Re: Is the cookie path important for Shiro

2019-01-25 Thread Steinar Bang
> Brian Demers :

> What does the request shiro receives look like?

Hm... I was going to do some wireshark captures to illustrate the
problem.  

But what happened now was that everything worked as expected, i.e. the
auth problem when entering the webapp after a cookie path rewrite no
longer occurs... :-)

Nevertheless the captures may be of interest.

The captures are on port 8181, ie. the captures are the way shiro sees
them, and the nginx cookie path rewrites aren't shown.

 1. A capture of an nginx auth check before doing a login
    https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-initial-auth-check
 2. A capture of opening the login page (redirected there by nginx when
    the auth failed)
    https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-open-login-page
 3. A capture of the login POST (redirecting to the original page)
    https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-successful-login-post
 4. A capture of a successful auth check
    https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-successful-auth-check-from-nginx
 5. A capture of what happens when entering the webapp's path from the
    nginx frontend (i.e. http://lorenzo.hjemme.lan/authservice/).  This
    is the one that was failing for me, but now is working.
    https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-opening-the-top-level-authservice-path

> Is the rewrite also changing the request path?

No.  The base path as seen from nginx is http://lorenzo.hjemme.lan/authservice
and the base path as seen from karaf is http://localhost:8181/authservice.

> Does that affect the path filtering rules you have set up?

I don't think so.  It seemed to work as expected "inside" the
http://lorenzo.hjemme.lan/authservice URL before I introduced the cookie
path rewrite.

But when I introduced the rewrite http://lorenzo.hjemme.lan/ worked
while http://lorenzo.hjemme.lan/authservice failed.

However now both work.  I have no idea what made it start working.  Some
kind of cookie expiry, perhaps...?

Thanks!


- Steinar




Re: Is the cookie path important for Shiro

2019-01-22 Thread Brian Demers
What does the request shiro receives look like?  Is the rewrite also
changing the request path? Does that affect the path filtering rules you
have set up?

On Sat, Jan 19, 2019 at 2:53 PM Steinar Bang  wrote:

> I'm working on a solution where a webapp[1] running in apache karaf
> provides forms based authentication for nginx.  The webapp uses Shiro to
> handle the login and login check.
>
> It now sort of works: authentication for the rest of the website works
> but authentication fails for the webapp itself.
>
> Is the path of the cookie(s) important for shiro authentication?
>
> What happens, is as follows:
>  1. I open an nginx URL in a browser eg.
> http://lorenzo.hjemme.lan/testauth.html
>  2. The nginx auth module [2] makes a call to /authservice/check to
> check the logged in state
>  3. The /authservice/check URL is reverse-proxied to
> http://localhost:8181/authservice/check
>  4. http://localhost:8181/authservice is a webapp with shiro, running in
> apache karaf
>  5. The http://localhost:8181/authservice/check URL returns 401 (Needs
> Authentication)
>  6. The 401 causes nginx to open
> http://lorenzo.hjemme.lan/authservice/login
>  7. http://lorenzo.hjemme.lan/authservice/login is reverse-proxied to
> http://localhost:8181/authservice/login
>  8. A successful login results in cookies with path=/authservice set on
> the response and a 302 redirect to the original URL (
> http://lorenzo.hjemme.lan/testauth.html)
>  9. The reverse proxy config rewrites path=/authservice to path=/ on the
> cookies
> 10. The browser again tries to open
> http://lorenzo.hjemme.lan/testauth.html
> this time with a shiro cookie with path=/
> 11. The nginx auth module makes a check call to /authservice/check with
> the cookie, and the check URL returns 200
> 12. Nginx serves http://lorenzo.hjemme.lan/testauth.html Success! So
> far, so good!
> 13. Then I try opening http://lorenzo.hjemme.lan/authservice and then
> shiro auth fails and redirects to the login page (this all happens
> inside the shiro webapp, nginx isn't involved)
> 15. The http://localhost:8181/authservice/check is set up with anon
> access in shiro, so by itself isn't redirected by shiro, and this
> code returns true:
>
> Is it the changed path of the cookie that causes the shiro failure?  What
> can I do to create a cookie that works both inside /authservice and
> outside?
>
> Thanks!
>
> References:
> [1] 
> [2] 
>
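Added example, not code from this thread, from Shiro or from nginx: the RFC 6265 path-match rule a browser applies when deciding whether to send a cookie, run over constructed request paths from the setup above, showing which requests carry the session cookie before and after the proxy rewrites Path=/authservice to Path=/. The cookie name and value are constructed, and rewrite_cookie_path is a stand-in for what the thread's "reverse proxy config rewrites" step does to the Set-Cookie header (an assumption about that configuration, not its actual directive).

```python
"""RFC 6265 section 5.1.4 cookie path matching, applied to the
Shiro-behind-nginx layout discussed in the thread.  All header values
and request paths here are constructed for illustration."""
import re

def path_matches(request_path: str, cookie_path: str) -> bool:
    """True if a browser would send a cookie with this Path on request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/authservice" covers "/authservice/check" but not "/authservices":
        # the cookie path must end in "/" or the next request char must be "/"
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def rewrite_cookie_path(set_cookie: str, old: str, new: str) -> str:
    """Rewrite the Path attribute of a Set-Cookie header value, as a reverse
    proxy in front of the webapp would (stand-in for the nginx rewrite)."""
    pattern = r"(?i)(;\s*Path=)" + re.escape(old) + r"(?=;|$)"
    return re.sub(pattern, lambda m: m.group(1) + new, set_cookie)

def cookie_path_of(set_cookie: str) -> str:
    """Extract the Path attribute; a missing Path is simplified to "/" here
    (RFC 6265 actually derives a default path from the request URI)."""
    m = re.search(r"(?i);\s*Path=([^;]*)", set_cookie)
    return m.group(1).strip() if m else "/"

def paths_receiving_cookie(set_cookie: str, request_paths) -> list:
    """Subset of request_paths on which the browser would send the cookie."""
    cookie_path = cookie_path_of(set_cookie)
    return [p for p in request_paths if path_matches(p, cookie_path)]

# Constructed Set-Cookie as the webapp on :8181 emits it (path=/authservice).
UPSTREAM_SET_COOKIE = "SESSION=constructed-session-id; Path=/authservice; HttpOnly"
# Paths from the thread, plus a near-miss to show the boundary rule.
REQUESTS = ["/testauth.html", "/authservice", "/authservice/",
            "/authservice/check", "/authservices"]

if __name__ == "__main__":
    rewritten = rewrite_cookie_path(UPSTREAM_SET_COOKIE, "/authservice", "/")
    print("upstream :", paths_receiving_cookie(UPSTREAM_SET_COOKIE, REQUESTS))
    print("rewritten:", paths_receiving_cookie(rewritten, REQUESTS))
```

With Path=/authservice the cookie never reaches /testauth.html, which is why the nginx auth check for the rest of the site needs the rewrite; with Path=/ the browser sends it on every path listed, including /authservice and /authservice/check.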