3 Replies Latest reply on Mar 1, 2013 5:40 AM by edewit

    Errai + Apache Shiro, integration points?

    simon-lindgren

      Hi,

      We are currently considering migrating a GWT application to use some Errai features (calling remote EJBs directly being the prime reason).

      We currently use Shiro for authentication and authorization and we would like to continue doing this if possible.

      However: Shiro typically works by associating the session with the running thread, using (I believe) a thread-local variable. This is done automatically by a servlet filter, but I have a hunch that things like ErraiBus and other asynchronous code will be problematic with this approach.

      Typically this is also a problem with remote EJB method invocations, but so far we have used only local interfaces and we have therefore not bothered looking at that much.

      To make this work, I suspect there will have to be some additional work to pass the session around, but I don't know where to start looking, basically. Any advice on how to proceed?

      PS

      Shiro has implementations of Executor, ExecutorService and ScheduledExecutorService, which manage the session transparently. Perhaps this could be useful? DS.

        • 1. Re: Errai + Apache Shiro, integration points?
          edewit

          Hi,

          GWT is asynchronous; Errai doesn't introduce that, so that should not be the problem. From the description of your Shiro setup, I get that you are using Shiro's session management; this is not the same as the HTTP session. Saving stuff into thread local to 'remember' the user does not work in a web container! If the load on the server gets high, the web container will create more threads to help with the load, so this will result in the user suddenly not being logged in anymore. You will need to configure Shiro to use the HTTP session.

          Cheers,

                Erik Jan

          • 2. Re: Errai + Apache Shiro, integration points?
            simon-lindgren

            Ah, yes. Shiro's web support does use the HTTP session (it is still a little unclear to me exactly how it uses it though), but there is a servlet filter which sets and unsets this thread-local state for each request on the assumption that there is a 1-to-1 relationship: each thread handles a single request at a time. The core of Shiro's access control handling is then based on the thread-local state. It is made this way to not be dependent directly on a container.

            The problem becomes how to make sure this state is set correctly when ErraiBus is used, since (as far as I understand) request processing does not necessarily happen on a thread where the servlet filter has run.

            I've looked a bit more, and my current idea is to make an EJB interceptor that does this, but for that I need to be able to access some of the web container things, but that seems like it could be a problem given that it is a different container. Perhaps Errai has something that could help with handling this, which I haven't found yet.

            • 3. Re: Errai + Apache Shiro, integration points?
              edewit

              Right, so you are using Shiro web support and that does not use thread local to store session information. I have used Shiro as well and had this problem, so I just wanted to warn you not to make the same mistake that I did. Only I just don't see why there would be a problem using this with Errai: if Shiro is using a servlet filter, then Errai's bus calls will also pass through it.
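
The thread-bound state discussed in this thread, and the executor wrappers mentioned in the original post's PS, shown as an added example that is not part of any poster's message. It assumes Shiro 1.x on the classpath; the class name, realm, account and password are constructed for illustration, and a single pool thread stands in for a worker that never passed through the servlet filter.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.concurrent.SubjectAwareExecutorService;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.apache.shiro.util.ThreadState;

public class ShiroThreadHandoffDemo {
    public static void main(String[] args) throws Exception {
        // Constructed realm and account, for illustration only.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-password");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // Start the worker before any Subject is bound, as container pool threads
        // are: Shiro's ThreadContext is inherited by threads created afterwards.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        pool.execute(() -> { });

        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken("alice", "constructed-password"));
        Callable<String> whoAmI = () -> String.valueOf(SecurityUtils.getSubject().getPrincipal());

        // Stand-in for the servlet filter: bind for this "request", clear afterwards.
        ThreadState requestState = new SubjectThreadState(subject);
        requestState.bind();
        try {
            // 1. Plain hand-off: the worker has no bound Subject and sees an anonymous one.
            System.out.println("plain submit:          " + pool.submit(whoAmI).get());
            // 2. Explicit hand-off: the Subject is bound around this one call, then restored.
            System.out.println("associateWith:         " + pool.submit(subject.associateWith(whoAmI)).get());
            // 3. Shiro's executor wrapper captures the submitting thread's Subject.
            ExecutorService aware = new SubjectAwareExecutorService(pool);
            System.out.println("SubjectAware executor: " + aware.submit(whoAmI).get());
            // 4. Check that the identity did not stay behind on the pooled thread.
            System.out.println("plain submit again:    " + pool.submit(whoAmI).get());
        } finally {
            requestState.clear();
            pool.shutdown();
        }
    }
}
```

The fourth call is the one to watch in a pooled environment: a Subject left bound on a reused thread would let a later task run with the previous caller's identity.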