Hi Brian,

Per your request: https://github.com/tommyhp2/ajs

This is another project (web mail and control panel for Apache James Server) I've been wanting to work on. Since its purpose is a lot simpler than my current main project, the back end mechanisms are simpler. The session ID issue still persists:

Request -> access log Filter -> security Filter (block or get valid session) -> other filters -> mapped servlet (use session)

The session ID is regenerated for subsequent page loads :(

Thanks,
Tommy

On Tue, Mar 3, 2020 at 6:05 AM Brian Demers <[email protected]> wrote:

> Can you put together a minimal example app that shows the problem you are having and stick it on GitHub (or similar)
>
> -Brian
>
> On Mar 3, 2020, at 4:29 AM, Tommy Pham <[email protected]> wrote:
>
> Hi Brian,
>
> I apologize for the confusion. Previously, I had to set the SecurityManager via SecurityUtils because of the exception. Now I don't need to. When I last sent the email, the Shiro session was working fine w/o setting the SecurityManager and the session ID didn't change on subsequent page reload. After a system restart, unfortunately, I now have the session ID changing again w/o setting the SecurityManager. As for Filter execution order, it's working how I'd like to per the logs even though the Shiro Filter is loaded first in the FilterRegistration:
>
> https://pastebin.com/ZD5Sx1i3
>
> My security filter started a valid session and my mapped servlet eventually retrieves that session w/o creation as seen in the above logs. However, subsequent page reloads now generate a different ID :(... I did have a look at Shiro's FilterChain definitions:
>
> https://shiro.apache.org/web.html#Web-FilterChainDefinitions
>
> From the looks of it, it doesn't have the flexibility of mapping to URLs and/or Servlets with different DispatcherTypes at load time like how I'd be able to via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). My custom filter loader and filter chain allows that flexibility at load time while guaranteeing the load order. Currently, all of my filters have only the necessary code to verify application (non-blocking) flow as desired. None of them have behind-the-scenes mechanisms yet.
>
> Also, I'm setting some preferred default values to SessionCookieConfig before loading the listeners. Would that interfere with Shiro's session/cookie management?
>
> This is the load order in the ServletContainerInitializer.onStartup():
>
> 1. Set SessionCookieConfig preferred default values
> 2. Load listeners
> 3. Map static files path (CSS, JS, images) to the default servlet
> 4. Load the servlets
> 5. Load the Shiro Filter first
>    1. Load other filters
> 6. Configure Thymeleaf
>
> Thanks,
> Tommy
>
> On Mon, Mar 2, 2020 at 5:52 PM Brian Demers <[email protected]> wrote:
>
>> Let's take a step back, what are you trying to do with the SecurityManager?
>> Sorry but I still feel like this thread is bouncing between two options. (This could just be me though) Let's just consider the "working" Shiro.ini for now.
>>
>> Is the ShiroFilter getting processed before your code?
>>
>> -Brian
>>
>> On Mar 2, 2020, at 7:50 PM, Tommy Pham <[email protected]> wrote:
>>
>> Hi Alessio,
>>
>> I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). Loading the filter(s) this way does not guarantee ordering as loaded, from my testing of various approaches (web.xml, annotations, and, preferably, programmatically). I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:
>>
>> -----------------------------
>> .onStartup:303 - -------- Filter Registrations ------------------------------
>> .lambda$onStartup$12:307 - Filter name: log4jServletFilter
>> .lambda$onStartup$12:308 - Registered class: org.apache.logging.log4j.web.Log4jServletFilter
>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>> .lambda$onStartup$10:317 - /*
>> .lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
>> .lambda$onStartup$12:308 - Registered class: org.apache.tomcat.websocket.server.WsFilter
>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>> .lambda$onStartup$10:317 - /*
>> .lambda$onStartup$12:307 - Filter name: AppFilterLoader
>> .lambda$onStartup$12:308 - Registered class: com.domain.web.AppFilterLoader
>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>> .lambda$onStartup$10:317 - /*
>> .lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
>> .lambda$onStartup$12:308 - Registered class: com.domain.web.FilterDefaultJsp
>> .lambda$onStartup$12:311 - Servlet mapping(s):
>> .lambda$onStartup$9:312 - default
>> .lambda$onStartup$9:312 - jsp
>> .lambda$onStartup$12:307 - Filter name: TestFilterSecure
>> .lambda$onStartup$12:308 - Registered class: com.domain.web.TestFilterSecure
>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>> .lambda$onStartup$10:317 - /secure/*
>> .lambda$onStartup$12:307 - Filter name: ShiroFilter
>> .lambda$onStartup$12:308 - Registered class: org.apache.shiro.web.servlet.ShiroFilter
>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>> .lambda$onStartup$10:317 - /*
>> .onStartup:325 - ------------------------------------------------------------
>> -----------------------------------------------------------
>>
>> I've tried loading the Shiro Filter via my custom loader but it failed because of an invalid FilterChain type. Oddly enough, if I have the Shiro Filter loaded first, it works fine. I need to further test why this is and if it's consistent across web container restarts. I was hoping to have Filters executing in this order:
>>
>> logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.
>>
>> since I don't have the desire to waste system resources to start a session when the request is blocked. But as long as I can get Shiro working, I can work with it for now.
>>
>> Thanks,
>> Tommy
>>
>> On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[email protected]> wrote:
>>
>>> To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.
>>>
>>> On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote:
>>>
>>>> Hi Brian,
>>>>
>>>> I'm still having issues getting a valid session when specifying the SecurityManager via SecurityUtils. If I omit that, I get exceptions. After some more troubleshooting, I've added some fake test accounts from the official tutorial and set TRACE log level to org.apache.shiro. Below is the log:
>>>>
>>>> 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
>>>> 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified. Trying default config locations.
>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
>>>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for configuration.
>>>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty. Defaulting to the default section (name = "")
>>>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section. Processing...
>>>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section. Processing...
>>>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
>>>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
>>>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
>>>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
>>>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
>>>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
>>>> 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - ThreadContext.getResources(): true 0
>>>> 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>> 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>>
>>>> It seems that the resources are empty when I don't set the SecurityManager in SecurityUtils. Thus, from what I could tell from the code, SecurityUtils.getSecurityManager() would fail since the resources map is empty, and that cascades into the failure of getting a session. I haven't been able to track down how the resources in ThreadContext are set yet :(
>>>>
>>>> Thanks,
>>>> Tommy
>>>>
>>>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
>>>>
>>>>> I'm not sure I'm following, Tommy. You have a few different messages, the one mentioning your shiro.ini
>>>>>
>>>>> > when the shiro.ini is indeed in /WEB-INF/
>>>>>
>>>>> implies that you have fixed the original issue? But I'm guessing you are still running into issues?
>>>>>
>>>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>>>>>
>>>>>> I've added some debug logging to troubleshoot the session cookie:
>>>>>>
>>>>>> https://imgur.com/a/vaTZrxP
>>>>>>
>>>>>> And this is Shiro's generated session ID: 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>>>>>
>>>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>>>>>
>>>>>>> According to this: https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>>>>>
>>>>>>> Should I see a cookie for Shiro's session based upon my minimalist configuration? I only see a cookie for the JSESSIONID.
>>>>>>>
>>>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>>>>>
>>>>>>>> I've also tried:
>>>>>>>>
>>>>>>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>>>>>> SecurityManager securityManager = factory.getInstance();
>>>>>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>>>>>
>>>>>>>> and received this:
>>>>>>>>
>>>>>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>>>>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>>>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>
>>>>>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the listener initialized successfully:
>>>>>>>>
>>>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>>>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>>>>>>>
>>>>>>>> Does it matter if configuring both listener and filter in web.xml or via a class implementing ServletContainerInitializer.onStartup()?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Tommy
>>>>>>>>
>>>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Yes. If I omit setting the SecurityManager in the code per the official guide/documentation, I get this exception:
>>>>>>>>>
>>>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>>
>>>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>>>
>>>>>>>>>> I'm not sure how you are using this logic, but you should let Shiro do all of this for you (via the ShiroFilter).
>>>>>>>>>>
>>>>>>>>>> -Brian
>>>>>>>>>>
>>>>>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>>>>>> >
>>>>>>>>>> > Hi Brian,
>>>>>>>>>> >
>>>>>>>>>> > Thanks for the prompt feedback. Here's the code I used to check for the session:
>>>>>>>>>> >
>>>>>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>>>>>> >
>>>>>>>>>> > The shiro.ini is very basic and minimal:
>>>>>>>>>> >
>>>>>>>>>> > [main]
>>>>>>>>>> > [users]
>>>>>>>>>> > [roles]
>>>>>>>>>> > [urls]
>>>>>>>>>> > /** = anon
>>>>>>>>>> >
>>>>>>>>>> > Most of the content (99%) in shiro.ini are comments and examples as notes for future implementation of authentication and authorization.
>>>>>>>>>> >
>>>>>>>>>> > --
>>>>>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
