Hi Alessio,

I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). Loading the filter(s) this way does not guarantee ordering, as far as I can tell from my testing of the various approaches (web.xml, annotations, and, preferably, programmatically). I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:
-----------------------------
.onStartup:303 - -------- Filter Registrations ------------------------------
.lambda$onStartup$12:307 - Filter name: log4jServletFilter
.lambda$onStartup$12:308 - Registered class: org.apache.logging.log4j.web.Log4jServletFilter
.lambda$onStartup$12:316 - URL pattern mapping(s):
.lambda$onStartup$10:317 - /*
.lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
.lambda$onStartup$12:308 - Registered class: org.apache.tomcat.websocket.server.WsFilter
.lambda$onStartup$12:316 - URL pattern mapping(s):
.lambda$onStartup$10:317 - /*
.lambda$onStartup$12:307 - Filter name: AppFilterLoader
.lambda$onStartup$12:308 - Registered class: com.domain.web.AppFilterLoader
.lambda$onStartup$12:316 - URL pattern mapping(s):
.lambda$onStartup$10:317 - /*
.lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
.lambda$onStartup$12:308 - Registered class: com.domain.web.FilterDefaultJsp
.lambda$onStartup$12:311 - Servlet mapping(s):
.lambda$onStartup$9:312 - default
.lambda$onStartup$9:312 - jsp
.lambda$onStartup$12:307 - Filter name: TestFilterSecure
.lambda$onStartup$12:308 - Registered class: com.domain.web.TestFilterSecure
.lambda$onStartup$12:316 - URL pattern mapping(s):
.lambda$onStartup$10:317 - /secure/*
.lambda$onStartup$12:307 - Filter name: ShiroFilter
.lambda$onStartup$12:308 - Registered class: org.apache.shiro.web.servlet.ShiroFilter
.lambda$onStartup$12:316 - URL pattern mapping(s):
.lambda$onStartup$10:317 - /*
.onStartup:325 - ------------------------------------------------------------
-----------------------------------------------------------

I've tried loading the Shiro Filter via my custom loader, but it failed because of an invalid FilterChain type. Oddly enough, if I have the Shiro Filter loaded first, it works fine. I need to further test why this is and whether it's consistent across web container restarts.
I was hoping to have the filters execute in this order: logging -> security (block request or start Shiro session) -> other filters -> mapped servlet, since I don't want to waste system resources starting a session when the request is blocked. But as long as I can get Shiro working, I can work with it for now.

Thanks,
Tommy

On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[email protected]> wrote:

> To me, it looks like the Shiro Filter is not installed or your own filter
> runs before it has a chance to associate Shiro objects with the thread.
>
> On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote:
>
>> Hi Brian,
>>
>> I'm still having issues getting a valid session when specifying
>> SecurityManager via SecurityUtils. If I omit that, I get exceptions.
>> After some more troubleshooting, I've added some fake test accounts from
>> the official tutorial and set TRACE log level to org.apache.shiro. Below
>> is the log:
>>
>> 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
>> 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified. Trying default config locations.
>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
>>
>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for configuration.
>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty. Defaulting to the default section (name = "")
>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section. Processing...
>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section. Processing...
>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
>> 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 -
>>
>> ThreadContext.getResources(): true 0
>> 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>> 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>
>> It seems that the resources are empty when I don't set the SecurityManager
>> in SecurityUtils. Thus, from what I could tell from the code,
>> SecurityUtils.getSecurityManager() would fail since the resources map is
>> empty, hence the cascading failure of getting a session.
>> I haven't been able to track down how the resources in ThreadContext are set yet :(
>>
>> Thanks,
>> Tommy
>>
>>
>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
>>
>>> I'm not sure I'm following, Tommy. You have a few different messages;
>>> the one mentioning your shiro.ini
>>>
>>> > when the shiro.ini is indeed in /WEB-INF/
>>>
>>> implies that you have fixed the original issue? But I'm guessing you are
>>> still running into issues?
>>>
>>>
>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>>>
>>>> I've added some debug logging to troubleshoot the session cookie:
>>>>
>>>> https://imgur.com/a/vaTZrxP
>>>>
>>>> And this is Shiro's generated session ID:
>>>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>>>
>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>>>
>>>>> According to this:
>>>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>>>
>>>>> Should I see a cookie for Shiro's session based upon my minimalist
>>>>> configuration? I only see a cookie for the JSESSIONID.
>>>>>
>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>>>
>>>>>> I've also tried:
>>>>>>
>>>>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>>>> SecurityManager securityManager = factory.getInstance();
>>>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>>>
>>>>>> and received this:
>>>>>>
>>>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>>>>>
>>>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>
>>>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the
>>>>>> listener initialized successfully:
>>>>>>
>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>>>>>
>>>>>> Does it matter whether I configure both the listener and the filter in
>>>>>> web.xml or via a class implementing ServletContainerInitializer.onStartup()?
>>>>>>
>>>>>> Thanks,
>>>>>> Tommy
>>>>>>
>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>>>
>>>>>>> Yes. If I omit setting the SecurityManager in the code per the
>>>>>>> official guide/documentation, I get this exception:
>>>>>>>
>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>>>>
>>>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>
>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>>>>
>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>
>>>>>>>> I'm not sure how you are using this logic, but you should let Shiro
>>>>>>>> do all of this for you (via the ShiroFilter).
>>>>>>>>
>>>>>>>> -Brian
>>>>>>>>
>>>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>>>> >
>>>>>>>> > Hi Brian,
>>>>>>>> >
>>>>>>>> > Thanks for the prompt feedback. Here's the code I used to check for the
>>>>>>>> > session:
>>>>>>>> >
>>>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>>>> >
>>>>>>>> > The shiro.ini is very basic and minimal:
>>>>>>>> >
>>>>>>>> > [main]
>>>>>>>> > [users]
>>>>>>>> > [roles]
>>>>>>>> > [urls]
>>>>>>>> > /** = anon
>>>>>>>> >
>>>>>>>> > Most of the content (99%) in shiro.ini is comments and examples as notes
>>>>>>>> > for future implementation of authentication and authorization.
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
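An added example for the ordering problem discussed in this thread (it is not code from the thread, from Tommy, or from the Shiro project): one ServletContainerInitializer registers ShiroFilter and an application filter through the FilterRegistration API so that the application filter is guaranteed to run after ShiroFilter, and the application filter checks for an existing Shiro session without creating one. Assumptions: the package com.example.web and the class names OrderedFilterInitializer and SessionGateFilter are hypothetical; the initializer is listed in META-INF/services/javax.servlet.ServletContainerInitializer; the container exposes the javax.servlet API (Tomcat 8.5/9) with shiro-web on the classpath and the configuration at /WEB-INF/shiro.ini; the log4j filter is left to log4j-web's own initializer, which in the registration dump above already appears first. The two public classes go in two files, as marked.

```java
// ---- OrderedFilterInitializer.java (hypothetical name; added example, not from the thread) ----
package com.example.web;

import java.util.EnumSet;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

/** Discovered via META-INF/services/javax.servlet.ServletContainerInitializer (assumed). */
public class OrderedFilterInitializer implements ServletContainerInitializer {

    private static final EnumSet<DispatcherType> ALL_DISPATCHES = EnumSet.allOf(DispatcherType.class);

    @Override
    public void onStartup(Set<Class<?>> handled, ServletContext ctx) throws ServletException {
        // Builds the WebEnvironment (by default from /WEB-INF/shiro.ini) and publishes it
        // as a ServletContext attribute; ShiroFilter.init() looks it up there.
        ctx.addListener(EnvironmentLoaderListener.class);

        // Programmatic mappings are matched in the order they are added, and
        // isMatchAfter=false places them ahead of anything declared in web.xml or by
        // @WebFilter, so ShiroFilter runs before SessionGateFilter on /secure/*.
        register(ctx, "ShiroFilter", ShiroFilter.class, "/*");
        register(ctx, "SessionGate", SessionGateFilter.class, "/secure/*");
    }

    private static void register(ServletContext ctx, String name,
                                 Class<? extends Filter> type, String pattern) throws ServletException {
        FilterRegistration.Dynamic reg = ctx.addFilter(name, type);
        if (reg == null) {
            // addFilter returns null when a filter with this name is already fully
            // registered (web.xml or another initializer). Fail loudly rather than
            // run with an order this class did not choose.
            throw new ServletException("filter '" + name + "' was already registered elsewhere");
        }
        reg.addMappingForUrlPatterns(ALL_DISPATCHES, false, pattern);
    }
}

// ---- SessionGateFilter.java (hypothetical name; same package) ----
package com.example.web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/**
 * Runs after ShiroFilter, so the SecurityManager and Subject are already bound to
 * the request thread. Rejects requests that carry no Shiro session without
 * creating one for them.
 */
public class SessionGateFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Throws UnavailableSecurityManagerException if this filter is ever ordered
        // before ShiroFilter, because nothing has bound a SecurityManager to the thread.
        Subject subject = SecurityUtils.getSubject();

        // getSession(false) only inspects; the no-argument getSession() would create a
        // session for a request this filter may be about to reject.
        Session existing = subject.getSession(false);
        if (existing == null && !subject.isAuthenticated()) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The FilterRegistration javadoc states that filter mappings are matched in the order in which they were added, and that isMatchAfter=false places the mapping before any mappings declared in the deployment descriptor or by annotation, so the relative order of these two filters is fixed by this one class rather than by which initializer the container happens to invoke first. SecurityUtils.getSubject() works in SessionGateFilter only because ShiroFilter, earlier in the chain, has bound the SecurityManager and Subject to the thread; the same call from a filter that runs before ShiroFilter produces the UnavailableSecurityManagerException quoted in the thread. Subject.getSession(false) is what addresses the resource concern: ShiroFilter itself binds a Subject but does not create a session, and a session is only created by getSession()/getSession(true) or a login, so a rejected request never allocates one.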
