会话 ID。

有什么问题?

我的 shiro.ini 文件

[main]
saltedJdbcRealm=com.sido.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName=Portal 

# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled=true

# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt 
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM users WHERE username = ?

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM roles a INNER JOIN user_roles b ON a.id=b.role_id INNER JOIN users c ON c.id=b.user_id WHERE c.username = ?

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM permissions WHERE role = ?

# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName=SHA-256
sha256Matcher.hashIterations=1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO 

cacheManager=org.apache.shiro.cache.ehcache.EhCacheManager 
cacheManager.cacheManagerConfigFile=classpath:shiro-ehcache.xml
securityManager.cacheManager=$cacheManager 

shiro.loginUrl = /login.xhtml

[urls]
/login.xhtml = authc
/logout = logout

web.xml

<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Production</param-value>
</context-param>

<context-param>
    <param-name>primefaces.THEME</param-name>
    <param-value>south-street</param-value>
</context-param>

<!-- Welcome page -->
<welcome-file-list>
    <welcome-file>home.xhtml</welcome-file>
</welcome-file-list>

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Map these files with JSF -->
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

SecurityProducer,一个 Singleton bean,我在其中实例化安全管理器。它应该对整个应用程序都可用且唯一吗?

@Singleton
public class SecurityProducer {
    @Inject
    private Logger log;
    private SecurityManager securityManager;

    @PostConstruct
    public void init() {
        final String iniFile = "classpath:shiro.ini";
        log.debug("Initializing Shiro INI SecurityManager using " + iniFile);
        securityManager = new IniSecurityManagerFactory(iniFile).getInstance();
        SecurityUtils.setSecurityManager(securityManager);
    }
    ..
}

在初始化(Singleton bean)时绑定 SecurityManager 或 Subject 并不能解决问题。

final String iniFile = "classpath:shiro.ini";
securityManager = new IniSecurityManagerFactory(iniFile).getInstance();
SecurityUtils.setSecurityManager(securityManager);
ThreadContext.bind(SecurityUtils.getSubject()); or ThreadContext.bind(securityManager);

谢谢,
czetsuya

4

2 回答 2

1

我想我已经通过在此处配置 web.xml 基础解决了间歇性会话问题:http: //shiro.apache.org/web.html

目前它的外观如下:http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">

<!-- Welcome page -->
<welcome-file-list>
    <welcome-file>home.xhtml</welcome-file>
</welcome-file-list>
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<!-- Map these files with JSF -->
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

但这真的是解决方案吗?有任何想法吗?

于 2012-11-02T03:11:52.447 回答
0

如果要手动构建主题,则应将其绑定到调用线程 ThreadContext.bind(subject)。如果您不这样做,下一次调用SecurityUtils.getSubject()将返回新的主题,而不是您之前创建的主题。

例如,在我的应用程序中,我收到了请求中的会话 ID 并从中创建了一个主题。 

Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();
ThreadContext.bind(subject);
于 2012-10-31T09:07:40.533 回答