[aerogear-dev] aerogear security and android

Bruno Oliveira bruno at abstractj.org
Mon Apr 7 13:00:25 EDT 2014


Hi Marcelo, that example is not fully complete; it was just to showcase that the same could be achieved without AG Security. Also, I strongly recommend you change and adapt it to your real scenario.

I did the test to reproduce the issue here (https://github.com/abstractj/example-jaxrs-shiro):

- Register Lisa and Bart
curl -3 -v -b cookies.txt -c cookies.txt -H "Accept: application/json" -H "Content-type: application/json" -d '{"loginName":"bart","password":"123"}' -X POST http://localhost:8080/example-jaxrs-shiro/rest/auth/enroll
curl -3 -v -b cookies.txt -c cookies.txt -H "Accept: application/json" -H "Content-type: application/json" -d '{"loginName":"lisa","password":"123"}' -X POST http://localhost:8080/example-jaxrs-shiro/rest/auth/enroll

- Log in with Lisa and Bart
curl -3 -v -b cookies.txt -c cookies.txt -H "Accept: application/json" -H "Content-type: application/json" -d '{"loginName":"bart","password":"123"}' -X POST http://localhost:8080/example-jaxrs-shiro/rest/auth/login
curl -3 -v -b cookies.txt -c cookies.txt -H "Accept: application/json" -H "Content-type: application/json" -d '{"loginName":"lisa","password":"123"}' -X POST http://localhost:8080/example-jaxrs-shiro/rest/auth/login


Maybe the session is not being closed during logout, not sure. For Shiro specifics, please ask at http://shiro-user.582556.n2.nabble.com

--  
abstractj

On April 7, 2014 at 1:24:03 PM, marceloheck (marceloheck at gmail.com) wrote:
> Hello, sorry, I will try to explain.
>  
> I changed the jaxrs-shiro project to run on WildFly 8.0.0.Final:
>  
> removed the interface IdentityManagement
>  
> interceptor jar web.xml
>  
>  
> org.jboss.aerogear.security.interceptor.SecurityInterceptor  
>  
>  
> and changed IdentityManagementImpl
>  
>  
> @ShiroSecurity // for Secure.java
> @Default
> @ApplicationScoped
> public class IdentityManagementImpl implements IdentityManagement {
>  
>     @Override
>     public boolean hasRoles(Set roles) {
>         return subject.hasAllRoles(roles);
>     }
> ...
>  
> I changed service/
>  
> @GET
> @Path("/bacon")
> @Produces(MediaType.APPLICATION_JSON)
> @Secure("simple")
> public List bacons() {
>     return Arrays.asList(new String[]{"bacon", "Jowl", "Canadian",
>             "Speck", "Pancetta"});
> }
>  
> @GET
> @Path("/livre")
> @Produces(MediaType.APPLICATION_JSON)
> public List livre() {
>     return Arrays.asList(new String[]{"livre", "Jowl", "Canadian",
>             "Speck", "Pancetta"});
> }
>  
> @GET
> @Path("/cerveja")
> @Produces(MediaType.APPLICATION_JSON)
> @Secure("admin")
> public List beers() {
>     return Arrays.asList(new String[]{"cerveja", "California",
>             "Michigan", "Ireland", "British"});
> }
>  
>  
> My problem is in the login and authorization service.
>  
> I log in (mar has role "simple"):
> curl -3 -v -b cookies.txt -c cookies.txt -H "Accept: application/json" -H "Content-type: application/json" -d '{"loginName":"mar","password":"123"}' -X POST http://localhost:8080/appteste/rest/auth/login
> HTTP 200: Authorized
> curl -b --cookie -v -X GET http://localhost:8080/appteste/rest/list/bacon
> HTTP 401: Unauthorized
> curl -b --cookie -v -X GET http://localhost:8080/appteste/rest/list/cerveja
> and it is ok
> but
> On another PC:
> I log in (adm has role "adm"):
> curl -3 -v -b cookies.txt -c cookies.txt -H "Accept: application/json" -H "Content-type: application/json" -d '{"loginName":"adm","password":"123"}' -X POST http://localhost:8080/appteste/rest/auth/login
> HTTP 200: Authorized
> curl -b --cookie -v -X GET http://localhost:8080/appteste/rest/list/cerveja
> HTTP 401: Unauthorized
> curl -b --cookie -v -X GET http://localhost:8080/appteste/rest/list/bacon
> is ok
>  
> Now I request again as user mar, and mar cannot access the REST endpoint.
>  
> Two users cannot log in to one application.
>  
> On mobile too.
>  
> --
> View this message in context: http://aerogear-dev.1069024.n5.nabble.com/aerogear-security-and-android-tp6703p7397.html
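One thing the quoted code makes worth checking: `IdentityManagementImpl` is `@ApplicationScoped` and answers `hasRoles` from a `subject` field. A single application-scoped instance has one such field for every request of every user, so whichever login wrote it last is the user it describes. The program below is an added example, not code from the jaxrs-shiro project or from anyone in this thread. It uses the Shiro core API with an in-memory Ini realm and plays out the scenario from the quoted message: two clients, each with its own session id (the equivalent of its own cookie jar), checked once through a Subject cached in a shared field and once through `SecurityUtils.getSubject()` resolved per request. The class and method names (`CachedSubjectIdentity`, `PerRequestIdentity`, `beginRequest`, `endRequest`) and the users, passwords and roles are constructed for the demonstration.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collection;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/**
 * Two ways of answering "does the caller have these roles?": a Subject kept in a
 * field of one shared (application-scoped) instance, versus the Subject that Shiro
 * binds to the thread handling the current request.
 */
public class SubjectScopeDemo {

    /** Stand-in for an application-scoped bean that stores the Subject in a field. */
    static class CachedSubjectIdentity {
        Subject subject; // hypothetical field: one value, shared by every caller

        boolean hasRoles(Collection<String> roles) {
            return subject != null && subject.hasAllRoles(roles);
        }
    }

    /** Same check, but the Subject is looked up for the request at hand. */
    static class PerRequestIdentity {
        boolean hasRoles(Collection<String> roles) {
            return SecurityUtils.getSubject().hasAllRoles(roles);
        }
    }

    /** Constructed in-memory realm with the two roles used in the thread. */
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("mar", "123, simple"); // value format: password, role, role...
        users.put("adm", "123, admin");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** Start of one HTTP request: rebuild the Subject from the client's session cookie, if any. */
    static Subject beginRequest(Serializable sessionId) {
        Subject.Builder builder = new Subject.Builder();
        if (sessionId != null) {
            builder.sessionId(sessionId);
        }
        Subject subject = builder.buildSubject();
        ThreadContext.bind(subject); // what Shiro's servlet filter does per request
        return subject;
    }

    /** End of the request: nothing user-specific may stay on the thread. */
    static void endRequest() {
        ThreadContext.remove();
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        CachedSubjectIdentity cached = new CachedSubjectIdentity();
        PerRequestIdentity perRequest = new PerRequestIdentity();
        Collection<String> simple = Arrays.asList("simple");
        Collection<String> admin = Arrays.asList("admin");

        // Client A logs in as mar and keeps its session id, as its cookie jar would.
        Subject a = beginRequest(null);
        a.login(new UsernamePasswordToken("mar", "123"));
        Serializable cookieA = a.getSession().getId();
        cached.subject = a;
        endRequest();

        // Client B, on another machine, logs in as adm; the shared field is overwritten.
        Subject b = beginRequest(null);
        b.login(new UsernamePasswordToken("adm", "123"));
        Serializable cookieB = b.getSession().getId();
        cached.subject = b;
        endRequest();

        // Client A comes back with its own cookie and calls the @Secure("simple") resource.
        beginRequest(cookieA);
        System.out.println("mar per-request simple=" + perRequest.hasRoles(simple));
        System.out.println("mar cached      simple=" + cached.hasRoles(simple)); // field now holds adm
        endRequest();

        // Client B comes back and calls the @Secure("admin") resource.
        beginRequest(cookieB);
        System.out.println("adm per-request admin=" + perRequest.hasRoles(admin));
        System.out.println("adm cached      admin=" + cached.hasRoles(admin)); // agrees only because adm logged in last
        endRequest();
    }
}
```

Run with shiro-core on the classpath (assumed to be a 1.x release, where `IniSecurityManagerFactory` is available). The per-request checks pass for both clients, because each request rebuilds its Subject from its own session id. The cached checks describe adm on both requests, so client A's `simple` check fails after client B logs in, which is the shape of the symptom in the quoted message; resolving the Subject per request, as `PerRequestIdentity` does, removes that coupling. When reproducing with curl, give each user its own `-c`/`-b` file: a login written into a jar that already holds the other user's session cookie replaces it. Note also that curl's `-b` takes the cookie file name as its argument, so `-b --cookie` reads a file literally named `--cookie` rather than the jar written at login.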