To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.
On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote: > Hi Brian, > > I'm still having issues getting a valid session when specifying > SecurityManager via SecurityUtils. If I omit that, I get exceptions. > After some more troubleshooting, I've added some fake test accounts from > the official tutorial and set TRACE log level to org.apache.shiro. Below > is the log: > > 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] > org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any > specified config locations. > 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] > org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI > instance or config locations specified. Trying default config locations. > 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] > org.apache.shiro.config.Ini.load:401 - Parsing [main] > 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] > org.apache.shiro.config.Ini.load:401 - Parsing [users] > 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: root = secret, admin > 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: guest = guest, guest > 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: presidentskroob = 12345, president > 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz > 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: lonestarr = vespa, goodguy, schwartz > 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] > org.apache.shiro.config.Ini.load:401 - Parsing [roles] > 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: admin = * > 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: schwartz = lightsaber:* > 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: goodguy = winnebago:drive:eagle5 > 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] > org.apache.shiro.config.Ini.load:401 - Parsing [urls] > 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered > key/value pair: /** = anon > 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] > org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered > non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for > configuration. > 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] > org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating > instance from Ini [sections=users,roles,urls] > 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] > org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or > empty. Defaulting to the default section (name = "") > 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] > org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - > Adding login url to applied paths. > 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] > org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered > the [roles] section. Processing... > 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] > org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered > the [users] section. Processing... > 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] > org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating > instance from Ini [sections=users,roles,urls] > 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] > org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - > Adding login url to applied paths. > 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] > org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 > - Before url processing. > 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] > org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - > Creating chain [/**] from String definition [anon] > 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] > org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 > - Attempting to apply path [/**] to filter [anon] with config [null] > 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] > org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published > WebEnvironment as ServletContext attribute with name > [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY] > 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] > org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro > environment initialized in 352 ms. > 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] > org.apache.catalina.startup.HostConfig.deployWAR Deployment of web > application archive [D:\apache-tomcat\webapps\erm.war] has finished in > [9,120] ms > 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] > com.domain.security.FilterSecurity.doFilter:147 - >> > ThreadContext.getResources(): true 0 > 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] > org.apache.shiro.util.ThreadContext.get:126 - get() - in thread > [http-nio-8080-exec-181] > 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] > org.apache.shiro.util.ThreadContext.get:126 - get() - in thread > [http-nio-8080-exec-181] > > It seems that the resources is empty when i don't set the SecurityManager > in SecurityUtils. Thus, from what I could tell from the code, the > SecurityUtils.getSecurityManager() would fail since the resources map is > empty and the cascade failure of getting a session. I haven't been able to > track down how the resources in ThreadContext is set yet :( > > Thanks, > Tommy > > > On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> > wrote: > >> I'm not sure I'm following Tommy. You have a few different messages, the >> one mentioning your shiro.ini >> >> > when the shiro.ini is indeed in /WEB-INF/ >> >> implies that you have fixed the original issue? by i'm guessing you are >> still running into issues? >> >> >> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote: >> >>> I've added some debug logging to troubleshoot the session cookie: >>> >>> https://imgur.com/a/vaTZrxP >>> >>> And this is the Shiro's generated session ID: >>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb >>> >>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote: >>> >>>> According this: >>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration >>>> >>>> Should I see a cookie for Shiro's session based upon my minimalist >>>> configuration? I only see cookie for the JSESSIONID. >>>> >>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote: >>>> >>>>> I've also tried: >>>>> >>>>> Factory<SecurityManager> factory = new >>>>> IniSecurityManagerFactory("classpath:shiro.ini"); >>>>> SecurityManager securityManager = factory.getInstance(); >>>>> SecurityUtils.setSecurityManager(securityManager); >>>>> >>>>> and received this: >>>>> >>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: >>>>> Resource [classpath:shiro.ini] could not be found. >>>>> >>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250) >>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233) >>>>> >>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73) >>>>> >>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225) >>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153) >>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66) >>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45) >>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66) >>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146) >>>>> >>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) >>>>> >>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the >>>>> listener initialized successfully: >>>>> >>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] >>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting >>>>> Shiro environment initialization. >>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] >>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro >>>>> environment initialized in 282 ms. >>>>> >>>>> Does it matter if configuring both listener and filter in web.xml or >>>>> via a class implementing ServletContainerInitializer.onStartup()? >>>>> >>>>> Thanks, >>>>> Tommy >>>>> >>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote: >>>>> >>>>>> Yes. If I omit setting the SecurityManager in the code per the >>>>>> official guide/documentation, I get this exception: >>>>>> >>>>>> org.apache.shiro.UnavailableSecurityManagerException: No >>>>>> SecurityManager accessible to the calling code, either bound to the >>>>>> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is >>>>>> an invalid application configuration. >>>>>> >>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) >>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626) >>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56) >>>>>> >>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225) >>>>>> >>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149) >>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66) >>>>>> >>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45) >>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66) >>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146) >>>>>> >>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) >>>>>> >>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> Are you creating a new security manager for each request? >>>>>>> >>>>>>> >>>>>>> I’m not sure how you are using this logic, but you should let Shiro >>>>>>> do all of this for you (via the ShiroFilter). >>>>>>> >>>>>>> -Brian >>>>>>> >>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote: >>>>>>> > >>>>>>> > Hi Brian, >>>>>>> > >>>>>>> > Thanks for the prompt feedback. Here's the code I used to check >>>>>>> for the >>>>>>> > session: >>>>>>> > >>>>>>> > https://pastebin.com/F5SMmLpq >>>>>>> > >>>>>>> > The shiro.ini is very basic and minimal: >>>>>>> > >>>>>>> > [main] >>>>>>> > [users] >>>>>>> > [roles] >>>>>>> > [urls] >>>>>>> > /** = anon >>>>>>> > >>>>>>> > Most of the content (99%) in shiro.ini are comments and examples >>>>>>> as notes >>>>>>> > for future implementation of authentication and authorization. >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > -- >>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/ >>>>>>> >>>>>>
