Responses inline:

On Wed, May 19, 2021 at 5:31 PM alina.frey <[email protected]> wrote:

> 1. Anything in your logs?
> If you are referring to Shiro logs, I don't know where they are recorded.
> If you are referring to logs captured by my application, I do not see any of
> the errors that would be thrown by the supporting code below.
>

Your application logs. Shiro uses slf4j (the de facto standard logging API), but where the logs go is up to your application.

> 2. What happens when the user isn't able to login? Are they redirected back
> to the login page?
> Yes. A relevant message is displayed in a pop up, and then the same login
> page is displayed.
>

What is the "relevant" message (that part sounds important)?

> 3. Is your browser rejecting the cookie? (or is it sent back to the server
> on the next request?)
> Where do I need to look to see this? Where do I see the requests that are
> being sent? In the Console or Network tabs of the browser's Developer Tools?
>

Personally I use the Network tab of my browser's developer console/tools. You should be able to see the `Set-Cookie` header in the response from your server, and the browser should set a `Cookie` header when making requests back to your server.

Your following code might actually be the problem. You _shouldn't_ need to do any of that; the `ShiroFilter` will do all of this for you. For example, this sample just adds a login page that will post the user/pass to the login.jsp:
https://github.com/apache/shiro/blob/shiro-root-1.7.1/samples/web/src/main/webapp/WEB-INF/shiro.ini#L59
(this is intercepted by the ShiroFilter)

That said, that isn't a one-size-fits-all solution, but in those cases you still need to make sure the `ShiroFilter` gets executed early enough in your request that the `Subject` is created before you execute your code.

For example this (in your code below) _shouldn't_ happen, as the subject would have been created automatically for you (even if it's an anonymous user):

```
Subject newUser = SecurityUtils.getSubject();
if (newUser != null) {
    logger.debug("SessionID prior to logging in: " + newUser.getSession().getId());
```

> Here is the supporting code for logging in with Shiro:
>
> public UserLoginBean tryLogin(String username, String password) throws Exception {
>     //check for null username or password
>     if(){//return null;}
>
>     // get the login bean based on the user id
>     UserLoginBean loginBean = getUserRecord(username);
>
>     // user does not exist
>     if(){//return null;}
>
>     // password must have been reset to plain text
>     else if (loginBean.getSalt() == null) {...}
>
>     // password is encrypted so verify user login
>     else {
>         try {
>             // get the currently executing user and create token
>             Subject newUser = SecurityUtils.getSubject();
>
>             if (newUser != null) {
>
>                 logger.debug("SessionID prior to logging in: " + newUser.getSession().getId());
>
>                 ...
>
>                 // The username and password authentication token. Set rememberMe to false
>                 UsernamePasswordToken token = new UsernamePasswordToken(username, password.toCharArray(), false);
>                 newUser.login(token);
>
>                 ...
>
>                 logger.debug("SessionID after logging in: " + newUser.getSession().getId());
>                 logger.debug("Is user authenticated? " + newUser.isAuthenticated());
>
>             }
>             ...
>
>             // successful login
>             logger.info("!!!!!!! Successful login !!!!!!! ");
>             return loginBean;
>
>         } catch (UnknownAccountException e) {
>             logger.error("LOGIN ERROR: No Such User Exists");
>             throw new InvalidLoginException();
>         } catch (IncorrectCredentialsException e) {
>             logger.error("LOGIN ERROR: Invalid Password");
>             throw new InvalidLoginException();
>         } catch (LockedAccountException e) {
>             logger.error("LOGIN ERROR: Locked Account");
>             throw new AccountLockedException();
>         } catch (AlreadyAuthenticatedException e) {
>             logger.error("LOGIN ERROR: User Already Logged In");
>             throw new AlreadyLoggedInException();
>         } catch (SessionNotAvailableException e) {
>             logger.error("LOGIN ERROR: Another user logged in using current browser");
>             throw new BrowserSessionTakenException();
>         } catch (Exception e) {
>             logger.error(e.getMessage());
>             logger.error("LOGIN ERROR: General Unspecific Login Failure");
>             return null;
>         }
>     }
> }
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>
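As an added example (not code from this thread and not part of the Shiro project), the following standalone Java program shows the point made above about ordering: `SecurityUtils.getSubject()` only works once a `SecurityManager` is bound, which in a web application is the `ShiroFilter`'s job, and after that the `Subject` always exists (anonymous until `login` succeeds) and the `UnknownAccountException` / `IncorrectCredentialsException` paths from the quoted `tryLogin` code can be observed directly. The `SimpleAccountRealm` and the `alice` / `correct-horse` account are constructed for the demo; `AlreadyAuthenticatedException`, `SessionNotAvailableException` and the `InvalidLoginException` family in the quoted code are application-specific and are not reproduced here.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.UnavailableSecurityManagerException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ShiroLoginOrderingDemo {

    // Constructed demo credentials; a real application gets these from its own realm/user store.
    private static final String DEMO_USER = "alice";
    private static final String DEMO_PASSWORD = "correct-horse";

    public static void main(String[] args) {
        // 1. Before any SecurityManager is bound, getSubject() cannot build a Subject.
        //    In a web app the ShiroFilter (via its EnvironmentLoader) is what binds it per
        //    request, so this is the situation when application code runs ahead of the filter.
        try {
            SecurityUtils.getSubject();
            System.out.println("Unexpected: a Subject was available before binding a SecurityManager");
        } catch (UnavailableSecurityManagerException e) {
            System.out.println("No SecurityManager bound yet: " + e.getMessage());
        }

        // 2. Bind a SecurityManager. This stands in for what the ShiroFilter does in a web app.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount(DEMO_USER, DEMO_PASSWORD);
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // 3. Now a Subject is always returned (never null), anonymous until login.
        Subject subject = SecurityUtils.getSubject();
        System.out.println("Session ID before login: " + subject.getSession().getId());
        System.out.println("Authenticated before login? " + subject.isAuthenticated());

        // 4. Each failure mode from the quoted tryLogin code, then the success path.
        System.out.println("Unknown user    -> " + tryLogin(subject, "nobody", DEMO_PASSWORD));
        System.out.println("Wrong password  -> " + tryLogin(subject, DEMO_USER, "wrong"));
        System.out.println("Good credentials-> " + tryLogin(subject, DEMO_USER, DEMO_PASSWORD));
        System.out.println("Session ID after login: " + subject.getSession().getId());
        System.out.println("Authenticated after login? " + subject.isAuthenticated());

        subject.logout();
    }

    /** Mirrors the structure of the quoted tryLogin: build a token, login, map Shiro exceptions. */
    static String tryLogin(Subject subject, String username, String password) {
        // rememberMe=false, as in the quoted code
        UsernamePasswordToken token = new UsernamePasswordToken(username, password.toCharArray(), false);
        try {
            subject.login(token);
            return "success (authenticated=" + subject.isAuthenticated() + ")";
        } catch (UnknownAccountException e) {
            return "no such user";
        } catch (IncorrectCredentialsException e) {
            return "invalid password";
        } catch (LockedAccountException e) {
            return "locked account";
        } catch (AuthenticationException e) {
            // Catch-all for any other Shiro authentication failure
            return "authentication failed: " + e.getMessage();
        } finally {
            // Clear the password characters from the token once it is no longer needed
            token.clear();
        }
    }
}
```

Run it with `shiro-core` (and an slf4j binding) on the classpath. The first call fails only because nothing has bound a `SecurityManager` yet; in a web application the same symptom appears when the `ShiroFilter` is mapped after, or not in front of, the servlet that calls `SecurityUtils.getSubject()`. When checking the browser side as suggested above, the response to the login request should carry a `Set-Cookie` header for the session cookie (typically `JSESSIONID`), and subsequent requests should echo it back in a `Cookie` header; if that cookie is missing or the browser drops it, the server sees a fresh anonymous `Subject` on every request.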
