
Hessian WebService and Apache Shiro

I want to make a small example with Hessian WebService and Apache Shiro. I have already written about Hessian in my previous post. Now I want to write a little about Shiro and build a small example that uses both. The source code of the example can be downloaded here.

Apache Shiro is an open source Java security framework that performs authentication, authorization, session management and more. Shiro has been designed to be an intuitive and easy-to-use framework while still providing robust security features. It also works unconditionally in non-web environments and does not need an EJB container.

For more information about Shiro, see the Shiro homepage or the Shiro 10 Minute Tutorial.

For the web service I have created a Dynamic Web Project in Eclipse. The project currently has only two Hessian services. Below are these services and the settings in web.xml:

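import org.apache.log4j.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import com.caucho.hessian.server.HessianServlet;

public class UserService extends HessianServlet implements IUserService {

    private Logger log = Logger.getLogger(UserService.class);

    // Authenticates the caller and returns the session id, or null if the login fails.
    public String login(String username, char[] password){
        log.info("Login for User : " + username);
        Subject currentUser = SecurityUtils.getSubject();

        try {
            if ( !currentUser.isAuthenticated() ) {
                UsernamePasswordToken token = new UsernamePasswordToken(username, password);
                currentUser.login(token);
            }
        } catch (UnknownAccountException uae) {
            log.error("There are no user with username : " + username);
            return null;
        } catch (AuthenticationException ae) {
            return null;
        }

        Session session = currentUser.getSession();
        return session.getId().toString();
    }
}

public class SecureService extends HessianServlet implements ISecureService {

    public String sayHello(String name){
         return "Hello " + name;
    }
}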

The following lines must be added in web.xml.



Let us activate Shiro for our web service. In this example I’ll use IniShiroFilter to load the configuration from an INI file. You can either create a separate INI file or put the configuration inline in web.xml. For the inline variant, use the config init-param instead of configPath:

             [main]
             # realms to be used ($mySecurityRealm must be defined above this line; its definition is not shown in this listing)
             securityManager.realm = $mySecurityRealm

             # sessionManager
             sessionManager = org.apache.shiro.web.session.mgt.ServletContainerSessionManager
             sessionManager.globalSessionTimeout = 60000
             securityManager.sessionManager = $sessionManager

             [urls]
             /restrictedArea/** = authcBasic
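
The inline configuration described above, written out as a complete web.xml fragment together with the two Hessian servlets. This is an added example, not the original post's file: the com.example.* class names, the filter and servlet names, and the /userService and /restrictedArea/secureService mappings are assumptions.

```xml
<!-- Added example: class names under com.example and the URL mappings are hypothetical. -->
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    <init-param>
        <!-- "config" carries the INI text inline; "configPath" would name an INI file instead -->
        <param-name>config</param-name>
        <param-value>
            [main]
            # hypothetical realm class; replace with your own Realm implementation
            mySecurityRealm = com.example.MySecurityRealm
            securityManager.realm = $mySecurityRealm

            sessionManager = org.apache.shiro.web.session.mgt.ServletContainerSessionManager
            securityManager.sessionManager = $sessionManager

            [urls]
            # only the restricted path requires an authenticated subject
            /restrictedArea/** = authcBasic
        </param-value>
    </init-param>
</filter>
<!-- Map the filter to every request, including the login servlet, so that
     SecurityUtils.getSubject() is bound to the request inside UserService. -->
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Login service: outside /restrictedArea, so it is reachable before authentication -->
<servlet>
    <servlet-name>UserService</servlet-name>
    <servlet-class>com.example.UserService</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>UserService</servlet-name>
    <url-pattern>/userService</url-pattern>
</servlet-mapping>

<!-- Protected service: matched by the /restrictedArea/** rule in [urls] -->
<servlet>
    <servlet-name>SecureService</servlet-name>
    <servlet-class>com.example.SecureService</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>SecureService</servlet-name>
    <url-pattern>/restrictedArea/secureService</url-pattern>
</servlet-mapping>
```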


Now our service is ready. Let’s write a Java-Client to test the service. An important point here is that after logging in, we need to transfer the sessionId each time so that the service will recognize us. Otherwise, we always get HTTP 401 errors.

For the client I’ve created a Java project that has only the following class.

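import java.net.MalformedURLException;
import com.caucho.hessian.client.HessianProxyFactory;

public class HessianClient {
    // Placeholders: the URL arguments are cut off in the original listing.
    static final String SECURE_SERVICE_URL = "<SecureService URL>";
    static final String USER_SERVICE_URL = "<UserService URL>";

    public static void main(String[] args) {
        HessianProxyFactory factory = new HessianProxyFactory();
        try {
            ISecureService secureService = (ISecureService) factory.create(ISecureService.class,
                    SECURE_SERVICE_URL);

            secureService.sayHello("TEST"); // error : HTTP response code: 401 for URL

            IUserService userService = (IUserService) factory.create(IUserService.class,
                    USER_SERVICE_URL);
            String sessionId = userService.login("admin", "admin".toCharArray());

            secureService.sayHello("TEST"); // error : HTTP response code: 401 for URL:

            // Placeholder: the argument that carries sessionId is cut off in the original listing.
            String secureServiceUrlWithSessionId = "<SecureService URL with " + sessionId + ">";
            ISecureService secureServiceWithSessionID = (ISecureService) factory.create(ISecureService.class,
                    secureServiceUrlWithSessionId);

            secureServiceWithSessionID.sayHello("TEST"); // no error

        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
    }
}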

As you can see here, everything is fine if you always send the sessionId to the server.


Finally, I hope that this small example will help someone to get ahead.
