Need help with Pac4j integration with vaadin and shiro


frédéric francis

Nov 24, 2015, 6:44:02 AM11/24/15
to pac4j-users
Hi all !!

I'm a bit confused in my development on how to use Pac4j with my setup.

I've got a Vaadin 7 app running, I added Shiro to it to manage security login and authorization.

I'd like to modify my Shiro configuration to be able to log in to the app through OAuth. The ultimate purpose is to use my own OAuth provider (already running), so I already know I'll have to create my own client and stuff.

So the first thing I was gonna try was to create a dummy Google project and OAuth provider in order to just test the login procedure first.

But I'm stuck at that first step. I mean, all the examples I found involved servlets and JSP, but I have no idea how to make the equivalent with Vaadin.

Previously I had a login page that used the Shiro mechanism to log in to the app (meaning I created my own realm to connect to my db and validate user credentials).

Maybe I should look into the filters of my ini file?

Any help would be highly appreciated !!

Thanks


Jérôme LELEU

Nov 24, 2015, 7:09:47 AM11/24/15
to frédéric francis, pac4j-users
Hi,

pac4j is a generic security engine with multiple implementations for J2E, Play, Spring MVC... When it comes to a security library, pac4j becomes an extension (buji-pac4j) to bring the missing support.

I don't know Vaadin, how is the integration with Shiro working? If Vaadin supports J2E filter, you can use the j2e-pac4j library. Maybe we need a vaadin-pac4j specific implementation.

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

frédéric francis

Nov 24, 2015, 7:55:15 AM11/24/15
to pac4j-users, f.fra...@gmail.com
Hi ! 

First thanks for the quick reply ;-) 

So, a quick link to Vaadin: https://vaadin.com/framework. It's a UI framework for Java web applications.

As for the Shiro integration with Vaadin, I just had to add the shiro.ini file as well as a web.xml configuration file to my project, and a bit of implementation to connect to my own db to validate users and retrieve their information (such as roles).

The web.xml basically looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="vaadin-uitest" version="3.0"
        xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

        <display-name>assembly</display-name>

        <context-param>
            <description>Vaadin production mode</description>
            <param-name>productionMode</param-name>
            <param-value>false</param-value>
        </context-param>

        <listener>
            <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
        </listener>

        <filter>
            <filter-name>ShiroFilter</filter-name>
            <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        </filter>

        <!-- Make sure any request you want accessible to Shiro is filtered. /* catches all
             requests. Usually this filter mapping is defined first (before all others) to
             ensure that Shiro works in subsequent filters in the filter chain: -->
        <filter-mapping>
            <filter-name>ShiroFilter</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>INCLUDE</dispatcher>
            <dispatcher>ERROR</dispatcher>
        </filter-mapping>

    </web-app>


Then I had to implement my own realm in order to validate the user connection (with a db request to get the information). And finally, in my login page, I just retrieve the current subject and call the login method.


I tried changing the shiro.ini file with something like this:


    [main]
    Google2Client = org.pac4j.oauth.client.Google2Client
    Google2Client.key = xxx
    Google2Client.secret = xxx

    clients = org.pac4j.core.client.Clients
    clients.callbackUrl = http://localhost:8080/myorpheostudio-ui/
    clients.clientsList = $Google2Client

    clientsFilter = io.buji.pac4j.ClientFilter
    clientsFilter.clients = $clients
    clientsFilter.failureUrl = /error500.jsp

    clientsRealm = io.buji.pac4j.ClientRealm
    clientsRealm.defaultRoles = ROLE_USER
    clientsRealm.clients = $clients

    subjectFactory = io.buji.pac4j.ClientSubjectFactory
    securityManager.subjectFactory = $subjectFactory



In the browser I can see communications with the Google servers (with 302 and 200 codes, which sounds OK) but I cannot get to my views, with a nice error like: "Failed to load the bootstrap javascript: ./VAADIN/vaadinBootstrap.js?v=7.5.7"



I'm a bit lost on where I should start looking...


Thanks 

Jérôme LELEU

Nov 24, 2015, 8:40:46 AM11/24/15
to frédéric francis, pac4j-users
Hi,

OK. So you can use J2E filters from the j2e-pac4j library. See the README: https://github.com/pac4j/j2e-pac4j, it should be straightforward.

Taken from https://github.com/pac4j/j2e-pac4j-demo. Protect a URL:

    <filter>
        <filter-name>FacebookFilter</filter-name>
        <filter-class>org.pac4j.j2e.filter.RequiresAuthenticationFilter</filter-class>
        <init-param>
        <param-name>clientName</param-name>
        <param-value>FacebookClient</param-value>
        </init-param>
        <init-param>
            <param-name>configFactory</param-name>
            <param-value>org.pac4j.demo.j2e.config.DemoConfigFactory</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>FacebookFilter</filter-name>
        <url-pattern>/facebook/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

With a callback URL to make it work:

    <filter>
        <filter-name>callbackFilter</filter-name>
        <filter-class>org.pac4j.j2e.filter.CallbackFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>callbackFilter</filter-name>
        <url-pattern>/callback</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

And the configuration for Google:

    import org.pac4j.core.client.Clients;
    import org.pac4j.core.config.Config;
    import org.pac4j.core.config.ConfigFactory;
    import org.pac4j.oauth.client.Google2Client;

    public class DemoConfigFactory implements ConfigFactory {

        @Override
        public Config build() {
            // OAuth client registered at Google; the callback URL must match the CallbackFilter mapping
            final Google2Client googleClient = new Google2Client("key", "secret");
            final Clients clients = new Clients("http://localhost:8080/callback", googleClient);
            // The Config hands the clients to the pac4j filters
            final Config config = new Config(clients);
            return config;
        }
    }

Enable DEBUG logs on org.pac4j...

Thanks.
Best regards,
Jérôme
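As an added example (not code from the thread or from the j2e-pac4j demo), here is a complete ConfigFactory of the same shape as the one above, but with the OAuth key and secret read from environment variables instead of being hardcoded, and a startup check so a missing credential fails at deployment rather than at the first login. The package name, the environment variable names and the pac4j 1.8 package layout (org.pac4j.core.config) are assumptions.

```java
package org.pac4j.demo.j2e.config; // hypothetical package, matching the configFactory init-param above

import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.config.ConfigFactory;
import org.pac4j.oauth.client.Google2Client;

/**
 * Builds the pac4j Config shared by RequiresAuthenticationFilter and CallbackFilter.
 * Added example; assumes pac4j 1.8.x class names and the environment variable names below.
 */
public class DemoConfigFactory implements ConfigFactory {

    // Assumed environment variable names: the credentials never live in source, web.xml or the war.
    private static final String KEY_VAR = "GOOGLE_OAUTH_KEY";
    private static final String SECRET_VAR = "GOOGLE_OAUTH_SECRET";

    // Must match both the CallbackFilter url-pattern (/callback) and the redirect URI
    // registered at the provider, scheme and host included; plain http is for local development only.
    private static final String CALLBACK_URL = "http://localhost:8080/callback";

    @Override
    public Config build() {
        final Google2Client googleClient = new Google2Client(require(KEY_VAR), require(SECRET_VAR));
        // The client's default name is its simple class name ("Google2Client"); that is the value
        // the protecting filter's clientName init-param has to reference.
        final Clients clients = new Clients(CALLBACK_URL, googleClient);
        return new Config(clients);
    }

    // Fail fast at container startup instead of surfacing a broken redirect to the first user.
    static String require(final String name) {
        final String value = System.getenv(name);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }
}
```

With this in place, the web.xml filters above stay unchanged; only the configFactory init-param has to name this class. Rotating the secret then means changing the environment of the servlet container, not rebuilding the application.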


frédéric francis

Nov 24, 2015, 10:09:54 AM11/24/15
to pac4j-users, f.fra...@gmail.com
Jerome, you're a master !! 

Thanks a lot for the orientation, I successfully plugged my app into Google OAuth.

Now my next step is to implement my own client, hope it's gonna be smooth !

Thanks a lot for your help again...

Fred

Jérôme LELEU

Nov 24, 2015, 10:15:04 AM11/24/15
to frédéric francis, pac4j-users
You're welcome.

You should take a look at the documentation to create your client: https://github.com/pac4j/pac4j/wiki/Clients#creating-your-own-client ...

Best regards,
Jérôme

frédéric francis

Nov 25, 2015, 9:47:12 AM11/25/15
to Jérôme LELEU, pac4j-users
Hi Jerome, 

Thanks for the tip, I think I managed to build my client, at least the beginning of it.

I have another quick question, you might have some info. 

In my current Vaadin application, I was using Shiro through a security manager that initialises Shiro with the shiro.ini file; the initialisation of the class looks like this:

    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.DefaultSecurityManager;
    import org.apache.shiro.mgt.SecurityManager;

    private static final String INI_RESOURCE_PATH = "classpath:shiro.ini";

    private static SecurityManager securityManager = managerFromIni();

    private static SecurityManager managerFromIni() {
        // Build the SecurityManager (realms, filters, subject factory) from shiro.ini on the classpath
        IniSecurityManagerFactory iniSecurityManagerFactory = new IniSecurityManagerFactory(INI_RESOURCE_PATH);
        DefaultSecurityManager manager = (DefaultSecurityManager) iniSecurityManagerFactory.getInstance();
        return manager;
    }


So I wonder if I could define my client in the shiro.ini file instead of using the ConfigFactory. 

I'm also a bit confused about my realm, but I'll look at that later.

Thanks again !!

Fred




frédéric francis

Nov 25, 2015, 9:54:11 AM11/25/15
to pac4j-users, lel...@gmail.com
In fact I'd rather say that I'm a bit confused between using j2e-pac4j and buji-pac4j.

Because the OAuth mechanism seems to work well with j2e-pac4j, but I lose the connection with Shiro...

And when I look at buji-pac4j, the configuration looks a bit more like what we wanted to achieve...



Jérôme LELEU

Nov 26, 2015, 11:29:53 AM11/26/15
to frédéric francis, pac4j-users
Hi,

If you use Shiro (shiro filter in your web.xml), you must use a shiro.ini file with clients defined inside.

Thanks.
Best regards,
Jérôme

Jérôme LELEU

Nov 26, 2015, 1:23:47 PM11/26/15
to frédéric francis, pac4j-users
Hi,

Shiro is a security library with minimal dependencies and J2E web integration. You can use it in any J2E application and there are integrations for several frameworks. It's fairly easy.

pac4j was born as a generic authentication delegation engine (for OAuth, CAS...), meant to be used in Shiro or CAS. I had in mind to create something easier than other security frameworks (Shiro but above all Spring Security). As it was generic enough, it started to fit in other frameworks: ratpack, Vertx, Spring Security, Sparkjava...

Then, people started asking why it didn't support LDAP and pac4j v1.8 was born to support most authentication mechanisms (for web services and UI) and authorizations, following the same guidelines whatever the implementation.

So j2e-pac4j is a full security library on its own, with a security model: direct / indirect clients, authorizers, RequiresAuthenticationFilter to protect URLs and CallbackFilter to handle remote authentications. You can use it alone without Shiro. And if you moved to Spring Web MVC, you could keep your pac4j configuration and use very similar mechanisms: a RequiresAuthenticationInterceptor and a CallbackController.

buji-pac4j does not bring authorization support, nor direct client support (let's say web services, LDAP authentication...). It only adds remote authentication support (CAS, OAuth, SAML...) on top of Shiro, reusing the concepts of Shiro: realm, filters... You cannot use it without Shiro.

Hope it makes things clearer.

Thanks.
Best regards,
Jérôme