Custom Shiro Plugin issues


Eugene McKissick

Nov 1, 2016, 2:53:08 PM
to Kill Bill users mailing-list
Hello,

I'm trying to create a custom realm for Shiro to authenticate against an external system.  I've successfully got it working, but not sure it is as intended.

I've created a custom realm that extends IniRealm, because the KillBillShiroModule only binds Ini, Jdbc, and Ldap realms. I've used the following dependencies for my realm's communication with Salesforce for authentication.

Dependencies for the jar are below. 
dependencies {
    compile ('org.apache.shiro:shiro-core:1.2.3') {
        exclude group: 'commons-logging', module: 'commons-logging'
    }
    compile 'com.ning:async-http-client:1.9.19'
    compile 'com.fasterxml.jackson.core:jackson-databind:2.4.3'
    compile 'com.fasterxml.jackson.core:jackson-annotations:2.4.3'

    runtime 'org.slf4j:slf4j-simple:1.7.12'
    runtime 'org.slf4j:jcl-over-slf4j:1.7.12'
}

I've installed KillBill via kpm, and so far the only way to get my custom jar to be registered with KillBill is to place the custom.jar in 
/webapps/ROOT/WEB-INF/lib

I would imagine I should be able to put my jar in the tomcat /lib folder, but when I do KillBill fails to start. 

Any thoughts or pointers in the right direction would be appreciated.

Regards,
Eugene

Pierre-Alexandre Meyer

Nov 2, 2016, 7:52:08 AM
to Eugene McKissick, Kill Bill users mailing-list
Hi Eugene,

On Tue, Nov 1, 2016 at 11:53 AM, Eugene McKissick <eugene.m...@gmail.com> wrote:
> I've created a custom realm that extends IniRealm, because the KillBillShiroModule only binds Ini, Jdbc, and Ldap realms.

That makes sense. Maybe we should find a way to make this more extensible (I believe you are the first one with this use-case today). We would gladly accept a PR along these lines (we can talk in more detail if you're interested in contributing).

> I've used the following dependencies for my realm's communication with Salesforce for authentication

All of these dependencies should already be bundled with Kill Bill. It sounds like the Salesforce extension is pretty lightweight? If so, we could also consider integrating it into the core.

> I've installed KillBill via kpm, and so far the only way to get my custom jar to be registered with KillBill is to place the custom.jar in
> /webapps/ROOT/WEB-INF/lib
> I would imagine I should be able to put my jar in the tomcat /lib folder, but when I do KillBill fails to start.

What is the error you are getting?

--
Pierre

Eugene McKissick

Nov 2, 2016, 11:55:01 AM
to Kill Bill users mailing-list, eugene.m...@gmail.com
Hello,


On Wednesday, November 2, 2016 at 7:52:08 AM UTC-4, Pierre-Alexandre Meyer wrote:
> Hi Eugene,
>
> On Tue, Nov 1, 2016 at 11:53 AM, Eugene McKissick <eugene.m...@gmail.com> wrote:
>> I've created a custom realm that extends IniRealm, because the KillBillShiroModule only binds Ini, Jdbc, and Ldap realms.
>
> That makes sense. Maybe we should find a way to make this more extensible (I believe you are the first one with this use-case today). We would gladly accept a PR along these lines (we can talk in more detail if you're interested in contributing).

I'll think about how I would phrase the use case, but I always thought IniRealms were for text-based configuration, and in my case I'm only using it to point to my custom class. I'd definitely be up for talking about the best way of doing this.

>> I've used the following dependencies for my realm's communication with Salesforce for authentication
>
> All of these dependencies should already be bundled with Kill Bill. It sounds like the Salesforce extension is pretty lightweight? If so, we could also consider integrating it into the core.

I tried to make it as lightweight as possible. It's essentially validating an OAuth access token and retrieving the user information via Salesforce's OAuth UserInfo API. If others would find this beneficial I'm all for contributing it, but I'm not sure it's generic or configurable enough for core at this point.

>> I've installed KillBill via kpm, and so far the only way to get my custom jar to be registered with KillBill is to place the custom.jar in
>> /webapps/ROOT/WEB-INF/lib
>> I would imagine I should be able to put my jar in the tomcat /lib folder, but when I do KillBill fails to start.
>
> What is the error you are getting?

So I needed to remote debug my killbill instance to see the exceptions. Is there any way to get the userExceptions from startup to dump to a log? The error I'm getting is below:

java.lang.ClassCastException: com.carfax.security.SalesforceRealm cannot be cast to org.apache.shiro.realm.Realm

However I have the following in the killbill/lib folder
shiro-core-1.2.3.jar
shiro-salesforce-plugin.jar
slf4j-api-1.7.21.jar

The crazy thing is that this works when I place it in the application's lib. My only thought now is that there is another shiro jar I need in the Tomcat Common library.

Regards,
Eugene

Pierre-Alexandre Meyer

Nov 3, 2016, 6:35:24 AM
to Eugene McKissick, Kill Bill users mailing-list
On Wed, Nov 2, 2016 at 8:55 AM, Eugene McKissick <eugene.m...@gmail.com> wrote:
> I'll think about how I would phrase the use case, but I always thought IniRealms were for text-based configuration

Yup, it's for configuration via the shiro.ini file.

> in my case I'm only using it to point to my custom class. I'd definitely be up for talking about the best way of doing this.

We could maybe have a new config option to specify the class name (something along the lines of https://github.com/killbill/killbill-platform/blob/master/osgi/src/main/java/org/killbill/billing/osgi/glue/OSGIDataSourceConfig.java#L109-L112)? The initialization code would simply load it via Class.forName().

> I tried to make it as lightweight as possible. It's essentially validating an OAuth access token and retrieving the user information via Salesforce's OAuth UserInfo API. If others would find this beneficial I'm all for contributing it, but I'm not sure it's generic or configurable enough for core at this point.

I think being able to authenticate against Salesforce Identity would be useful for the overall community (the feature should be generic and doesn't need any custom Salesforce schema). I'll let you be the judge whether your implementation is generic / configurable enough though.

> So I needed to remote debug my killbill instance to see the exceptions. Is there any way to get the userExceptions from startup to dump to a log?

Aren't they in the catalina logs (it's probably outside of killbill.out though because it's so early in the boot process)?

> The error I'm getting is below:
>
> java.lang.ClassCastException: com.carfax.security.SalesforceRealm cannot be cast to org.apache.shiro.realm.Realm

This sounds like a classloader issue. Depending on where you place the jar, I'm guessing the tomcat classloader or the webapp one is used. Not sure what the best practice is though - maybe worth opening a thread with us...@tomcat.apache.org?

--
Pierre
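
Added illustration, not part of the thread and not Kill Bill or Shiro code: the JVM identifies a class by its name together with the classloader that defined it, so a realm built against one copy of the Realm interface fails the cast when the caller sees another copy. The example loads a realm by class name, as in the Class.forName() suggestion above, checks the type before instantiating it, and reports which loader defined each copy. Realm, SalesforceRealm and loadRealm are stand-ins assumed for the example; compile it with javac so the class files exist on disk.

```java
import java.net.URL;
import java.net.URLClassLoader;

// Added illustration, not Kill Bill or Shiro code. Realm and SalesforceRealm are local
// stand-ins for org.apache.shiro.realm.Realm and the poster's realm class.
public class RealmLoaderCheck {
    public interface Realm { String getName(); }

    public static class SalesforceRealm implements Realm {
        public String getName() { return "salesforce"; }
    }

    // Hypothetical helper: load a realm class named in configuration.
    // initialize=false defers static initializers until the type check has passed.
    static Realm loadRealm(String className, ClassLoader loader) throws Exception {
        Class<?> candidate = Class.forName(className, false, loader);
        if (!Realm.class.isAssignableFrom(candidate)) {
            throw new IllegalStateException(describeMismatch(candidate));
        }
        return candidate.asSubclass(Realm.class).getDeclaredConstructor().newInstance();
    }

    // Explains a failed check: same interface name, different defining loader.
    static String describeMismatch(Class<?> candidate) {
        StringBuilder sb = new StringBuilder(candidate.getName())
                .append(" is not a ").append(Realm.class.getName())
                .append(" as seen by ").append(Realm.class.getClassLoader());
        for (Class<?> itf : candidate.getInterfaces()) {
            if (itf.getName().equals(Realm.class.getName())) {
                sb.append("; it implements a copy defined by ").append(itf.getClassLoader());
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = RealmLoaderCheck.class.getClassLoader();
        String name = SalesforceRealm.class.getName();
        System.out.println("same loader: " + loadRealm(name, app).getName());

        // A loader with no application parent re-defines Realm and SalesforceRealm from
        // the same class files, like a second copy of shiro-core on another loader.
        URL here = RealmLoaderCheck.class.getProtectionDomain().getCodeSource().getLocation();
        try (URLClassLoader isolated = new URLClassLoader(new URL[] {here}, null)) {
            loadRealm(name, isolated);
        } catch (IllegalStateException e) {
            System.out.println("second copy: " + e.getMessage());
        }
    }
}
```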

Eugene McKissick

Nov 6, 2016, 9:32:04 AM
to Kill Bill users mailing-list, eugene.m...@gmail.com
The config that specifies the class name for the Realm would be great. Thinking about this more, I really like the idea of having a plugin for Authentication and Authorization. It allows for those non-standard authentication and authorization scenarios to be met in an isolated way. Has that ever been thought of for Killbill?

Regards,
Eugene


Pierre-Alexandre Meyer

Nov 6, 2016, 8:17:58 PM
to Eugene McKissick, Kill Bill users mailing-list
Not really. The in-db configuration (http://docs.killbill.io/0.16/user_management.html#_configuration_of_the_user_role_permissions) is by far the most popular option, and we've seen some deployments with LDAP.

We'd also like to eventually support Okta and Active Directory (both requested in the past).

--
Pierre