Fixed shiro.ini configuration files

Signed-off-by: Alberto Codutti <alberto.codutti@eurotech.com>

assembly/broker/configurations/shiro.ini

@@ -3,70 +3,25 @@
 # =======================
 
 [main]
-# Objects and their properties are defined here,
-# Such as the securityManager, Realms and anything
-# else needed to build the SecurityManager
 
-#authenticator
+# Authenticator
 authenticator = org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator
 securityManager.authenticator = $authenticator
 
-#
-# Auth filters
-# kapuaAuthcAccessToken = org.eclipse.kapua.app.api.auth.KapuaTokenAuthenticationFilter
-
-#cacheManager = org.eclipse.kapua.broker.core.experimental.CacheManager
-#securityManager.cacheManager = $cacheManager
-
-##########
-# Realms #
-##########
-# Login
+# Realms
 kapuaUserPassAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.UserPassAuthenticatingRealm
 
-# Session
-kapuaAccessTokenAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.AccessTokenAuthenticatingRealm
-
-########################
-#Authorization section #
-########################
 # Authorization
 kapuaAuthorizingRealm = org.eclipse.kapua.service.authorization.shiro.KapuaAuthorizingRealm
-#removed from realms the authorizing realm (kapuaAuthorizingRealm) since it will be defined into the new Authorizer component
 securityManager.realms = $kapuaUserPassAuthenticatingRealm
 
+# Authorizer
 authorizer = org.eclipse.kapua.broker.core.security.EnhModularRealmAuthorizer
-#realms must be set again otherwise the authorizer will not have any.
-#The security manager (AuthorizingSecurityManager) is built in this way:
-#    AuthorizingSecurityManager()         //constructor
-#    setRealms(realms)                    //set realms (if any)
-#    afterRealmsSet()                     //set realms to authenticator (if any)
-#    setAuthorizer(Authorizer authorizer) //if any configured
-#    setAuthenticator()                   //if any custom authenticator is set
-#In this way the new authenticator must have the realms already configured once is set to the security manager.
-#Otherwise the security manager doesn't set it's own security manager to the authenticator
 authorizer.realms = $kapuaAuthorizingRealm
 securityManager.authorizer = $authorizer
 
-# SessionListeners only works with in the native SessionMode
-# This is not the mode we use when running in Tomcat.
-#securityManager.sessionMode = native
+# Session
 securityManager.sessionManager.globalSessionTimeout = -1
 securityManager.sessionManager.sessionValidationSchedulerEnabled = false
 
-securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
-
-[users]
-# The 'users' section is for simple deployments
-# when you only need a small number of statically-defined
-# set of User accounts.
-
-[roles]
-# The 'roles' section is for simple deployments
-# when you only need a small number of statically-defined
-# roles.
-
-[urls]
-# The 'urls' section is used for url-based security
-# in web applications.  We'll discuss this section in the
-# Web documentation
+securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false

console/web/src/main/resources/shiro.ini

@@ -3,31 +3,17 @@
 # =======================
 
 [main]
-# Objects and their properties are defined here,
-# Such as the securityManager, Realms and anything
-# else needed to build the SecurityManager
 
-#authenticator
+# Authenticator
 authenticator = org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator
 securityManager.authenticator = $authenticator
 
-#realms
+# Realms
 kapuaAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.UserPassAuthenticatingRealm
 kapuaAuthorizingRealm = org.eclipse.kapua.service.authorization.shiro.KapuaAuthorizingRealm
 jwtAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.JwtAuthenticatingRealm
-securityManager.realms = $kapuaAuthorizingRealm, $kapuaAuthenticatingRealm, $jwtAuthenticatingRealm
-
-[users]
-# The 'users' section is for simple deployments
-# when you only need a small number of statically-defined
-# set of User accounts.
 
-[roles]
-# The 'roles' section is for simple deployments
-# when you only need a small number of statically-defined
-# roles.
+securityManager.realms = $kapuaAuthorizingRealm, $kapuaAuthenticatingRealm, $jwtAuthenticatingRealm
 
-[urls]
-# The 'urls' section is used for url-based security
-# in web applications.  We'll discuss this section in the
-# Web documentation
+# Request Filtering
+filterChainResolver = org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver

qa/integration/src/test/resources/shiro.ini

@@ -3,70 +3,31 @@
 # =======================
 
 [main]
-# Objects and their properties are defined here,
-# Such as the securityManager, Realms and anything
-# else needed to build the SecurityManager
 
-#authenticator
+# Authenticator
 authenticator = org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator
 securityManager.authenticator = $authenticator
 
-#
-# Auth filters
-# kapuaAuthcAccessToken = org.eclipse.kapua.app.api.auth.KapuaTokenAuthenticationFilter
-
-#cacheManager = org.eclipse.kapua.broker.core.experimental.CacheManager
-#securityManager.cacheManager = $cacheManager
-
 ##########
 # Realms #
 ##########
+
 # Login
 kapuaUserPassAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.UserPassAuthenticatingRealm
 
 # Session
 kapuaAccessTokenAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.AccessTokenAuthenticatingRealm
 
-########################
-#Authorization section #
-########################
 # Authorization
 kapuaAuthorizingRealm = org.eclipse.kapua.service.authorization.shiro.KapuaAuthorizingRealm
-#removed from realms the authorizing realm (kapuaAuthorizingRealm) since it will be defined into the new Authorizer component
+
 securityManager.realms = $kapuaAccessTokenAuthenticatingRealm, $kapuaUserPassAuthenticatingRealm
 
+# Authorizer
 authorizer = org.eclipse.kapua.broker.core.security.EnhModularRealmAuthorizer
-#realms must be set again otherwise the authorizer will not have any.
-#The security manager (AuthorizingSecurityManager) is built in this way:
-#    AuthorizingSecurityManager()         //constructor
-#    setRealms(realms)                    //set realms (if any)
-#    afterRealmsSet()                     //set realms to authenticator (if any)
-#    setAuthorizer(Authorizer authorizer) //if any configured
-#    setAuthenticator()                   //if any custom authenticator is set
-#In this way the new authenticator must have the realms already configured once is set to the security manager.
-#Otherwise the security manager doesn't set it's own security manager to the authenticator
 authorizer.realms = $kapuaAuthorizingRealm
 securityManager.authorizer = $authorizer
 
-# SessionListeners only works with in the native SessionMode
-# This is not the mode we use when running in Tomcat.
-#securityManager.sessionMode = native
+# Session
 securityManager.sessionManager.globalSessionTimeout = -1
-securityManager.sessionManager.sessionValidationSchedulerEnabled = false
-
-securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
-
-[users]
-# The 'users' section is for simple deployments
-# when you only need a small number of statically-defined
-# set of User accounts.
-
-[roles]
-# The 'roles' section is for simple deployments
-# when you only need a small number of statically-defined
-# roles.
-
-[urls]
-# The 'urls' section is used for url-based security
-# in web applications.  We'll discuss this section in the
-# Web documentation
+securityManager.sessionManager.sessionValidationSchedulerEnabled = false

rest-api/web/src/main/resources/shiro.ini

@@ -3,21 +3,15 @@
 # =======================
 
 [main]
-# Objects and their properties are defined here,
-# Such as the securityManager, Realms and anything
-# else needed to build the SecurityManager
 
-#authenticator
+# Authenticator
 authenticator = org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator
 securityManager.authenticator = $authenticator
 
-#
-# Auth filters
-kapuaAuthcAccessToken = org.eclipse.kapua.app.api.core.auth.KapuaTokenAuthenticationFilter
-
 ##########
 # Realms #
 ##########
+
 # Login
 kapuaUserPassAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.UserPassAuthenticatingRealm
 kapuaApiKeyAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.ApiKeyAuthenticatingRealm
@@ -35,22 +29,13 @@ securityManager.realms = $kapuaAuthorizingRealm, $kapuaAccessTokenAuthenticating
 securityManager.rememberMeManager.cookie.name = kapua-rememberme
 securityManager.rememberMeManager.cookie.maxAge = 0
 
-[users]
-# The 'users' section is for simple deployments
-# when you only need a small number of statically-defined
-# set of User accounts.
-
-[roles]
-# The 'roles' section is for simple deployments
-# when you only need a small number of statically-defined
-# roles.
+#
+# Auth filters
+kapuaAuthcAccessToken = org.eclipse.kapua.app.api.core.auth.KapuaTokenAuthenticationFilter
 
 [urls]
-# The 'urls' section is used for url-based security
-# in web applications.  We'll discuss this section in the
-# Web documentation
 
-# Authentication
+# Filter Mappings
 /v1/authentication/info         = kapuaAuthcAccessToken
 
 /v1/authentication/logout       = kapuaAuthcAccessToken

service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/KapuaAuthenticator.java

@@ -12,10 +12,6 @@
  *******************************************************************************/
 package org.eclipse.kapua.service.authentication.shiro;
 
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
 import org.apache.shiro.ShiroException;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
@@ -26,13 +22,18 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
 /**
- * Kapua Shiro Authenticator.<br>
+ * Kapua Shiro Authenticator.
+ * <p>
  * This authenticator provide more significantly exception message in a multi-realm configuration.<br>
- * The code is derived from the original {@link ModularRealmAuthenticator} because the <b>default Shiro implementation doesn't support detailed messages in a multirealm configuration.</b>
- *
- * since 1.0
+ * The code is derived from the original {@link ModularRealmAuthenticator} because the
+ * <b>default Shiro implementation doesn't support detailed messages in a multirealm configuration.</b>
  *
+ * @since 1.0.0
  */
 public class KapuaAuthenticator extends ModularRealmAuthenticator {
 
@@ -45,6 +46,7 @@ protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms
         if (logger.isTraceEnabled()) {
             logger.trace("Iterating through {} realms for PAM authentication", realms.size());
         }
+
         List<Throwable> exceptionList = new ArrayList<>();
         boolean loginSucceeded = false;
         boolean supportedRealmFound = false;
@@ -61,9 +63,7 @@ protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms
                 } catch (Exception exception) {
                     t = exception;
                     if (logger.isDebugEnabled()) {
-                        String msg = "Realm [" + realm
-                                + "] threw an exception during a multi-realm authentication attempt:";
-                        logger.debug(msg, t);
+                        logger.debug("Realm [{}] threw an exception during a multi-realm authentication attempt:", realm, t);
                     }
                 }
                 aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);
@@ -80,6 +80,7 @@ protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms
                 // TODO move the error message to the message bundle
                 throw new ShiroException("Internal Error!");
             }
+
             if (exceptionList.get(0) instanceof AuthenticationException) {
                 throw (AuthenticationException) exceptionList.get(0);
             } else {