Blog of the Open Source project JavaHotel

Thursday, 30 May 2013

MVP Jython framework and shiro authentication

Introduction
The next step in implementing Shiro authentication for the JavaHotel application. Previously I developed an administrator module for adding new users and hotels and for setting the permissions of each user in a particular hotel. The source code is available here.
This module is deployed in the Google App Engine environment: English version and Polish version. User/password: admin/admin. The module uses the standard text-based Shiro realm.
[main]
securityManager.sessionManager.sessionValidationSchedulerEnabled = false
[users]
admin=admin
[roles]
securityManager.sessionManager.sessionValidationSchedulerEnabled is set to false because the scheduler launches a background thread to enforce session expiry, and Google App Engine does not support threads.
Security implementation
Once hotels and users are set up, the next step follows. A user can launch the application for a particular hotel and start working in that hotel using the credentials created earlier. For the time being only one function (hotel services) is implemented.
A particular hotel is selected with the hotel URL query parameter. Examples:
http://testjavahotel.appspot.com/?hotel=hotel
http://testjavahotel.appspot.com/?hotel=hotel1
The application uses a second, different Shiro realm for this purpose.
Shiro realm
[main]
securityManager.sessionManager.sessionValidationSchedulerEnabled = false
hRealm=com.gwthotel.auth.HotelAuthRealm
inject=com.gwthotel.hotel.server.guice.HotelAuthResources
hRealm.iRes=$inject
Test
A simple test scenario can be performed.
  1. Launch http://testjavahotel.appspot.com/?start=admin.xml
  2. Add two hotels: hotel1 and hotel2
  3. Add two users: user1 and user2 (don't forget to set a password for them)
  4. Give user1 access to both hotels and user2 access to hotel1 only.
  5. Launch http://testjavahotel.appspot.com/?hotel=hotel1
  6. Make sure that both user1 and user2 can log on.
  7. Launch http://testjavahotel.appspot.com/?hotel=hotel2
  8. Make sure that user1 can log on and user2 cannot.
Future
The way credentials are set should be changed. Having the administrator set a user's password is not an acceptable solution. Another method should be implemented, for instance sending an e-mail with a temporary password, or a URL link that lets the user set the password on first use or after a password reset.

Problem
This application uses two different Shiro realms. During a test I found that I cannot use SecurityUtils.getSubject, because after changing the realm the next call to getSubject retrieves users from the previous realm, and I was unable to overcome it. The only solution I found was to give up SecurityUtils.getSubject and build the Subject directly.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

    // Subject.Builder() takes the SecurityManager currently set in SecurityUtils and creates a
    // fresh Subject; unlike SecurityUtils.getSubject() it never hands back the Subject already
    // bound to the current thread, which is how the previous realm's users kept showing up.
    private static Subject buildSubject() {
        return new Subject.Builder().buildSubject();
    }

    // Result, SessionEntry and constructManager() are project types not shown in this post.
    private Result authenticate(SessionEntry se, String tokenS) {
        // One SecurityManager (and therefore one realm) per hotel; note that setSecurityManager
        // stores it in a static field shared by every thread in the JVM.
        SecurityManager securityManager = constructManager(se.getRealm());
        SecurityUtils.setSecurityManager(securityManager);
//        Subject currentUser = SecurityUtils.getSubject();   // returned the previous realm's Subject
//        currentUser = new Subject.Builder().buildSubject();
        Subject currentUser = buildSubject();
        // ... the remainder of authenticate() is not included in the post
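An added example (not code from the JavaHotel project) that puts the test scenario above and the two-realm problem into one runnable program: a hypothetical HotelToken/HotelRealm pair, with constructed user and hotel data standing in for the admin module's store, and a Subject built against an explicit SecurityManager, which sidesteps the static SecurityUtils state altogether.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;
public class HotelRealmExample {
    // Hypothetical token: a username/password plus the hotel name from the ?hotel= query parameter.
    static class HotelToken extends UsernamePasswordToken {
        final String hotel;
        HotelToken(String user, String password, String hotel) { super(user, password); this.hotel = hotel; }
    }
    // Hypothetical realm over constructed data standing in for the admin module's user/hotel store.
    static class HotelRealm extends AuthenticatingRealm {
        private final Map<String, String> passwords;      // user -> password
        private final Map<String, Set<String>> hotelsOf;  // user -> hotels the administrator granted
        HotelRealm(Map<String, String> passwords, Map<String, Set<String>> hotelsOf) {
            this.passwords = passwords; this.hotelsOf = hotelsOf;
            setAuthenticationTokenClass(HotelToken.class); // this realm only handles HotelToken
        }
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            HotelToken ht = (HotelToken) token; String user = ht.getUsername();
            // Unknown user or no grant for this hotel: fail before the password is even compared.
            if (!passwords.containsKey(user) || !hotelsOf.getOrDefault(user, Set.of()).contains(ht.hotel))
                throw new AuthenticationException("user " + user + " has no access to " + ht.hotel);
            return new SimpleAuthenticationInfo(user, passwords.get(user), getName()); // matcher checks pw
        }
    }
    // Builds the Subject against an explicit SecurityManager: no SecurityUtils.setSecurityManager/getSubject.
    static boolean canLogon(HotelRealm realm, String user, String password, String hotel) {
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        DefaultSessionManager sessions = new DefaultSessionManager();
        sessions.setSessionValidationSchedulerEnabled(false); // same reason as in the INI: no threads
        sm.setSessionManager(sessions);
        Subject subject = new Subject.Builder(sm).buildSubject();
        try { subject.login(new HotelToken(user, password, hotel)); return true; }
        catch (AuthenticationException e) { return false; }
        finally { subject.logout(); }
    }
    public static void main(String[] args) { // constructed data: user1 in both hotels, user2 in hotel1 only
        HotelRealm realm = new HotelRealm(Map.of("user1", "pw1", "user2", "pw2"),
                Map.of("user1", Set.of("hotel1", "hotel2"), "user2", Set.of("hotel1")));
        System.out.println(canLogon(realm, "user2", "pw2", "hotel1") + " " + canLogon(realm, "user2", "pw2", "hotel2"));
    }
}
```

Because each request gets its own SecurityManager instance instead of a JVM-wide static, two requests for different hotels handled on different threads cannot see each other's realm.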
