shiro

Apache shiro implied permissions

十年热恋 submitted on 2019-12-13 07:34:56
Question: If a user has a permission user:edit:1 and I'm using the annotation driven @RequiresPermissions("user:edit") why is shiro throwing an exception? Shouldn't that permission be implied by the fact that they have user:edit:1? If I put @RequiresPermissions("user:edit:1") then it works fine but during the context of operation I won't know what 1 is yet so that will be checked later in the method, but I'd like to avoid going into the method at all if they don't have the user:edit permission at all

Securing Rest Service Resources Using Apache Shiro

六眼飞鱼酱① submitted on 2019-12-13 07:21:12
Question: I'm trying to secure my rest services written using dropwizard by Apache Shiro. First I initialized the security manager in the main method.
    Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
    SecurityManager securityManager = factory.getInstance();
    SecurityUtils.setSecurityManager(securityManager);
Then I wrote a service for user login.
    if (!currentUser.isAuthenticated()) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token

How to detect whether a URI is allowed by Shiro or extract controller name from URI

我怕爱的太早我们不能终老 submitted on 2019-12-13 02:37:47
Question: I have a URI such as someController/someAction?param1=aa&param2=bb. Is there some method of Grails that can extract the controller name and action name from this URI? Or does Shiro have any method to detect whether this URI is permitted? I have a domain Menu(name,url), and now want to get the menu list which is permitted for the current user. URLs such as /auth/login (may be mapped as user:login), /user/login. So 2 days ago I asked this question. Now I changed the menu to (name,controller,action,param), and filter the

Plain password and encrypted password doesn't match in Shiro

本秂侑毒 submitted on 2019-12-13 02:26:24
Question:
    public void doRegister() throws SQLException {
        String password = "test";
        PasswordService dps = new DefaultPasswordService();
        String temp = dps.encryptPassword(password);
        System.out.println("AAAA " + dps.passwordsMatch(password, temp));
    }
This outputs AAAA false. What is the problem?
Answer 1: I solved the problem. My default locale is TR_tr. When I run the program without changing the default locale it outputs false. But when I run the program as below (it sets the default locale to ENGLISH) it

Customize/Extend Spring's @Async support for shiro

試著忘記壹切 submitted on 2019-12-13 01:57:42
Question: I'm using Spring's @EnableAsync feature to execute methods asynchronously. For security I'm using Apache Shiro. In the code that is executed asynchronously I need to have access to the Shiro subject that was attached to the thread that triggered the async call. Shiro supports using an existing subject in a different thread by associating the subject with the Callable that is to be executed on the different thread (see here): Subject.associateWith(Callable) Unfortunately I don't have direct

Shiro filter authentication user error when user have logged in

北战南征 submitted on 2019-12-13 01:27:06
Question: When I'm using AJAX and attempt to login I get a server response code 200 but when I try to access another URL, the Shiro filter always intercepts my request. I'm configuring the filter in the spirng-shiro.xml. This shows the user access, login is ok but the other url gets a 302: get list url
    function loginUser() {
        axios.post(`${FOO_API}/login`, { name: "foo", passwd: "123456" });
        console.log("1");
    }
    function getUserIndex() {
        axios.get(`${FOO_API}/list`);
    }
Server controller, redundant code

Java – efficient, database-aware instance-level authorization?

我的未来我决定 submitted on 2019-12-12 12:23:39
Question: In a JPA app I have a scenario in which the app is to list all accounts the given user is authorized to withdraw from. I have the Account entity and a many-to-many table that lists what authorizations each user has on each account – to implement the above scenario, the app currently just inner-joins the two tables – which is quite quick. Now, I was planning to add an explicit authorization layer (based on apache shiro / spring security / other) to insulate authorization-related logic from the

How to check that user has already logged in using Apache Shiro?

梦想的初衷 submitted on 2019-12-12 09:18:22
Question: The question is very simple. I'd like to restrict user access with same login from different machines/browsers: only one live user session is possible. Apache Shiro library is used for user authentication and management. Of course this could be done using simple synchronized maps and etc. But the question is: Has Apache Shiro special mechanisms for that or not? Another variant of this question: how to receive the list of all subjects who are logged in the system using Apache Shiro? UPD: To

Shiro grails plugin - config

孤人 submitted on 2019-12-12 09:02:33
Question: Setting up shiro session cache with ehcache+terracotta, putting these configs in config.groovy -
    security.shiro.sessionDAO = "org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"
    // This name matches a cache name in ehcache.xml:
    security.shiro.sessionDAO.activeSessionsCacheName = "shiro-activeSessionsCache"
    security.shiro.securityManager.sessionManager.sessionDAO = "org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"
    // Configure The EhCacheManager:
    security.shiro.cacheManager

Social authentication with Apache Shiro

余生长醉 submitted on 2019-12-12 08:52:29
Question: What is the best way to integrate social authentication with Apache Shiro? I've searched this site as well as other sites and couldn't find an answer.
Answer 1: You can have a look at this tutorial: http://mrdwnotes.wordpress.com/2011/11/28/using-apache-shiro-security-to-allow-login-via-facebook-part-2/ It explains how to use Shiro to allow Facebook authentication.
Answer 2: I would recommend using the official extension: https://github.com/bujiio/buji-pac4j which supports OAuth (Facebook, Twitter, Google...), CAS,