gmane.comp.apache.shiro.devel

June board report due

Les Hazlewood — 2013-06-13T20:28:55

Hi team,

I created an initial draft here:

http://svn.apache.org/repos/asf/shiro/board/2013-06.txt

If anyone has any updates or suggestions, please feel free to discuss.
 Otherwise,
I'll submit the board report sometime tonight or tomorrow at the latest.

Thanks,

Les

Unknown session exception while doing login / logout in case of a timedout session

Moksedul Alam — 2013-06-06T12:50:57

Hi,

We are having a problem when login and/or logout a user whose session is 
expired. If a user session, managed by shiro is expired, when logout of 
the user of login from a different place an UnknownSessionException is 
thrown. From the stacktraces we have an impression that, the 
authentication completes completely but there are some post login/logout 
tasks which try to retrieve the old expired session causing this exception.

We are using shiro 1.2.2.

I have found some threads regarding this
http://shiro-user.582556.n2.nabble.com/UnknownSessionException-when-calling-logout-method-using-Shiro-s-built-in-session-management-td7578804.html
http://shiro-user.582556.n2.nabble.com/What-might-cause-an-UnknownSessionException-td7578179.html

It would be nice, if someone could suggest a workaround.

Thanks and Best Regards,
/Dewan

[ANNOUNCE] Apache Shiro 1.2.2 Released

Les Hazlewood — 2013-05-31T01:05:29

Dear Apache Shiro Community,

The Apache Shiro team is pleased to announce the release of Apache
Shiro version 1.2.2. This is the second bug fix point release after
1.2.0.

This release includes 18 bug fixes [1] since the 1.2.1 release and is
available for Download [2] now.

All binaries (.jars) are available in Maven Central already. Please
note that the Apache mirrors are still updating to reflect the source
distribution, and some mirrors may not be updated yet. If a mirror
download link does not work, please try another or wait another 12 to
24 hours.

For more information on Shiro 1.2, please read the “What’s new in
Apache Shiro 1.2?” article [3] or the previous 1.2 release
announcement [4].

Cheers,

The Apache Shiro Team

[1] https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950&version=12323469
[2] http://shiro.apache.org/download.html
[3] http://www.stormpath.com/blog/whats-new-apache-shiro-12
[4] http://shiro.apache.org/2012/01/24/apache-shiro-120-released.html

Initial steps toward 2.0

Les Hazlewood — 2013-05-12T00:18:27

Hi dev team,

I made the following initial changes in SVN to facilitate kickstarting
development on Shiro 2.x:

1.  I moved (using 'svn move' to retain version history) the existing
trunk to a new 1.x branch located here:
https://svn.apache.org/repos/asf/shiro/branches/1.x

If we ever feel the need to release a 1.3 version before 2.0, this is
the branch where that work would exist (also continuously merging any
bugfixes from 1.2.x into 1.x).

2.  I copied (using 'svn copy') this 1.x branch to what is now the
trunk here: https://svn.apache.org/repos/asf/shiro/trunk

3.  I'll be updating the poms to reflect version 2.alpha.0-SNAPSHOT

I suspect we'll want to make some alpha and then beta releases before
we release 2.0.0 final.  If you guys have any concerns or ideas about
the versioning scheme, please discuss.

4.  I'll start extracting config-specific things (Ini-specific
configuration mechanisms, etc) to a separate config module.  Please
review (and edit)
https://cwiki.apache.org/confluence/display/SHIRO/Version+2+Brainstorming
with any additional ideas related to this effort so we can discuss.

All of the above actions are based on our previous 'Spring Cleaning'
thread discussion so I don't think anyone would have issues with this.
 They are easily reversible however, so let me know if you have
concerns.

Thanks,

Les

[VOTE] Release Apache Shiro 1.2.2

Les Hazlewood — 2013-05-11T23:00:19

This is a call to vote in favor of releasing Apache Shiro version
1.2.2.  This is a bug fix point release for the previous 1.2.0 and
1.2.1 releases.

The 18 issues solved for 1.2.2 (all bugs):
https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%20%221.2.2%22

The tag to be voted upon:
https://svn.apache.org/repos/asf/shiro/tags/shiro-root-1.2.2/

Staging repo for binaries:
https://repository.apache.org/content/repositories/orgapacheshiro-005/

Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/
and maven static generated site (for informational purposes, not to be
voted upon):
people.apache.org:/www/shiro.apache.org/static/1.2.2

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for 72 hours. Please do examine the source and binaries before voting.

[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

Remember Me cookie validity

cdeep — 2013-05-01T08:25:34

How long is the default Shiro remember me cookie valid? Is there an option to
set any predefined period?



--
View this message in context: http://shiro-developer.582600.n2.nabble.com/Remember-Me-cookie-validity-tp7577974.html
Sent from the Shiro Developer mailing list archive at Nabble.com.

WebDelegatingSubject bug or my mistake?

MA Xinglin — 2013-04-28T07:29:50

Dear admin, 

In web context, I hope to get a WebDelegatingSubject, but always DelegatingSubject.
my config:
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">  
<property name="securityManager" ref="securityManager" />  
<property name="loginUrl" value="/common/login" /> 
<property name="successUrl" value="/mainhome" />
<property name="unauthorizedUrl" value="/loginfail" />
<property name="filterChainDefinitions">   
<value>
/** = anon
</value>  
</property> 
</bean>  

<bean id="shiroSessionListener" class="pccw.common.bean.ShiroSessionListener"></bean> 
<bean id="shiroRealm" class="pccw.common.service.ShiroService"/>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">  
<property name="sessionManager" ref="sessionManager" />
<property name="realm" ref="shiroRealm" />  
</bean>
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="sessionListeners" ref="shiroSessionListener" />    
</bean>

 <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
    <property name="securityManager" ref="securityManager"/>
</bean>
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>

pccw.common.bean.ShiroSessionListener:
public class ShiroSessionListener extends SessionListenerAdapter {
< at >Override
public void onExpiration(Session session) {
super.onExpiration(session);
}

< at >Override
public void onStart(Session session) {
super.onStart(session);
Subject subject = SecurityUtils.getSubject(); //subject is DelegatingSubject, I think it should be WebDelegatingSubject, why? miss DefaultWebSubjectContext?
System.out.println(WebUtils.isWeb(subject)); // is false , I think is is true

//but the follow "ws" is WebDelegatingSubject not DelegatingSubject, I think is's ok!
Subject ws = SecurityUtils.getSecurityManager().createSubject(new DefaultWebSubjectContext());
System.err.println("ws type: " + s.getClass().getName() );
}

< at >Override
public void onStop(Session session) {
super.onStop(session);
}

Sorry for my bad English! I am not sure that it is a bug or my mistake. please help me. 
Thank you very much!

Best Regards.

MA Xinglin
_____________________________
Tel : (8620) 3832 0123 - 139
E-mail : Xing-lin.Ma< at >pccw.com

suggested values for missing cache data.

Claude Warren — 2013-04-25T08:56:17

I am working with an implementation of Cache for which the underlying
storage does not provide access to the underlying size, key list or value
collection.

Are there recommended default values for size.

Currently we are returning 0 for size, but perhaps -1 would indicate that
the value is not available?  Any hints in this area would be appreciated.

are the key list and value collection required for shiro to function
properly?

Shiro Spring Cleaning!

Les Hazlewood — 2013-04-20T19:45:22

Ahhh - April.  Spring is in the air, and it's time to clean up shop a
little IMO :)

I'd like to do the following as soon as we're able:

1. Release 1.2.2
2. Change our website to use a new content tool (see below)
3. Start in earnest on Shiro 2.x

Here's how I view these things - feedback/discussion welcome:

1)

We'll be able to release 1.2.2 soon.  I've committed a decent amount
of community-contributed bug fixes this week (thanks to everyone for
those), and there's just a few more.  Any other point-revision
backwards and forwards binary compatibility changes should go in here.
 Anything that breaks backwards *and* forwards binary compatibility
can't go in here.

But this pretty much requires #2 since we'll need to update our site
to reflect the release:

2)

First thing's first:  Apache has shut down the Confluence -> HTML ->
prod server deployment pipeline, so we currently have *no* way to ship
edited or new content to our website at the moment.  That means we
need to put something in place asap.  We can't effectively release
1.2.2 without updating site content to indicate it has been released.

Now, I know that Apache has created their new CMS, but I've found it a
bear to work with.  Here's an example: have fun setting up/modifying
our site's templates when you have to deal with stuff like this:

http://svn.apache.org/repos/asf/zookeeper/site/trunk/lib/view.pm

I can't make sense of this stuff at all, nor do I want to dust off
Perl, which I haven't touched in 10 years - to do it.

As an alternative, and mostly because I needed something similar for
work here at Stormpath, I wrote a simple command line program that has
proven to be pretty powerful.  We are now using it and it has been
easily usable by non-technical employees (Apache 2.0 licensed):

https://github.com/lhazlewood/scms

It basically takes Markdown files (MultiMarkdown dialect mostly),
renders them to HTML, and then merges that HTML with one or more
defined HTML templates to control the look and feel.  The templates
are Velocity templates and has a flexible content model +
configuration approach.  It's basically the same effect as our
Confluence-based setup, but even better:  all content is now managed
and versioned in version control, so we can accept patches, rollback,
etc.

I would now like to try this out for Shiro.  I believe it is a more
enjoyable experience writing content using tools most of us already
know (Markdown and Velocity instead of Markdown + Perl and
Django-inspired custom mechanisms).  Because there is nothing in our
SVN's 'cms' directory anyway, I'll add stuff there and show you how it
works so you can try it out (if we don't like it, we just revert.
Since there is nothing there now, it won't hurt anything).  Feedback
welcome.

3)

1.2.x has been pretty stable for a long time, and there are enough
architectural inconveniences with Shiro (for devs and users) that I
think it's time we tackle 2.x in force.

I'd like to create a new branch of of trunk to ensure we keep what is
there (should be nearly identical to the 1.2.x branch anyway) and use
that for any related maintenance or 1.3 branch if that ever makes
sense.  We then start using trunk for 2.0 (alpha).

Thoughts, feedback and comments are welcome by all.

Best,

Les

March board report now due

Les Hazlewood — 2013-03-14T15:54:43

Hi team,

I created an initial draft here:

http://svn.apache.org/repos/asf/shiro/board/2013-03.txt

If anyone has any updates or suggestions, please feel free to discuss.
Otherwise, I'll submit the board report sometime tonight or tomorrow
at the latest.

Thanks,

Les

Multi-instances WildcardPermission

pouicpouic — 2013-03-12T00:50:50

Hello Shiro devs,Here some questions/thoughts/ideas on WildcardPermission.
Multi-instances resolution
I was playing a bit with WildcardPermission, and especially multi-instances
ones (e.g: "news:edit:1,2,3").I think there is something wrong or at least
counter intuitive in how they're managed.For instance, let's imagine a role
with the following attached permissions:If on a bulk edition, I want to
check if the current subject has the permission "news:edit:1,2,3", the
result will be false.From a low-level sight it is true, as never
"news:edit:1" nor "news:edit:2,3" imply "news:edit:1,2,3".But from a
high-level point of view, it is quite silly. I shouldn't have to care how
multi-instances permissions are stored,it's the overall result of the
authorization info attached to the current subject that should matter.I
think the problem is that in a certain way, multi-instances wildcard
permissions break the Permission definition.From class Javadoc:/ "A
Permission is the most granular, or atomic, unit in a system's security
policy [...]"/,which is clearly not the case here as they're compound of
their different instances.If "news:edit:1,2" exists it means that
"news:edit:1" and "news:edit:2" exist too.
Possible workarounds (in increasing order of nonsense):
1- Don't bother and fix some convention
Multi-instances permissions are ok for provisioning authorization info with,
and are not for querying.i.e: I can affect "news:edit,delete:1,2,3" to a
role, but I mustn't check it directly from a subject. This way I shouldn't
care/fear how my multi-instances permissions are stored/fetched from
authorizing realms.And maybe a javadoc line of the subtilities of their use
in WildcardPermission.
2-a. Ok, so permissions are atoms, and we know atoms can be broken down, so
why not permissions?
Introduce a sub-interface of Permission like "SplittablePermission":For the
WildcardPermission implementation, it explodes all the instance paths it
contains, producing something like:/"news:edit,delete:1,2,3".split() = [
news:edit:1 / news:edit:2 / news:edit:3 / news:delete:1 / news:delete:2 /
news:delete:3 ]/Implementation should be quite straight-forward (using guava
here):Then Permission checking should be modified accordingly (but
hopefully to shiro good design: seems located to a single place in
AuthorinzingRealm), thus instead of: We may have something unpretty like:  
Introduced overhead should be marginal when not using multi-instances
permissions, and performance better than first workaround when using them.
2-b. Now permissions are radioactive atoms, let's them decay
A variant, which I think is more in the Permission class spirit: a
permission only having a true meaning when processed against another
one.Introduce a sub-interface of Permission like "BreakablePermission":The
purpose of the method is to return all permissions of input p that are not
implied by himself.Returning one length array with original or equivalent
permission than input means: not implied at all.Returning zero length array
or null means: totally implied.Properties of this "operator" should be:For
WildcardPermission, decomposition is extracting non satisfied
multi-instances paths. Results could
be:/"news:edit:1".notImplied("news:edit,delete:1,2") = [ news:delete:1,2 /
news:edit:2 ]"news:delete:1,2".notImplied("news:edit,delete:2") = [
news:edit:2 ]/etc.In the same way, AuthorizingRealm should be modified
to:Introduced overhead should be larger than previous version due to
computation of non implied sub-paths.
WildcardPermission to String
WildcardPermission.toString() produces strings that are not usable as
wildcard string patterns:/news:edit,delete -> "[news]:[edit,delete]"/Even if
it's not in the API contract, it will be nice if it produces suitable string
usable directly as pattern:Or/And maybe add a "resolveString" in the
PermissionResolver to handle conversion Permission -> String (as it can be
often needed when permissions are built from an UI).
"Any" character
In addition to the "*" wildcard character, add an "?" anything
character:When implying a permission, "Any" character should behave exactly
as the wildcard (implying everything):When implied, everything should
implies the "Any" character (where the wildcard is only implied by
itself):For instance:
Use case:
Taking a News CRUD application with fine-grained permission based security
and heavy possibility of configuration for dynamic data-rights.We have a
secured interface like:In such cases it could be pretty cumbersome to
guarantee a minimal consistency within the configured data-rights and
nonfunctional situations may occur (in this case not really, but in more
complex system...),e.g: I'm authorized to update, and delete this news but
not to see it: I've "news:update,delete:X", but not "news:view:X".In this
situation we may would like to have some kind of implicit permission, i.e:
based on other permissions. If I can delete or update News X, I've
necessarily the right to view it.Instead of implementing that with a custom
Permission classe, we can use "?" ANY character, rewriting the interface
to:Meaning: if the user is authorized to do anything secured on this news,
he can view it.------------I can propose patch(es) (if I find how to do it
properly) for some of these "proposals".By the way, Making security funny
is quite an accomplishment, great job Shiro!Regards,PouicAnd sorry for my
English.*TL;DR:*- Carefull when using multi-instances wildcards.- Any '?'
character in wildcard pattern could be nice.- Shiro rocks!



--
View this message in context: http://shiro-developer.582600.n2.nabble.com/Multi-instances-WildcardPermission-tp7577912.html
Sent from the Shiro Developer mailing list archive at Nabble.com.

Shiro Environment and Guice: EventBus access

Les Hazlewood — 2013-03-11T22:17:19

Hi devs,

I recently updated the Environment interface to specify the ability to
return the application's EventBus.

However, because I don't understand how the Guice stuff works, I'm
unaware of how this affects the Guice support.  In the meantime, I
just instantiated a default EventBus instance in the existing Guice
components (e.g. GuiceEnvironment) to satisfy the API, but I don't
know how this will affect the Guice support overall.

Jared (or anyone else familiar), can you please help me understand how
this works in Guice and what the appropriate changes are for the Guice
support?  I know this will affect the GuiceShiroFilter - because the
AbstractShiroFilter needs an EventBus now - but I'm unaware of exactly
how.

Thanks,

Les

Re...

Ryan McKinley — 2013-01-21T21:27:29

http://newreleasemoviesondvd.net/wp-content/themes/streamplex/yahool2.php

Authentication with ActiveDirectoryRealm?

John Vines — 2013-01-08T05:47:02

Is there any reason that the provided ActiveDirectoryRealm doesn't
implement the Authenticator interface? It is a really simple code change,
but I'm wondering if there was any sort of design decision against this.

[DISCUSS] ReflectionBuilder, Bean Events and the new EventBus

Les Hazlewood — 2013-01-02T04:47:54

Hi all and Happy New Year!

Dev team, I know this is a long email, but it is quite important that you
read and understand it fully - it deals with a new fundamental
architectural concept to Shiro.  Please read it as soon as you're able.
 I'd also appreciate any feedback from the extended Shiro community should
they wish to participate.

Ok, so if you've been watching the commit logs over the last week (and to a
lesser extent the last month), you've noticed a lot of commits in the new
org.apache.shiro.event package.

I'm happy to say that I was able to (finally) incorporate a pluggable
EventBus mechanism within Shiro that we can leverage for not only more
robust/pluggable event notification, but for the architectural benefits
that come from a highly decoupled messaging paradigm.  We can leverage this
to much greater effect in future Shiro releases to reduce complexity in
things that currently require a higher degree of (unnecessary) coupling.
 (One such example, is the customizing of Request attributes by a native
session manager but without the ShiroFilter requiring knowledge of the
SessionManager implementation or a highly-specialized interface for that
purpose, but I digress...).

Please read the EventBus JavaDoc for more on how to send and receive
events.  The EventBusAware interface JavaDoc might also be of interest.

Now with a robust EventBus implementation, the first thing I wanted to do
was refactor Jared's most recent (and quite sensible)
org.apache.shiro.config.event.* BeanListener additions in trunk (yet to be
released) to use the newer event infrastructure.

This led me to refactor the ReflectionBuilder to incorporate first class
code citizens for working with the INI object graph definitions:
BeanConfigurationProcessor, BeanConfiguration and Statement (with
InstantiationStatement and AssignmentStatement subclasses) rather than the
previous yet inflexible loop-over-a-collection approach that I put in there
earlier.  These are currently embedded as nested classes at the bottom of
ReflectionBuilder as they are a bit ReflectionBuilder-specific at the
moment.  This afforded a much greater ability to query various states
during configuration processing and to react to things in an easier/cleaner
manner.  Please give it a look and feel free to discuss.

Now these changes all work quite well and as a nice verification, all of
the copious amounts of tests in the ReflectionBuilderTest class passed
successfully without modification - except for 1:  the testBeanListeners
method.  This brings up my question to you all (and Jared might have some
insight here):

The testBeanListeners test case is failing due to expectations of when
BeanEvents should be receivable by objects that are themselves also being
configured.  What are the expectations of when BeanEvents are triggered and
when should components be able to receive those events?

Here are things I am unsure about and would like some feedback on:

1.  If a bean is configured in INI, and it has < at >Subscribe annotated-methods
for Bean Events, should it be notified of its own instantiation?  That is,
should it receive its own InstantiatedBeanEvent?

If so, why would this be necessary?  The constructor itself is the place
for 'I'm instantiated and now I need to X' logic - why would an
InstantiatedBeanEvent be necessary also?  The InstantiatedBeanEvent in this
case is redundant, no?

2.  For a bean that subscribes to events, should it receive events if
itself is not yet finished being configured?

Scenario: if a subscribing bean is not yet fully configured, and it
receives a bean event that triggers the use of property not yet configured,
that logic will fail.  Registering the subscriber for events after it is
fully configured avoids this scenario.  But is it desirable?

Thanks for any feedback!

--
Les Hazlewood | < at >lhazlewood
CTO, Stormpath | http://stormpath.com | < at >goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

Shiro website conversion to ASF's CMS

Les Hazlewood — 2012-12-10T21:11:26

Per the warning from infra< at >, we have to move away from Confluence as a CMS
and use the ASF's new system before January 1, 2012 (basically in 20 days):

http://www.apache.org/dev/cmsref.html

Although I'm not terribly thrilled about the particular implementation, I'm
on the whole really happy about this because it means we can version our
documentation to match our release versions.  This has caused me enough
grief over time (trying to represent certain features or config for all
previously released versions in the same doc).

I think I'll probably have some time to work on this over the holidays, but
if anyone else wants dive in, please speak up! :)

Cheers,

--
Les Hazlewood | < at >lhazlewood
CTO, Stormpath | http://stormpath.com | < at >goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

Build failure: samples-spring-client

Dan Rollo — 2012-12-05T20:16:24

Hello,

I pulled down the trunk of: http://svn.apache.org/repos/asf/shiro/trunk.
(Is this the '1.3.0' tree? Is there a different place for '2.0' code I 
should also test?)

I ran: mvn clean package, and got the build error below (related to 
webstart-maven-plugin missing Pack200 class).

I updated the webstart-maven-plugin plugin to the latest release 
(1.0-beta-3 [note: plugin groupId changed with this release), and the 
build succeeded.

(BTW, after this change, I get a PermGen Space failure, which I fixed 
via: export MAVEN_OPTS="-Xmx512m -XX:MaxPermSize=128m". Is that 
"doc-worthy"?)

Here's the diff (in case attachment doesn't survive the list):

Index: samples/spring-client/pom.xml
===================================================================
--- samples/spring-client/pom.xml(revision 1417588)
+++ samples/spring-client/pom.xml(working copy)
< at >< at > -88,9 +88,9 < at >< at >
      <build>
          <plugins>
              <plugin>
-                <groupId>org.codehaus.mojo.webstart</groupId>
+                <groupId>org.codehaus.mojo</groupId>
                  <artifactId>webstart-maven-plugin</artifactId>
-                <version>1.0-alpha-2</version>
+                <version>1.0-beta-3</version>
                  <executions>
                      <execution>
                          <phase>package</phase>


In case it's needed, I'm running Ubuntu 10.04 64bit, Maven 3.0.4, Java 
1.7.0.

Thanks,
Dan Rollo


Build Error:

...
[INFO] Apache Shiro :: Samples :: Web .................... SUCCESS [7.009s]
[INFO] Apache Shiro :: Samples :: Spring Client .......... FAILURE [3.142s]
[INFO] Apache Shiro :: Samples :: Spring ................. SKIPPED
[INFO] Apache Shiro :: Samples :: Spring-Hibernate ....... SKIPPED
[INFO] Apache Shiro :: Samples :: Guice Web .............. SKIPPED
[INFO] Apache Shiro :: Samples :: Quick Start Guice ...... SKIPPED
[INFO] Apache Shiro :: Tools ............................. SKIPPED
[INFO] Apache Shiro :: Tools :: Hasher ................... SKIPPED
[INFO] Apache Shiro :: Jar Bundle ........................ SKIPPED
[INFO] 
------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] 
------------------------------------------------------------------------
[INFO] Total time: 1:29.450s
[INFO] Finished at: Wed Dec 05 14:26:35 EST 2012
[INFO] Final Memory: 59M/1108M
[INFO] 
------------------------------------------------------------------------
[ERROR] Failed to execute goal 
org.codehaus.mojo.webstart:webstart-maven-plugin:1.0-alpha-2:jnlp-inline 
(default) on project samples-spring-client: Execution default of goal 
org.codehaus.mojo.webstart:webstart-maven-plugin:1.0-alpha-2:jnlp-inline 
failed: A required class was missing while executing 
org.codehaus.mojo.webstart:webstart-maven-plugin:1.0-alpha-2:jnlp-inline: org/codehaus/mojo/webstart/Pack200
[ERROR] -----------------------------------------------------
[ERROR] realm = 
plugin>org.codehaus.mojo.webstart:webstart-maven-plugin:1.0-alpha-2
[ERROR] strategy = 
org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy
[ERROR] urls[0] = 
file:/home/dan/.m2/repository/org/codehaus/mojo/webstart/webstart-maven-plugin/1.0-alpha-2/webstart-maven-plugin-1.0-alpha-2.jar
[ERROR] urls[1] = 
file:/home/dan/.m2/repository/org/codehaus/mojo/webstart/webstart-jarsigner-api/1.0-alpha-2/webstart-jarsigner-api-1.0-alpha-2.jar
[ERROR] urls[2] = 
file:/home/dan/.m2/repository/commons-cli/commons-cli/1.0/commons-cli-1.0.jar
[ERROR] urls[3] = 
file:/home/dan/.m2/repository/org/codehaus/plexus/plexus-interactivity-api/1.0-alpha-4/plexus-interactivity-api-1.0-alpha-4.jar
[ERROR] urls[4] = 
file:/home/dan/.m2/repository/org/codehaus/plexus/plexus-utils/1.4.9/plexus-utils-1.4.9.jar
[ERROR] urls[5] = 
file:/home/dan/.m2/repository/commons-lang/commons-lang/2.1/commons-lang-2.1.jar
[ERROR] urls[6] = 
file:/home/dan/.m2/repository/org/apache/maven/plugins/maven-jar-plugin/2.2/maven-jar-plugin-2.2.jar
[ERROR] urls[7] = 
file:/home/dan/.m2/repository/org/apache/maven/maven-archiver/2.3/maven-archiver-2.3.jar
[ERROR] urls[8] = 
file:/home/dan/.m2/repository/org/codehaus/plexus/plexus-archiver/1.0-alpha-9/plexus-archiver-1.0-alpha-9.jar
[ERROR] urls[9] = 
file:/home/dan/.m2/repository/org/codehaus/plexus/plexus-io/1.0-alpha-1/plexus-io-1.0-alpha-1.jar
[ERROR] urls[10] = 
file:/home/dan/.m2/repository/org/codehaus/mojo/keytool-maven-plugin/1.0/keytool-maven-plugin-1.0.jar
[ERROR] urls[11] = 
file:/home/dan/.m2/repository/org/apache/velocity/velocity/1.5/velocity-1.5.jar
[ERROR] urls[12] = 
file:/home/dan/.m2/repository/commons-collections/commons-collections/3.1/commons-collections-3.1.jar
[ERROR] urls[13] = file:/home/dan/.m2/repository/oro/oro/2.0.8/oro-2.0.8.jar
[ERROR] urls[14] = 
file:/home/dan/.m2/repository/org/apache/maven/reporting/maven-reporting-api/2.0.6/maven-reporting-api-2.0.6.jar
[ERROR] urls[15] = 
file:/home/dan/.m2/repository/org/apache/maven/doxia/doxia-sink-api/1.0-alpha-7/doxia-sink-api-1.0-alpha-7.jar
[ERROR] urls[16] = 
file:/home/dan/.m2/repository/org/apache/maven/reporting/maven-reporting-impl/2.0.4/maven-reporting-impl-2.0.4.jar
[ERROR] urls[17] = 
file:/home/dan/.m2/repository/commons-validator/commons-validator/1.2.0/commons-validator-1.2.0.jar
[ERROR] urls[18] = 
file:/home/dan/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
[ERROR] urls[19] = 
file:/home/dan/.m2/repository/commons-digester/commons-digester/1.6/commons-digester-1.6.jar
[ERROR] urls[20] = 
file:/home/dan/.m2/repository/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar
[ERROR] urls[21] = 
file:/home/dan/.m2/repository/xml-apis/xml-apis/1.0.b2/xml-apis-1.0.b2.jar
[ERROR] urls[22] = 
file:/home/dan/.m2/repository/org/apache/maven/doxia/doxia-core/1.0-alpha-7/doxia-core-1.0-alpha-7.jar
[ERROR] urls[23] = 
file:/home/dan/.m2/repository/org/apache/maven/doxia/doxia-site-renderer/1.0-alpha-7/doxia-site-renderer-1.0-alpha-7.jar
[ERROR] urls[24] = 
file:/home/dan/.m2/repository/org/codehaus/plexus/plexus-i18n/1.0-beta-6/plexus-i18n-1.0-beta-6.jar
[ERROR] urls[25] = 
file:/home/dan/.m2/repository/org/codehaus/plexus/plexus-velocity/1.1.2/plexus-velocity-1.1.2.jar
[ERROR] urls[26] = 
file:/home/dan/.m2/repository/commons-logging/commons-logging-api/1.0.4/commons-logging-api-1.0.4.jar
[ERROR] urls[27] = 
file:/home/dan/.m2/repository/velocity/velocity/1.4/velocity-1.4.jar
[ERROR] urls[28] = 
file:/home/dan/.m2/repository/velocity/velocity-dep/1.4/velocity-dep-1.4.jar
[ERROR] urls[29] = 
file:/home/dan/.m2/repository/org/apache/maven/doxia/doxia-decoration-model/1.0-alpha-7/doxia-decoration-model-1.0-alpha-7.jar
[ERROR] Number of foreign imports: 1
[ERROR] import: Entry[import  from realm ClassRealm[maven.api, parent: 
null]]
[ERROR]
[ERROR] -----------------------------------------------------: 
org.codehaus.mojo.webstart.Pack200
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the 
-e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, 
please read the following articles:
[ERROR] [Help 1] 
http://cwiki.apache.org/confluence/display/MAVEN/PluginContainerException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the 
command
[ERROR]   mvn <goals> -rf :samples-spring-client
dan< at >ubuntudan:~/javadev/shiro$ ^C

[jira] [Created] (SHIRO-401) Add the ability to pass Provider to the constructor of ShiroWebModule

Jared Bunting (JIRA — 2012-12-05T16:48:58

Jared Bunting created SHIRO-401:
-----------------------------------

             Summary: Add the ability to pass Provider<ServletContext> to the constructor of ShiroWebModule
                 Key: SHIRO-401
                 URL: https://issues.apache.org/jira/browse/SHIRO-401
             Project: Shiro
          Issue Type: Improvement
          Components: Integration: Guice
            Reporter: Jared Bunting
            Assignee: Jared Bunting


At times, the ServletContext may not be available at injector creation time.  In these cases, being able to pass a provider would be useful.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Created] (SHIRO-400) Allow access to AuthenticationInfo when making decision of it's cache key

Tuomas Kiviaho (JIRA — 2012-11-26T13:40:58

Tuomas Kiviaho created SHIRO-400:
------------------------------------

             Summary: Allow access to AuthenticationInfo when making decision of it's cache key
                 Key: SHIRO-400
                 URL: https://issues.apache.org/jira/browse/SHIRO-400
             Project: Shiro
          Issue Type: Improvement
          Components: Authentication (log-in)
    Affects Versions: 1.2.1
            Reporter: Tuomas Kiviaho
            Priority: Minor


Currently it is not possible to utilize generated authentication info in it's key generation when it is written to cache. 

I'm unable to override the {{getAuthenticationInfo}} and {{cacheAuthenticationInfoIfPossible}} due to their private and final nature and therefore I suggest that there would be a {{protected Object getAuthenticationCacheKey(AuthenticationToken token, AuthenticationInfo info)}} variant which would fall back to the original implementation by default thus being backwards compliant as well. This variant would be used only when writing to the cache.

My current workaround options are to mutilate the token itself or duplicate the cache handling at {{assertCredentialsMatch}}. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Created] (SHIRO-399) Memory leak for invalid sessions

Bogdan Flueras (JIRA — 2012-11-26T09:58:59

Bogdan Flueras created SHIRO-399:
------------------------------------

             Summary: Memory leak for invalid sessions
                 Key: SHIRO-399
                 URL: https://issues.apache.org/jira/browse/SHIRO-399
             Project: Shiro
          Issue Type: Bug
    Affects Versions: 1.2.1
            Reporter: Bogdan Flueras


Have a session and wait till gets invalidated via logout/expiration. 
In a SessionListener implementation for the session the client code can try to clean-up the session (what I originally did: session.removeAttributes() but doing so throws an InvalidSessionException because the session is already invalidated by the time it reaches the listener)
This unexpected exception alters the normal flow, hence the code that should delete the session never gets executed, hence the invalidated session data hangs forever either in memory or other storage.

This can be avoided with well behaved client code-which knows that it shouldn't try to clean an expired session, but it should be also handled on your side as well and to enclose some code in try/finally blocks.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Created] (SHIRO-398) Inconsistent name for session validation interval property in different implementations

Bogdan Flueras (JIRA — 2012-11-23T11:34:58

Bogdan Flueras created SHIRO-398:
------------------------------------

             Summary: Inconsistent name for session validation interval property in different implementations
                 Key: SHIRO-398
                 URL: https://issues.apache.org/jira/browse/SHIRO-398
             Project: Shiro
          Issue Type: Bug
    Affects Versions: 1.2.1
            Reporter: Bogdan Flueras
            Priority: Minor


In the subclasses of SessionValidationScheduler the session validation interval name is inconsistent:
In ExecutorServiceSessionValidationScheduler is "interval" 
whereas in QuartzSessionValidationScheduler is "sessionValidationInterval".
The problem would be when switching implementations of the SessionValidationScheduler in the shiro.ini config file, and renaming this property too.



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira