Hi,
I am using the Jersey Framework and decided to use Shiro as the authentication
mechanism.
My problem is, I am able to generate a session id and authenticate the user
with the login url, but using the same session key for any other API call
always results in a 302 response. It's actually happening automatically
behind the scenes, and my API call is not even getting executed to perform
other stuff.
The logs even say that the session is found, but the API code never gets
executed. Also, doReadSession is getting called at least 11 times.
Here is my shiro.ini:
# =======================
# Shiro INI configuration
# =======================
[main]
#Defining authentication filter and realm
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
mongoRealm = com.company.core.usermanagement.MongoRealm
securityManager.realms = $mongoRealm
#Defining session DAO and session Manager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = com.company.core.usermanagement.MongoSessionDAO
sessionManager.sessionDAO = $sessionDAO
sessionManager.globalSessionTimeout = 10000
sessionManager.sessionValidationSchedulerEnabled = false
securityManager.sessionManager = $sessionManager
#Session cache manager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
authc.loginUrl = /api/userlogin
[urls]
/api/userlogin = authc
/api/** = noSessionCreation, authc
Here are my API calls and response:
*For Login:*
curl -i -X POST -H "Content-Type: application/json" -d '{"username":
"admin", "password": "password", "rememberMe": true}'
http://localhost:8080/securitysample/api/userlogin
*Response (Expected and Actual):*
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965;
Path=/securitysample; HttpOnly
Set-Cookie: rememberMe=deleteMe; Path=/atlantis-analytics; Max-Age=0;
Expires=Mon, 03-Apr-2017 07:50:21 GMT
Set-Cookie:
rememberMe=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;
Path=/securitysample; Max-Age=31536000; Expires=Wed, 04-Apr-2018 07:50:21
GMT; HttpOnly
Access-Control-Allow-Origin: *
Content-Type: */*
Content-Length: 18
Date: Tue, 04 Apr 2017 07:50:21 GMT
This is totally expected and I get a session id which is stored in my mongo
db as well. But a call to any other API always results in a 302 and the
actual api code never gets executed.
*Any other call:*
curl -i -X GET -H "Cookie: JSESSIONID=d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965"
http://localhost:8080/securitysample/api/projects?username=admin
*Response (Actual and not expected):*
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://localhost:8080/securitysample/api/userlogin
Content-Length: 0
Date: Tue, 04 Apr 2017 07:55:30 GMT
Here are the server logs upon calling any other API:
2017-04-04 13:25:30 DEBUG SimpleCookie:389 - Found 'JSESSIONID' cookie value
[d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965]
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 DEBUG MongoSessionDAO:30 - Update session
2017-04-04 13:25:30 INFO MongoSessionDAO:68 - doReadSession - Looking for
session id: d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 INFO MongoProvider:19 - In init() Method
2017-04-04 13:25:30 INFO MongoProvider:86 - In getCollection() Method
2017-04-04 13:25:30 INFO MongoSessionDAO:85 - Found session:
d2594305-e7e1-4bf6-a4ea-6ff2ee9c7965
2017-04-04 13:25:30 DEBUG MongoSessionDAO:30 - Update session
Can someone please tell me where I am making a mistake? I have spent a lot of time
reading the Shiro documentation and tried lots of other filters such as user,
anon, etc. None of them work. Please help.
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Login-successful-but-authenticated-call-to-any-other-api-results-in-302-response-tp7581569.html
Sent from the Shiro User mailing list archive at Nabble.com.
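One check worth running against the custom MongoSessionDAO from this post, as an added example that is not code from the post or from the Shiro project: Shiro rebuilds the Subject for each request from the PRINCIPALS_SESSION_KEY and AUTHENTICATED_SESSION_KEY attributes of the existing session, so a DAO that finds the session but does not persist those attributes leaves isAuthenticated() false and the authc filter redirects to loginUrl exactly as shown above. The realm name, the host string and the MemorySessionDAO stand-in are assumptions; substitute the MongoSessionDAO instance to test the real persistence path.

```java
import java.io.Serializable;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/**
 * Round-trip check for a Shiro SessionDAO (added example, not from the post).
 * Shiro resolves the Subject's principals and authenticated flag from two
 * session attributes; if the DAO drops them on write or read, the filter
 * sees an unauthenticated subject even though the session id was found.
 */
public class SessionDaoRoundTripCheck {

    /** Returns true when the session read back still carries an authenticated principal. */
    public static boolean survivesRoundTrip(SessionDAO dao, String realmName) {
        SimpleSession session = new SimpleSession("127.0.0.1"); // host is a constructed value

        // These are the attribute keys DefaultSubjectContext consults when it
        // resolves principals and authenticated state from an existing session.
        session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY,
                new SimplePrincipalCollection("admin", realmName));
        session.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);

        Serializable id = dao.create(session);   // persist through the DAO under test
        Session readBack = dao.readSession(id);  // same path the filter chain uses

        Object principals = readBack.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        Object authenticated = readBack.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);

        boolean ok = principals instanceof PrincipalCollection
                && !((PrincipalCollection) principals).isEmpty()
                && Boolean.TRUE.equals(authenticated);
        dao.delete(readBack); // clean up the probe session
        return ok;
    }

    public static void main(String[] args) {
        // MemorySessionDAO stands in here (assumption); replace it with the
        // MongoSessionDAO from the post to exercise its serialization.
        boolean ok = survivesRoundTrip(new MemorySessionDAO(), "mongoRealm");
        System.out.println(ok ? "session attributes survive the DAO round trip"
                              : "DAO drops the principals/authenticated attributes");
    }
}
```

If the check fails with the Mongo DAO, the 302 is explained by the session store rather than by the [urls] filter chain; if it passes, the next thing to confirm is that the login resource actually calls subject.login() so those attributes are written in the first place.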