I am constructing my own AuthorizingRealm subclass, and am having a tough time wiring it up to my SecurityManager.
The essence of my realm:
public class MyRealm extends AuthorizingRealm {
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
try {
// My custom logic here
} catch(Throwable t) {
System.out.println(t.getMessage());
}
SimpleAuthenticationInfo authn = new SimpleAuthenticationInfo(new MyUser(), "somePassword");
return authn;
}
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
try {
// My custom logic here
} catch(Throwable t) {
System.out.println(t.getMessage());
}
return new SimpleAuthorizationInfo();
}
}
Then in my 'shiro.ini':
# =======================
# Shiro INI configuration
# =======================
[main]
myRealm = com.me.myapp.security.MyRealm
Then in my Driver class/main method (that I'm using for testing):
public class Driver {
public static void main(String[] args) {
Driver d = new Driver();
d.test();
}
public void test() {
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
UsernamePasswordToken token = new UsernamePasswordToken("", "");
token.setRememberMe(true);
System.out.println("Shiro props:");
System.out.println(securityManager.getProperties());
Subject currentUser = SecurityUtils.getSubject()
try {
currentUser.login(token)
println "I think this worked!"
} catch (UnknownAccountException uae) {
println "Exception: ${uae}"
} catch (IncorrectCredentialsException ice) {
println "Exception: ${ice}"
} catch (LockedAccountException lae) {
println "Exception: ${lae}"
} catch (ExcessiveAttemptsException eae) {
println "Exception: ${eae}"
} catch (AuthenticationException ae) {
println "Exception: ${ae}"
}
}
}
When I run this I get:
Shiro props:
[class:class org.apache.shiro.mgt.DefaultSecurityManager, cacheManager:null, subjectFactory:org.apache.shiro.mgt.DefaultSubjectFactory#6a2b8b42, authorizer:org.apache.shiro.authz.ModularRealmAuthorizer#50c3d082, realms:[com.me.myapp.security.MyRealm#67ae303a], subjectDAO:org.apache.shiro.mgt.DefaultSubjectDAO#5ce06503, rememberMeManager:null, authenticator:org.apache.shiro.authc.pam.ModularRealmAuthenticator#1007d798, sessionManager:org.apache.shiro.session.mgt.DefaultSessionManager#72db4460]
Exception: org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - , rememberMe=true]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
So it looks like its reading my shiro.ini because its picking up the correct realm, but MyRealm doesn't do anything except stub out dummy users that should authenticated regardless of the username/password supplied. Any ideas as to where I'm going awry?
add this to your shiro.ini: securityManager.realms = $myRealm then in your Driver class
UsernamePasswordToken token = new UsernamePasswordToken("", "somePassword");
instead of an empty passowrd.
I think this worked!
I have not done this myself, but here are a couple of things you can try:
If you don't need authorization logic, consider subclassing AuthenticatingRealm instead of AuthorizingRealm
In method doGetAuthenticationInfo, consider using this code:
SimpleAuthenticationInfo authn = new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), "myRealm");
You seem to have created a Realm properly but have not told the SecurityManager that it is one the realms to be used. In that way, it is just another object created in the main section of shiro.ini.
To tell Shiro's SecurityManager that it needs to use myRealm as a Realm, you need to add this to your shiro.ini:
securityManager.realms = $myRealm
Related
I am attempting to implement a login step with a REST API using the Serenity Screenplay Pattern. For this to work I need to be able to grab a JWT token that was returned from one Task, and use it to authenticate other tasks. I know how to do this in theory. Please consider the following Groovy code.
class ActorInTheSpotlight {
String actor
String token
#Step("{0} is an actor using the system under test")
ActorInTheSpotlight whoIsNamed(String actor) {
this.actor = actor
theActorCalled(actor)
return this
}
#Step("#actor who can authenticate with credentials")
ActorInTheSpotlight whoCanAuthenticateWith(String email, String password) {
theActor().whoCan(Authenticate.withCredentials(email, password))
return this
}
#Step("#actor who can call the admin API")
ActorInTheSpotlight whoCanCallTheAdminApi() {
theActor().whoCan(CallAnApi.at("http://localhost:3000"))
return this
}
#Step("#actor was able to login to API with credentials")
ActorInTheSpotlight wasAbleToLoginToApi() {
return wasAbleTo(LoginWithApi.usingCredentials())
}
ActorInTheSpotlight wasAbleTo(Performable... todos) {
theActor().wasAbleTo(todos)
return this
}
}
class LoginWithApi implements Task {
#Shared
ActorInTheSpotlight theActor
static LoginWithApi usingCredentials() {
return instrumented(LoginWithApi.class);
}
#Step("{0} logs into api using credentials")
<T extends Actor> void performAs(T actor) {
def auth = Authenticate.asPrincipal(actor)
actor.attemptsTo(
// NOTE: PostToApi is an alias for Post, renaming `with` to `withRequest`
// so that Groovy does not attempt to match it to the default `with(Closure closure)`
PostToApi.at("/login").withRequest({ RequestSpecification req ->
req.header("Content-Type", "application/json")
.body([email: auth.email, password: auth.password])
})
)
}
}
class AdminApiStepDefinitions {
#Shared
ActorInTheSpotlight theActor
#Before
void set_the_stage(){
OnStage.setTheStage(new OnlineCast())
}
#Given(/^that "([^"]*)" is an Admin who may call the rest api$/)
void is_an_admin_who_may_call_the_rest_api(String actor) {
theActor.whoIsNamed(actor)
.whoCanCallTheAdminApi()
}
#Given(/^s?he was able to login to the api with the credentials$/)
void was_able_to_login_to_the_api_with_the_credentials(Map<String, String> credentials) {
def email = credentials.get('email')
def password = credentials.get('password')
theActor
.whoCanAuthenticateWith(email, password)
.wasAbleToLoginToApi()
}
}
So, in theory, I should be able to share the ActorInTheSpotlight steps between tasks, using it to store/retrieve my JWT token. I also see that I can grab the token value like so:
String token = SerenityRest.lastResponse()
.jsonPath()
.getObject("token", String.class);
The problem is that I'm not exactly sure where to put this code within the context of the step definitions. Should I implement the retrieving of this token as its own step, or is there a way to hide this implementation detail within the LoginToApi task itself?
Thanks for your time!
Update
Here is the Authenticate ability class, which would probably be a good place to implement this functionality, but the same timing issues as above still apply. IE, how would I update an ability "mid-flight" so that it's available at the correct time for consuption in other tasks.
class Authenticate implements Ability {
String email
String password
// instantiates the Ability and enables fluent DSL
static Authenticate withCredentials(String email, String password) {
return new Authenticate(email, password)
}
// NOTE: custom exception class not shown
static Authenticate asPrincipal(Actor actor) throws CannotAuthenticateException {
// complain if someone's asking the impossible
if(!actor.abilityTo(Authenticate.class)){
throw new CannotAuthenticateException(actor.getName())
}
return actor.abilityTo(Authenticate.class)
}
Authenticate(String email, String password) {
this.email = email
this.password = password
}
}
Update 2
I was able to implement this as its own step, but I really dislike my implementation details leaking into the step definitions like this. I would except any answer that allows me to implement this without the was_able_to_get_a_valid_jwt_token step shown below.
note: only showing additions to original code
class ActorInTheSpotlight {
#Step("#actor has a valid JWT token")
ActorInTheSpotlight whoHasTheToken(String token) {
this.token = token
theActor().whoCan(AuthenticateApi.withToken(token))
return this
}
}
class AuthenticateApi implements Ability {
String token
static AuthenticateApi withToken(String token) {
return new AuthenticateApi(token)
}
static AuthenticateApi asPrincipal(Actor actor) throws CannotAuthenticateException {
// complain if someone's asking the impossible
if(!actor.abilityTo(AuthenticateApi.class)){
throw new CannotAuthenticateException(actor.getName())
}
return actor.abilityTo(AuthenticateApi.class)
}
static <T extends Actor> void attempt(final T actor, final RequestSpecification req) {
AuthenticateApi auth = null
try {
auth = AuthenticateApi.asPrincipal(actor)
}
catch(CannotAuthenticateException e) {
// swallow error
}
if(auth) {
req.header("Authorization", "Bearer ${auth.token}")
}
}
AuthenticateApi(String token) {
this.token = token
}
}
class AdminApiStepDefinitions {
// This is what I want to get rid of!
#Given(/^s?he was able to get a valid JWT token$/)
void was_able_to_get_a_valid_jwt_token() {
theActor.whoHasTheToken(SerenityRest.lastResponse().jsonPath()
.getObject("token", String.class))
}
}
And here is an example of a Task using the JWT token to authenticate requests:
class ApiGet implements Task {
static ApiGet from(String resource) {
return instrumented(ApiGet.class, resource)
}
String resource
ApiGet(String resource) {
this.resource = resource
}
#Step("{0} attempts to GET #resource")
<T extends Actor> void performAs(T actor) {
actor.attemptsTo(
// NOTE: GetFromApi is an alias for Get, renaming `with` to `withRequest`
// so that Groovy does not attempt to match it to the default `with(Closure closure)`
GetFromApi.at(resource).withRequest({ RequestSpecification req ->
AuthenticateApi.attempt(actor, req)
req.header("Content-Type", "application/json")
})
)
}
}
Well it doesn't seem very thread safe, but none of this really is, so... meh. Here is what I came up with.
class AdminApiStepDefinitions {
#Given(/^s?he was able to login to the api with the credentials$/)
void was_able_to_login_to_the_api_with_the_credentials(Map<String, String> credentials) {
def email = credentials.get('email')
def password = credentials.get('password')
theActor
.whoCanAuthenticateWith(email, password)
.wasAbleToLoginToApi()
theActor.whoHasTheToken(SerenityRest.lastResponse().jsonPath().getString("token"))
}
}
I have the following code inside MyDataService.svc.cs (This is an example from DevExpress):
namespace MyDataService {
[System.ServiceModel.ServiceBehavior(IncludeExceptionDetailInFaults = true)]
[JSONPSupportBehavior]
public class DataService : DataService<TestDataEntities>, IServiceProvider {
public static void InitializeService(DataServiceConfiguration config) {
config.SetEntitySetAccessRule("*", EntitySetRights.AllRead);
config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V3;
}
public object GetService(Type serviceType) {
if (serviceType == typeof(IDataServiceStreamProvider)) {
return new ImageStreamProvider();
}
return null;
}
protected override void OnStartProcessingRequest(ProcessRequestArgs args) {
CustomBasicAuth.Authenticate(HttpContext.Current);
if (HttpContext.Current.User == null)
throw new DataServiceException(401, "Invalid login or password");
base.OnStartProcessingRequest(args);
}
}
}
So while this is will check the Entity for a username and password, how safe is it that config.SetEntitySetAccessRule is set to AllRead. Wouldn't someone just be able to see this information on a url such as www.website.com/MyDataService.svc/Customer (where Customer is the table). If this is not so can someone please fill in the conceptual gap I am facing. Thanks!
You are correct that all entities will be returned when queried - AllRead just disallows insert updates and deletes.
You will need to use Query Interceptor to add your logic to restrict users to the set of data they have permission to view, for example adding a check user id to the query.
I wanted to debug the Seed() method in my Entity Framework database configuration class when I run Update-Database from the Package Manager Console but didn't know how to do it. I wanted to share the solution with others in case they have the same issue.
Here is similar question with a solution that works really well.
It does NOT require Thread.Sleep.
Just Launches the debugger using this code.
Clipped from the answer
if (!System.Diagnostics.Debugger.IsAttached)
System.Diagnostics.Debugger.Launch();
The way I solved this was to open a new instance of Visual Studio and then open the same solution in this new instance of Visual Studio. I then attached the debugger in this new instance to the old instance (devenv.exe) while running the update-database command. This allowed me to debug the Seed method.
Just to make sure I didn't miss the breakpoint by not attaching in time I added a Thread.Sleep before the breakpoint.
I hope this helps someone.
If you need to get a specific variable's value, a quick hack is to throw an exception:
throw new Exception(variable);
A cleaner solution (I guess this requires EF 6) would IMHO be to call update-database from code:
var configuration = new DbMigrationsConfiguration<TContext>();
var databaseMigrator = new DbMigrator(configuration);
databaseMigrator.Update();
This allows you to debug the Seed method.
You may take this one step further and construct a unit test (or, more precisely, an integration test) that creates an empty test database, applies all EF migrations, runs the Seed method, and drops the test database again:
var configuration = new DbMigrationsConfiguration<TContext>();
Database.Delete("TestDatabaseNameOrConnectionString");
var databaseMigrator = new DbMigrator(configuration);
databaseMigrator.Update();
Database.Delete("TestDatabaseNameOrConnectionString");
But be careful not to run this against your development database!
I know this is an old question, but if all you want is messages, and you don't care to include references to WinForms in your project, I made some simple debug window where I can send Trace events.
For more serious and step-by-step debugging, I'll open another Visual Studio instance, but it's not necessary for simple stuff.
This is the whole code:
SeedApplicationContext.cs
using System;
using System.Data.Entity;
using System.Diagnostics;
using System.Drawing;
using System.Windows.Forms;
namespace Data.Persistence.Migrations.SeedDebug
{
public class SeedApplicationContext<T> : ApplicationContext
where T : DbContext
{
private class SeedTraceListener : TraceListener
{
private readonly SeedApplicationContext<T> _appContext;
public SeedTraceListener(SeedApplicationContext<T> appContext)
{
_appContext = appContext;
}
public override void Write(string message)
{
_appContext.WriteDebugText(message);
}
public override void WriteLine(string message)
{
_appContext.WriteDebugLine(message);
}
}
private Form _debugForm;
private TextBox _debugTextBox;
private TraceListener _traceListener;
private readonly Action<T> _seedAction;
private readonly T _dbcontext;
public Exception Exception { get; private set; }
public bool WaitBeforeExit { get; private set; }
public SeedApplicationContext(Action<T> seedAction, T dbcontext, bool waitBeforeExit = false)
{
_dbcontext = dbcontext;
_seedAction = seedAction;
WaitBeforeExit = waitBeforeExit;
_traceListener = new SeedTraceListener(this);
CreateDebugForm();
MainForm = _debugForm;
Trace.Listeners.Add(_traceListener);
}
private void CreateDebugForm()
{
var textbox = new TextBox {Multiline = true, Dock = DockStyle.Fill, ScrollBars = ScrollBars.Both, WordWrap = false};
var form = new Form {Font = new Font(#"Lucida Console", 8), Text = "Seed Trace"};
form.Controls.Add(tb);
form.Shown += OnFormShown;
_debugForm = form;
_debugTextBox = textbox;
}
private void OnFormShown(object sender, EventArgs eventArgs)
{
WriteDebugLine("Initializing seed...");
try
{
_seedAction(_dbcontext);
if(!WaitBeforeExit)
_debugForm.Close();
else
WriteDebugLine("Finished seed. Close this window to continue");
}
catch (Exception e)
{
Exception = e;
var einner = e;
while (einner != null)
{
WriteDebugLine(string.Format("[Exception {0}] {1}", einner.GetType(), einner.Message));
WriteDebugLine(einner.StackTrace);
einner = einner.InnerException;
if (einner != null)
WriteDebugLine("------- Inner Exception -------");
}
}
}
protected override void Dispose(bool disposing)
{
if (disposing && _traceListener != null)
{
Trace.Listeners.Remove(_traceListener);
_traceListener.Dispose();
_traceListener = null;
}
base.Dispose(disposing);
}
private void WriteDebugText(string message)
{
_debugTextBox.Text += message;
Application.DoEvents();
}
private void WriteDebugLine(string message)
{
WriteDebugText(message + Environment.NewLine);
}
}
}
And on your standard Configuration.cs
// ...
using System.Windows.Forms;
using Data.Persistence.Migrations.SeedDebug;
// ...
namespace Data.Persistence.Migrations
{
internal sealed class Configuration : DbMigrationsConfiguration<MyContext>
{
public Configuration()
{
// Migrations configuration here
}
protected override void Seed(MyContext context)
{
// Create our application context which will host our debug window and message loop
var appContext = new SeedApplicationContext<MyContext>(SeedInternal, context, false);
Application.Run(appContext);
var e = appContext.Exception;
Application.Exit();
// Rethrow the exception to the package manager console
if (e != null)
throw e;
}
// Our original Seed method, now with Trace support!
private void SeedInternal(MyContext context)
{
// ...
Trace.WriteLine("I'm seeding!")
// ...
}
}
}
Uh Debugging is one thing but don't forget to call:
context.Update()
Also don't wrap in try catch without a good inner exceptions spill to the console.
https://coderwall.com/p/fbcyaw/debug-into-entity-framework-code-first
with catch (DbEntityValidationException ex)
I have 2 workarounds (without Debugger.Launch() since it doesn't work for me):
To print message in Package Manager Console use exception:
throw new Exception("Your message");
Another way is to print message in file by creating a cmd process:
// Logs to file {solution folder}\seed.log data from Seed method (for DEBUG only)
private void Log(string msg)
{
string echoCmd = $"/C echo {DateTime.Now} - {msg} >> seed.log";
System.Diagnostics.Process.Start("cmd.exe", echoCmd);
}
i have written a small grails webapp. I am using milton.io to access some content via webdav.
So webdav is still working and i am able to put, get, delete files - and so on.
But now i want to add authentication and authorization. And here is the problem:
The Resource Interface gives me 2 methods:
Object authenticate(String user, String password);
boolean authorise(Request request, Request.Method method, Auth auth);
So my Resource classes implements the Resource Interface, but the method authenticate is never called by the framework. Do i have to implement Auth Basic by my self?
My knowledge about milton is very poor. May be i forgot something, cause my webdav client (e.g. cadaver) never asks for a username / password.
Thanks for any help
Peter Waver
Signature of my Resource Classes:
class SResource implements GetableResource, PropFindableResource, Resource, DeletableResource, MoveableResource, ReportableResource, CopyableResource
class SFileResource extends SResource implements ReplaceableResource
class SFolderResource extends SResource implements PutableResource, MakeCollectionableResource, CollectionResource
And here is the builder to get the HttpManager
class SMiltonConfig implements MiltonConfigurator {
protected HttpManagerBuilder builder;
protected List<Initable> initables;
protected HttpManager httpManager;
public SMiltonConfig(){
try {
// Attempt to use Enterprise edition build if available
Class builderClass = Class.forName("io.milton.ent.config.HttpManagerBuilderEnt");
builder = (HttpManagerBuilder) builderClass.newInstance();
println ("load Ent. HTTP Manager")
} catch (InstantiationException ex) {
builder = new HttpManagerBuilder();
println ("load Std. HTTP Manager")
} catch (IllegalAccessException ex) {
println ("load Std. HTTP Manager")
builder = new HttpManagerBuilder();
} catch (ClassNotFoundException ex) {
println ("load Std. HTTP Manager")
builder = new HttpManagerBuilder();
}
}
#Override
public HttpManager configure(Config arg0) throws ServletException {
ResourceFactory rf = new SResourceFactory();
builder.setMainResourceFactory(rf);
checkAddInitable(initables, builder.getMainResourceFactory());
httpManager = builder.buildHttpManager();
for( Initable i : initables ) {
i.init(config, httpManager);
}
return httpManager;
}
#Override
public void shutdown() {
httpManager.shutdown()
for( Initable i : initables ) {
i.destroy(httpManager);
}
}
private void checkAddInitable(List<Initable> initables, Object o) {
if( o instanceof Initable) {
initables.add((Initable)o);
} else if( o instanceof List ) {
for( Object o2 : (List)o) {
checkAddInitable(initables, o2);
}
}
}
}
And here the ResourceFactory
class SResourceFactory implements ResourceFactory {
def fileSystemService
public SResourceFactory(){
println "loading resource Factory"
def ctx = ServletContextHolder.servletContext.getAttribute(GrailsApplicationAttributes.APPLICATION_CONTEXT)
fileSystemService = ctx.fileSystemService
}
#Override
public Resource getResource(String host, String strPath)
throws NotAuthorizedException, BadRequestException {
SResource sfr
sfr = fileSystemService.getFolderByPath(strPath)
return sfr
}
}
If you need Basic Auth - you have to enable it. So add the following line to the config method of the SMiltonConfig Class.
builder.setEnableOptionsAuth(true); // enables auth
builder.setEnableBasicAuth(true); // optional
Here'S an example of the Resource authorise Method
#Override
public boolean authorise(Request r, Method m, Auth a) {
return a != null;
}
Hope it helps
Florian Pfann
In my MVC 2 project, I originally used Ninject 2 and wrote this version of the NinjectControllerFactory:
public class NinjectControllerFactory : DefaultControllerFactory
{
private IKernel kernel = new StandardKernel(new HandiGamerServices());
protected override IController GetControllerInstance(System.Web.Routing.RequestContext requestContext, Type controllerType)
{
try
{
if (controllerType == null)
{
return base.GetControllerInstance(requestContext, controllerType);
// return null;
}
}
catch (HttpException ex)
{
if (ex.GetHttpCode() == 404)
{
IController errorController = kernel.Get<ErrorController>();
((ErrorController)errorController).InvokeHttp404(requestContext.HttpContext);
return errorController;
}
else
{
throw ex;
}
}
return (IController)kernel.Get(controllerType);
}
Of most importance is the retrieval of my ErrorController, which allows me to gracefully handle a multitude of HTTP errors.
The problem is that I upgraded to the MVC 2 extension via Nuget, so a NinjectControllerFactory is already provided. Would it be possible to use my own override of GetControllerInstance? If so, how?
I do exactly this, and for precisely the same reason. In Global.asax.cs, I add this to my OnApplicationStarted override (declared virtual in NinjectHttpApplication):
ControllerBuilder.Current.SetControllerFactory(
new MyControllerFactory(ControllerBuilder.Current.GetControllerFactory()));
This means you're creating your own controller factory, but providing it with the default implementation to do the heavy lifting.
Then define your controller factory like so:
public class MyControllerFactory : IControllerFactory
{
private IControllerFactory defaultFactory;
public MyControllerFactory(IControllerFactory defaultFactory)
{
this.defaultFactory = defaultFactory;
}
public IController CreateController(RequestContext requestContext, string controllerName)
{
try
{
var controller = defaultFactory.CreateController(requestContext, controllerName);
return controller;
}
catch (HttpException e)
{
// Pasted in your exception handling code here:
if (ex.GetHttpCode() == 404)
{
IController errorController = kernel.Get<ErrorController>();
((ErrorController)errorController).InvokeHttp404(requestContext.HttpContext);
return errorController;
}
else
{
throw ex;
}
}
}
public SessionStateBehavior GetControllerSessionBehavior(RequestContext requestContext, string controllerName)
{
return defaultFactory.GetControllerSessionBehavior(requestContext, controllerName);
}
public void ReleaseController(IController controller)
{
defaultFactory.ReleaseController(controller);
}
}
As you can see, we're just using the default (Ninject) controller factory for most purposes unless it can't find the page. For obtaining the error controller, you can either pass in the kernel as you were already doing, or just call defaultFactory.CreateController using the error controller name.