Can you put together a minimal example app that shows the problem you are having and stick it on GitHub (or similar)?
-Brian

> On Mar 3, 2020, at 4:29 AM, Tommy Pham <[email protected]> wrote:
>
> Hi Brian,
>
> I apologize for the confusion. Previously, I had to set the SecurityManager via SecurityUtils because of the exception. Now I don't need to. When I last sent the email, the Shiro session was working fine w/o setting the SecurityManager and the session ID didn't change on subsequent page reloads. After a system restart, unfortunately, I now have the session ID changing again w/o setting the SecurityManager. As for Filter execution order, it's working how I'd like to per the logs even though the Shiro Filter is loaded first in the FilterRegistration:
>
> https://pastebin.com/ZD5Sx1i3
>
> My security filter started a valid session and my mapped servlet eventually retrieves that session w/o creation, as seen in the above logs. However, subsequent page reloads now generate a different ID :(... I did have a look at Shiro's FilterChain definitions:
>
> https://shiro.apache.org/web.html#Web-FilterChainDefinitions
>
> From the looks of it, it doesn't have the flexibility of mapping to URLs and/or Servlets with different DispatcherTypes at load time like how I'd be able to via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). My custom filter loader and filter chain allow that flexibility at load time while guaranteeing the load order. Currently, all of my filters have only the necessary code to verify application (non-blocking) flow as desired. None of them have behind-the-scenes mechanisms yet.
>
> Also, I'm setting some preferred default values on SessionCookieConfig before loading the listeners. Would that interfere with Shiro's session/cookie management?
>
> This is the load order in the ServletContainerInitializer.onStartup():
> Set SessionCookieConfig preferred default values
> Load listeners
> Map static files path (CSS, JS, images) to the default servlet
> Load the servlets
> Load the Shiro Filter first
> Load other filters
> Configure Thymeleaf
>
> Thanks,
> Tommy
>
>> On Mon, Mar 2, 2020 at 5:52 PM Brian Demers <[email protected]> wrote:
>> Let’s take a step back, what are you trying to do with the SecurityManager? Sorry but I still feel like this thread is bouncing between two options. (This could just be me though.) Let’s just consider the “working” Shiro.ini for now.
>>
>> Is the ShiroFilter getting processed before your code?
>>
>> -Brian
>>
>>> On Mar 2, 2020, at 7:50 PM, Tommy Pham <[email protected]> wrote:
>>>
>>> Hi Alessio,
>>>
>>> I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). Loading the filter(s) this way does not guarantee ordering, as observed in my testing of various approaches (web.xml, annotations, and, preferably, programmatically).
>>> I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:
>>>
>>> -----------------------------
>>> .onStartup:303 - -------- Filter Registrations ------------------------------
>>> .lambda$onStartup$12:307 - Filter name: log4jServletFilter
>>> .lambda$onStartup$12:308 - Registered class: org.apache.logging.log4j.web.Log4jServletFilter
>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>> .lambda$onStartup$10:317 - /*
>>> .lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
>>> .lambda$onStartup$12:308 - Registered class: org.apache.tomcat.websocket.server.WsFilter
>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>> .lambda$onStartup$10:317 - /*
>>> .lambda$onStartup$12:307 - Filter name: AppFilterLoader
>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.AppFilterLoader
>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>> .lambda$onStartup$10:317 - /*
>>> .lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.FilterDefaultJsp
>>> .lambda$onStartup$12:311 - Servlet mapping(s):
>>> .lambda$onStartup$9:312 - default
>>> .lambda$onStartup$9:312 - jsp
>>> .lambda$onStartup$12:307 - Filter name: TestFilterSecure
>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.TestFilterSecure
>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>> .lambda$onStartup$10:317 - /secure/*
>>> .lambda$onStartup$12:307 - Filter name: ShiroFilter
>>> .lambda$onStartup$12:308 - Registered class: org.apache.shiro.web.servlet.ShiroFilter
>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>> .lambda$onStartup$10:317 - /*
>>> .onStartup:325 - ------------------------------------------------------------
>>> -----------------------------------------------------------
>>> I've tried loading the Shiro Filter via my custom loader but it failed because
>>> of an invalid FilterChain type. Oddly enough, if I have the Shiro Filter loaded first, it works fine. I need to further test why this is and if it's consistent across web container restarts. I was hoping to have Filters executing in this order:
>>>
>>> logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.
>>>
>>> since I don't have the desire to waste system resources to start a session when the request is blocked. But as long as I can get Shiro working, I can work with it for now.
>>>
>>> Thanks,
>>> Tommy
>>>
>>>> On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[email protected]> wrote:
>>>> To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.
>>>>
>>>>> On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote:
>>>>> Hi Brian,
>>>>>
>>>>> I'm still having issues getting a valid session when specifying the SecurityManager via SecurityUtils. If I omit that, I get exceptions. After some more troubleshooting, I've added some fake test accounts from the official tutorial and set the TRACE log level on org.apache.shiro. Below is the log:
>>>>>
>>>>> 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
>>>>> 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified. Trying default config locations.
>>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
>>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
>>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
>>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2]
>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
>>>>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for configuration.
>>>>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>>>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty. Defaulting to the default section (name = "")
>>>>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>>>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section. Processing...
>>>>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section. Processing...
>>>>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>>>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>>>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
>>>>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
>>>>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
>>>>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
>>>>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
>>>>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
>>>>> 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
>>>>> 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>>> 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>>>
>>>>> It seems that the resources are empty when I don't set the SecurityManager in SecurityUtils. Thus, from what I could tell from the code, SecurityUtils.getSecurityManager() would fail since the resources map is empty, and hence the cascading failure of getting a session.
>>>>> I haven't been able to track down how the resources in ThreadContext are set yet :(
>>>>>
>>>>> Thanks,
>>>>> Tommy
>>>>>
>>>>>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
>>>>>> I'm not sure I'm following Tommy. You have a few different messages, the one mentioning your shiro.ini
>>>>>>
>>>>>> > when the shiro.ini is indeed in /WEB-INF/
>>>>>>
>>>>>> implies that you have fixed the original issue? But I'm guessing you are still running into issues?
>>>>>>
>>>>>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>>>>>>> I've added some debug logging to troubleshoot the session cookie:
>>>>>>>
>>>>>>> https://imgur.com/a/vaTZrxP
>>>>>>>
>>>>>>> And this is Shiro's generated session ID:
>>>>>>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>>>>>>
>>>>>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>>>>>>> According to this:
>>>>>>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>>>>>>
>>>>>>>> Should I see a cookie for Shiro's session based upon my minimalist configuration? I only see a cookie for the JSESSIONID.
>>>>>>>>
>>>>>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>> I've also tried:
>>>>>>>>>
>>>>>>>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>>>>>>> SecurityManager securityManager = factory.getInstance();
>>>>>>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>>>>>>
>>>>>>>>> and received this:
>>>>>>>>>
>>>>>>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>>>>>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>>>>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>>>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>>
>>>>>>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the listener initialized successfully:
>>>>>>>>>
>>>>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>>>>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>>>>>>>>
>>>>>>>>> Does it matter if I configure both the listener and the filter in web.xml or via a class implementing ServletContainerInitializer.onStartup()?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Tommy
>>>>>>>>>
>>>>>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>> Yes.
>>>>>>>>>> If I omit setting the SecurityManager in the code per the official guide/documentation, I get this exception:
>>>>>>>>>>
>>>>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>>>>>>>
>>>>>>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>>>
>>>>>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>>>>
>>>>>>>>>>> I’m not sure how you are using this logic, but you should let Shiro do all of this for you (via the ShiroFilter).
>>>>>>>>>>>
>>>>>>>>>>> -Brian
>>>>>>>>>>>
>>>>>>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>>>>>>> >
>>>>>>>>>>> > Hi Brian,
>>>>>>>>>>> >
>>>>>>>>>>> > Thanks for the prompt feedback.
>>>>>>>>>>> > Here's the code I used to check for the session:
>>>>>>>>>>> >
>>>>>>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>>>>>>> >
>>>>>>>>>>> > The shiro.ini is very basic and minimal:
>>>>>>>>>>> >
>>>>>>>>>>> > [main]
>>>>>>>>>>> > [users]
>>>>>>>>>>> > [roles]
>>>>>>>>>>> > [urls]
>>>>>>>>>>> > /** = anon
>>>>>>>>>>> >
>>>>>>>>>>> > Most of the content (99%) in shiro.ini is comments and examples as notes for future implementation of authentication and authorization.
>>>>>>>>>>> >
>>>>>>>>>>> > --
>>>>>>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
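The setup Brian and Alessio are pointing at (let the ShiroFilter run first and bind the Subject to the thread; never call SecurityUtils.setSecurityManager() from a request filter), written out as an added example that is not code from this thread or from the Shiro project. It assumes Servlet 3.x (javax.servlet), shiro-web on the classpath, and that the class is listed in META-INF/services/javax.servlet.ServletContainerInitializer; ShiroFirstInitializer and SecureAreaGate are hypothetical names.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

// Hypothetical initializer, discovered via META-INF/services/javax.servlet.ServletContainerInitializer.
public class ShiroFirstInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx) {
        // The listener builds the WebSecurityManager from shiro.ini and publishes it as a
        // ServletContext attribute (the thread's logs show it defaulting to /WEB-INF/shiro.ini).
        ctx.setInitParameter("shiroConfigLocations", "/WEB-INF/shiro.ini");
        ctx.addListener(EnvironmentLoaderListener.class);

        EnumSet<DispatcherType> all = EnumSet.allOf(DispatcherType.class);

        // isMatchAfter=false puts this mapping ahead of any web.xml mapping; programmatic
        // mappings keep registration order, so ShiroFilter is registered before anything else.
        FilterRegistration.Dynamic shiro = ctx.addFilter("ShiroFilter", ShiroFilter.class);
        shiro.addMappingForUrlPatterns(all, false, "/*");

        // Application filters follow and may rely on the Subject that ShiroFilter bound to the thread.
        FilterRegistration.Dynamic gate = ctx.addFilter("SecureAreaGate", SecureAreaGate.class);
        gate.addMappingForUrlPatterns(all, false, "/secure/*");
    }

    /** Hypothetical downstream filter: reads the Subject, never sets a SecurityManager itself. */
    public static class SecureAreaGate implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            Subject subject = SecurityUtils.getSubject();
            // getSession(false) avoids creating a session only to reject the request.
            if (subject.getSession(false) == null || !subject.isAuthenticated()) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            chain.doFilter(req, res);
        }
    }
}
```

With ShiroFilter first in the chain, the UnavailableSecurityManagerException quoted above should not occur in SecureAreaGate, because the Subject (and its SecurityManager) is already bound to the request thread when the downstream filter runs.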
