When using the container's session management, Shiro doesn't control how the session is managed; you would need to configure this in your container (Tomcat).

On Tue, Mar 3, 2020 at 7:52 PM Tommy Pham <[email protected]> wrote:

> Hi Brian,
>
> Thanks for the references, I'll bookmark them for review later. After some trial and error, I've verified that these settings break Shiro's native session management (per my minimalist shiro.ini):
>
> Session Cookie config:
> 03-Mar-2020 15:49:31.134 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:115 - getComment: null
> 03-Mar-2020 15:49:31.135 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:116 - getDomain: null
> 03-Mar-2020 15:49:31.135 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:117 - getMaxAge: 2592000
> 03-Mar-2020 15:49:31.136 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:118 - getName: null
> 03-Mar-2020 15:49:31.136 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:119 - getPath: null
> 03-Mar-2020 15:49:31.137 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:120 - isHttpOnly: true
> 03-Mar-2020 15:49:31.138 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:121 - isSecure: true
>
> I've confirmed for both the main project and the AJS project.
>
> 1. Since Shiro's native session doesn't seem to issue a javax.servlet.http.Cookie per my last screen shot, why then would any change from the default break Shiro, even though my search for SessionCookieConfig on GitHub shows 0 results?
> 2. How then does Shiro know which session belongs to which client?
> 3. In native mode, am I safe to assume it's done behind the scenes in memory if session storage is not configured? In any event, allowing me to focus more on session.setAttribute(key, value) or session.getAttribute(key) with a valid session.
>
> If I need to set a specific cookie to the client even when the session has expired, I presume I'd use:
>
> SimpleCookie cookie = new SimpleCookie(cookieName);
> // set appropriately
> cookie.saveTo(request, response);
>
> Since setting the SessionCookieConfig breaks Shiro's native session management, how could I configure the default properties for the majority of the cookies? From
>
> https://shiro.apache.org/web.html#Web-%7B%7BDefaultWebSessionManager%7D%7D
>
> I deduced:
>
> securityManager.sessionManager.cookie.maxAge
> securityManager.sessionManager.cookie.httpOnly
> securityManager.sessionManager.cookie.secure
>
> Thanks,
> Tommy
>
> On Tue, Mar 3, 2020 at 3:36 PM Brian Demers <[email protected]> wrote:
>
>> It depends on what you are doing, but in most cases, if you need the session, you would just use the standard HttpSession.
>>
>> The framework should handle most of this logic for you, so you _shouldn't_ need any code
>>
>> https://github.com/bdemers/shiro-via-gateway/tree/master/servlet-application/
>> a servlet:
>>
>> https://github.com/bdemers/shiro-via-gateway/blob/master/servlet-application/src/main/java/com/okta/example/servlet/UserProfileServlet.java
>>
>> As for sessions, you can let the container manage them, or you can let Shiro do it:
>> https://shiro.apache.org/session-management.html#session-storage
>> (but it's just setup/configuration and your application would work the same way)
>>
>> You will need some type of realm to manage your users, otherwise, you wouldn't be able to identify a user.
>>
>> My suggestion is to start with a simple app (add security early/first) and then add/test features as you go.
>> - Anonymous user state persistence (HttpSession api or something similar)
>> - Log that user in (configure a Shiro realm) and make sure you can still access the session
>> - profit ;)
>>
>> I'd also suggest using the `DefaultWebSessionManager` to manage your sessions.
>>
>> On Tue, Mar 3, 2020 at 5:53 PM Tommy Pham <[email protected]> wrote:
>>
>>> Hi Brian,
>>>
>>> All the classes, including filters, in place are intended for their purpose for the start of the AJS project. Some of the methods are blank because I've yet to implement them since I'm unable to get a valid session. Yes, initially it's anon only to work out the non-blocking application flow. Eventually, all access in the AJS will require authentication, including possible 2 factors, and authorization. The AbstractWeb.validateSessionShiro() is to get a valid Shiro session as called initially by the security filter. That same method is called by the mapped servlet via a controller.execute() to use the session. If you run the app, the web UI will show the same session ID as being logged by the FilterSecurity.doFilter() so the FilterChain works as desired. However, subsequent page reloads will generate a different session ID every time :( While responding, I've added some additional debug logging for quicker comparison/troubleshooting:
>>>
>>> https://imgur.com/a/W23fupe
>>>
>>> It seems that a cookie was never set, nor was the Java HttpSession started.
>>>
>>> - Does Shiro require at least one type of realm (ini, JDBC, LDAP, or ActiveDirectory) to work? I have another project in mind down the road that requires a session but no authentication / authorization since the information is non-sensitive. But that may change.
>>> - Since Shiro's Session is native, how does Shiro keep track of the session if a cookie is not set, or does Shiro have native cookie management also?
>>> - What if there are multiple applications at different contexts but all utilize Shiro; how does Shiro handle the sessions for each context, i.e. /ajs/ and /myApp/? As it is now, I have my main project at /myApp/ deployed along with the /ajs/. Both use Shiro and both have the same session ID issue (ID is regenerated at every request). The latter, AJS, is per your request. I didn't intend to start on it until much later.
>>>
>>> As for the samples you've provided, I think they're all V based upon MVC. Neither includes:
>>>
>>> Subject subj = SecurityUtils.getSubject();
>>> Session sess = subj.getSession(false);
>>> if (sess == null ) {
>>>     sess = subj.getSession(true);
>>>     // process for null session
>>> }
>>> // use session for specific user's request
>>>
>>> which is the issue I'm having integrating Shiro :( An old use case would be shoppers adding items to the basket for the session. After some thought, he/she decides to buy them, which requires authentication. From that use case, I'm having issues with the first phase. Hence, I don't see any point trying to get an authentication realm (JDBC, ActiveDirectory and/or LDAP) working, which I'm more familiar with than coding for valid Java sessions unfortunately.
>>>
>>> Thanks,
>>> Tommy
>>>
>>> On Tue, Mar 3, 2020 at 1:05 PM Brian Demers <[email protected]> wrote:
>>>
>>>> It looks like there are a few layers of code left over from your real application, logging, extra filter chain logic, etc.
>>>> And looks like it's configured for only anon access?
>>>>
>>>> My suggestion would be to start with something like this example:
>>>> https://github.com/apache/shiro/tree/master/samples/servlet-plugin
>>>> or this: https://github.com/apache/shiro/tree/master/samples/web
>>>>
>>>> Then add a custom servlet, filter, etc. (depending on your container, you could do this via a web.xml, annotations, programmatically, etc)
>>>>
>>>> On Tue, Mar 3, 2020 at 3:39 PM Tommy Pham <[email protected]> wrote:
>>>>
>>>>> Hi Brian,
>>>>>
>>>>> Per your request: https://github.com/tommyhp2/ajs
>>>>>
>>>>> This is another project (web mail and control panel for Apache James Server) I've been wanting to work on. Since its purpose is a lot simpler than my current main project, the back end mechanisms are simpler. The session ID issue still persists:
>>>>>
>>>>> Request -> access log Filter -> security Filter (block or get valid session) -> other filters -> mapped servlet (use session)
>>>>>
>>>>> The session ID is regenerated for subsequent page loads :(
>>>>>
>>>>> Thanks,
>>>>> Tommy
>>>>>
>>>>> On Tue, Mar 3, 2020 at 6:05 AM Brian Demers <[email protected]> wrote:
>>>>>
>>>>>> Can you put together a minimal example app that shows the problem you are having and stick it on GitHub (or similar)
>>>>>>
>>>>>> -Brian
>>>>>>
>>>>>> On Mar 3, 2020, at 4:29 AM, Tommy Pham <[email protected]> wrote:
>>>>>>
>>>>>> Hi Brian,
>>>>>>
>>>>>> I apologize for the confusion. Previously, I had to set the SecurityManager via SecurityUtils because of the exception. Now I don't need to. When I last sent the email, the Shiro session was working fine w/o setting the SecurityManager and the session ID didn't change on subsequent page reload. After a system restart, unfortunately, I now have the session ID changing again w/o setting SecurityManager. As for Filter execution order, it's working how I'd like to per the logs even though the Shiro Filter is loaded first in the FilterRegistration:
>>>>>>
>>>>>> https://pastebin.com/ZD5Sx1i3
>>>>>>
>>>>>> My security filter started a valid session and my mapped servlet eventually retrieves that session w/o creation as seen in the above logs. However, subsequent page reloads now generate a different ID :(... I did have a look at Shiro's FilterChain definitions:
>>>>>>
>>>>>> https://shiro.apache.org/web.html#Web-FilterChainDefinitions
>>>>>>
>>>>>> From the looks of it, it doesn't have the flexibility of mapping to URLs and/or Servlets with different DispatcherTypes at load time like how I'd be able to via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). My custom filter loader and filter chain allow that flexibility at load time while guaranteeing the load order. Currently, all of my filters have only the necessary code to verify application (non-blocking) flow as desired. None of them have behind-the-scenes mechanisms yet.
>>>>>>
>>>>>> Also, I'm setting some preferred default values to SessionCookieConfig before loading the listeners. Would that interfere with Shiro's session/cookie management?
>>>>>>
>>>>>> This is the load order in the ServletContainerInitializer.onStartup():
>>>>>>
>>>>>> 1. Set SessionCookieConfig preferred default values
>>>>>> 2. Load listeners
>>>>>> 3. Map static files path (CSS, JS, images) to the default servlet
>>>>>> 4. Load the servlets
>>>>>> 5. Load the Shiro Filter first
>>>>>>    1. Load other filters
>>>>>> 6. Configure Thymeleaf
>>>>>>
>>>>>> Thanks,
>>>>>> Tommy
>>>>>>
>>>>>> On Mon, Mar 2, 2020 at 5:52 PM Brian Demers <[email protected]> wrote:
>>>>>>
>>>>>>> Let’s take a step back, what are you trying to do with the SecurityManager?
>>>>>>> Sorry but I still feel like this thread is bouncing between two options. (This could just be me though) Let’s just consider the “working” Shiro.ini for now.
>>>>>>>
>>>>>>> Is the ShiroFilter getting processed before your code?
>>>>>>>
>>>>>>> -Brian
>>>>>>>
>>>>>>> On Mar 2, 2020, at 7:50 PM, Tommy Pham <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Alessio,
>>>>>>>
>>>>>>> I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). Loading the filter(s) this way does not guarantee ordering as loaded, from my testing of various approaches (web.xml, annotations, and, preferably, programmatically). I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:
>>>>>>>
>>>>>>> -----------------------------
>>>>>>> .onStartup:303 - -------- Filter Registrations ------------------------------
>>>>>>> .lambda$onStartup$12:307 - Filter name: log4jServletFilter
>>>>>>> .lambda$onStartup$12:308 - Registered class: org.apache.logging.log4j.web.Log4jServletFilter
>>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>>> .lambda$onStartup$10:317 - /*
>>>>>>> .lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
>>>>>>> .lambda$onStartup$12:308 - Registered class: org.apache.tomcat.websocket.server.WsFilter
>>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>>> .lambda$onStartup$10:317 - /*
>>>>>>> .lambda$onStartup$12:307 - Filter name: AppFilterLoader
>>>>>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.AppFilterLoader
>>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>>> .lambda$onStartup$10:317 - /*
>>>>>>> .lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
>>>>>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.FilterDefaultJsp
>>>>>>> .lambda$onStartup$12:311 - Servlet mapping(s):
>>>>>>> .lambda$onStartup$9:312 - default
>>>>>>> .lambda$onStartup$9:312 - jsp
>>>>>>> .lambda$onStartup$12:307 - Filter name: TestFilterSecure
>>>>>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.TestFilterSecure
>>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>>> .lambda$onStartup$10:317 - /secure/*
>>>>>>> .lambda$onStartup$12:307 - Filter name: ShiroFilter
>>>>>>> .lambda$onStartup$12:308 - Registered class: org.apache.shiro.web.servlet.ShiroFilter
>>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>>> .lambda$onStartup$10:317 - /*
>>>>>>> .onStartup:325 - ------------------------------------------------------------
>>>>>>> -----------------------------------------------------------
>>>>>>>
>>>>>>> I've tried loading the Shiro Filter via my custom loader but it failed because of an invalid FilterChain type. Oddly enough, if I have the Shiro Filter loaded first, it works fine. I need to further test why this is and if it's consistent across web container restarts. I was hoping to have Filters executing in this order:
>>>>>>>
>>>>>>> logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.
>>>>>>>
>>>>>>> since I don't have the desire to waste system resources to start a session when the request is blocked. But as long as I can get Shiro working, I can work with it for now.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Tommy
>>>>>>>
>>>>>>> On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[email protected]> wrote:
>>>>>>>
>>>>>>>> To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.
>>>>>>>>
>>>>>>>> On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Brian,
>>>>>>>>>
>>>>>>>>> I'm still having issues getting a valid session when specifying SecurityManager via SecurityUtils. If I omit that, I get exceptions. After some more troubleshooting, I've added some fake test accounts from the official tutorial and set TRACE log level to org.apache.shiro. Below is the log:
>>>>>>>>>
>>>>>>>>> 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
>>>>>>>>> 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified. Trying default config locations.
>>>>>>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
>>>>>>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
>>>>>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
>>>>>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
>>>>>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
>>>>>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
>>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
>>>>>>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
>>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
>>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
>>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
>>>>>>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
>>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
>>>>>>>>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for configuration.
>>>>>>>>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>>>>>>>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty. Defaulting to the default section (name = "")
>>>>>>>>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>>>>>>>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section. Processing...
>>>>>>>>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section. Processing...
>>>>>>>>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>>>>>>>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>>>>>>>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
>>>>>>>>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
>>>>>>>>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
>>>>>>>>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
>>>>>>>>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
>>>>>>>>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
>>>>>>>>> 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
>>>>>>>>> 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>>>>>>> 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>>>>>>>
>>>>>>>>> It seems that the resources are empty when I don't set the SecurityManager in SecurityUtils. Thus, from what I could tell from the code, the SecurityUtils.getSecurityManager() would fail since the resources map is empty, and the cascade failure of getting a session. I haven't been able to track down how the resources in ThreadContext are set yet :(
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Tommy
>>>>>>>>>
>>>>>>>>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> I'm not sure I'm following Tommy. You have a few different messages, the one mentioning your shiro.ini
>>>>>>>>>>
>>>>>>>>>> > when the shiro.ini is indeed in /WEB-INF/
>>>>>>>>>>
>>>>>>>>>> implies that you have fixed the original issue? But I'm guessing you are still running into issues?
>>>>>>>>>>
>>>>>>>>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> I've added some debug logging to troubleshoot the session cookie:
>>>>>>>>>>>
>>>>>>>>>>> https://imgur.com/a/vaTZrxP
>>>>>>>>>>>
>>>>>>>>>>> And this is Shiro's generated session ID:
>>>>>>>>>>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> According to this:
>>>>>>>>>>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>>>>>>>>>>
>>>>>>>>>>>> Should I see a cookie for Shiro's session based upon my minimalist configuration? I only see a cookie for the JSESSIONID.
>>>>>>>>>>>>
>>>>>>>>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I've also tried:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>>>>>>>>>>> SecurityManager securityManager = factory.getInstance();
>>>>>>>>>>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>>>>>>>>>>
>>>>>>>>>>>>> and received this:
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>>>>>>>>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>>>>>>>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>>>>>>
>>>>>>>>>>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the listener initialized successfully:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>>>>>>>>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Does it matter if configuring both listener and filter in web.xml or via a class implementing ServletContainerInitializer.onStartup()?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Tommy
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes. If I omit setting the SecurityManager in the code per the official guide/documentation, I get this exception:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>>>>>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>>>>>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I’m not sure how you are using this logic, but you should let Shiro do all of this for you (via the ShiroFilter).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brian
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>> > Hi Brian,
>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>> > Thanks for the prompt feedback. Here's the code I used to check for the session:
>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>> > The shiro.ini is very basic and minimal:
>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>> > [main]
>>>>>>>>>>>>>>> > [users]
>>>>>>>>>>>>>>> > [roles]
>>>>>>>>>>>>>>> > [urls]
>>>>>>>>>>>>>>> > /** = anon
>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>> > Most of the content (99%) in shiro.ini is comments and examples as notes for future implementation of authentication and authorization.
>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>> > --
>>>>>>>>>>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
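The thread circles around three things: getting a Subject session only after the ShiroFilter has bound the Subject to the request thread, configuring Shiro's own session cookie (httpOnly, secure, maxAge) when Shiro rather than Tomcat owns the session, and recognising the "new session ID on every reload" symptom. The servlet below is an added example written for this page; it is not code from the thread, from Tommy's repositories or from the Shiro project. It assumes Shiro 1.x on a javax.servlet container, a ShiroFilter mapped to `/*` that runs ahead of the servlet, and a `WEB-INF/shiro.ini` like the one in the comment block. The ini property names (`sessionIdCookie`, `globalSessionTimeout`) are DefaultWebSessionManager's properties as I know them, not the `cookie.*` names deduced in the thread; the package, class and attribute names are hypothetical.

```java
// Added example for this page, not from the thread or the Shiro project.
// Package, class and attribute names are hypothetical.
package com.example.shirodemo;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/*
 * Assumed WEB-INF/shiro.ini. DefaultWebSessionManager makes Shiro, not the
 * container, own the session; the sessionIdCookie properties harden the cookie
 * Shiro issues (the SessionCookieConfig in web.xml only governs Tomcat's own
 * JSESSIONID, which Shiro's native session does not use). The [urls] section
 * matches the thread's "/** = anon".
 *
 *   [main]
 *   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 *   sessionManager.globalSessionTimeout = 1800000
 *   sessionManager.sessionIdCookie.httpOnly = true
 *   sessionManager.sessionIdCookie.secure = true
 *   sessionManager.sessionIdCookie.maxAge = -1
 *   securityManager.sessionManager = $sessionManager
 *
 *   [urls]
 *   /** = anon
 *
 * The ShiroFilter (mapped to /*) must run before this servlet: it binds the
 * Subject to the request thread, which is what SecurityUtils.getSubject()
 * reads. Called from a filter that runs ahead of the ShiroFilter, getSubject()
 * throws the UnavailableSecurityManagerException quoted in the thread.
 */
@WebServlet("/basket")
public class BasketServlet extends HttpServlet {

    // Hypothetical attribute key for the per-session counter.
    private static final String VISITS = "basket.visits";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject subject = SecurityUtils.getSubject();

        // getSession(false) returns null instead of creating a session, so an
        // anonymous visitor only gets a session once the app needs state for them.
        Session session = subject.getSession(false);
        if (session == null) {
            session = subject.getSession(true);
        }

        // Tolerate a session created elsewhere that never set the attribute.
        Object previous = session.getAttribute(VISITS);
        int visits = (previous instanceof Integer ? (Integer) previous : 0) + 1;
        session.setAttribute(VISITS, visits);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("session id: " + session.getId());
        out.println("visits this session: " + visits);
        // Healthy: the id stays the same and the counter climbs across reloads.
        // The thread's symptom is a fresh id and visits == 1 on every reload,
        // which means the Set-Cookie from the previous response is not being
        // sent back: common causes are a cookie path/domain that does not match
        // the context, a Secure cookie on a plain-http test, or code that reads
        // the session before the ShiroFilter has run for that request.
    }
}
```

Deploy it in the same WAR as the ShiroFilter and load `/basket` twice in one browser: a stable id with an increasing counter confirms that Shiro's cookie round-trips, while a reset counter points at the cookie or filter-order issues discussed above rather than at the realm configuration.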
