guice3 with jersey + spring security on top


pepperbob

Mar 15, 2012, 4:49:55 AM
to google...@googlegroups.com
I run a web application with guice2 + warp persist (multiple datasources) including Spring Security & Jersey. I'm trying to migrate to guice3 + guice-persist and made the following observation:

Due to the setup, it is required to run the persist filter first, then Spring Security and finally the Jersey-relevant part (via my Guice servlet module). As the warp filter has been set up through web.xml, this has not been a problem so far.

With guice3 the persistence filter is set up in my servlet module, which also takes care of Jersey (jersey-guice integration). This means that I cannot run the Spring Security filter in between, as it needs to be set up via web.xml (and esp. after the persistence filter, as it uses Guice-managed beans).

Any pointers or ideas how this could still work out? The only way I could think of is to decouple Spring Security from the Guice-managed persistence, but I don't really like that. Maybe I should move to Apache Shiro, as there is a Guice integration.

Matías Williams

Mar 19, 2012, 2:33:51 AM
to google...@googlegroups.com
Any answer on this?
I'm having the same problem.

pepperbob

Mar 19, 2012, 7:59:36 AM
to google...@googlegroups.com
Alright, in favor of a better integration I threw away the whole Spring-thing and replaced it with Apache Shiro.

pepperbob

Mar 19, 2012, 8:36:39 AM
to google...@googlegroups.com
If your Spring does not rely on the persistence managed by Guice, it should be sufficient to place the Spring filter before the Guice filter in web.xml.

However, *if it depends* on Guice-managed persistence, the persistence filter would need to span the Spring filter, which would only be possible if you could set up the Spring filter in your Servlet Module, which I don't know how to manage.

Finally, the Shiro approach is way cleaner as there is an existing Guice integration. And it works pretty well.

Matías Williams

Mar 19, 2012, 10:45:06 AM
to google...@googlegroups.com
Do you have to change too much of your code? Because I have JDBC authentication with Spring Security (not working), and I'll want to keep it that way. For example: I have a user that implements UserDetails, and some permits that implement GrantedAuthority. Is there a simple way to get from here to Apache Shiro?
Thanks,
Matias

pepperbob

Mar 21, 2012, 3:33:51 AM
to google...@googlegroups.com
Well, it took me a day or two to get my head around this, esp. as there is sparse documentation about Shiro and Guice. However, as I'm using Jersey's "RolesAllowedResourceFilterFactory" that intercepts resources and methods to check the @RolesAllowed annotation against the SecurityContext, it worked instantly. Of course I had to re-work every part that uses Spring artifacts (UserDetails, GrantedAuthority), but in the end it was worth it: clean code and esp. fewer dependencies and no XML configuration...

I'm gonna write down how I set this up to provide further documentation and a real-life example.

pepperbob

Mar 25, 2012, 6:21:30 AM
to google...@googlegroups.com
I wrote down what's required to get this working as I found the Shiro/Guice Documentation a little too shallow.
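
The filter ordering discussed in this thread (persistence first, then security, then Jersey), sketched for Guice 3 with Shiro's Guice integration. This is an added example, not pepperbob's write-up or code from any poster; the class names `AppServletModule` and `SecurityModule`, the persistence unit `appUnit`, the demo account and the basic-auth chain are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContext;

import com.google.inject.persist.PersistFilter;
import com.google.inject.persist.jpa.JpaPersistModule;
import com.google.inject.servlet.ServletModule;
import com.sun.jersey.guice.spi.container.servlet.GuiceContainer;
import org.apache.shiro.guice.web.GuiceShiroFilter;
import org.apache.shiro.guice.web.ShiroWebModule;
import org.apache.shiro.realm.SimpleAccountRealm;

// Hypothetical module: all three stages are registered in one place,
// so web.xml only needs the single GuiceFilter mapping.
public class AppServletModule extends ServletModule {
    @Override
    protected void configureServlets() {
        install(new JpaPersistModule("appUnit")); // constructed unit name
        // getServletContext() is only non-null when the injector is
        // created from a GuiceServletContextListener.
        install(new SecurityModule(getServletContext()));

        // Guice dispatches filters in the order they are registered here.
        filter("/*").through(PersistFilter.class);    // 1. unit of work opens
        filter("/*").through(GuiceShiroFilter.class); // 2. authn/authz inside it

        // 3. Jersey, with the resource filter that enforces @RolesAllowed.
        Map<String, String> params = new HashMap<String, String>();
        params.put("com.sun.jersey.spi.container.ResourceFilterFactories",
            "com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory");
        serve("/*").with(GuiceContainer.class, params);
    }
}

// Hypothetical Shiro configuration; it binds and exposes GuiceShiroFilter.
class SecurityModule extends ShiroWebModule {
    SecurityModule(ServletContext servletContext) {
        super(servletContext);
    }

    @Override
    @SuppressWarnings("unchecked")
    protected void configureShiroWeb() {
        // Constructed in-memory account. A realm that loads users through
        // the Guice-managed EntityManager would be bound here instead.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("demo", "demo-password", "admin");
        bindRealm().toInstance(realm);
        addFilterChain("/**", AUTHC_BASIC); // require HTTP basic auth everywhere
    }
}
```

Because Shiro wraps the request before Jersey sees it, `isUserInRole` on the servlet request resolves against the Shiro subject, which is what lets the `@RolesAllowed` check work without extra glue.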
