1. Shiro
  2. SHIRO-23

Integrating Jsecurity with Guice


    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2.0
    • Component/s: None
    • Labels:



      • Licensed to the Apache Software Foundation (ASF) under one
      • or more contributor license agreements. See the NOTICE file
      • distributed with this work for additional information
      • regarding copyright ownership. The ASF licenses this file
      • to you under the Apache License, Version 2.0 (the
      • "License"); you may not use this file except in compliance
      • with the License. You may obtain a copy of the License at
      • Unless required by applicable law or agreed to in writing,
      • software distributed under the License is distributed on an
      • KIND, either express or implied. See the License for the
      • specific language governing permissions and limitations
      • under the License.
        package com.akube.framework.jsecurity.filter;

      import org.apache.commons.logging.Log;
      import org.apache.commons.logging.LogFactory;
      import org.jsecurity.JSecurityException;
      import org.jsecurity.SecurityUtils;
      import org.jsecurity.mgt.SecurityManager;
      import org.jsecurity.web.config.IniWebConfiguration;

      import java.lang.reflect.InvocationTargetException;
      import java.lang.reflect.Method;
      import java.util.Map;


      • <p>JSecurity configuration that relies on Guice to define and initialize the JSecurity SecurityManager
      • instance (and all of its dependencies) and makes it avaialble to this filter by performing a Guice injection.
      • The URL/filter behavior is still loaded according to the behavior of the parent class
      • {@link org.jsecurity.web.config.IniWebConfiguration}
      • <p/>
      • <p>
      • The web.xml will need an entry like the following
      • <filter>

      the injector factory class - > injector factory method is called to obtain a guice injector

      • </p>
      • @author Animesh Jain
      • @see IniWebConfiguration
      • @since 0.9
        public class GuiceWebConfiguration extends IniWebConfiguration {

      public static final String INJECTOR_FACTORY_CLASS = "InjectorFactoryClass";
      public static final String INJECTOR_FACTORY_METHOD = "InjectorFactoryMethod";

      private static final Log log = LogFactory.getLog(GuiceWebConfiguration.class);

      protected Injector injector;

      public Injector getInjector()

      { return injector; }

      public void setInjector(Injector injector)

      { this.injector = injector; }

      public GuiceWebConfiguration() {

      public void init() throws JSecurityException {
      String className = getFilterConfig().getInitParameter(INJECTOR_FACTORY_CLASS);
      String methodName = getFilterConfig().getInitParameter(INJECTOR_FACTORY_METHOD);
      System.out.println("*************** GuiceWebConfiguration init() ***************");
      System.out.println("injector class = "+className);
      System.out.println("injector method = "+methodName);
      Get injector from a class which holds an instance for this application. I had a static method in a class that returns the injector.
      I've put the class name and method name in filter init params.

      { Class clazz = Class.forName(className); Method method = clazz.getMethod(methodName); Injector injector = (Injector) method.invoke(null); System.out.println("Injector instantiated = "+injector); setInjector(injector); }

      catch (ClassNotFoundException e)

      { log.error("Injector factory class not found - "+className, e); throw new JSecurityException("Injector factory class not found - "+className, e); }

      catch (NoSuchMethodException e)

      { log.error("Injector factory method not found - "+methodName+" in class "+className, e); throw new JSecurityException("Injector factory method not found - "+methodName+" in class "+className, e); }

      catch (InvocationTargetException e)

      { log.error("InvocationTargetException when trying to invoke - "+methodName+" in class "+className, e); throw new JSecurityException("InvocationTargetException when trying to invoke - "+methodName+" in class "+className, e); }

      catch (IllegalAccessException e)

      { log.error("IllegalAccessException when trying to invoke - "+methodName+" in class "+className, e); throw new JSecurityException("IllegalAccessException when trying to invoke - "+methodName+" in class "+className, e); }


      protected SecurityManager createDefaultSecurityManager()

      { return createSecurityManager(null); }

      protected SecurityManager createSecurityManager(Map<String, Map<String, String>> sections)

      { return getOrCreateSecurityManager(injector, sections); }

      protected SecurityManager getOrCreateSecurityManager(Injector injector, Map<String, Map<String, String>> sections) {
      System.out.println("Trying to create Security Manager");
      SecurityManager securityManager = null;
      if (injector != null)

      { /* The security manager is obtained using the Guice injector. Typically one will have to use a custom provider and bind it to the DefaultWebSecurityManager class This is the way Guice handles external configuration */ securityManager = injector.getInstance(DefaultWebSecurityManagerProvider.class).get(); SecurityUtils.setSecurityManager(securityManager); }


      { throw new JSecurityException("Injector is null. Cannot instantiate security manager"); }

      return securityManager;



      The filter class can be -


      • <p>Extension of JSecurityFilter that uses {@link GuiceWebConfiguration}

        to configure the JSecurity instance.</p>

      • @author Animesh Jain
        public class GuiceJSecurityFilter extends JSecurityFilter {

      public GuiceJSecurityFilter()

      { this.configClassName = GuiceWebConfiguration.class.getName(); }



      The Guice module can be

      public class JSecurityModule extends AbstractModule {

      protected void configure()

      { // the DefaultWebSecurityManagerProvider class provides a custom configured SecurityManager if needed bind(DefaultWebSecurityManagerProvider.class).asEagerSingleton(); bindInterceptor(any(), annotatedWith(RequiresRoles.class), new AopAllianceAnnotationsAuthorizingMethodInterceptor()); }



      In my own project I've somewhat tried to abstract out a few classes to make things easily configurable with Guice + Jsecurity + Hibernate + Stripes.. so I can share that project scaffold if needed.

      1. ShiroGuiceSupport.patch
        41 kB
        Jared Bunting
        0.8 kB
        Brian Yarger
        0.8 kB
        Brian Yarger
      4. guice-final.patch
        118 kB
        Jared Bunting
        1 kB
        Brian Yarger


        No work has yet been logged on this issue.


          • Assignee:
            Kalle Korhonen
            Animesh Jain
          • Votes:
            0 Vote for this issue
            0 Start watching this issue


            • Created: