Hi,

Yes, it's better to have the ShiroFilter as the first Filter in the chain.

Regards,
François
[email protected]

On 03/03/2020 at 01:49, Tommy Pham wrote:
> Hi Alessio,
>
> I'm loading the Shiro Filter via FilterRegistration in a class implementing
> ServletContainerInitializer.onStartup(). Loading the filter(s) this way does
> not guarantee ordering as loaded, from my testing of various approaches
> (web.xml, annotations, and, preferably, programmatically). I have my own
> filter loader and filter chain that guarantees the order for my filters,
> which are not visible in the FilterRegistration:
>
> -----------------------------
> .onStartup:303 - -------- Filter Registrations ------------------------------
> .lambda$onStartup$12:307 - Filter name: log4jServletFilter
> .lambda$onStartup$12:308 - Registered class: org.apache.logging.log4j.web.Log4jServletFilter
> .lambda$onStartup$12:316 - URL pattern mapping(s):
> .lambda$onStartup$10:317 - /*
> .lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
> .lambda$onStartup$12:308 - Registered class: org.apache.tomcat.websocket.server.WsFilter
> .lambda$onStartup$12:316 - URL pattern mapping(s):
> .lambda$onStartup$10:317 - /*
> .lambda$onStartup$12:307 - Filter name: AppFilterLoader
> .lambda$onStartup$12:308 - Registered class: com.domain.web.AppFilterLoader
> .lambda$onStartup$12:316 - URL pattern mapping(s):
> .lambda$onStartup$10:317 - /*
> .lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
> .lambda$onStartup$12:308 - Registered class: com.domain.web.FilterDefaultJsp
> .lambda$onStartup$12:311 - Servlet mapping(s):
> .lambda$onStartup$9:312 - default
> .lambda$onStartup$9:312 - jsp
> .lambda$onStartup$12:307 - Filter name: TestFilterSecure
> .lambda$onStartup$12:308 - Registered class: com.domain.web.TestFilterSecure
> .lambda$onStartup$12:316 - URL pattern mapping(s):
> .lambda$onStartup$10:317 - /secure/*
> .lambda$onStartup$12:307 - Filter name: ShiroFilter
> .lambda$onStartup$12:308 - Registered class: org.apache.shiro.web.servlet.ShiroFilter
> .lambda$onStartup$12:316 - URL pattern mapping(s):
> .lambda$onStartup$10:317 - /*
> .onStartup:325 - -----------------------------------------------------------------------
>
> I've tried loading the Shiro Filter via my custom loader but it failed
> because of an invalid FilterChain type. Oddly enough, if I have the Shiro
> Filter loaded first, it works fine. I need to further test why this is and
> if it's consistent across web container restarts. I was hoping to have
> Filters executing in this order:
>
> logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.
>
> since I don't have the desire to waste system resources to start a session
> when the request is blocked. But as long as I can get Shiro working, I can
> work with it for now.
>
> Thanks,
> Tommy
>
> On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[email protected]> wrote:
>> To me, it looks like the Shiro Filter is not installed or your own filter
>> runs before it has a chance to associate Shiro objects with the thread.
>>
>> On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote:
>>> Hi Brian,
>>>
>>> I'm still having issues getting a valid session when specifying
>>> SecurityManager via SecurityUtils. If I omit that, I get exceptions. After
>>> some more troubleshooting, I've added some fake test accounts from the
>>> official tutorial and set TRACE log level to org.apache.shiro. Below is
>>> the log:
>>>
>>> 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
>>> 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified. Trying default config locations.
>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
>>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for configuration.
>>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty. Defaulting to the default section (name = "")
>>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section. Processing...
>>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section. Processing...
>>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
>>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
>>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
>>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
>>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
>>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
>>> 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
>>> 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>> 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>
>>> It seems that the resources are empty when I don't set the SecurityManager
>>> in SecurityUtils. Thus, from what I could tell from the code,
>>> SecurityUtils.getSecurityManager() would fail since the resources map is
>>> empty, with the cascading failure of getting a session. I haven't been
>>> able to track down how the resources in ThreadContext are set yet :(
>>>
>>> Thanks,
>>> Tommy
>>>
>>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
>>>> I'm not sure I'm following Tommy. You have a few different messages, the
>>>> one mentioning your shiro.ini
>>>>
>>>>> when the shiro.ini is indeed in /WEB-INF/
>>>>
>>>> implies that you have fixed the original issue? But I'm guessing you are
>>>> still running into issues?
>>>>
>>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>>>>> I've added some debug logging to troubleshoot the session cookie:
>>>>>
>>>>> https://imgur.com/a/vaTZrxP
>>>>>
>>>>> And this is Shiro's generated session ID:
>>>>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>>>>
>>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>>>>> According to this:
>>>>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>>>>
>>>>>> Should I see a cookie for Shiro's session based upon my minimalist
>>>>>> configuration? I only see a cookie for the JSESSIONID.
>>>>>>
>>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>>>>> I've also tried:
>>>>>>>
>>>>>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>>>>> SecurityManager securityManager = factory.getInstance();
>>>>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>>>>
>>>>>>> and received this:
>>>>>>>
>>>>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>>>>>>     org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>>>>>     org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>>>>     org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>>>>     com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>     com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>>>>>     com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>     com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>     com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>     com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>     org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>
>>>>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the
>>>>>>> listener initialized successfully:
>>>>>>>
>>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>>>>>>
>>>>>>> Does it matter whether I configure both the listener and the filter in
>>>>>>> web.xml or via a class implementing
>>>>>>> ServletContainerInitializer.onStartup()?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Tommy
>>>>>>>
>>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>>>>> Yes. If I omit setting the SecurityManager in the code per the
>>>>>>>> official guide/documentation, I get this exception:
>>>>>>>>
>>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>>>>>     org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>>>     org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>>>     org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>>>     com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>     com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>>>     com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>     com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>     com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>     com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>     org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>
>>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>>
>>>>>>>>> I'm not sure how you are using this logic, but you should let Shiro
>>>>>>>>> do all of this for you (via the ShiroFilter).
>>>>>>>>>
>>>>>>>>> -Brian
>>>>>>>>>
>>>>>>>>>> On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Brian,
>>>>>>>>>>
>>>>>>>>>> Thanks for the prompt feedback. Here's the code I used to check for
>>>>>>>>>> the session:
>>>>>>>>>>
>>>>>>>>>> https://pastebin.com/F5SMmLpq
>>>>>>>>>>
>>>>>>>>>> The shiro.ini is very basic and minimal:
>>>>>>>>>>
>>>>>>>>>> [main]
>>>>>>>>>> [users]
>>>>>>>>>> [roles]
>>>>>>>>>> [urls]
>>>>>>>>>> /** = anon
>>>>>>>>>>
>>>>>>>>>> Most of the content (99%) in shiro.ini is comments and examples as
>>>>>>>>>> notes for future implementation of authentication and authorization.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Sent from: http://shiro-user.582556.n2.nabble.com/
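The thread's two recurring problems (ShiroFilter registered last via FilterRegistration, and a custom filter building its own IniSecurityManagerFactory per request and then hitting UnavailableSecurityManagerException) both come down to ordering: the SecurityManager is created once by EnvironmentLoaderListener, and ShiroFilter binds it to the request thread, so any filter that calls SecurityUtils.getSubject() must run after ShiroFilter. The following ServletContainerInitializer is an added example written for this editing pass, not code from the thread or from the Shiro project. It assumes the Servlet 3.0+ javax.servlet API and shiro-web on the classpath; the class names ShiroFirstInitializer and AuditFilter and the package com.example.web are made up here.

```java
// Added example: register Shiro's listener, place ShiroFilter at the front of
// the chain with isMatchAfter=false, and show a downstream filter that relies
// on the Subject already being bound. Package and class names are hypothetical.
package com.example.web;

import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

public class ShiroFirstInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
        // The listener builds the WebEnvironment and its SecurityManager once at
        // startup. /WEB-INF/shiro.ini is Shiro's default location (the thread's
        // log shows it being discovered there); setting it explicitly documents it.
        ctx.setInitParameter("shiroConfigLocations", "/WEB-INF/shiro.ini");
        ctx.addListener(EnvironmentLoaderListener.class);

        // isMatchAfter=false (Servlet 3.0 FilterRegistration API) puts this
        // mapping BEFORE every mapping declared in web.xml. Among mappings added
        // this way, Tomcat keeps registration order, so register ShiroFilter
        // before any other programmatically added filter that needs a Subject.
        FilterRegistration.Dynamic shiro = ctx.addFilter("ShiroFilter", ShiroFilter.class);
        shiro.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD,
                           DispatcherType.INCLUDE, DispatcherType.ERROR),
                false, "/*");

        // A filter that must run after ShiroFilter: isMatchAfter=true keeps it
        // behind the declared mappings, and it was registered later anyway.
        FilterRegistration.Dynamic audit = ctx.addFilter("AuditFilter", AuditFilter.class);
        audit.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/secure/*");
    }

    /** Hypothetical downstream filter; it never creates a SecurityManager itself. */
    public static class AuditFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // Safe only because ShiroFilter already bound the Subject to this
            // thread. Run before ShiroFilter, this call throws the
            // UnavailableSecurityManagerException quoted in the thread.
            Subject subject = SecurityUtils.getSubject();
            if (!subject.isAuthenticated()) {
                // Reject here, before later filters or the servlet spend resources.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            chain.doFilter(req, res);
        }
    }
}
```

The container discovers the initializer through a `META-INF/services/javax.servlet.ServletContainerInitializer` file in the web application's jar that names the class. With the thread's `/** = anon` in `[urls]`, ShiroFilter still binds the Subject to the thread but blocks nothing, so the 401 above is the only gate; the same blocking can be pushed into Shiro itself by mapping `/secure/** = authc` in `shiro.ini`, which is Brian's suggestion of letting the ShiroFilter do the work.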
