Shiro Authenticating Realm应该是交易吗？

Question

I'm using Shiro to secure my Spring MVC webapp. I'm using Hibernate for persistence and so I have a HibernateRealm to get and populate an AuthenticationInfo object.

@Override
@Transactional
protected AuthenticationInfo doGetAuthenticationInfo(
        AuthenticationToken token) throws AuthenticationException {
    Account account = accountDao.findByUsername((String)token.getPrincipal());

    SimplePrincipalCollection principals = new SimplePrincipalCollection(account, getName());

    SimpleAccount info = new SimpleAccount(principals, account.getPassword());

    return info;
}

Account is my custom user class. I use the DAO to retrieve an Account by username. I was wondering if there is any point in making this method @Transactional . This is a read only operation after all.

I'm also having the following problem: the DAO does sessionFactory.getCurrentSession() to get a session, but I'm getting a

HibernateException: No Session found for current thread 

when the method gets called. I have these in my application context:

<tx:annotation-driven transaction-manager = "transactionManager" />
<bean id="transactionManager"
    class="org.springframework.orm.hibernate4.HibernateTransactionManager">
    <property name="sessionFactory" ref="sessionFactory" />
</bean>

I can't understand why Spring isn't opening a session for me.

Edit: To login, we do this in a Spring @Controller method using Shiro's Subject

@RequestMapping(value = "/account/login", method = RequestMethod.POST)
public String login(@RequestParam("username") String username, @RequestParam("password") String password) {
    Subject currentUser = SecurityUtils.getSubject(); 
    if (!currentUser.isAuthenticated) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        currentUser.login(token);
        return "profile";
    } 
    return "home";
}

Internally, Shiro uses the realm method I have above to get the stored username/password information. It uses an @Autowired DAO to check my database for the right account. It then matches the passwords with a CredentialsMatcher implementation.

Answer 1

So you have two problems. It is usually better to split such questions into two, since these problems are not really connected to each other.

1. No Session found for current thread It seems that @Transactional annotations does not work. To be sure you may run you code or tests in Debug mode and look for the JdkDynamicAopProxy or something similar in the stack - if it is present, than your Realm is invoked through transactions-intercepting proxy, but I suppose that there is no proxy curently. For it to work you need to take from the SpringContext not the HibernateRealm directly but the interface that this realm is implementing. This is due to the fact that built-in standard java library proxies can deal only with interfaces.
2. As for making the read-only service methods transactional. There are several valid reasons to do so:
   • Since you are using Hibernate it is really possible that you actually use more than one query to get your Account object. And if this account is modified concurrently it may lead to inconsistent state:
     • first query for Account retrieval
     • Account is modified or deleted
     • second query for Account retrieval - this query will see the results of modification that together with the results of the first query may lead to inconsistent behavior, but if first and second query were in the same transaction with the proper level of transaction isolation second query would not see the modifications.
   • Uniform access to the database - it is really helpful when all your database connectivity layer access the DB in one and the same way - I greatly simplifies maintaining and extending of the application.
   • Using some transactional hints like @Transactional(readOnly=true) may improve your performance with proper configuration (eg for the really high-loaded application readOnly queries may use secondary replica of the DB Server). It is really easier to setup the java.sql.Connection.setReadOnly() method as part of the Spring transactions, than in the other way.

Answer 2

It appears that Spring isn't creating a transactional proxy for your Realm bean. This is the only reason that I can see why a Hibernate Session isn't available - because the backing infrastructure isn't there (on the thread) ready for use.

As to your question, if you do want to mark it @Transactional , you might consider specifying @Transactional(readOnly=true)

Answer 3

Shiro creates it's own instance of my Realm and therefore Spring has no power over it to wrap it in a proxy. That's why it can't add the transactional behavior.