On 30/10/2013 3:24 PM, Eric Stein wrote:
> I've got a Jersey API that's protected by Shibboleth, an SSO implementation. Shibboleth puts the id of the logged-in user in a request attribute. On the back end, I'm using Shiro for authorization. Shiro would like to know the logged-in user so it can load up permissions.
>
> What is the correct way to get that userId out of the request attribute and into Shiro? Right now, what I'm trying is:
>
> @Provider
> public final class ShiroLoginFilter implements ContainerRequestFilter {
>
> @Context
> private HttpServletRequest request;
>
> @Override
> public void filter(final ContainerRequestContext requestContext)
> throws IOException {
>
> final String userId = (String) this.request.getAttribute("nameid");
> final Subject subject = SecurityUtils.getSubject();
> subject.login(new LocusAuthenticationToken(userId));
>
> }
> }
>
> Unfortunately, due to JERSEY-1960[1], I can't inject the request context into a filter. Every user needs to "login" in order to load permissions. I'd rather not have to repeat the login code in every method of the API. I am also not permitted to use a web.xml filter (by my boss). Do I have any good option here?
>
> Thanks,
> Eric
>
> [1] https://java.net/jira/browse/JERSEY-1960
>
> (Question also posted to StackOverflow: http://stackoverflow.com/questions/19691753/read-request-attribute-in-a-jersey-containerrequestfilter)
>
>
Eric,
Do you realize that JERSEY-1960 is marked as fixed in Jersey 2.4
(which was recently released)?
Gili