Hi everyone,
My shiro.ini contains (partial)
[main]
authc.loginUrl = /authentication/login!input.action
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
codeLutinRealm = com.codelutin.CodeLutinRealm
# the reference must use the bean name defined just above ($codeLutinRealm, not $codeLutin)
securityManager.realms = $codeLutinRealm
[urls]
/authentication/login* = anon
/authentication/forgotten-password-* = anon
/authentication/registration* = anon
/css/** = anon
/data/** = anon
/font/** = anon
/img/** = anon
/js/** = anon
/struts/js/** = anon
/struts/themes/** = anon
/struts/bootstrap/** = anon
/** = authc
When I try to access /administration/admin.action, I'm redirected to
/authentication/login!input.action. Fine, that's what I expected.
I fill the login form (username and password field), submit and ... get
redirected to /authentication/login!input.action for not being logged in.
It took me 2 hours to understand why :-(
I use Struts, and by convention, /authentication/login!input.action shows
a form and the form submits to /authentication/login.action (in fact
/authentication/login!execute.action).
The documentation says:
"""
By default, the FormAuthenticationFilter will look for request
parameters named username, password and rememberMe.
"""
That's false (or partially true). FormAuthenticationFilter will look for
those request parameters ONLY IF the request is on the URL given in the
authc.loginUrl value.
I believed that the "authc.loginUrl" parameter defines the page where the
user is redirected when he lacks authentication and that
FormAuthenticationFilter looked for request parameters named username and
password in all requests by an unauthenticated user. I was wrong.
I was wrong because a single configuration parameter, "authc.loginUrl",
actually defines TWO things:
* the page where the user is redirected when he lacks authentication
* the request URL where the login request (with username and password
parameters) must be sent if you want FormAuthenticationFilter to try to
log in the user.
In my opinion, there should be two different configuration parameters:
* authc.loginFormUrl
* authc.loginSubmitUrl
They can be different.
Anyway, there is a big hole in the documentation about that.
--
Brendan Le Ny, Code Lutin
[email protected]
(+33) 02 40 50 29 28
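An added example, not taken from Brendan's message nor from Shiro's own code, showing one way to get the two URLs he asks for with Shiro's existing API: a FormAuthenticationFilter subclass that keeps loginUrl as the redirect page and accepts the credentials on a separate submit URL. The class name, package and the loginSubmitUrl property are assumed; isLoginRequest() and pathsMatch() are the real protected hooks of Shiro's AccessControlFilter and PathMatchingFilter.

```java
package com.codelutin.shiro; // assumed package, not from the original message

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

/**
 * FormAuthenticationFilter with separate "form page" and "submit" URLs.
 *
 * loginUrl (inherited) stays the page an unauthenticated user is redirected to;
 * loginSubmitUrl (assumed property name) is where the POST carrying the
 * username/password parameters is processed.
 *
 * Example shiro.ini wiring (paths are the ones from the message):
 *
 *   [main]
 *   authc = com.codelutin.shiro.SplitUrlFormAuthenticationFilter
 *   authc.loginUrl = /authentication/login!input.action
 *   authc.loginSubmitUrl = /authentication/login.action
 *   [urls]
 *   /authentication/login.action = authc
 *   /authentication/login* = anon
 *   /** = authc
 *
 * The submit URL must be mapped to authc (and listed before the broader
 * "login*" anon rule, since the first matching [urls] entry wins): a path
 * handled by anon never reaches this filter, so no login would be attempted.
 */
public class SplitUrlFormAuthenticationFilter extends FormAuthenticationFilter {

    private String loginSubmitUrl;

    public String getLoginSubmitUrl() {
        return loginSubmitUrl;
    }

    public void setLoginSubmitUrl(String loginSubmitUrl) {
        this.loginSubmitUrl = loginSubmitUrl;
    }

    /**
     * Shiro's onAccessDenied() only calls executeLogin() when isLoginRequest()
     * is true, which by default means "path matches loginUrl". Also accept the
     * submit URL, so a POST there is treated as a login submission. A GET to the
     * loginUrl page is still just let through to display the form.
     */
    @Override
    protected boolean isLoginRequest(ServletRequest request, ServletResponse response) {
        return super.isLoginRequest(request, response)
                || (loginSubmitUrl != null && pathsMatch(loginSubmitUrl, request));
    }
}
```

On a successful login the inherited onLoginSuccess() still redirects to the originally requested page (e.g. /administration/admin.action) via the saved request, so the rest of the flow is unchanged.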