I'm not sure I'm following, Tommy. You have a few different messages, the one mentioning your shiro.ini

> when the shiro.ini is indeed in /WEB-INF/

implies that you have fixed the original issue? But I'm guessing you are still running into issues?

On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:

> I've added some debug logging to troubleshoot the session cookie:
>
> https://imgur.com/a/vaTZrxP
>
> And this is the Shiro's generated session ID:
> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>
> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>
>> According to this:
>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>
>> Should I see a cookie for Shiro's session based upon my minimalist
>> configuration? I only see cookie for the JSESSIONID.
>>
>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>
>>> I've also tried:
>>>
>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>> SecurityManager securityManager = factory.getInstance();
>>> SecurityUtils.setSecurityManager(securityManager);
>>>
>>> and received this:
>>>
>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>>
>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>
>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the
>>> listener initialized successfully:
>>>
>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>>
>>> Does it matter if configuring both listener and filter in web.xml or via
>>> a class implementing ServletContainerInitializer.onStartup()?
>>>
>>> Thanks,
>>> Tommy
>>>
>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>
>>>> Yes. If I omit setting the SecurityManager in the code per the official
>>>> guide/documentation, I get this exception:
>>>>
>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>
>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>
>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>
>>>>> Are you creating a new security manager for each request?
>>>>>
>>>>> I’m not sure how you are using this logic, but you should let Shiro do
>>>>> all of this for you (via the ShiroFilter).
>>>>>
>>>>> -Brian
>>>>>
>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>> >
>>>>> > Hi Brian,
>>>>> >
>>>>> > Thanks for the prompt feedback. Here's the code I used to check for the
>>>>> > session:
>>>>> >
>>>>> > https://pastebin.com/F5SMmLpq
>>>>> >
>>>>> > The shiro.ini is very basic and minimal:
>>>>> >
>>>>> > [main]
>>>>> > [users]
>>>>> > [roles]
>>>>> > [urls]
>>>>> > /** = anon
>>>>> >
>>>>> > Most of the content (99%) in shiro.ini are comments and examples as notes
>>>>> > for future implementation of authentication and authorization.
>>>>> >
>>>>> > --
>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
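
For reference, an added example (not code from this thread or from the Shiro project) of a downstream servlet filter that reads the Subject which `ShiroFilter` binds to the request thread, rather than building a `SecurityManager` on each request. It assumes the `javax.servlet` API, that `EnvironmentLoaderListener` and `ShiroFilter` are registered with `ShiroFilter` mapped ahead of this filter, and the class name `SessionCheckFilter` and the request attribute names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.UnavailableSecurityManagerException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

// Hypothetical application filter; it must be mapped AFTER ShiroFilter in the chain.
public class SessionCheckFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to build here: EnvironmentLoaderListener loads shiro.ini once at
        // startup. A "classpath:" path resolves against /WEB-INF/classes and the jars
        // in /WEB-INF/lib, so a file at /WEB-INF/shiro.ini is not found through it.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final Subject subject;
        try {
            // ShiroFilter binds the SecurityManager and Subject to this thread per request.
            subject = SecurityUtils.getSubject();
        } catch (UnavailableSecurityManagerException e) {
            // Fail closed: reaching here means ShiroFilter did not run before this filter.
            throw new ServletException("ShiroFilter must precede SessionCheckFilter", e);
        }
        // getSession(false) returns null instead of creating a session as a side effect.
        Session session = subject.getSession(false);
        req.setAttribute("shiroSessionId", session == null ? null : session.getId());
        req.setAttribute("shiroAuthenticated", subject.isAuthenticated());
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
```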
