No, I am not setting it beforehand in my code. I just checked. (Sorry, I did this so long ago. I barely remember the details.)
I believe it is being set using my shiro.ini file.

[main]
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
DBRealm = com.example.webapp.security.shiro.database.ShiroDatabaseRealm
FacebookRealm = com.example.webapp.security.shiro.facebook.ShiroFacebookRealm
FBCredentialMatcher = com.example.webapp.security.shiro.facebook.FacebookCredentialsMatcher
FacebookRealm.credentialsMatcher = $FBCredentialMatcher
securityManager.realms = $DBRealm, $FacebookRealm

On Mon, Mar 2, 2020 at 2:43 PM Tommy Pham <[email protected]> wrote:

> Hi Anas,
>
> Thanks for the feedback. Did you set a SecurityManager via
> SecurityUtils? If you didn't, then I don't think the code you've provided
> would work for me. From my own troubleshooting, the
> SecurityUtils.getSecurityManager() failed when I don't set it beforehand.
>
> Thanks,
> Tommy
>
> On Mon, Mar 2, 2020 at 8:39 AM Anas Mughal <[email protected]> wrote:
>
>> I ran into a similar issue when I initially set up Shiro in my web
>> application. Every request was having a different session and I could not
>> track the logged-in user.
>>
>> I added the following code to my generic before handler:
>>
>> before(( request, response ) -> {
>>     org.apache.shiro.mgt.SecurityManager sm = SecurityUtils.getSecurityManager();
>>     final Subject currentUser = new WebSubject.Builder( sm, request.raw(), response.raw() ).buildSubject();
>>     ThreadContext.bind(currentUser);
>> });
>>
>> I am using SparkJava (http://sparkjava.com/) and this has worked well
>> for me.
>>
>> I hope this helps you.
>>
>> --
>> Anas Mughal
>>
>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
>>
>>> I'm not sure I'm following Tommy. You have a few different messages,
>>> the one mentioning your shiro.ini
>>>
>>> > when the shiro.ini is indeed in /WEB-INF/
>>>
>>> implies that you have fixed the original issue? But I'm guessing you are
>>> still running into issues?
>>>
>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>>>
>>>> I've added some debug logging to troubleshoot the session cookie:
>>>>
>>>> https://imgur.com/a/vaTZrxP
>>>>
>>>> And this is Shiro's generated session ID:
>>>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>>>
>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>>>
>>>>> According to this:
>>>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>>>
>>>>> Should I see a cookie for Shiro's session based upon my minimalist
>>>>> configuration? I only see a cookie for the JSESSIONID.
>>>>>
>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>>>
>>>>>> I've also tried:
>>>>>>
>>>>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>>>> SecurityManager securityManager = factory.getInstance();
>>>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>>>
>>>>>> and received this:
>>>>>>
>>>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>>>>>
>>>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>
>>>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the
>>>>>> listener initialized successfully:
>>>>>>
>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>>>>>
>>>>>> Does it matter if configuring both listener and filter in web.xml or
>>>>>> via a class implementing ServletContainerInitializer.onStartup()?
>>>>>>
>>>>>> Thanks,
>>>>>> Tommy
>>>>>>
>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>>>
>>>>>>> Yes. If I omit setting the SecurityManager in the code per the
>>>>>>> official guide/documentation, I get this exception:
>>>>>>>
>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>>>>
>>>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>
>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>>>>
>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>
>>>>>>>> I’m not sure how you are using this logic, but you should let Shiro
>>>>>>>> do all of this for you (via the ShiroFilter).
>>>>>>>>
>>>>>>>> -Brian
>>>>>>>>
>>>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>>>> >
>>>>>>>> > Hi Brian,
>>>>>>>> >
>>>>>>>> > Thanks for the prompt feedback. Here's the code I used to check for the
>>>>>>>> > session:
>>>>>>>> >
>>>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>>>> >
>>>>>>>> > The shiro.ini is very basic and minimal:
>>>>>>>> >
>>>>>>>> > [main]
>>>>>>>> > [users]
>>>>>>>> > [roles]
>>>>>>>> > [urls]
>>>>>>>> > /** = anon
>>>>>>>> >
>>>>>>>> > Most of the content (99%) in shiro.ini are comments and examples as notes
>>>>>>>> > for future implementation of authentication and authorization.
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/

--
Anas Mughal
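
Added example, not part of the thread and not code from the Shiro project: a servlet filter that reuses the one SecurityManager built by EnvironmentLoaderListener from /WEB-INF/shiro.ini instead of constructing a manager per request, and that unbinds the Subject afterwards so a pooled container thread does not carry one user's identity into another request. It assumes Shiro 1.x on the javax.servlet API with the listener registered; the class name SharedManagerFilter is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.mgt.WebSecurityManager;
import org.apache.shiro.web.subject.WebSubject;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical filter name; register it after Shiro's EnvironmentLoaderListener.
public class SharedManagerFilter implements Filter {

    // One manager for the whole webapp: its session store is what lets a
    // session created in one request be found again in the next.
    private WebSecurityManager securityManager;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Reads the WebEnvironment the listener stored in the ServletContext.
        // Throws IllegalStateException if the listener never initialized, which
        // fails deployment early instead of failing on the first request.
        securityManager = WebUtils
                .getRequiredWebEnvironment(config.getServletContext())
                .getWebSecurityManager();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Build the Subject from this request's session cookie against the
        // shared manager, then make SecurityUtils.getSubject() return it.
        Subject subject = new WebSubject.Builder(securityManager, request, response).buildSubject();
        ThreadContext.bind(subject);
        try {
            chain.doFilter(request, response);
        } finally {
            // Container threads are pooled: clear the binding so the next
            // request served by this thread cannot inherit this Subject.
            ThreadContext.remove();
        }
    }

    @Override
    public void destroy() {
        // Nothing to release; the listener owns the environment's lifecycle.
    }
}
```

Shiro's own ShiroFilter, which Brian recommends in the thread, obtains the manager from the same WebEnvironment and performs this binding itself, so a custom filter like this is only needed when ShiroFilter cannot be placed in the chain.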
