I'm working on a solution where a webapp[1] running in apache karaf
provides forms based authentication for nginx.  The webapp uses Shiro to
handle the login and login check.

It now sort of works: authentication for the rest of the website works
but authentication fails for the webapp itself.

Is the path of the cookie(s) important for shiro authentication?

What happens, is as follows:
 1. I open an nginx URL in a browser eg. http://lorenzo.hjemme.lan/testauth.html
 2. The nginx auth module [2] makes a call to /authservice/check to
    check the logged in state
 3. The /authservice/check URL is reverse-proxied to 
http://localhost:8181/authservice/check
 4. http://localhost:8181/authservice is a webapp with shiro, running in
    apache karaf
 5. The http://localhost:8181/authservice/check URL returns 401 (Needs
    Authentication)
 6. The 401 causes nginx to open http://lorenzo.hjemme.lan/authservice/login
 7. http://lorenzo.hjemme.lan/authservice/login is reverse-proxied to 
http://localhost:8181/authservice/login
 8. A successful login results in cookies with path=/authservice set on
    the response and a 302 redirect to the original URL 
(http://lorenzo.hjemme.lan/testauth.html)
 9. The reverse proxy config rewrites path=/authservice to path=/ on the cookies
10. The browser again tries to open http://lorenzo.hjemme.lan/testauth.html
    this time with a shiro cookie with path=/
11. The nginx auth module makes a check call to /authservice/check with
    the cookie, and the check URL returns 200
12. Nginx serves http://lorenzo.hjemme.lan/testauth.html Success! So
    far, so good!
13. Then I try opening http://lorenzo.hjemme.lan/authservice and then
    shiro auth fails and redirects to the login page (this all happens
    inside the shiro webapp, nginx isn't involved)
15. The http://localhost:8181/authservice/check is set up with anon
    access in shiro, so by itself isn't redirected by shiro, and this
    code returns true:

Is it the changed path of the cookie that causes the shiro failure?  What
can I do to create a cookie that works both inside /authservice and
outside?

Thanks!

References:
[1] <https://github.com/steinarb/authservice>
[2] <http://nginx.org/en/docs/http/ngx_http_auth_request_module.html>

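The question above turns on which cookies a browser attaches to a request, given the cookie's Path attribute. The following is an added example, not code from the original post or from the authservice project: a small model of the RFC 6265 path-match rule and the browser's Cookie-header ordering, run over the request paths named in the post. The cookie names JSESSIONID and rememberMe are assumed (they are Shiro's defaults), the cookie values are constructed, and the "stale cookie" scenario is a constructed caveat rather than a claim about the poster's setup.

```python
# Added example: RFC 6265 cookie path matching applied to the paths in the post.
# Not code from the original post or the authservice project.
from dataclasses import dataclass, field
from itertools import count

_creation = count()  # monotonic creation order, stands in for creation-time


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str
    created: int = field(default_factory=lambda: next(_creation))


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: equal, or a prefix at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # cookie-path ends in "/" or the next request-path character is "/"
        if cookie_path.endswith("/") or request_path[len(cookie_path)] == "/":
            return True
    return False


def cookie_header(jar, request_path):
    """Cookies the browser sends for request_path, in RFC 6265 section 5.4 order:
    longer paths first, then earlier-created first."""
    matching = [c for c in jar if path_matches(request_path, c.path)]
    matching.sort(key=lambda c: (-len(c.path), c.created))
    return [(c.name, c.value) for c in matching]


def rewrite_cookie_path(cookie, old_path, new_path):
    """Model of the reverse proxy rewriting Path on Set-Cookie as it passes
    through (the effect of nginx proxy_cookie_path); name and value untouched."""
    if cookie.path == old_path:
        return Cookie(cookie.name, cookie.value, new_path)
    return cookie


# Constructed sample: cookies as the webapp itself sets them (names assumed,
# values made up for the example).
WEBAPP_COOKIES = [
    Cookie("JSESSIONID", "sess-A", "/authservice"),
    Cookie("rememberMe", "rm-A", "/authservice"),
]

REQUEST_PATHS = ["/testauth.html", "/authservice", "/authservice/check"]


def scenario_no_rewrite():
    """Cookies left with path=/authservice: only reach the webapp's own paths."""
    jar = list(WEBAPP_COOKIES)
    return {p: cookie_header(jar, p) for p in REQUEST_PATHS}


def scenario_rewrite():
    """Proxy rewrote path=/authservice to path=/: the cookies reach every path,
    /authservice included, since "/" path-matches any request path."""
    jar = [rewrite_cookie_path(c, "/authservice", "/") for c in WEBAPP_COOKIES]
    return {p: cookie_header(jar, p) for p in REQUEST_PATHS}


def scenario_stale_cookie():
    """Constructed caveat: the jar holds an older JSESSIONID with path=/authservice
    alongside a newer rewritten one with path=/. For a request under /authservice
    the browser sends both, longer path first, so a server that takes the first
    JSESSIONID value it sees keeps using the old session."""
    jar = list(WEBAPP_COOKIES) + [Cookie("JSESSIONID", "sess-B", "/")]
    return cookie_header(jar, "/authservice/check")


if __name__ == "__main__":
    for label, result in (("no rewrite", scenario_no_rewrite()),
                          ("rewrite to /", scenario_rewrite())):
        print(label)
        for path, cookies in result.items():
            print(f"  {path:20} -> {cookies}")
    print("stale cookie, /authservice/check ->", scenario_stale_cookie())
```

Running it shows that a cookie scoped to path=/ is sent to /authservice and /authservice/check just as it is to /testauth.html, so widening the path by itself does not hide the cookie from the webapp. What the model also makes visible is the one way path scoping does change what the webapp sees: if two cookies of the same name but different paths coexist in the jar, the request carries both, and the order in which the server reads them decides which session is used.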