Oh, one final note. Your form action URL should be the same as your
filter's 'loginUrl':
<form name="loginform" method="post" action='${authc.loginUrl}'>
...
where ${authc.loginUrl} is the same value as configured on the authc
filter in the ini [main] section.
Also, you should probably look at Shiro's sample web application, as
it shows a working example:
http://svn.apache.org/repos/asf/shiro/trunk/samples/
particularly the 'web' module.
Cheers,
Les
On Thu, Feb 17, 2011 at 11:28 AM, Les Hazlewood <[email protected]> wrote:
> Hi Datta,
>
> Assuming your INI config is in a file named shiro.ini at the root of
> the classpath, then you've configured the ShiroFilter correctly in
> web.xml. Your realm definitions look fine - Shiro will automatically
> find all realms defined in shiro.ini and set them on the
> SecurityManager. If you want to be explicit, you can configure them
> explicitly:
>
> [main]
> realm1 = ...
> realm2 = ..
> securityManager.realms = $realm1, $realm2
>
> You can read more about INI/object-graph configuration here:
> http://shiro.apache.org/configuration.html
>
> The reason your request does not reach your LoginUser servlet is
> because the 'authc' filter is an
> org.apache.shiro.web.filter.authc.FormAuthenticationFilter instance.
> It will process your logins automatically and redirect users as needed
> based on your configuration. This means the POST request will always
> be handled by the FormAuthenticationFilter and will never be allowed
> to 'fall through' to a controller or servlet below it. When using the
> default FormAuthenticationFilter, there is no need for a servlet or
> controller. All you need to do is configure your application's login
> url (where your form is located).
>
> For example:
>
> [main]
> # define your 2 realms here
> ...
> authc.loginUrl = /login.jsp
>
> If you _don't_ want the FormAuthenticationFilter to process your login
> POST requests, and instead you want to let the requests pass through
> to a servlet or MVC controller, you'll want to redefine the 'authc'
> filter to be an org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
> instance instead:
>
> [main]
> # realms
> authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
> authc.loginUrl = /login.jsp
>
> The FormAuthenticationFilter is easiest to use, but the
> PassThruAuthenticationFilter is useful if you need to do additional
> request processing beyond a standard login. See the
> FormAuthenticationFilter and the PassThruAuthenticationFilter JavaDoc
> for more information.
>
> Finally, when multiple realms are configured, Shiro's default
> authentication strategy is to call each realm. As long as at least
> one of those realms authenticates successfully, the authentication
> will be successful. You can see this happen by using your debugger
> and putting a breakpoint in the
> org.apache.shiro.authc.pam.ModularRealmAuthenticator class's
> 'doAuthenticate' method. You can change the strategy if you want to
> as well (AllSuccessfulStrategy, FirstSuccessfulStrategy, etc - see the
> ModularRealmAuthenticator JavaDoc for more).
>
> HTH,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and
> Training:
> http://www.katasoft.com
>
> On Thu, Feb 17, 2011 at 5:53 AM, Datta <[email protected]> wrote:
>>
>> Hello Friends:
>> I am trying to use Active Directory Realm in my web application
>> I have to authenticate users against 2 Active Directory
>> Need help with configuration?
>>
>> Questions:
>> 1. First when the form is submitted, request does not reach LoginUser
>> servlet? (Unable to figure out what's wrong with .ini)
>> After disabling filter, request reaches Servlet, but realms are not
>> available.:(
>> 2. How do I know which realm is used by LoginUser servlet?
>> 3. Where do I specify so that these realms are available to
>> SecurityManager/DefaultWebSecurityManager?
>> 4. I tried the example here
>> http://www.ibm.com/developerworks/web/library/wa-apacheshiro/
>> It works well but with only 1 realm
>>
>>
>> Below is my shiro.ini, login.jsp, web.xml, login servlets doPost Method
>> [main]
>> sirRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>> sirRealm.systemUsername = xxxx
>> sirRealm.systemPassword = xxx
>> sirRealm.searchBase = OU=IT,OU=MA-Users,DC=cinfotec,DC=corp
>> sirRealm.url = ldap://ad0.cinfotec.corp:389/
>>
>> xmrRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>> xmrRealm.systemUsername = xxxx
>> xmrRealm.systemPassword = xxx
>> xmrRealm.searchBase = OU=BU,OU=MA-Users,DC=cinfotec,DC=corp
>> xmrRealm.url = ldap://ad1.cinfotec.corp:389/
>>
>> authc.loginUrl = /login.jsp
>> [urls]
>> # make sure the end-user is authenticated. If not, redirect to the
>> # 'authc.loginUrl' above, and after successful authentication, redirect
>> # them back to the original account page they were trying to view:
>> /** = authc
>> ---------------------------------------------------------------
>> login.jsp
>> <form name="loginform" method="post" action='LoginUser'>
>> <table align="left" border="0" cellspacing="0" cellpadding="3">
>> <tr>
>> <td>Username:</td>
>> <td><input type="text" name="username" maxlength="30"></td>
>> </tr>
>> <tr>
>> <td>Password:</td>
>> <td><input type="password" name="password" maxlength="30"></td>
>> </tr>
>> <tr>
>> <td colspan="2" align="left"><input type="checkbox"
>> name="rememberMe">Remember Me</td>
>> </tr>
>> <tr>
>> <td colspan="2" align="right"><input type="submit" name="submit"
>> value="Login"></td>
>> </tr>
>> </table>
>> </form>
>> ---------------------------------------------------------------
>> web.xml
>> <filter>
>> <filter-name>ShiroFilter</filter-name>
>>
>> <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
>> </filter>
>> <filter-mapping>
>> <filter-name>ShiroFilter</filter-name>
>> <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> <servlet>
>> <servlet-name>LoginUser</servlet-name>
>> <display-name>LoginUser</display-name>
>> <description>Servlet to autenticate User agains AD</description>
>> <servlet-class>com.siriusxm.security.Login</servlet-class>
>> </servlet>
>> <servlet-mapping>
>> <servlet-name>LoginUser</servlet-name>
>> <url-pattern>/LoginUser</url-pattern>
>> </servlet-mapping>
>>
>> ---------------------------------------------------------------
>> LoginUser Servlet doPost
>>
>> public void doPost(HttpServletRequest request, HttpServletResponse
>> response) throws ServletException, IOException {
>> String url = "/login.jsp"; // Get the login page url from properties file
>> String username = request.getParameter("username");
>> String password = request.getParameter("password");
>> UsernamePasswordToken token =
>> new UsernamePasswordToken(username, password);
>>
>> try {
>> Subject subject = SecurityUtils.getSubject();
>> subject.login(token);
>> //token.clear();
>> url = "/secure/index.jsp";
>>
>> } catch (AuthenticationException e) {
>> logger.error("Error:" + e.getMessage());
>> e.printStackTrace();
>> }
>> RequestDispatcher dispatcher =
>> getServletContext().getRequestDispatcher(url);
>>
>> dispatcher.forward(request, response);
>>
>> }
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Help-with-configuring-mulitple-ActiveDirectory-in-web-app-tp6035984p6035984.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
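
The multi-realm behaviour described in the thread, as an added example that is not code from the thread or from the Shiro project. It assumes shiro-core on the classpath; the class name MultiRealmDemo, the in-memory SimpleAccountRealm stand-ins for the two ActiveDirectoryRealm instances, and the accounts alice and bob are constructed for illustration. It shows how the authentication strategy decides the outcome when a user exists in only one directory, and how to read back which realm authenticated the subject.

```java
import java.util.Arrays;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class MultiRealmDemo {

    // Attempt a login against both realms under the given strategy. Returns the
    // names of the realms that vouched for the user, or "DENIED" on failure.
    static String login(AuthenticationStrategy strategy, String user, String pass) {
        // Constructed stand-ins: each user lives in exactly one "directory".
        SimpleAccountRealm sirRealm = new SimpleAccountRealm("sirRealm");
        sirRealm.addAccount("alice", "alice-pw");
        SimpleAccountRealm xmrRealm = new SimpleAccountRealm("xmrRealm");
        xmrRealm.addAccount("bob", "bob-pw");

        // Programmatic equivalent of: securityManager.realms = $sirRealm, $xmrRealm
        DefaultSecurityManager sm =
                new DefaultSecurityManager(Arrays.<Realm>asList(sirRealm, xmrRealm));
        // The default authenticator is the ModularRealmAuthenticator named in the thread.
        ((ModularRealmAuthenticator) sm.getAuthenticator()).setAuthenticationStrategy(strategy);

        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, pass));
            // The PrincipalCollection records which realm(s) supplied the identity.
            return subject.getPrincipals().getRealmNames().toString();
        } catch (AuthenticationException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        // Default strategy: one realm accepting the credentials is enough.
        System.out.println(login(new AtLeastOneSuccessfulStrategy(), "alice", "alice-pw"));
        System.out.println(login(new AtLeastOneSuccessfulStrategy(), "bob", "bob-pw"));
        // A wrong password is rejected by every realm, so the login fails.
        System.out.println(login(new AtLeastOneSuccessfulStrategy(), "alice", "wrong"));
        // AllSuccessfulStrategy requires every realm to accept, so a user who
        // exists in only one directory is denied even with the right password.
        System.out.println(login(new AllSuccessfulStrategy(), "alice", "alice-pw"));
    }
}
```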