Hi Brian,

All the classes, including filters, in place are intended for their purpose for the start of AJS project. Some of the methods are blank because I've yet to implement them since I'm unable to get a valid session. Yes, initially it's anon only to work out the non-blocking application flow. Eventually, all access in the AJS will require authentication, including possible 2 factors, and authorization.

The AbstractWeb.validateSessionShiro() is to get a valid Shiro session as called initially by security filter. That same method is called by the mapped servlet via a controller.execute() to use the session. If you run the app, the web UI will show the same session ID as being logged by the FilterSecurity.doFilter() so the FilterChain works as desired. However, subsequent page reloads will generate a different session ID every time :(

While responding, I've added some additional debug logging for quicker comparison/troubleshooting:

https://imgur.com/a/W23fupe

It seems that a cookie was never set nor was the Java HttpSession started.

- Does Shiro require at least one type of realm (ini, JDBC, LDAP, or ActiveDirectory) to work? I have another project in mind down the road that requires session but no authentication / authorization since the information is non-sensitive. But that may change.
- Since Shiro's Session is native, how does Shiro keep track of the session if a cookie is not set or does Shiro have a native cookie management also?
- What if there are multiple applications at different contexts but all utilize Shiro, how does Shiro handle the sessions for each context: ie /ajs/ and /myApp/

As it is now, I have my main project at /myApp/ deployed along with the /ajs/. Both using Shiro and both having the same session ID issue (ID is regenerated at every request). The latter AJS is per your request. I didn't intend to start on it until much later.

As for the samples you've provided, I think they're all V based upon MVC. Neither includes:

    Subject subj = SecurityUtils.getSubject();
    Session sess = subj.getSession(false);
    if (sess == null) {
        sess = subj.getSession(true);
        // process for null session
    }
    // use session for specific user's request

which is the issue I'm having integrating Shiro :(

An old use case would be shoppers adding items to the basket for the session. After some thought, he/she decides to buy them which requires authentication. From that use case, I'm having issues with the first phase. Hence, I don't see any point trying to get an authentication realm (JDBC, ActiveDirectory and/or LDAP) working which I'm more familiar with than coding for valid Java sessions unfortunately.

Thanks,
Tommy

On Tue, Mar 3, 2020 at 1:05 PM Brian Demers <[email protected]> wrote:

> It looks like there are a few layers of code left over from your real
> application, logging, extra filter chain logic, etc.
> And looks like it's configured for only anon access?
>
> My suggestion would be to start with something like this example:
> https://github.com/apache/shiro/tree/master/samples/servlet-plugin
> or this: https://github.com/apache/shiro/tree/master/samples/web
>
> Then add a custom servlet, filter, etc. (depending on your container, you
> could do this via a web.xml, annotations, programmatically, etc)
>
> On Tue, Mar 3, 2020 at 3:39 PM Tommy Pham <[email protected]> wrote:
>
>> Hi Brian,
>>
>> Per your request: https://github.com/tommyhp2/ajs
>>
>> This is another project (web mail and control panel for Apache James
>> Server) I've been wanting to work on. Since its purpose is a lot simpler
>> than my current main project, the back end mechanisms are simpler. The
>> session ID issue still persists:
>>
>> Request -> access log Filter -> security Filter (block or get valid
>> session) -> other filters -> mapped servlet (use session)
>>
>> The session ID is regenerated for subsequent page loads :(
>>
>> Thanks,
>> Tommy
>>
>> On Tue, Mar 3, 2020 at 6:05 AM Brian Demers <[email protected]>
>> wrote:
>>
>>> Can you put together a minimal example app that shows the problem you are
>>> having and stick it on GitHub (or similar)
>>>
>>> -Brian
>>>
>>> On Mar 3, 2020, at 4:29 AM, Tommy Pham <[email protected]> wrote:
>>>
>>> Hi Brian,
>>>
>>> I apologize for the confusion. Previously, I had to set the
>>> SecurityManager via SecurityUtils because of the exception. Now I don't
>>> need to. When I last sent the email, the Shiro session was working fine
>>> w/o setting the SecurityManager and session ID doesn't change on subsequent
>>> page reload. After a system restart, unfortunately, I now have session ID
>>> changing again w/o setting SecurityManager.
>>> As for Filter execution order,
>>> it's working how I'd like to per the logs even though the Shiro Filter is
>>> loaded first in the FilterRegistration:
>>>
>>> https://pastebin.com/ZD5Sx1i3
>>>
>>> My security filter started a valid session and my mapped servlet
>>> eventually retrieves that session w/o creation as seen in the above logs.
>>> However, subsequent page reloads now generate a different ID :(... I did
>>> have a look at Shiro's FilterChain definitions:
>>>
>>> https://shiro.apache.org/web.html#Web-FilterChainDefinitions
>>>
>>> From the looks of it, it doesn't have the flexibility of mapping to URLs
>>> and/or Servlets with different DispatcherTypes at load time like how I'd be
>>> able to via FilterRegistration in a class
>>> implementing ServletContainerInitializer.onStartup(). My custom filter
>>> loader and filter chain allow that flexibility at load time while
>>> guaranteeing the load order. Currently, all of my filters have only the
>>> necessary code to verify application (non-blocking) flow as desired. None
>>> of them have behind-the-scenes mechanisms yet.
>>>
>>> Also, I'm setting some preferred default values to SessionCookieConfig
>>> before loading the listeners. Would that interfere with Shiro's
>>> session/cookie management?
>>>
>>> This is the load order in the ServletContainerInitializer.onStartup():
>>>
>>> 1. Set SessionCookieConfig preferred default values
>>> 2. Load listeners
>>> 3. Map static files path (CSS, JS, images) to the default servlet
>>> 4. Load the servlets
>>> 5. Load the Shiro Filter first
>>>    1. Load other filters
>>> 6. Configure Thymeleaf
>>>
>>> Thanks,
>>> Tommy
>>>
>>> On Mon, Mar 2, 2020 at 5:52 PM Brian Demers <[email protected]>
>>> wrote:
>>>
>>>> Let’s take a step back, what are you trying to do with the
>>>> SecurityManager?
>>>> Sorry but I still feel like this thread is bouncing between two options.
>>>> (This could just be me though) Let’s just consider the “working” Shiro.ini
>>>> for now.
>>>> >>>> Is the ShiroFilter getting processed before your code? >>>> >>>> >>>> >>>> >>>> -Brian >>>> >>>> On Mar 2, 2020, at 7:50 PM, Tommy Pham <[email protected]> wrote: >>>> >>>> >>>> Hi Alessio, >>>> >>>> I'm loading the Shiro Filter via FilterRegistration in a class >>>> implementing ServletContainerInitializer.onStartup(). Loading the >>>> filter(s) this way do not guaranteed ordering as loaded from my testing of >>>> various approaches (web.xml, annotations, and, preferably, >>>> programmatically). I have my own filter loader and filter chain that >>>> guarantees the order for my filters which are not visible in the >>>> FilterRegistration: >>>> >>>> ----------------------------- >>>> .onStartup:303 - -------- Filter Registrations >>>> ------------------------------ >>>> .lambda$onStartup$12:307 - Filter name: log4jServletFilter >>>> .lambda$onStartup$12:308 - Registered class: >>>> org.apache.logging.log4j.web.Log4jServletFilter >>>> .lambda$onStartup$12:316 - URL pattern mapping(s): >>>> .lambda$onStartup$10:317 - /* >>>> .lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter >>>> .lambda$onStartup$12:308 - Registered class: >>>> org.apache.tomcat.websocket.server.WsFilter >>>> .lambda$onStartup$12:316 - URL pattern mapping(s): >>>> .lambda$onStartup$10:317 - /* >>>> .lambda$onStartup$12:307 - Filter name: AppFilterLoader >>>> .lambda$onStartup$12:308 - Registered class: >>>> com.domain.web.AppFilterLoader >>>> .lambda$onStartup$12:316 - URL pattern mapping(s): >>>> .lambda$onStartup$10:317 - /* >>>> .lambda$onStartup$12:307 - Filter name: FilterDefaultJsp >>>> .lambda$onStartup$12:308 - Registered class: >>>> com.domain.web.FilterDefaultJsp >>>> .lambda$onStartup$12:311 - Servlet mapping(s): >>>> .lambda$onStartup$9:312 - default >>>> .lambda$onStartup$9:312 - jsp >>>> .lambda$onStartup$12:307 - Filter name: TestFilterSecure >>>> .lambda$onStartup$12:308 - Registered class: >>>> com.domain.web.TestFilterSecure >>>> 
.lambda$onStartup$12:316 - URL pattern mapping(s): >>>> .lambda$onStartup$10:317 - /secure/* >>>> .lambda$onStartup$12:307 - Filter name: ShiroFilter >>>> .lambda$onStartup$12:308 - Registered class: >>>> org.apache.shiro.web.servlet.ShiroFilter >>>> .lambda$onStartup$12:316 - URL pattern mapping(s): >>>> .lambda$onStartup$10:317 - /* >>>> .onStartup:325 - >>>> ------------------------------------------------------------ >>>> ----------------------------------------------------------- >>>> I've tried loading the Shiro Filter my custom loader but it failed >>>> because of invalid FilterChain type. Oddly enough, if I have the >>>> Shiro Filter loaded first, it works fine. I need to further test why this >>>> is and if it's consistent across web container restarts. I was hoping to >>>> have Filters executing in this order: >>>> >>>> logging -> security (block request or start Shiro session) -> other >>>> filters -> mapped servlet. >>>> >>>> since I have don't the desire to waste system resource to start a >>>> session when the request is blocked. But as long as I can get Shiro >>>> working, I can work with it for now. >>>> >>>> Thanks, >>>> Tommy >>>> >>>> On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[email protected]> >>>> wrote: >>>> >>>>> To me, it looks like the Shiro Filter is not installed or your own >>>>> filter runs before it has a chance to associate Shiro objects with the >>>>> thread. >>>>> >>>>> On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote: >>>>> >>>>>> Hi Brian, >>>>>> >>>>>> I'm still having issues getting a valid session when specifying >>>>>> SecurityManager via SecurityUtils. If I omit that, I get exceptions. >>>>>> After some more troubleshooting, I've added some fake test accounts from >>>>>> the official tutorial and set TRACE log level to org.apache.shiro. 
Below >>>>>> is the log: >>>>>> >>>>>> 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any >>>>>> specified config locations. >>>>>> 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI >>>>>> instance or config locations specified. Trying default config locations. >>>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini.load:401 - Parsing [main] >>>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini.load:401 - Parsing [users] >>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: root = secret, admin >>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: guest = guest, guest >>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: presidentskroob = 12345, president >>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz >>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: lonestarr = vespa, goodguy, schwartz >>>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini.load:401 - Parsing [roles] >>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: admin = * >>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] >>>>>> 
org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: schwartz = lightsaber:* >>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: goodguy = winnebago:drive:eagle5 >>>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini.load:401 - Parsing [urls] >>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered >>>>>> key/value pair: /** = anon >>>>>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered >>>>>> non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for >>>>>> configuration. >>>>>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating >>>>>> instance from Ini [sections=users,roles,urls] >>>>>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or >>>>>> empty. Defaulting to the default section (name = "") >>>>>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 >>>>>> - >>>>>> Adding login url to applied paths. >>>>>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered >>>>>> the [roles] section. Processing... >>>>>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered >>>>>> the [users] section. Processing... 
>>>>>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating >>>>>> instance from Ini [sections=users,roles,urls] >>>>>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 >>>>>> - >>>>>> Adding login url to applied paths. >>>>>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] >>>>>> org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 >>>>>> - Before url processing. >>>>>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 >>>>>> - >>>>>> Creating chain [/**] from String definition [anon] >>>>>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 >>>>>> - Attempting to apply path [/**] to filter [anon] with config [null] >>>>>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] >>>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - >>>>>> Published >>>>>> WebEnvironment as ServletContext attribute with name >>>>>> [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY] >>>>>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] >>>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro >>>>>> environment initialized in 352 ms. 
>>>>>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] >>>>>> org.apache.catalina.startup.HostConfig.deployWAR Deployment of web >>>>>> application archive [D:\apache-tomcat\webapps\erm.war] has finished in >>>>>> [9,120] ms >>>>>> 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] >>>>>> com.domain.security.FilterSecurity.doFilter:147 - >> >>>>>> ThreadContext.getResources(): true 0 >>>>>> 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] >>>>>> org.apache.shiro.util.ThreadContext.get:126 - get() - in thread >>>>>> [http-nio-8080-exec-181] >>>>>> 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] >>>>>> org.apache.shiro.util.ThreadContext.get:126 - get() - in thread >>>>>> [http-nio-8080-exec-181] >>>>>> >>>>>> It seems that the resources is empty when i don't set the >>>>>> SecurityManager in SecurityUtils. Thus, from what I could tell from the >>>>>> code, the SecurityUtils.getSecurityManager() would fail since the >>>>>> resources >>>>>> map is empty and the cascade failure of getting a session. I haven't >>>>>> been >>>>>> able to track down how the resources in ThreadContext is set yet :( >>>>>> >>>>>> Thanks, >>>>>> Tommy >>>>>> >>>>>> >>>>>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> I'm not sure I'm following Tommy. You have a few different >>>>>>> messages, the one mentioning your shiro.ini >>>>>>> >>>>>>> > when the shiro.ini is indeed in /WEB-INF/ >>>>>>> >>>>>>> implies that you have fixed the original issue? by i'm guessing you >>>>>>> are still running into issues? 
>>>>>>> >>>>>>> >>>>>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> I've added some debug logging to troubleshoot the session cookie: >>>>>>>> >>>>>>>> https://imgur.com/a/vaTZrxP >>>>>>>> >>>>>>>> And this is the Shiro's generated session ID: >>>>>>>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb >>>>>>>> >>>>>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> According this: >>>>>>>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration >>>>>>>>> >>>>>>>>> Should I see a cookie for Shiro's session based upon my minimalist >>>>>>>>> configuration? I only see cookie for the JSESSIONID. >>>>>>>>> >>>>>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> I've also tried: >>>>>>>>>> >>>>>>>>>> Factory<SecurityManager> factory = new >>>>>>>>>> IniSecurityManagerFactory("classpath:shiro.ini"); >>>>>>>>>> SecurityManager securityManager = factory.getInstance(); >>>>>>>>>> SecurityUtils.setSecurityManager(securityManager); >>>>>>>>>> >>>>>>>>>> and received this: >>>>>>>>>> >>>>>>>>>> org.apache.shiro.config.ConfigurationException: >>>>>>>>>> java.io.IOException: Resource [classpath:shiro.ini] could not be >>>>>>>>>> found. 
>>>>>>>>>> >>>>>>>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250) >>>>>>>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233) >>>>>>>>>> >>>>>>>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73) >>>>>>>>>> >>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225) >>>>>>>>>> >>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153) >>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66) >>>>>>>>>> >>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45) >>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66) >>>>>>>>>> >>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146) >>>>>>>>>> >>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) >>>>>>>>>> >>>>>>>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that >>>>>>>>>> the listener initialized successfully: >>>>>>>>>> >>>>>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] >>>>>>>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - >>>>>>>>>> Starting >>>>>>>>>> Shiro environment initialization. >>>>>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] >>>>>>>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - >>>>>>>>>> Shiro >>>>>>>>>> environment initialized in 282 ms. >>>>>>>>>> >>>>>>>>>> Does it matter if configuring both listener and filter in web.xml >>>>>>>>>> or via a class implementing ServletContainerInitializer.onStartup()? >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Tommy >>>>>>>>>> >>>>>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Yes. 
>>>>>>>>>>> If I omit setting the SecurityManager in the code per the
>>>>>>>>>>> official guide/documentation, I get this exception:
>>>>>>>>>>>
>>>>>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No
>>>>>>>>>>> SecurityManager accessible to the calling code, either bound to the
>>>>>>>>>>> org.apache.shiro.util.ThreadContext or as a vm static singleton.
>>>>>>>>>>> This is an invalid application configuration.
>>>>>>>>>>>
>>>>>>>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>>>>>
>>>>>>>>>>>> I’m not sure how you are using this logic, but you should let
>>>>>>>>>>>> Shiro do all of this for you (via the ShiroFilter).
>>>>>>>>>>>>
>>>>>>>>>>>> -Brian
>>>>>>>>>>>>
>>>>>>>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>> >
>>>>>>>>>>>> > Hi Brian,
>>>>>>>>>>>> >
>>>>>>>>>>>> > Thanks for the prompt feedback. Here's the code I used to
>>>>>>>>>>>> check for the
>>>>>>>>>>>> > session:
>>>>>>>>>>>> >
>>>>>>>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>>>>>>>> >
>>>>>>>>>>>> > The shiro.ini is very basic and minimal:
>>>>>>>>>>>> >
>>>>>>>>>>>> > [main]
>>>>>>>>>>>> > [users]
>>>>>>>>>>>> > [roles]
>>>>>>>>>>>> > [urls]
>>>>>>>>>>>> > /** = anon
>>>>>>>>>>>> >
>>>>>>>>>>>> > Most of the content (99%) in shiro.ini are comments and
>>>>>>>>>>>> examples as notes
>>>>>>>>>>>> > for future implementation of authentication and authorization.
>>>>>>>>>>>> >
>>>>>>>>>>>> > --
>>>>>>>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
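
The replies from Brian and Alessio above say the ShiroFilter has to run before any code that asks for the Subject. The following is an added example, not code from the thread or from the Shiro samples, of registering it that way in ServletContainerInitializer.onStartup(). It assumes javax.servlet 3.0+, Shiro 1.x and a /WEB-INF/shiro.ini; AppInitializer and SessionProbeFilter are hypothetical names.

```java
// Added example; AppInitializer and SessionProbeFilter are hypothetical names.
// Register the class in META-INF/services/javax.servlet.ServletContainerInitializer.
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

public class AppInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
        // One SecurityManager for the whole context, built from /WEB-INF/shiro.ini.
        // Nothing here calls SecurityUtils.setSecurityManager() or builds one per request.
        ctx.addListener(EnvironmentLoaderListener.class);

        // isMatchAfter = false: matched before any filter mappings declared in web.xml
        // or by annotation, so the Subject is bound to the request thread first.
        FilterRegistration.Dynamic shiro = ctx.addFilter("ShiroFilter", ShiroFilter.class);
        shiro.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST,
                DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.ERROR),
                false, "/*");

        // isMatchAfter = true: matched after the declared mappings, hence after ShiroFilter.
        FilterRegistration.Dynamic probe =
                ctx.addFilter("SessionProbeFilter", new SessionProbeFilter());
        probe.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");
    }

    /** Runs inside the ShiroFilter's chain; same getSession(false)/(true) pattern as the thread. */
    static class SessionProbeFilter implements Filter {
        @Override
        public void init(FilterConfig cfg) { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            Subject subject = SecurityUtils.getSubject();   // bound by ShiroFilter
            Session session = subject.getSession(false);    // do not create yet
            boolean created = (session == null);
            if (created) {
                session = subject.getSession(true);
            }
            // Debug only: a session ID is a bearer credential, so keep it out of
            // production logs. If the browser returns the session cookie, a reload
            // should log "existing" with the same ID.
            req.getServletContext().log("Shiro session " + session.getId()
                    + (created ? " (new)" : " (existing)"));
            chain.doFilter(req, res);
        }

        @Override
        public void destroy() { }
    }
}
```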
