Tynamo Security w/ custom Realm


Tynamo Security w/ custom Realm

Adam X
Howdy !

I followed tynamo setup guide
(http://www.tynamo.org/tapestry-security+guide/) combined with
federated accounts example
(https://github.com/tynamo/tynamo-federatedaccounts). I believe I have
the setup hooked up correctly as my annotated page with
@RequiresRoles("administrator") is not intercepted by tynamo and a
login page appears. The problem I'm having is that when I enter valid
credentials tynamo is not authenticating. Below is my custom realm.
UserManagementDao is just an interface, but the implementation I'm
injecting is a simple in-memory hash map impl with a unit test
verifying its correctness (in reality we're authenticating against
AWS IAM but I'm using a mock to get things working initially). However,
I'm not sure if I'm constructing SimpleAuthenticationInfo correctly.
Another thing is that my passwords (for now) are clear text and I'm
not sure if by default Tynamo uses clear text comparison or if it
hashes the passwords.

Any help would be highly appreciated!

import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyCustomRealm extends AuthorizingRealm {

    private final UserManagementDao dao;

    // The constructor must carry the class name; "XappmCoreRealm" would not compile here
    public MyCustomRealm(UserManagementDao dao) {
        super(new MemoryConstrainedCacheManager());
        setName("awsiamaccounts");
        setAuthenticationTokenClass(UsernamePasswordToken.class);
        // Left unset, so the inherited SimpleCredentialsMatcher compares plain text
        //setCredentialsMatcher(new HashedCredentialsMatcher(Sha1Hash.ALGORITHM_NAME));
        this.dao = dao;
    }

    // Roles consulted by @RequiresRoles: one role per group id of the user
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        if (principals == null) {
            throw new AuthorizationException(String.format("null %s! (should not happen)",
                    PrincipalCollection.class.getSimpleName()));
        }
        if (principals.isEmpty()) return null;
        if (principals.fromRealm(getName()).isEmpty()) return null;

        String username = (String) principals.fromRealm(getName()).iterator().next();
        if (username == null) return null;

        List<XapGroup> groups = dao.getUserGroups(username);
        Set<String> roles = new HashSet<>();
        for (XapGroup group : groups) {
            roles.add(group.getId());
        }
        return new SimpleAuthorizationInfo(roles);
    }

    // Looks up the account; the configured CredentialsMatcher does the password comparison
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String userName = upToken.getUsername();
        if (userName == null) {
            throw new AccountException("Null usernames are not allowed by this realm.");
        }

        XapUser user = dao.getUser(userName);
        if (user == null) return null; // with a single realm Shiro reports this as UnknownAccountException

//        if (user.isAccountLocked()) { throw new LockedAccountException("Account [" + userName + "] is locked."); }
//        if (user.isCredentialsExpired()) {
//            String msg = "The credentials for account [" + userName + "] are expired";
//            throw new ExpiredCredentialsException(msg);
//        }

        String password = dao.getUserPassword(userName);
        // Principal, stored credential and realm name; SimpleCredentialsMatcher
        // compares the stored String against the token's char[] as byte arrays
        return new SimpleAuthenticationInfo(userName, password, getName());
    }
}

Adam

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Tynamo Security w/ custom Realm

Kalle Korhonen-2
Looks fine at a quick glance. As I recall, an AuthenticatingRealm uses
SimpleCredentialsMatcher by default, so it should match plain text passwords. Are
you sure it's not authenticating, or is doGetAuthenticationInfo invoked at
all? Do you have any other realms configured? Get the simple, single realm
use case working first and work from there.

Kalle
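Kalle's advice to get the single-realm case working first can be followed entirely outside Tapestry. The following is an added example, not code from this thread or from Tynamo: it drives a realm of the same shape as Adam's through Shiro's DefaultSecurityManager against a constructed in-memory account store, and replaces the default SimpleCredentialsMatcher (which byte-compares the token's char[] with the stored String, which is why clear-text passwords match) with a salted HashedCredentialsMatcher so that no clear-text password is stored. It assumes Shiro 1.x; RealmHarness, Account, ACCOUNTS and the sample users are hypothetical.

```java
import java.util.*;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

// Stand-alone harness (hypothetical): exercises a custom AuthorizingRealm with no servlet container or Tapestry
public class RealmHarness {

    static final int HASH_ITERATIONS = 100_000;

    // Hypothetical account record standing in for whatever UserManagementDao returns
    static final class Account {
        final String passwordHashHex; final ByteSource salt; final Set<String> roles;
        Account(String h, ByteSource s, Set<String> r) { passwordHashHex = h; salt = s; roles = r; }
    }

    // Constructed in-memory store; a real deployment would back this with IAM or a database
    static final Map<String, Account> ACCOUNTS = new HashMap<>();

    // Store only a per-user salted, iterated SHA-256 of the password, never the clear text
    static void addAccount(String user, String clearPassword, String... roles) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hex = new Sha256Hash(clearPassword, salt, HASH_ITERATIONS).toHex();
        ACCOUNTS.put(user, new Account(hex, salt, new HashSet<>(Arrays.asList(roles))));
    }

    // Same shape as the realm in the thread, but with HashedCredentialsMatcher switched on
    static final class HashedRealm extends AuthorizingRealm {
        HashedRealm() {
            setName("awsiamaccounts");
            setAuthenticationTokenClass(UsernamePasswordToken.class);
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);   // must equal what addAccount used
            matcher.setStoredCredentialsHexEncoded(true); // we stored toHex() output
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = ((UsernamePasswordToken) token).getUsername();
            Account account = ACCOUNTS.get(user);
            if (account == null) return null; // single realm: Shiro raises UnknownAccountException
            // Handing back the salt lets the matcher hash the submitted char[] exactly as addAccount did
            return new SimpleAuthenticationInfo(user, account.passwordHashHex, account.salt, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = (String) principals.fromRealm(getName()).iterator().next();
            Account account = ACCOUNTS.get(user);
            // These role names are what @RequiresRoles("administrator") is checked against
            return account == null ? null : new SimpleAuthorizationInfo(account.roles);
        }
    }

    // One login attempt, reduced to a verdict string so each outcome is easy to inspect
    static String attempt(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            boolean admin = subject.hasRole("administrator");
            subject.logout();
            return admin ? "authenticated, administrator" : "authenticated, not administrator";
        } catch (UnknownAccountException e) {
            return "unknown account";
        } catch (IncorrectCredentialsException e) {
            return "wrong password";
        }
    }

    public static void main(String[] args) {
        // Constructed sample users
        addAccount("donkey", "correct horse battery staple", "administrator");
        addAccount("guest", "guest-pass");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedRealm()));
        System.out.println("donkey, right password: " + attempt("donkey", "correct horse battery staple"));
        System.out.println("guest, right password:  " + attempt("guest", "guest-pass"));
        System.out.println("donkey, wrong password: " + attempt("donkey", "not-the-password"));
        System.out.println("unknown user:           " + attempt("nobody", "whatever"));
    }
}
```

Running it with Adam's realm and mock DAO substituted for HashedRealm and ACCOUNTS isolates the DAO and matcher from the Tapestry page flow, which is where the thread's eventual bug turned out to be.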

On Tue, Nov 8, 2016 at 10:16 AM, Adam X <[hidden email]> wrote:


Re: Tynamo Security w/ custom Realm

Adam X
Hi Kyle,

Thanks for taking a look. Indeed, I made the assumption that
SimpleCredentialsMatcher is used by default, but as part of my
troubleshooting I explicitly set it. doGetAuthenticationInfo is
invoked for sure, because my logs show it (I also stepped thru with
the debugger):

[WARN] org.tynamo.security.services.SecurityModule.RememberMeManager
(buildRememberMeManager:111) - Symbol 'security.remembermecipherkey'
is not set, using 'tapestry.hmac-passphrase' as the cipher. Beware
that changing the value will invalidate rememberMe cookies
[ERROR] org.apache.tapestry5.modules.AssetsModule.AssetSource
(invoke:237) - Packaging of classpath assets has changed in release
5.4; Assets should no longer be on the main classpath, but should be
moved to 'META-INF/assets/' or a sub-folder. Future releases of
Tapestry may no longer support assets on the main classpath.
[WARN] org.apache.tapestry5.modules.AssetsModule.AssetSource
(invoke:245) - Classpath asset '/org/tynamo/security/img/login-bg.png'
should be moved to folder
'/META-INF/assets/security/org/tynamo/security/img/'.
[DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
(getUser:444) - userId: donkey
[DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
(getUserPassword:451) - userId: donkey

As you can see my mock dao is correctly being called and it is
returning the correct password because I saw it in the debugger.

Am I instantiating SimpleAuthenticationInfo correctly? This API is all
new to me (never worked with Shiro) so I'm learning as I go.

Also, here is what my AppModule contribution looks like:

    @Contribute(WebSecurityManager.class)
    public static void addRealms(Configuration<Realm> configuration,
                                 @Inject @FromFactory UserManagementDao dao) {
        Realm realm = new FooBarCoreRealm(dao);
        configuration.add(realm);
    }

Obviously replaced company name with FooBar etc.

Adam

On Tue, Nov 8, 2016 at 7:55 PM, Kalle Korhonen
<[hidden email]> wrote:

Re: Tynamo Security w/ custom Realm

Adam X
So I set org.apache.shiro to DEBUG level and discovered that Shiro is
actually correctly authenticating but for some reason displays
"Unauthorized" page:

[DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
(getUser:444) - userId: donkey
[DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
(getUserPassword:451) - userId: donkey
[DEBUG] org.apache.shiro.realm.AuthenticatingRealm
(getAuthenticationInfo:569) - Looked up AuthenticationInfo [donkey]
from doGetAuthenticationInfo
[DEBUG] org.apache.shiro.realm.AuthenticatingRealm
(cacheAuthenticationInfoIfPossible:507) - AuthenticationInfo caching
is disabled for info [donkey].  Submitted token:
[org.apache.shiro.authc.UsernamePasswordToken - donkey,
rememberMe=false].
[DEBUG] org.apache.shiro.authc.credential.SimpleCredentialsMatcher
(equals:95) - Performing credentials equality check for
tokenCredentials of type [[C and accountCredentials of type
[java.lang.String]
[DEBUG] org.apache.shiro.authc.credential.SimpleCredentialsMatcher
(equals:101) - Both credentials arguments can be easily converted to
byte arrays.  Performing array equals comparison
[DEBUG] org.apache.shiro.authc.AbstractAuthenticator
(authenticate:233) - Authentication successful for token
[org.apache.shiro.authc.UsernamePasswordToken - donkey,
rememberMe=false].  Returned account [donkey]
[DEBUG] org.apache.shiro.subject.support.DefaultSubjectContext
(resolveSecurityManager:102) - No SecurityManager available in subject
context map.  Falling back to SecurityUtils.getSecurityManager()
lookup.
[DEBUG] org.apache.shiro.subject.support.DefaultSubjectContext
(resolveSecurityManager:102) - No SecurityManager available in subject
context map.  Falling back to SecurityUtils.getSecurityManager()
lookup.
[DEBUG] org.apache.shiro.web.servlet.SimpleCookie
(addCookieHeader:226) - Added HttpServletResponse Cookie
[rememberMe=deleteMe; Path=/bip; Max-Age=0; Expires=Tue, 08-Nov-2016
12:28:52 GMT]
[DEBUG] org.apache.shiro.mgt.AbstractRememberMeManager
(onSuccessfulLogin:290) - AuthenticationToken did not indicate
RememberMe is requested.  RememberMe functionality will not be
executed for corresponding account.
[DEBUG] org.apache.shiro.realm.AuthorizingRealm
(getAuthorizationCacheLazy:234) - No authorizationCache instance set.
Checking for a cacheManager...
[DEBUG] org.apache.shiro.realm.AuthorizingRealm
(getAuthorizationCacheLazy:242) - CacheManager
[MemoryConstrainedCacheManager with 0 cache(s)): []] has been
configured.  Building authorization cache named
[awsiamaccounts.authorizationCache]

So I must have a misconfiguration somewhere but am stuck as I can't
figure out where. I just thought that tapestry-security automagically
handles redirect after login. My page is very simple:

@RequiresRoles("administrator")
public class Contact {
}


On Tue, Nov 8, 2016 at 8:30 PM, Adam X <[hidden email]> wrote:

Re: Tynamo Security w/ custom Realm

Adam X
Hello All - just want to say everything in Shiro was configured ok.
The bug was in the implementation of my mock dao.

All works nicely

On Wed, Nov 9, 2016 at 2:49 PM, Adam X <[hidden email]> wrote: