I'm working on a solution where a webapp [1] running in Apache Karaf provides forms-based authentication for nginx. The webapp uses Shiro to handle the login and login check.
It now sort of works: authentication for the rest of the website works, but authentication fails for the webapp itself. Is the path of the cookie(s) important for Shiro authentication?

What happens is as follows:

1. I open an nginx URL in a browser, e.g. http://lorenzo.hjemme.lan/testauth.html
2. The nginx auth module [2] makes a call to /authservice/check to check the logged-in state
3. The /authservice/check URL is reverse-proxied to http://localhost:8181/authservice/check
4. http://localhost:8181/authservice is a webapp with Shiro, running in Apache Karaf
5. The http://localhost:8181/authservice/check URL returns 401 (Needs Authentication)
6. The 401 causes nginx to open http://lorenzo.hjemme.lan/authservice/login
7. http://lorenzo.hjemme.lan/authservice/login is reverse-proxied to http://localhost:8181/authservice/login
8. A successful login results in cookies with path=/authservice set on the response and a 302 redirect to the original URL (http://lorenzo.hjemme.lan/testauth.html)
9. The reverse proxy config rewrites path=/authservice to path=/ on the cookies
10. The browser again tries to open http://lorenzo.hjemme.lan/testauth.html, this time with a Shiro cookie with path=/
11. The nginx auth module makes a check call to /authservice/check with the cookie, and the check URL returns 200
12. nginx serves http://lorenzo.hjemme.lan/testauth.html. Success! So far, so good!
13. Then I try opening http://lorenzo.hjemme.lan/authservice, and then Shiro auth fails and redirects to the login page (this all happens inside the Shiro webapp; nginx isn't involved)
15. The http://localhost:8181/authservice/check is set up with anon access in Shiro, so by itself isn't redirected by Shiro, and this code returns true:

Is it the changed path of the cookie that causes the Shiro failure? What can I do to create a cookie that works both inside /authservice and outside?

Thanks!
References: [1] <https://github.com/steinarb/authservice> [2] <http://nginx.org/en/docs/http/ngx_http_auth_request_module.html>
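For readers who want to see the flow from the post as a concrete nginx configuration, here is an added example (written for this page, not taken from the authservice project or from the poster's setup). It uses the hostname and backend port from the post; the document root, the `originalUri` query parameter and the `X-Original-URI` header are assumptions, not something the page states.

```nginx
# Added example: nginx front end that delegates authentication to the Shiro
# webapp on Karaf with ngx_http_auth_request_module [2].  Hostname and port are
# from the post; everything else here is an assumption for illustration.
server {
    listen 80;
    server_name lorenzo.hjemme.lan;

    # Every request outside /authservice is first checked against the webapp.
    location / {
        auth_request /authservice/check;
        # A 401 from the check sends the browser to the login form (step 6).
        error_page 401 = @login;
        root /var/www/html;          # assumed document root
    }

    # Subrequest target only (internal): the browser's Cookie header is passed
    # through to Shiro; the request body is not needed for a yes/no answer.
    location = /authservice/check {
        internal;
        proxy_pass http://localhost:8181/authservice/check;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;   # assumed header name
    }

    location @login {
        # assumed parameter name; the webapp decides where to redirect after login
        return 302 /authservice/login?originalUri=$request_uri;
    }

    # The Shiro webapp itself: login, logout and everything under /authservice.
    location /authservice/ {
        proxy_pass http://localhost:8181/authservice/;
        proxy_set_header Host $host;
        # Shiro scopes its cookies to the webapp's context path (step 8);
        # widen them so the browser also sends them for the rest of the site (step 9).
        proxy_cookie_path /authservice /;
    }
}
```

Two things worth checking in a setup like this. First, `proxy_cookie_path` only rewrites the `Path` attribute on responses that pass through that `location`; a cookie the browser already holds with `path=/authservice` from an earlier login is not touched, so the browser can end up sending two cookies of the same name (the longer-path one is listed first in the `Cookie` header), and the servlet container may pick either. Inspecting the request's `Cookie` header in the browser's developer tools, or clearing cookies for the host before retesting, tells you whether that is happening. Second, the rewrite can be avoided altogether by having Shiro issue the cookie with `path=/` in the first place; in `shiro.ini` that is the `path` property of the session manager's `sessionIdCookie` (e.g. `securityManager.sessionManager.sessionIdCookie.path = /`), and the same property exists on the remember-me cookie if the webapp uses one.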