Apache Shiro 和 Google Guice:将依赖项注入领域
我使用 Jersey 开发了一个 REST API,并希望使用 Google Guice 进行依赖注入,并使用 Apache Shiro 作为安全框架。
对于身份验证,我创建了一个自定义领域,我必须向其中注入一个连接到 EntityManager 的自定义身份验证器。
但是,依赖项不会注入到 Realm 中。 我猜想 shiro.ini (我必须在其中定义使用的领域)不是由 guice 管理的。
如何将依赖项注入 Apache Shiro,特别是注入到使用的 Realm 中?
我的 web.xml 只有一个映射到 guice 的过滤器
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>guiceFilter</filter-name>
<filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>guiceFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>GuiceServletConfig</listener-class>
</listener>
</web-app>
我的 GuiceServletConfig 配置所有依赖项,包括 CustomRealm
public class GuiceServletConfig extends GuiceServletContextListener {
@Override
protected Injector getInjector() {
return Guice.createInjector(new DbModule(), new JerseyServletModule() {
@Override
protected void configureServlets() {
// ...
// CustomRealm is only used when i use it as an eager singleton
bind(CustomRealm.class).asEagerSingleton();
bind(org.apache.shiro.web.servlet.IniShiroFilter.class).in(Singleton.class);
filter("/*").through(org.apache.shiro.web.servlet.IniShiroFilter.class);
serve("/api/*").with(GuiceContainer.class);
}
});
}
}
shiro ini 仅定义领域
[main]
myRealm = CustomRealm
[users] # for testing
root = secret,admin
[roles] # for testing
admin = *
[urls]
/api/** = authcBasic
I develop a rest api with Jersey and want to use Google Guice for Dependency Injection and Apache Shiro as a security framwork.
For Authentication i created a custom Realm to which I have to inject an custom Authenticator which is connected to the EntityManager.
However the dependency is not injected into the Realm.
I guess that shiro.ini (in which I have to define the used realm) is not managed by guice.
How can I inject dependencies into Apache Shiro, especially into the used Realm?
My web.xml only has a filter mapped to guice
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>guiceFilter</filter-name>
<filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>guiceFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>GuiceServletConfig</listener-class>
</listener>
</web-app>
My GuiceServletConfig configures all dependencies including the CustomRealm
public class GuiceServletConfig extends GuiceServletContextListener {
@Override
protected Injector getInjector() {
return Guice.createInjector(new DbModule(), new JerseyServletModule() {
@Override
protected void configureServlets() {
// ...
// CustomRealm is only used when i use it as an eager singleton
bind(CustomRealm.class).asEagerSingleton();
bind(org.apache.shiro.web.servlet.IniShiroFilter.class).in(Singleton.class);
filter("/*").through(org.apache.shiro.web.servlet.IniShiroFilter.class);
serve("/api/*").with(GuiceContainer.class);
}
});
}
}
The shiro ini only defines the realm
[main]
myRealm = CustomRealm
[users] # for testing
root = secret,admin
[roles] # for testing
admin = *
[urls]
/api/** = authcBasic
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
Apache Shiro 的 INI 配置非常适合许多用例,但如果您拥有 Spring 或 Guice 等 IoC 框架的全部功能,通常最好直接在 IoC 机制中配置所有 Shiro。 Shiro 的 Spring 集成就是一个很好的例子: http://shiro.apache.org/spring.html< /a> 建议对 Guice 环境执行几乎相同的操作。
如果您不想这样做而宁愿继续使用 INI,Shiro 有一个 RealmFactory 概念。
您可以创建一个 RealmFactory 实现,它与您的 Guice 环境进行通信并“拉取”您的 Guice 配置的 Realm。然后在 Shiro INI 中定义 RealmFactory 实现:
但是请注意,Shiro 的 INI 仅支持通过 RealmFactory 从 INI 外部获取 Realm 实例 - 所有其他引用的对象必须在 INI 中定义。您可能想打开 Shiro Jira 问题来请求超出领域的更一般的 Factory 支持。
最终,因为 Guice 比 INI 更强大,所以建议如果可能的话,在 Guice 中配置 Shiro 中的所有内容(SecurityManager、领域、ShiroFilter 等)
Apache Shiro's INI configuration is great for many use cases, but if you have the full power of an IoC framework like Spring or Guice, it is usually better to configure all of Shiro within the IoC mechanism directly. Shiro's Spring integration serves as a good example for this: http://shiro.apache.org/spring.html It is recommended to do something nearly identical for Guice environments.
If you don't want to do this and would rather stay with INI, Shiro has a RealmFactory concept.
You can create a RealmFactory implementation that communicates with your Guice environment and 'pulls' your Guice-configured Realm(s). Then you define your RealmFactory implementation in the Shiro INI:
Note however that Shiro's INI only supports acquiring Realm instances from outside of INI via the RealmFactory - all other referenced objects must be be defined in INI. You might want to open a Shiro Jira issue to ask for more general Factory support beyond just realms.
Ultimately, because Guice is more powerful than INI, it is recommended to configure everything in Shiro in Guice if possible (SecurityManager, realms, the ShiroFilter, etc)