At first glance, your setup looks about right. It might be useful to just step through the code. I would start with a breakpoint in the getAuthenticationInfo(AuthenticationToken token) method of AuthenticatingRealm.
-Jared On Thu, Jun 20, 2013 at 9:58 AM, Stephen McCants <[email protected] > wrote: > Hello Jared and Thibault, > > I'm glad to hear this behavior is not in Shiro. I currently have a my > password stored in my database in plain text (until I get things working > well enough that I'm willing to encrypt the password). If I set the > password to 'password' and try to login, it seems to fail and leaves me at > the login.html page instead of redirecting me as it should after a > successful login. If I set the password to something else, then when I log > in I'm redirected to the success page. I've attached my shiro.ini file and > login.html page. > > Any thoughts on this strange behavior? It may not be very important, but > it is a little concerning that I might have a bug in my setup that could > cause later log in failures with reasonable passwords. > > Thanks for your help! > > Sincerely, > Stephen McCants > > Here is my shiro.ini file: > > [main] > # Take 2 on a shared cache/Single Sign On that can be used by both REST and > Schedule. > # Based on F_A_V's instructions from here: > # > http://shiro-user.582556.n2.nabble.com/Shiro-and-multiple-wars-within-the-same-Servlet-Container-td5560737.html > > # Cache for single sign on > ssoCacheManager = org.apache.shiro.cache.ehcache.EhCacheManager > #ssoCacheManager.cacheManager = com.hcs.org.ehcache.SingletonEhCacheFactory > ssoCacheManager.cacheManagerConfigFile = classpath:ehcache.xml > securityManager.cacheManager = $ssoCacheManager > > # native for single sign on > #securityManager.sessionMode = native > > # DAO for single sign on > sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO > sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager > sessionManager.sessionDAO = $sessionDAO > securityManager.sessionManager = $sessionManager > ##securityManager.sessionManager.sessionDAO = $sessionDAO > > # > https://cwiki.apache.org/confluence/display/SHIRO/Session+Management#SessionManagement-SessionTimeout > # this sets up the session purge. Sessions inactive for over an hour will > # be purged from the database. the interval is set in milliseconds. > sessionValidationScheduler = > org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler > sessionValidationScheduler.interval = 60000 > sessionValidationScheduler.sessionManager = $sessionManager > securityManager.sessionManager.sessionValidationScheduler = > $sessionValidationScheduler > securityManager.sessionManager.sessionValidationSchedulerEnabled = true > > # cookie for single sign on > # this sets up the session cookie. the name is the cookie name > # and the path is the cookie path. by setting the path to / we > # can use it across domains. ajax will automatically pick it up > # from the browser and send it with all calls to REST. > # using the default session name JSESSIONID but anything can > # be used. > cookie = org.apache.shiro.web.servlet.SimpleCookiecookie.name = JSESSIONID > cookie.path = / > securityManager.sessionManager.sessionIdCookie = $cookie > > # authc is the form based authentication filter from shiro > # the usernameParam and passwordParam below specify that the > # form submitted will have will have inputs of those names > # the login url is the login page. > # If the login attempt fails, the resulting AuthenticationException fully > # qualified class name will be set as a request attribute under the > failureKeyAttribute key. > # This can be used as an i18n key or lookup mechanism to explain to the user > # why their login attempt failed (e.g. no account, incorrect password, etc). > authc.usernameParam = j_username > authc.passwordParam = j_password > authc.loginUrl = /login.html > authc.successUrl = /index.html > authc.failureKeyAttribute = shiroLoginFailure > > # Logout filter configuration (b/c it sends us off the bad places) > logout.redirectUrl = /login.html?logout=true > > # This is the connection information to the datbase > # that will be used for authentication. Where > # the user names and passwords are stored. > # TODO move this OUT of the shiro.ini so that it isn't part of the WAR file. > (WTL-141) > ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource > ds.serverName = localhost > ds.user = root > ds.password = XXXXX > ds.databaseName = webtl > > # the authenticationQuery is the sql used to get the password from the db. > jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm > jdbcRealm.dataSource = $ds > jdbcRealm.authenticationQuery = SELECT password FROM webtl.access_requests > where email_address = ? > > [urls] > # The /login.html is not restricted to authenticated users (otherwise no one > could log in!), but > # the 'authc' filter must still be specified for it so it can process that > url's > # login submissions. It is 'smart' enough to allow those requests through as > specified by the > # shiro.loginUrl above. > # The line below says that anything under / will use the form base > authentication as configured > # above to authenticate. > # The format is as this: URL_Ant_Path_Expression = Path_Specific_Filter_Chain > # this means that different authentication can be used for different paths. > #/admin.html = authc,perms > /img/* = anon > /lib/* = anon > # The JavaScript files below are available to support the signup page. > /js/util.js = anon > /js/loader.js = anon > /js/signup.js = anon > # Common.js is available to support internationalization. > /js/common.js = anon > /bundle/* = anon > /style/* = anon > /signup.html = anon > /logout = authc, logout > /** = authc > > > Here is my login.html file: > > <html> > <head> > <title>Login</title> > <script src="lib/jquery-1.7.2.min.js"></script> <!-- Need > JQuery to let us manipulate some text. --> > </head> > <body> > <table> > <tr> > <td> > <img src="img/hcslogo.png" /> > </td> > <td> > <h1>OR <span class="color">Control<span > class="superscript2">™</span></span></h1> > </td> > </tr> > </table> > <p name='logged_out'>You have been successfully logged out.</p> > <form action="" id="loginForm" method="post"> > <p> > <label for="username" id="username-label">Username</label><br/> > <input id="username" type="text" name="j_username"/><br/> > > <label for="password">Password</label><br/> > <input id="password" type="password" name="j_password"/><br/> > > <input type="checkbox" name="rememberMe" id="rememberMe"/> > <label for="rememberMe" style="vertical-align: top">Remember > Me</label><br/> > > <input type="submit" id="login" class="button" value="Login"/> > <input type="reset" id="reset" class="button" value="Clear"/> > </p> > </form> > <p>Copy Right Information Here</p> > > <script> > <!-- This shows or hides the text stating that you've > successfully logged out --> > var results = new RegExp('[\\?&]' + 'logout' + > '=([^&#]*)').exec(window.location.href); > if(results != null && results[1] != null) { > $("p[name=logged_out]").show(); > } else { > $("p[name=logged_out]").hide(); > } > </script> > </body> > </html> > > > On 6/19/2013 7:31 PM, Jared Bunting wrote: > > I am not aware of this behavior existing in the shiro codebase. Perhaps > you could share what it is that you've configured and seen to lead you to > this conclusion? > > -Jared > On Jun 19, 2013 6:02 PM, "Stephen McCants" <[email protected]> > wrote: > >> Hello All, >> >> I'm a new user to Shiro and still very much on the learning >> curve. I >> recently ran into a strange problem that seems to be that Shiro will not >> allow a log in if the password is set to 'password'. Is that really >> hard coded somewhere inside Shiro? While good passwords are wise, I >> just spent two hours wondering why I couldn't log in when the only >> problem seems to be that I choose a trivial password while I'm learning >> how to use Shiro and it is only deployed on my laptop. This 'feature' >> also doesn't seem to be in the documentation and I don't understand >> enough to delve into the source code and look for it. >> So, is it really hard coded to prevent log ins with the password >> 'password'? If so, what other follies is Shiro secretly preventing? Is >> that really a good idea to have Shiro rejecting passwords or should that >> be delegated to something that checks password strength when a password >> is being setup? >> Thanks! >> >> Sincerely, >> Stephen McCants >> >> -- >> Stephen McCants >> Senior Software Engineer >> Healthcare Control Systems >> 1-877-877-8795 x116 >> >> > > -- > Stephen McCants > Senior Software Engineer > Healthcare Control Systems1-877-877-8795 x116 > >
