Sorry I do not know exactly how to do it in your case. I'm not even sure that it's the right way to do it : ) I guess one of the real Shiro experts will tell you soon.
But what seems strange to me is that you have "/login = anon". I always thought the login page has to be 'authc'? Maybe this "/login = anon" rule does not have any effect?

Have a look at the docs, too: http://shiro.apache.org/session-management.html -> Section: "shiro.ini - Disable Session Creation per request"

Although you are not using the ini config, I guess the filter key is the same, so "noSessionCreation" seems right. There they put it before the authc, have you tried that?

I'm just quite sure that "/** = authc, noSessionCreation" is not what you want, as this, as far as I know, would mean that no session is created ever.

On Fri, Jul 26, 2013 at 3:28 PM, Nagaraju Kurma <[email protected]> wrote:

> thanks for helpful reply......
>
> unfortunately here i am not using shiro.ini file as the security realm,
> instead i am using postgresql database to store users, roles,......,etc
>
> like ur configuration in filterChain..... our configuration is as follows
>
> this is shiro with spring integration
>
> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>     <property name="securityManager" ref="securityManager" />
>     <property name="loginUrl" value="/login" />
>     <property name="successUrl" value="redirect:/main/welcome1?cat=dashboard.summary" />
>     <property name="unauthorizedUrl" value="/login" />
>     <property name="filterChainDefinitions">
>         <value>
>             /framework/default/skins/css/login_style.css = anon
>             /framework/default/skins_ie/js/html5shiv.js = anon
>             /framework/default/skins/images/lock_icon.gif = anon
>             /framework/default/skins/images/enhancesys_top_logo.png = anon
>
>             /login = anon    <!-- login request trapper -->
>
>             /main/logout = logout
>             /** = authc
>         </value>
>     </property>
> </bean>
>
> here my anon is the login request trapper, as u said i tried in different
> ways like
>
> 1) /login = anon, NO_SESSION_CREATION ---------------> i got exception
>    saying that there is no filter named as NO_SESSION_CREATION
>
> 2) /login = anon, noSessionCreation -----------------> no effect
>
> 3) /** = authc ,NO_SESSION_CREATION -------------> same exception
>
> 4) /** = authc ,noSessionCreation -----------------> in impact
>
> suggest me how to do it........
>
> thanking you, :)
>
> On Fri, Jul 26, 2013 at 1:30 PM, Alexander Openkowski <[email protected]> wrote:
>
>> My login page is located under 'mydomain.com/app/account/login.jsp'. To
>> hide the jsessionid when landing on the login page I added the following to
>> my ShiroGuiceModule:
>>
>> addFilterChain("/app/account/**", AUTHC, NO_SESSION_CREATION); // before I only had AUTHC filter there
>>
>> So basically the trick seems to be to not create a session until the user
>> logs in.
>> If you're using .ini configuration it shouldn't be too hard to adapt that
>> I think.
>>
>> Btw: If there is something wrong with this approach please tell me!
>>
>> HTH,
>> Alex
>>
>> On Fri, Jul 26, 2013 at 7:24 AM, Nagaraju Kurma <[email protected]> wrote:
>>
>>> thanks for your suggestions,
>>> here i am using native session but not servlet session.
>>>
>>> when shiro session was extended from servlet session it has got some
>>> more extra activities.
>>>
>>> i searched in google and tried with the following different options
>>>
>>> 1) in web.xml
>>> -----------------
>>>
>>> <session-config>
>>>     <tracking-mode>COOKIE</tracking-mode>
>>> </session-config>
>>>
>>> 2) context.xml
>>>
>>> <?xml version='1.0' encoding='utf-8'?>
>>> <Context docBase="PATH_TO_WEBAPP" path="/CONTEXT" disableURLRewriting="true"></Context>
>>>
>>> 3) added on filter
>>>
>>> package net.enhancesys.auth.filter;
>>>
>>> import java.io.IOException;
>>>
>>> import javax.servlet.Filter;
>>> import javax.servlet.FilterChain;
>>> import javax.servlet.FilterConfig;
>>> import javax.servlet.ServletException;
>>> import javax.servlet.ServletRequest;
>>> import javax.servlet.ServletResponse;
>>> import javax.servlet.http.HttpServletRequest;
>>> import javax.servlet.http.HttpServletResponse;
>>> import javax.servlet.http.HttpServletResponseWrapper;
>>> import javax.servlet.http.HttpSession;
>>>
>>> public class DisableUrlSessionFilter implements Filter {
>>>
>>>     /*
>>>      * private static Log logger =
>>>      * LogFactory.getLog(DisableUrlSessionFilter.class);
>>>      */
>>>
>>>     /**
>>>      * Filters requests to disable URL-based session identifiers.
>>>      */
>>>     public void doFilter(ServletRequest request, ServletResponse response,
>>>             FilterChain chain) throws IOException, ServletException {
>>>         // skip non-http requests
>>>         if (!(request instanceof HttpServletRequest)) {
>>>             chain.doFilter(request, response);
>>>             return;
>>>         }
>>>
>>>         HttpServletRequest httpRequest = (HttpServletRequest) request;
>>>         HttpServletResponse httpResponse = (HttpServletResponse) response;
>>>
>>>         // clear session if session id in URL
>>>         if (httpRequest.isRequestedSessionIdFromURL()) {
>>>             // getSession(false): do not create a session only to invalidate it
>>>             HttpSession session = httpRequest.getSession(false);
>>>             if (session != null) {
>>>                 session.invalidate();
>>>             }
>>>         }
>>>
>>>         // wrap response to remove URL encoding
>>>         HttpServletResponseWrapper wrappedResponse =
>>>                 new HttpServletResponseWrapper(httpResponse) {
>>>             @Override
>>>             public String encodeRedirectUrl(String url) {
>>>                 return url;
>>>             }
>>>
>>>             @Override
>>>             public String encodeRedirectURL(String url) {
>>>                 return url;
>>>             }
>>>
>>>             @Override
>>>             public String encodeUrl(String url) {
>>>                 return url;
>>>             }
>>>
>>>             @Override
>>>             public String encodeURL(String url) {
>>>                 return url;
>>>             }
>>>         };
>>>
>>>         // process next request in chain
>>>         chain.doFilter(request, wrappedResponse);
>>>     }
>>>
>>>     /**
>>>      * Unused.
>>>      */
>>>     public void init(FilterConfig config) throws ServletException {
>>>     }
>>>
>>>     /**
>>>      * Unused.
>>>      */
>>>     public void destroy() {
>>>     }
>>> }
>>>
>>> for the above filter in web.xml
>>>
>>> <filter-mapping>
>>>     <filter-name>somename</filter-name>
>>>     <url-pattern>/*</url-pattern>
>>> </filter-mapping>
>>> <filter>
>>>     <filter-name>somename</filter-name>
>>>     <filter-class>AboveFilterName</filter-class>
>>> </filter>
>>>
>>> but no solution helped me...
>>>
>>> thanking you
>>>
>>>> --
>>>>
>>>> Regards,
>>>>
>>>> Nagaraju.
>>>
>>> --
>>>
>>> Regards,
>>>
>>> Nagaraju.
>
> --
>
> Regards,
>
> Nagaraju.
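
Added example (not part of the thread, and not Shiro's own code): a simplified Java model of first-match filter-chain resolution, run over the four attempts listed in the quoted message, to show which request paths each attempt actually attaches `noSessionCreation` to. The class name `ChainScopeDemo`, the reduced path matcher, the hard-coded list of default filter names and the sample path `/main/welcome1` are assumptions of this sketch.

```java
import java.util.*;
// Simplified model, not Shiro's code: the first pattern matching the path wins.
public class ChainScopeDemo {
    // Shiro's documented default filter names; custom filters are not modelled.
    static final Set<String> KNOWN = new HashSet<>(Arrays.asList(("anon,authc,authcBasic,"
            + "logout,noSessionCreation,perms,port,rest,roles,ssl,user").split(",")));
    // Reduced matcher: only exact paths and "prefix/**", the shapes in the thread.
    static boolean matches(String pattern, String path) {
        if (!pattern.endsWith("/**")) return pattern.equals(path);
        String prefix = pattern.substring(0, pattern.length() - 3);
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    static Map<String, List<String>> parse(String definitions) {
        Map<String, List<String>> chains = new LinkedHashMap<>();
        for (String line : definitions.split("\n")) {
            String[] kv = line.split("=", 2);
            List<String> filters = new ArrayList<>();
            for (String raw : kv[1].split(",")) {
                String name = raw.trim();  // names are case-sensitive keys
                if (!KNOWN.contains(name)) throw new IllegalArgumentException("no filter named " + name);
                filters.add(name);
            }
            chains.put(kv[0].trim(), filters);
        }
        return chains;
    }
    static List<String> resolve(Map<String, List<String>> chains, String path) {
        for (Map.Entry<String, List<String>> e : chains.entrySet())
            if (matches(e.getKey(), path)) return e.getValue();
        return Collections.emptyList();
    }

    public static void main(String[] args) {
        // {filters for /login, filters for /**}: the four attempts from the thread.
        String[][] attempts = {{"anon, NO_SESSION_CREATION", "authc"},
            {"anon, noSessionCreation", "authc"}, {"anon", "authc, NO_SESSION_CREATION"},
            {"anon", "authc, noSessionCreation"}};
        for (int i = 0; i < attempts.length; i++) {
            String defs = "/login = " + attempts[i][0] + "\n/** = " + attempts[i][1];
            try {
                Map<String, List<String>> c = parse(defs);
                System.out.println((i + 1) + ") /login -> " + resolve(c, "/login")
                        + ", /main/welcome1 -> " + resolve(c, "/main/welcome1"));
            } catch (IllegalArgumentException ex) {
                System.out.println((i + 1) + ") rejected: " + ex.getMessage());
            }
        }
    }
}
```

In this model attempts 1 and 3 are rejected because `NO_SESSION_CREATION` is the Guice constant, not a chain-definition key; attempt 2 scopes the filter to `/login` only, and attempt 4 attaches it to every path that falls through to `/**`.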
