Question

我正在将一些代码从Glassfish 4.1移植到Wildfly 10，并且在Shiro / CDI和java.security.Principal之间出现问题。

import java.security.Principal;
import javax.enterprise.context.SessionScoped;
import javax.inject.Inject;
import javax.inject.Named;

// simple user interface
public interface User {
  public String getId();
}

// user bean
@Named("user")
@SessionScoped
public class UserBean implements User, Serializable {

  private Principal principal;

  @Inject
  private void initialise(Principal principal) {
    this.principal = principal;
  }

  @Override
  public String getId() {
    return principal.getName();
  }

}

// auth filter runs after shiro filters
public class AuthFilter implements javax.servlet.Filter {

  @Inject
  private User user;

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    log.debug("doFilter: user={}", user.getId());
    ...
  }

}

会发生什么：

用户请求安全页面。
Shiro拦截并重定向到登录页面。
用户输入凭据（用户名= admin）并提交页面。
Shiro验证并重定向到原始页面。
调用Auth过滤器，并记录用户主体名称。

问题是在Glassfish中，记录的主要名称是从登录页面提交的（正确）名称。然而，Wildfly似乎仍然拥有匿名用户。查看日志，它们对于两个系统都是相同的，包括Shiro验证用户ID的第4行：Authentication successful for token ... admin。只有最后一行是不同的：

-- both
[org.apache.shiro.realm.AuthenticatingRealm] AuthenticationInfo caching is disabled for info [admin].  Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (127.0.0.1)].
[org.apache.shiro.authc.credential.SimpleCredentialsMatcher] Performing credentials equality check for tokenCredentials of type [[C and accountCredentials of type [java.lang.String]
[org.apache.shiro.authc.credential.SimpleCredentialsMatcher] Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
[org.apache.shiro.authc.AbstractAuthenticator] Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (127.0.0.1)].  Returned account [admin]
[org.apache.shiro.subject.support.DefaultSubjectContext] No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
[org.apache.shiro.mgt.DefaultSecurityManager] Context already contains a session.  Returning.
[org.apache.shiro.subject.support.DefaultSubjectContext] No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
[org.apache.shiro.web.servlet.SimpleCookie] Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/tools; Max-Age=0; Expires=Sun, 01-May-2016 10:24:02 GMT]
[org.apache.shiro.mgt.AbstractRememberMeManager] AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.

-- glassfish
[com.example.servlet.AuthFilter] doFilter: user=admin

-- wildfly
[com.example.servlet.AuthFilter] doFilter: user=anonymous

Java EE 7 Tutorial似乎说我要做的是有效的：

每当访问注入的主体时，它总是代表当前来电者的身份。

所以我对这里的失败感到有些失落。

谢谢，

Answer 1

尝试使用： @Resource主要负责人; 代替。

https://docs.oracle.com/javaee/7/tutorial/cdi-adv004.htm

Shiro / CDI在Glassfish上注入安全主体，但在Wildfly上没有

1 个答案: