I am trying to do relatively simple thing: log in user manually. I am using FacebookGraph plugin to connect to facebook. If user logs in via Facebook, i get his ID and I want to authenticate him in ShiroSecurity. Of course such trivial thing like
session.user = user
does not work. I have found the code in the wiki, which should do the trick:
Object userIdentity = user.email
String realmName = "username";
PrincipalCollection principals = new SimplePrincipalCollection(userIdentity, realmName);
Subject subject = new Subject.Builder().principals(principals).buildSubject();
However it does not work. I still get redirected to auth/login with log.debug message that ShiroSubject is null. Maybe it be because I invoke this code in a service. Any ideas how to make this work?
UPDATE:
def authenticate(authToken) {
log.info "Attempting to authenticate ${authToken.username} in DB realm..."+authToken.encodeAsJSON()
def username = authToken.username
// Null username is invalid
if (username == null) {
throw new AccountException("Null usernames are not allowed by this realm.")
}
// Get the user with the given username. If the user is not
// found, then they don't have an account and we throw an
// exception.
log.debug "reached this point2"
def user = ShiroUser.findByUsername(username)
log.debug "reached this point"
if (!user) {
throw new UnknownAccountException("No account found for user [${username}]")
}
log.info "Found user '${user.username}' in DB"
// Now check the user's password against the hashed value stored
// in the database.
def account = new SimpleAccount(username, user.passwordHash, "ShiroDbRealm")
if (!credentialMatcher.doCredentialsMatch(authToken, account)) {
log.info "Invalid password (DB realm)"
throw new IncorrectCredentialsException("Invalid password for user '${username}'")
}
return account
}
Take a look at the
AuthController.groovy
-> thesignIn
action.This is exactly the code you need to login. The Main Step is
Hope that helps...
ok. This is only the starting point... take a look at your Realm-Code on
/Realms
. There you'll find anauthenticate(authToken)
closure. It seems that this gets called throughSecurityUtils.subject.login()
and handles the credentials check...This should solve your problem with the hashed password....
According to the Javadoc, Subject.Builder() does not automatically bind the subject to the current application thread. Try adding this after building your Subject instance: