Securing Tynamo tapestry-resteasy with Shiro

Securing Tynamo tapestry-resteasy with Shiro

Richard Frovarp
I'm wondering if there is a straightforward way to secure
tapestry-resteasy with Shiro. We're already using tapestry-security. I
have a student doing some work to do this, and it doesn't seem like the
two work together. We can protect the URL path from the AppModule using
the Shiro code like we do everywhere else. However, we can't get
annotations to work on the REST "pages" or methods. I would like to be
able to do things like access level access control and permission based
control based on the authenticated user through the same Shiro tools
that we have been using.

It feels like we're missing something. I can probably build my own
integration, but if it is already solved and we are just missing it, I
would rather do it the correct way.

Thanks,

Richard


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Securing Tynamo tapestry-resteasy with Shiro

fjfalcon
Hi there, Richard.

I created a SecurityRequestFilter that reads the header for an auth token and
authorizes or not. Then it passes the request to the other filters.
Some part of the code, for example:

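import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;
import org.tynamo.security.services.SecurityService;

public class SecurityRequestFilter implements HttpServletRequestFilter
{
    @Inject
    private SecurityService securityService;

    @Override
    public boolean service(HttpServletRequest request, HttpServletResponse response,
            HttpServletRequestHandler handler) throws IOException
    {
        // login(...) and the slog logger are not shown in this excerpt.
        if (request.getHeader("Authorization") != null)
            login(request.getHeader("Authorization"));
        else
            slog.info("Anonymous request detected.");
        // Pass the request on to the remaining filters in the pipeline.
        return handler.service(request, response);
    }
}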

As for the application module (main Tapestry configuration class):

@Contribute(HttpServletRequestHandler.class)
public static void httpServletRequestHandler(
        OrderedConfiguration<HttpServletRequestFilter> configuration,
        @InjectService("ServletRequestFilter") HttpServletRequestFilter servletRequestFilter,
        @InjectService("SecurityRequestFilter") HttpServletRequestFilter securityRequestFilter)
{
    configuration.add("SecurityRequestFilter", securityRequestFilter,
            "after:SecurityConfiguration", "before:ResteasyRequestFilter");
    configuration.add("ServletRequestFilter", servletRequestFilter,
            "after:ResteasyRequestFilter", "before:GZIP");
}


I can't say that it's the right thing to do. But my way works fine for using
tapestry-security with tapestry-resteasy.

Good luck.


On 5 May 2017 at 23:49, Richard Frovarp <[hidden email]> wrote:

> I'm wondering if there is a straightforward way to secure
> tapestry-resteasy with Shiro. We're already using tapestry-security. I have
> a student doing some work to do this, and it doesn't seem like the two work
> together. We can protect the URL path from the AppModule using the Shiro
> code like we do everywhere else. However, we can't get annotations to work
> on the REST "pages" or methods. I would like to be able to do things like
> access level access control and permission based control based on the
> authenticated user through the same Shiro tools that we have been using.
>
> It feels like we're missing something. I can probably build my own
> integration, but if it is already solved and we are just missing it, I
> would rather do it the correct way.
>
> Thanks,
>
> Richard


--
With best regards,
Pavel Chernyak
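
An added example, not part of either post and not fjfalcon's login helper (which the reply does not show): one way such a filter could authenticate through Shiro and fail closed when a presented credential is rejected. It assumes HTTP Basic credentials, a realm that accepts UsernamePasswordToken, stateless API calls, and the hypothetical class name BasicAuthRequestFilter and realm label "api".

```java
// Added example; assumes HTTP Basic credentials and a realm accepting UsernamePasswordToken.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;
import org.tynamo.security.services.SecurityService;

public class BasicAuthRequestFilter implements HttpServletRequestFilter // hypothetical name
{
    @Inject
    private SecurityService securityService;

    @Override
    public boolean service(HttpServletRequest request, HttpServletResponse response,
            HttpServletRequestHandler handler) throws IOException
    {
        String header = request.getHeader("Authorization");
        if (header == null)
            return handler.service(request, response); // anonymous: path rules still apply
        Subject subject = securityService.getSubject();
        try {
            if (!header.regionMatches(true, 0, "Basic ", 0, 6))
                throw new AuthenticationException("Unsupported scheme");
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon < 0)
                throw new AuthenticationException("Malformed credentials");
            subject.login(new UsernamePasswordToken(decoded.substring(0, colon), decoded.substring(colon + 1)));
        } catch (AuthenticationException | IllegalArgumentException e) {
            // Fail closed: a presented but invalid credential never continues as anonymous.
            response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return true; // request handled here, stop the pipeline
        }
        try {
            return handler.service(request, response);
        } finally {
            subject.logout(); // stateless assumption: drop the identity after the call
        }
    }
}
```

With the subject logged in before ResteasyRequestFilter runs, a resource method can make programmatic checks such as `SecurityUtils.getSubject().checkPermission(...)` against the same realm.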