Apache Shiro and Google Guice: Injecting Dependencies into the Realm

I am developing abi-ring with Jersey and want to use Google Guice for dependency injection and Apache Shiro as a security framework.

For authentication, I created a custom Realm to which I must add a custom Authenticator that is connected to the EntityManager.

However, the dependency is not injected into the realm. I assume that shiro.ini (in which I have to define the realm used) is not managed by Guice.

How can I inject dependencies into Apache Shiro, especially into the Realm it uses?

My web.xml contains only a filter, shown here:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5"
             xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
        <filter>
            <filter-name>guiceFilter</filter-name>
            <filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>guiceFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <listener>
            <listener-class>GuiceServletConfig</listener-class>
        </listener>
    </web-app>

My GuiceServletConfig configures all dependencies, including CustomRealm:

    public class GuiceServletConfig extends GuiceServletContextListener {

        @Override
        protected Injector getInjector() {
            return Guice.createInjector(new DbModule(), new JerseyServletModule() {

                @Override
                protected void configureServlets() {
                    // ...
                    // CustomRealm is only used when I use it as an eager singleton
                    bind(CustomRealm.class).asEagerSingleton();
                    bind(org.apache.shiro.web.servlet.IniShiroFilter.class).in(Singleton.class);
                    filter("/*").through(org.apache.shiro.web.servlet.IniShiroFilter.class);
                    serve("/api/*").with(GuiceContainer.class);
                }
            });
        }
    }

The Shiro INI only defines the realm:

    [main]
    myRealm = CustomRealm

    [users]
    # for testing
    root = secret,admin

    [roles]
    # for testing
    admin = *

    [urls]
    /api/** = authcBasic
+4
1 answer

Configuring Apache Shiro with INI is great for many use cases, but if you have the full power of an IoC infrastructure like Spring or Guice, it's usually best to configure all of Shiro as part of the IoC mechanism directly. A good example of this is the Shiro Spring integration: http://shiro.apache.org/spring.html . It is recommended that you do something almost identical for your Guice environment.

If you do not want to do this and prefer to stay with INI, Shiro has the concept of RealmFactory.

You can create a realistic RealmFactory implementation that communicates with your Guice environment and pulls out your customized Guice Realm(s). Then you define the RealmFactory implementation in Shiro INI:

    [main]
    ...
    guiceRealmFactory = com.foo.bar.shiro.GuiceRealmFactory
    ...

Note, however, that Shiro INI only supports the acquisition of Realm instances outside of INI through RealmFactory; all other referenced objects must be defined in the INI. You might want to open a Shiro Jira issue to ask for more general Factory support outside the realms.

Ultimately, since Guice is more powerful than INI, it is recommended, if possible, to configure everything in Shiro in Guice (SecurityManager, realms, ShiroFilter, etc.).

+5
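The RealmFactory approach described in the answer, as an added sketch that is not part of the original answer or of Shiro itself. Assumptions: the static `setInjector` hand-off is a hypothetical helper called from `GuiceServletConfig.getInjector()`, and the Guice module additionally binds `Realm.class` to `CustomRealm`.

```java
package com.foo.bar.shiro; // package name taken from the INI line in the answer

import com.google.inject.Injector;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.RealmFactory;

import java.util.Collection;
import java.util.Collections;

/**
 * Instantiated by Shiro's INI loader, so it cannot receive injection itself;
 * it looks the realm up in the Guice injector instead.
 */
public class GuiceRealmFactory implements RealmFactory {

    // Hypothetical hand-off point. In GuiceServletConfig.getInjector():
    //   Injector injector = Guice.createInjector(...);
    //   GuiceRealmFactory.setInjector(injector);
    //   return injector;
    private static volatile Injector injector;

    public static void setInjector(Injector guiceInjector) {
        injector = guiceInjector;
    }

    @Override
    public Collection<Realm> getRealms() {
        Injector current = injector;
        if (current == null) {
            // Fail closed: do not let the SecurityManager start without the
            // realm that performs the real credential check.
            throw new IllegalStateException(
                    "Guice injector not published before Shiro initialised");
        }
        // Assumption: the module contains bind(Realm.class).to(CustomRealm.class),
        // so Guice builds the realm with its EntityManager-backed dependencies.
        Realm realm = current.getInstance(Realm.class);
        return Collections.<Realm>singletonList(realm);
    }
}
```

With this in place the `myRealm = CustomRealm` line is dropped from the INI, since otherwise Shiro would also construct a second, uninjected realm instance by reflection.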

Source: https://habr.com/ru/post/1337776/

