
Logging user actions and Shiro - 'No SecurityManager accessible'


John Moore
I need to do some pretty extensive logging of user actions in an application I'm working on. In the case of some classes, I need to record which properties have changed, their old and new values, and who changed them. I'm using Shiro, which means that I should theoretically always be able to determine the current user (with SecurityUtils.subject?.principal). Shawn Hartsock's Audit Logging plugin looks very promising, and successfully logs all changes as AuditLogEvent objects, including the current user. Ideally, though, I'd like to be able to use his 'onChange' handler in my own domain class, but there seems to be a bit of a clash with Shiro here, or at least the Shiro plugin, because when I try and call 'SecurityUtils.subject?.principal' within the onChange handler, I get an error like this:

"No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
Message: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
   Line | Method
->> 123 | getSecurityManager               in org.apache.shiro.SecurityUtils
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|   627 | <init>                           in org.apache.shiro.subject.Subject$Builder
|    56 | getSubject . . . . . . . . . . . in org.apache.shiro.SecurityUtils"

Is there some way I could make the SecurityManager available, or otherwise grab the username within this handler? Failing that, is there some other technique people are using to do this, i.e., grab before and after information and associated user?
Re: Logging user actions and Shiro - 'No SecurityManager accessible'

Shawn Hartsock
Do you have a sample project I can play with somewhere?

On Mon, Jul 2, 2012 at 3:44 PM, John Moore <[hidden email]> wrote:

> I need to do some pretty extensive logging of user actions in an application
> I'm working on. In the case of some classes, I need to record which
> properties have changed, their old and new values, and who changed them. I'm
> using Shiro, which means that I should theoretically always be able to
> determine the current user (with SecurityUtils.subject?.principal). Shawn
> Hartsock's Audit Logging plugin looks very promising, and successfully logs
> all changes as AuditLogEvent objects, including the current user. Ideally,
> though, I'd like to be able to use his 'onChange' handler in my own domain
> class, but there seems to be a bit of a clash with Shiro here, or at least
> the Shiro plugin, because when I try and call
> 'SecurityUtils.subject?.principal' within the onChange handler, I get an
> error like this:
>
> "No SecurityManager accessible to the calling code, either bound to the
> org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an
> invalid application configuration.
> Message: No SecurityManager accessible to the calling code, either bound to
> the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This
> is an invalid application configuration.
>    Line | Method
> ->> 123 | getSecurityManager               in org.apache.shiro.SecurityUtils
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> |   627 | <init>                           in
> org.apache.shiro.subject.Subject$Builder
> |    56 | getSubject . . . . . . . . . . . in
> org.apache.shiro.SecurityUtils"
>
> Is there some way I could make the SecurityManager available, or otherwise
> grab the username within this handler? Failing that, is there some other
> technique people are using to do this, i.e., grab before and after
> information and associated user?



--
/** Shawn.Hartsock http://hartsock.blogspot.com */


Re: Logging user actions and Shiro - 'No SecurityManager accessible'

John Moore
Shawn Hartsock wrote:
> Do you have a sample project I can play with somewhere?

I'll try and concoct one demonstrating the issue.
Re: Logging user actions and Shiro - 'No SecurityManager accessible'

John Moore
Hmm. I created a small demo Grails app to demonstrate the problem...and it doesn't. It works fine. There is evidently no inherent problem with calling the Shiro stuff from within an onChange or onSave handler, it's just that there is some quirk in the specific context I am using it in which is causing the issue. I'm a bit baffled at the moment because my demo system looks like it's doing exactly the same thing as my real system, it's just not failing and I can't for the life of me see what the difference is at the moment. The real system is a conversion from Grails 1.3.7 to 2.0.4 (the demo was created in 2.0.4) and I'm wondering whether that is significant, although I can't see why it would be.
Re: Logging user actions and Shiro - 'No SecurityManager accessible'

John Moore
I've established for now that it's nothing to do with the Audit Logging plugin - sorry if my original post implied that it was. Something to do with inaccessibility from within a service, still trying to work out why.
Re: Logging user actions and Shiro - 'No SecurityManager accessible'

John Moore
Source of the problem was problems with the Shiro SecurityManager and BootStrap.groovy. I've started a new thread: http://grails.1312388.n4.nabble.com/Shiro-SecurityManager-and-BootStrap-groovy-td4630989.html
Re: Logging user actions and Shiro - 'No SecurityManager accessible'

Shawn Hartsock
I noticed you are using Shiro from inside the event handler closure.
If you change to using the actorClosure (what AuditLogging calls the
principal) what happens?

Grabbing the username is done by the actorClosure component of the
Audit Logging Plugin.

http://grails.org/plugin/audit-logging

You should be able to put something like this in your Config.groovy
and the Audit Logging system will just magically know your user name.

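import org.apache.shiro.SecurityUtils

auditLog {
  // Called by the Audit Logging plugin to name the actor for each event
  actorClosure = { request, session ->
    SecurityUtils.subject?.principal ?: "system"
  }
}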

That's presuming the closure "actorClosure" ends up called from a
place that can get at the correct thread local storage for you. This
closure gets configured at a different place (in Config.groovy) so it
might behave differently.


On Tue, Jul 3, 2012 at 8:23 AM, John Moore <[hidden email]> wrote:

> Source of the problem was problems with the Shiro SecurityManager and
> BootStrap.groovy. I've started a new thread:
> http://grails.1312388.n4.nabble.com/Shiro-SecurityManager-and-BootStrap-groovy-td4630989.html



--
/** Shawn.Hartsock http://hartsock.blogspot.com */


Re: Logging user actions and Shiro - 'No SecurityManager accessible'

Shawn Hartsock
In reply to this post by John Moore
BTW: just trying to help. The AuditLogging plugin is actually quite
complex at this point and I've been trying to figure out how to make
it simpler. So far I've not had time to do the big effort I wanted to.
At this point I'm just trying to devise testing strategies that will
make it unlikely that the plugin causes problems with other plugins.

On Tue, Jul 3, 2012 at 5:55 AM, John Moore <[hidden email]> wrote:

> I've established for now that it's nothing to do with the Audit Logging
> plugin - sorry if my original post implied that it was. Something to do with
> inaccessibility from within a service, still trying to work out why.



--
/** Shawn.Hartsock http://hartsock.blogspot.com */


Re: Logging user actions and Shiro - 'No SecurityManager accessible'

John Moore
Shawn, the plugin turned out to be entirely blameless in the end. The issue was to do with a problem with trying to access a Shiro SecurityManager from within BootStrap.groovy. Because the error was occurring in onChange when I tried to save records I assumed it was to do with some conflict between Shiro and your plugin, but it was actually caused by the place I was trying to save the records, within BootStrap.groovy.

In the end I simply used a try/catch around the Shiro call in onChange so that when this closure was called within e.g., BootStrap.groovy, it wouldn't return an error. Thus:

def user
try {
    user = SecurityUtils.subject?.principal
} catch (Exception e) {
    // in case security manager is not available, as e.g., in BootStrap.groovy
    user = "system"
}
lastModifiedBy = user

This works fine because the only information I'm really interested in capturing is what logged in users do, and there will always be a SecurityManager at that point.
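
An added example (not code from this thread, the Audit Logging plugin or Shiro) of a narrower form of the fallback above: only Shiro's UnavailableSecurityManagerException is mapped to "system", so other failures cannot silently relabel a logged-in user's change, and startup code can instead run under an explicitly bound subject. The AuditActor class, its method names, the "anonymous" label and the "bootstrap" realm name are hypothetical; the securityManager argument is assumed to be the application's Shiro SecurityManager bean.

```groovy
import java.util.concurrent.Callable

import org.apache.shiro.SecurityUtils
import org.apache.shiro.UnavailableSecurityManagerException
import org.apache.shiro.subject.SimplePrincipalCollection
import org.apache.shiro.subject.Subject

// Hypothetical helper, not part of Shiro or the Audit Logging plugin.
class AuditActor {
    static final String SYSTEM = 'system'        // no Shiro context at all (BootStrap, jobs)
    static final String ANONYMOUS = 'anonymous'  // Shiro is reachable but nobody is logged in

    // Resolve the name to store in lastModifiedBy or the audit event.
    static String current() {
        try {
            def principal = SecurityUtils.subject?.principal
            return principal != null ? principal.toString() : ANONYMOUS
        } catch (UnavailableSecurityManagerException e) {
            // Only the "No SecurityManager accessible" case becomes 'system'.
            // Any other exception propagates, so a broken realm or session
            // store fails the save instead of writing a misattributed record.
            return SYSTEM
        }
    }

    // Run startup code with an explicit subject bound to the current thread,
    // so SecurityUtils.subject resolves inside onChange/onSave handlers
    // that fire while BootStrap.groovy is saving records.
    static <T> T asSystem(org.apache.shiro.mgt.SecurityManager securityManager,
                          Closure<T> work) {
        // 'bootstrap' is a placeholder realm name for the synthetic principal
        def principals = new SimplePrincipalCollection(SYSTEM, 'bootstrap')
        Subject subject = new Subject.Builder(securityManager)
                .principals(principals)
                .buildSubject()
        // Subject.execute binds the subject (and its SecurityManager) to the
        // thread for the call and restores the previous thread state after it.
        return subject.execute({ work.call() } as Callable<T>)
    }
}
```

With this in place, onChange can set lastModifiedBy = AuditActor.current(), and BootStrap code can wrap its saves in AuditActor.asSystem(securityManager) { ... }.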