How to configure Apache Shiro properly and get proper results?

Vishal Srivastav

Ranch Hand

Posts: 48

I like...

posted 13 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Hi Friends,

I am trying to use apache shiro into my project as I have to create a role based mechanism into my project. I created a demo project with following configurations...

I created following files into my project -
index.jsp

login.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
	pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Shiro Web Test : Login Page</title>
</head>
<body>

<%! String errorMessage = null; %>
	<% 
		errorMessage = (String) request.getAttribute("shiroLoginFailure");
		if (errorMessage != null) { %>
			<font color="red">Invalid Login: ${errorMessage}</font><br/>
			<font color="black"><h3>Enter login information...</h3></font>
	<% } else { %>
		<font color="black"><h3>Enter login information...</h3></font>
	<% } %>

<form action="loginTest.do" method="POST">
		<table>
 			<tr>
 				<td>Username:</td>
 				<td><input type="text" name="username" placeholder="username" /></td>
 			</tr>
 			<tr>
 				<td>Password:</td>
 				<td><input type="password" name="password" placeholder="password" /></td>
 			</tr>
 		</table>
		<input type="checkbox" value="true" name="rememberMe" />Remember Me?<br />
		<input type="submit" value="Sign In" />
	</form>
</body>
</html>

success.jsp

denied.jsp

logout.jsp

showUser.jsp

My shiro.ini configuration is as follows -

I am using a servlet LoginTestServlet.java to dispatch to login.jsp page or success.jsp after authentication is successful/unsuccessful -

public class LoginTestServlet extends HttpServlet {
	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		generateResponse(request, response);
	}

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		generateResponse(request, response);
	}
	protected void generateResponse(HttpServletRequest request, HttpServletResponse response) 
		throws IOException, ServletException {
		UserCredentials user = new UserCredentials();
		user.setUserName(request.getParameter("username"));
		user.setPassword(request.getParameter("password"));
		
		if (user.getUserName() != null && user.getPassword() != null) {
			Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
			SecurityManager securityManager = factory.getInstance();
			SecurityUtils.setSecurityManager(securityManager);
			Subject currentUser = SecurityUtils.getSubject();
			
			UsernamePasswordToken token = new UsernamePasswordToken(user.getUserName(), user.getPassword());
			
			try {
				currentUser.login(token);
				Session session = currentUser.getSession();
				session.setAttribute("user", user.getUserName());
			} catch (UnknownAccountException uae) {
//				uae.printStackTrace();
				request.setAttribute("shiroLoginFailure", uae.getMessage());
				System.err.println("Exception type: " + uae.getClass().getName());
				System.err.println("Error due to: " + uae.getMessage());
		    } catch (IncorrectCredentialsException iae) {
//		    	iae.printStackTrace();
		    	request.setAttribute("shiroLoginFailure", iae.getMessage());
		    	System.err.println("Exception type: " + iae.getClass().getName());
		    	System.err.println("Error due to: " + iae.getMessage());
		    } catch (LockedAccountException lae) {
//		    	lae.printStackTrace();
		    	request.setAttribute("shiroLoginFailure", lae.getMessage());
		    	System.err.println("Exception type: " + lae.getClass().getName());
		    	System.err.println("Error due to: " + lae.getMessage());
		    } catch (AuthenticationException ae) {
		    	request.setAttribute("shiroLoginFailure", ae.getMessage());
		    	System.err.println("Exception type: " + ae.getClass().getName());
		    	System.err.println("Error due to: " + ae.getMessage());
//		    	ae.printStackTrace();
		    } catch (Exception e) {
		    	request.setAttribute("shiroLoginFailure", e.getMessage());
		    	System.err.println("Exception type: " + e.getClass().getName());
		    	System.err.println("Error due to: " + e.getMessage());
//		    	e.printStackTrace();
		    }
			
			RequestDispatcher view = null;
			
			if (currentUser.isAuthenticated()) {
				view = request.getRequestDispatcher("success.jsp");
				view.forward(request, response);
			} else {
				view = request.getRequestDispatcher("login.jsp");
				view.forward(request, response);
			}
		}
	}//end of generateResponse()

}//end of class

I am using TOMCAT 6.0.

My problem is -
1. Whenever I am trying to enter credentials at login.jsp page, its automatically taking me to the respective page for the credentials I enter. Ex., if I try to enter ROLE_MEMBER credentials after clicking for success.jsp, its taking me to success.jsp page. But if I try to enter ROLE_ADMIN after clicking for same success.jsp, its automatically taking me to secret.jsp as per the servlet code written instead of going to denied.jsp.
2. How to make a generic code without writing a separate servlet for each resource to show login success or denied page?

Also, is there any way to create custom permissions in shiro for every resource? If yes, then how. If there is any link to this, I would be grateful to you.

Thanks all.

Vishal Srivastava, Software Engineer (Android), Paradigm Creatives
SCJP 5, SCWCD 5 - http://in.linkedin.com/in/srivastavavishal

Don't get me started about those stupid light bulbs.