I've added some debug logging to troubleshoot the session cookie: https://imgur.com/a/vaTZrxP
And this is Shiro's generated session ID: 1984c09f-ee77-461a-96f2-cb3d4cbac8eb

On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:

> According to this:
> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>
> Should I see a cookie for Shiro's session based upon my minimalist
> configuration? I only see a cookie for the JSESSIONID.
>
> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>
>> I've also tried:
>>
>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>> SecurityManager securityManager = factory.getInstance();
>> SecurityUtils.setSecurityManager(securityManager);
>>
>> and received this:
>>
>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>
>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>
>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the
>> listener initialized successfully:
>>
>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>
>> Does it matter if configuring both listener and filter in web.xml or via
>> a class implementing ServletContainerInitializer.onStartup()?
>>
>> Thanks,
>> Tommy
>>
>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>
>>> Yes. If I omit setting the SecurityManager in the code per the official
>>> guide/documentation, I get this exception:
>>>
>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>
>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>
>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>
>>>> Are you creating a new security manager for each request?
>>>>
>>>> I’m not sure how you are using this logic, but you should let Shiro do
>>>> all of this for you (via the ShiroFilter).
>>>>
>>>> -Brian
>>>>
>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>> >
>>>> > Hi Brian,
>>>> >
>>>> > Thanks for the prompt feedback. Here's the code I used to check for the
>>>> > session:
>>>> >
>>>> > https://pastebin.com/F5SMmLpq
>>>> >
>>>> > The shiro.ini is very basic and minimal:
>>>> >
>>>> > [main]
>>>> > [users]
>>>> > [roles]
>>>> > [urls]
>>>> > /** = anon
>>>> >
>>>> > Most of the content (99%) in shiro.ini are comments and examples as notes
>>>> > for future implementation of authentication and authorization.
>>>> >
>>>> > --
>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
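
Added example, not part of the thread and not the poster's or the Shiro project's own file: a web.xml that lets the ShiroFilter bind the SecurityManager and Subject for each request, as suggested above, so application filters can call SecurityUtils.getSubject() without building or setting a SecurityManager themselves. It assumes a Servlet 4.0 descriptor, shiro.ini left at /WEB-INF/shiro.ini, and that the application's own filters are entered through com.sointe.web.AppFilterLoader (the class name is taken from the stack traces; how it is actually registered is not shown in the thread).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumption: Servlet 4.0 descriptor; adjust the version to the container in use. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

    <!-- Creates the Shiro web environment (and its SecurityManager) once, at
         startup. /WEB-INF/shiro.ini is a default location, so no
         shiroConfigLocations context-param is needed here. -->
    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>

    <!-- Assumption: entry point of the application's own filter chain. -->
    <filter>
        <filter-name>AppFilterLoader</filter-name>
        <filter-class>com.sointe.web.AppFilterLoader</filter-class>
    </filter>

    <!-- Filter mappings are invoked in declaration order. ShiroFilter is mapped
         first so the Subject is already bound to the request thread when the
         application filters run. -->
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <filter-mapping>
        <filter-name>AppFilterLoader</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
```

In this default setup Shiro delegates session handling to the servlet container, so the container's JSESSIONID is the session cookie.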
