Thank you for sharing your success story!
Sorry that I forgot to mention I already had what you suggested in the
web.xml:
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
I also made sure that the DTD is correctly pointing to 3.0:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
And I'm running under Tomcat 7.0.42, which already supports Servlet 3.0.
And actually JSESSIONID showed up _only_ after the login process. There's
no more JSESSIONID in any URLs afterwards.
Here are my related web.xml entries:
  <!-- has to come first before applying any other filter, otherwise encoding
       will fail -->
  <filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
      <param-name>forceEncoding</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetFilterLifecycle</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter>
    <display-name>JsessionId Filter</display-name>
    <filter-name>jsessionIdAvoiderFilter</filter-name>
    <filter-class>web.JsessionIdAvoiderFilter</filter-class>
  </filter>
  <filter>
    <filter-name>httpMethodFilter</filter-name>
    <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>jsessionIdAvoiderFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>httpMethodFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
I also tried swapping places between shiroFilter and
jsessionIdAvoiderFilter,
but with the same result of still containing the ;JSESSIONID=xxx.
And this is my Shiro filter configuration:
  <bean id="shiroFilter"
        class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login"/>
    <property name="successUrl" value="/"/>
    <property name="unauthorizedUrl" value="/signup"/>
    <property name="filterChainDefinitions">
      <value>
        /login = authc
        /logout = noSessionCreation, logout
        /** = noSessionCreation, anon
      </value>
    </property>
  </bean>
I'm using FreeMarker, so the session thing in JSP shouldn't be an issue,
since I'm using any JSPs.
My jsessionIdAvoiderFilter is simple:
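  package web;

  import java.io.IOException;
  import javax.servlet.Filter;
  import javax.servlet.FilterChain;
  import javax.servlet.FilterConfig;
  import javax.servlet.ServletException;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import javax.servlet.http.HttpServletResponseWrapper;

  public class JsessionIdAvoiderFilter implements Filter {
      @Override
      public void doFilter(ServletRequest req, ServletResponse res,
              FilterChain chain) throws IOException, ServletException {
          // Non-HTTP requests pass through untouched
          if (!(req instanceof HttpServletRequest)) {
              chain.doFilter(req, res);
              return;
          }
          HttpServletResponse response = (HttpServletResponse) res;
          // Prevent rendering of JSESSIONID in URLs for all outgoing links
          HttpServletResponseWrapper wrappedResponse =
                  new HttpServletResponseWrapper(response) {
              // The *Url methods are the deprecated aliases of the *URL ones;
              // all four return the URL without appending a session id
              @Override
              public String encodeRedirectUrl(String url) {
                  return url;
              }
              @Override
              public String encodeRedirectURL(String url) {
                  return url;
              }
              @Override
              public String encodeUrl(String url) {
                  return url;
              }
              @Override
              public String encodeURL(String url) {
                  return url;
              }
          };
          // Only code further down the chain sees the wrapped response
          chain.doFilter(req, wrappedResponse);
      }
      @Override
      public void destroy() {
      }
      @Override
      public void init(FilterConfig arg0) throws ServletException {
      }
  }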
Thanks for your time!
On Thu, Nov 14, 2013 at 9:34 PM, Josh Berry <[email protected]> wrote:
> I had success with setting <tracking-mode> to COOKIE in my web.xml.
>
> Otherwise, if you want to do this with a filter, you'll have to make sure
> your filter is installed at the correct place in the filter chain so that
> it sees this to remove it. If you can't make any headway on where to place
> it, I can probably take a closer look today.
>
> -josh
>
>
> On Thu, Nov 14, 2013 at 7:49 AM, Albert Kam <[email protected]> wrote:
>
>> Hello, I'm currently using the latest stable version of Apache Shiro.
>>
>> Everything has been working fine, until I want to remove ;JSESSIONID=xxx
>> from the URL after successful login.
>>
>> I tried suggestion here, by creating a filter that is making use of a
>> wrappedResponse, and register it into my web.xml, but still failing.
>>
>> Has anyone here successfully done this before?
>>
>> Thank you,
>> Albert Kam
>
>
--
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)
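
An added example, not part of the original message and not Shiro's own code: a variant of the filter in the message that, besides returning URLs unencoded, strips a ;jsessionid path parameter (matched in any letter case) from redirect targets, for the case where the URL was already encoded before this wrapper saw it. The class name SessionIdRedirectStripFilter is hypothetical, and it is assumed that the filter is mapped ahead of whichever filter issues the login redirect, so that sendRedirect calls and Location headers pass through this wrapper.

```java
package web; // same package as the filter in the message; the class name is hypothetical

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SessionIdRedirectStripFilter implements Filter {
    // A ";jsessionid=<value>" path parameter in any letter case, up to the
    // next path, parameter, query or fragment delimiter.
    private static final Pattern SESSION_PARAM = Pattern.compile("(?i);jsessionid=[^;/?#]*");

    static String strip(String url) {
        return url == null ? null : SESSION_PARAM.matcher(url).replaceAll("");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public void sendRedirect(String location) throws IOException {
                super.sendRedirect(strip(location)); // URL may have been encoded further down the chain
            }
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, "Location".equalsIgnoreCase(name) ? strip(value) : value);
            }
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, "Location".equalsIgnoreCase(name) ? strip(value) : value);
            }
        };
        chain.doFilter(req, wrapped);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

With a constructed input, strip("/;JSESSIONID=abc123?x=1") returns "/?x=1". Links written directly into page bodies are not covered by this wrapper.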