Shiro / SHIRO-21

Add OpenId as an authentication mechanism

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      From the forums:

      Are there any plans to incorporate OpenId as an authentication mechanism in JSecurity?

      Mike

      Tue, 02/19/2008 - 2:58pm, lhazlewood

      Hi Mike,

      If you would please open an issue for us (http://issues.jsecurity.org), you can bet that we'll try to get it incorporated as soon as possible. Also, if you have any code that you might be able to kickstart us, please include it.

      Thanks!

      Les

      Attachments

      1. patch-shiro-web-01 (3 kB, Maria Jurcovicova)
      2. patch-shiro-openid4j-01.patch (40 kB, Maria Jurcovicova)
      3. patch-OpenId_01.txt (39 kB, Maria Jurcovicova)

        Activity

        Jérôme Leleu added a comment -

        Some time ago, the idea came up to have a dedicated repository for Shiro extensions which cannot be integrated directly into the main source code. This repository is: https://github.com/bujiio (members: Les, Jason and me).

        pac4j is a global ecosystem I built to deal with security protocols: http://www.pac4j.org

        And buji-pac4j is the library dedicated to Shiro to support CAS/OAuth/OpenID/HTTP protocols. The pac4j-openid library is in fact based on openid4java, but using buji-pac4j + pac4j-openid should be a lot easier than doing things by hand.

        I recommend that you read the documentation: https://github.com/bujiio/buji-pac4j and take a look at the demo: https://github.com/leleuj/buji-pac4j-demo.

        David Hoffer added a comment -

        What's the relationship between buji-pac4j and Shiro? Part of my motivation for using Shiro is a simpler, integrated, and straightforward approach compared to my current use of Spring Security. I use Google Guice for DI, Spring for security, openId4java for OpenId, etc. Since I understand Shiro supports Guice, it seems it might integrate better with my app. I'm a bit confused about buji-pac4j: is that just a Shiro extension? From the online info it seems it's based on pac4j, which also does what Shiro does.

        I'm wondering why Shiro does not have integrated support for OpenId as it seems that's the direction most apps take these days.

        Jérôme Leleu added a comment -

        In fact, there is a client OpenID support for Shiro through the official extension: https://github.com/bujiio/buji-pac4j.

        Currently, it works with Google (it used to work with myopenid.com, which has been shut down). Other OpenID providers could be implemented easily and I'm willing to help in this work...

        Gautam Wahi added a comment -

        As far as I know it doesn't.

        On Saturday, 22 March 2014 9:34 PM, David Hoffer (JIRA) <jira@apache.org> wrote:

        > David Hoffer commented on SHIRO-21:
        >
        > What's the status of this? Does Shiro support OpenID yet?

        David Hoffer added a comment -

        What's the status of this? Does Shiro support OpenID yet?

        Gautam Wahi added a comment -

        Hi Les, Maria,

        I am trying to get GAE + Shiro + Openid4Java up and running via the patch that Maria has attached and what already exists in the trunk.
        Unfortunately, I am stumped in the "forwardToOpenId" method in the "Open4jFilter" class. It's giving me an NPE at the line below:
        "RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(getRedirectToUrl());"
        I debugged and googled and realised that the Filters in Shiro don't have ServletContexts with them.

        Any ideas on how I could get this working?

        thanks,
        Gautam

        Roman S added a comment - - edited

        Maria, thank you for the patch! It worked great!

        But I do have a kind of semi-problem and I'm not sure what is causing it:

        If time on the server (my server) is a little bit ahead (>1 min), then Nonce verification fails, thus OpenId authentication itself fails and I get the following exception:

        java.lang.IllegalStateException
        at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:433)
        at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:775)
        at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:408)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:67)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:72)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:376)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)

        Do you have any hint for that, guys? I'd really want verification to fail gracefully.

        UPDATE: I found out that this was due to Open4jFilter.onLoginFailure returning false. I changed it to true since there is no point in resuming the chain after unsuccessful OpenId authentication.

        Thank you!

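
The nonce failure Roman describes above, worked through as an added example (not code from Shiro, openid4java or Maria's patch): a relying-party check of openid.response_nonce in the format the OpenID Authentication 2.0 spec defines (RFC 3339 UTC timestamp ending in 'Z', no fractional seconds, optional printable ASCII suffix, 255 characters max), with an explicit clock-skew tolerance, a per-provider replay cache, and a (ok, reason) result instead of an exception so the caller can fail gracefully. The window sizes, endpoint URLs and nonce strings are constructed for the demo, and the last case in the demo reproduces the symptom of a relying-party clock running ahead of the provider's.

```python
import re
from datetime import datetime, timedelta, timezone

# openid.response_nonce per OpenID 2.0 section 10.1: 'YYYY-MM-DDTHH:MM:SSZ'
# followed by optional printable ASCII (0x21-0x7E) to make it unique.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")
MAX_NONCE_LEN = 255


def parse_utc(text):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime (ValueError if invalid)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class NonceVerifier:
    """Relying-party nonce check: freshness window, skew tolerance, replay cache.

    max_age_s / max_skew_s are this example's own parameters (assumption), not
    values taken from openid4java or the patch discussed in the issue.
    """

    def __init__(self, max_age_s=300, max_skew_s=120):
        self.max_age = timedelta(seconds=max_age_s)
        self.max_skew = timedelta(seconds=max_skew_s)
        self._seen = {}  # (op_endpoint, nonce) -> issue time; uniqueness is per OP

    def verify(self, op_endpoint, nonce, now=None):
        """Return (ok, reason); never raises, so a bad nonce is a normal login failure."""
        now = now or datetime.now(timezone.utc)
        if len(nonce) > MAX_NONCE_LEN:
            return False, "nonce too long"
        match = NONCE_RE.match(nonce)
        if match is None:
            return False, "malformed nonce"
        try:
            issued = parse_utc(match.group(1))
        except ValueError:  # regex-shaped but not a real date, e.g. month 13
            return False, "malformed nonce"
        age = now - issued  # negative when the provider's clock is ahead of ours
        if age > self.max_age:
            return False, "nonce too old"
        if age < -self.max_skew:
            return False, "nonce from the future"
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False, "nonce replayed"
        self._evict(now)
        self._seen[key] = issued
        return True, "ok"

    def _evict(self, now):
        # Entries older than max_age are rejected as stale before the replay
        # check, so they can be dropped from the cache without weakening it.
        limit = now - self.max_age
        for key, issued in list(self._seen.items()):
            if issued < limit:
                del self._seen[key]


def demo():
    """Constructed cases; returns the reasons so the behaviour can be checked."""
    op = "https://op.example/endpoint"  # constructed provider endpoint
    v = NonceVerifier(max_age_s=300, max_skew_s=120)
    now = parse_utc("2014-03-22T12:00:00Z")
    results = [
        v.verify(op, "2014-03-22T11:59:30Zabc", now),   # fresh
        v.verify(op, "2014-03-22T11:59:30Zabc", now),   # same nonce again
        v.verify(op, "2014-03-22T11:50:00Zxyz", now),   # 10 minutes old
        v.verify(op, "2014-03-22T12:03:00Zq", now),     # provider 3 min ahead
        v.verify(op, "2014-03-22T12:01:00Zq", now),     # provider 1 min ahead
        v.verify(op, "2014-03-22 12:00:00Z", now),      # wrong format
    ]
    # Relying-party clock 6 minutes ahead of the provider: a nonce the
    # provider issued "now" already looks older than the 5-minute window.
    rp_clock_ahead = parse_utc("2014-03-22T12:06:00Z")
    results.append(v.verify(op, "2014-03-22T12:00:00Zfresh", rp_clock_ahead))
    return [reason for _, reason in results]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```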
        Les Hazlewood added a comment -

        Awesome - great stuff Maria. Thanks!

        Maria Jurcovicova added a comment -

        Hi,

        the patch adds Open4jFilter into the shiro-open4j sub-project. It is meant as a reaction to:

        > You can see the existing implementation in the 'support/openid4j' module (commit logs are attached to this issue). If anyone wants to help out, we're open!

        The filter collects either the user's personal OpenId url or an OpenId provider url and redirects the user to the provider's authentication page (for example the Google account page). It also listens for the OpenId authentication answer, verifies it and puts the verification result into the authentication token.

        RelyingPartyRealm, or any other realm, may then authenticate the user into some in-application account.

        Please ignore original patch, I forgot to include one method. Correct patch files are patch-shiro-openid4j-01.patch and patch-shiro-web-01.patch.

        Filter configuration in ini file:

        authenticatingFilter = org.apache.shiro.openid4j.authc.Open4jFilter
        # page that performs redirect to OpenId provider login page
        authenticatingFilter.redirectToUrl=/account/formredirection.jsp
        # url where the application listens for OpenId provider answers
        authenticatingFilter.openIdResponseUrl=/simpleshirosecuredapplication/openid
        # request parameter with login error information; if not present filter assumes 'shiroLoginFailure'
        authenticatingFilter.failureKeyAttribute=simpleShiroApplicationLoginFailure
        # specify login page
        authenticatingFilter.loginUrl = /account/login.jsp
        # redirect after successful login
        authenticatingFilter.successUrl = /account/personalaccountpage.jsp

        With Regards,
        Maria

        Maria Jurcovicova added a comment -

        This time for real.

        Les Hazlewood added a comment -

        Hi Maria,

        Thanks for the patch!

        I haven't looked at it yet, but how does it differ from what is in Subversion already?

        Here is what we currently have:

        https://svn.apache.org/repos/asf/shiro/trunk/support/openid4j/

        Thoughts?

        Cheers,

        Les

        Maria Jurcovicova added a comment -

        Hi,

        my first try is in patch-OpenId_01.txt. It does only authentication; attributes are not resolved. Any feedback will be appreciated.

        With Regards,
        Maria

        Maria Jurcovicova added a comment -

        Is anyone working on this? I would like to give it a try.

        Brian Bonner added a comment -

        Hi Les, thanks. I'll look around and see what I can find. Thanks.

        Les Hazlewood added a comment -

        Hi Brian,

        Yes, no work has been done on this lately, as my professional commitments have diverted me elsewhere. You can see the existing implementation in the 'support/openid4j' module (commit logs are attached to this issue). If anyone wants to help out, we're open!

        Les

        Brian Bonner added a comment -

        Hi Les,

        Checking in on OpenId. Still at 80%? Just trying to find out where this is at.

        Brian

        Les Hazlewood added a comment -

        Cool - thanks Kalle.

        I looked into both originally but decided against them primarily because of community size and adoption. Both jopenid and dyuproject only have a single committer. OpenId4Java on the other hand has 14 with a high level of activity (I think Google backs it - not sure). Granted, this doesn't mean that it is inherently 'better', just that my odds of finding additional helpful resources were probably higher. That and I used the Grails Nimble plugin to look at some ideas and it was based on OpenId4Java for what it's worth.

        If we decide that my cursory implementation with OpenId4Java isn't sufficient (for whatever reason), I'm totally happy with potentially supporting something else. There is only one maven dependency for OpenId4Java (for the consumer/relying party side), but I don't know how many .jars that will translate to.

        I'm about 80% done though, so maybe we will be able to have more than one depending on users' preferences.

        Kalle Korhonen added a comment -

        Les, noticed in the post you had sent to the user list that you are planning on using openid4java. Don't forget to evaluate JOpenID and Dyuproject, see http://code.google.com/p/jopenid/, http://code.google.com/p/dyuproject and https://cwiki.apache.org/PHOTARKxWIKI/integrating-openid-and-providing-user-management-to-photark.html. Compare the size and number of dependencies. I've had good success in the past myself using JOpenID.

        Tauren Mills added a comment -

        Also, Google has a project called Step2 that creates a hybrid protocol to get OpenID and OAuth working together:
        http://code.google.com/p/step2/

        A good intro to it can be found here, including screenshots of Plaxo's implementation:
        http://googledataapis.blogspot.com/2009/01/bringing-openid-and-oauth-together.html

        Since both OpenID and OAuth might potentially be added to Shiro, perhaps Step2 might help add both at the same time.

        Tauren Mills added a comment -

        I found this resource/tutorial for integrating OpenID via Wicket, and it could prove helpful when implementing OpenId support in Shiro.
        http://www.ibm.com/developerworks/java/library/j-openid/index.html


          People

          • Assignee: Les Hazlewood
          • Reporter: Alan Cabrera
          • Votes: 14
          • Watchers: 12
