[
https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14622023#comment-14622023
]
Nagaraju Kurma commented on SHIRO-170:
--------------------------------------
Hi Devendra Mani,
I am thankful to you for spending your valuable time on this.
Still I am not clear about our custom filter configuration... I came with
my application code, which is as follows.
MyFormAuthenticationFilter.java

package net.enh.snc.auth.filter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

public class MyFormAuthenticationFilter extends FormAuthenticationFilter {

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response)
            throws Exception {
        // Redirect to the configured successUrl and stop the filter chain.
        issueSuccessRedirect(request, response);
        return false;
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // Both branches currently do the same thing: record the failure on the
        // request so the login view can show it, then let the chain continue.
        if (!(e instanceof org.apache.shiro.authc.UnknownAccountException)) {
            setFailureAttribute(request, e);
        } else {
            setFailureAttribute(request, e);
        }
        return true;
    }
}
in shiro configuration xml file

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="filters">
        <map>
            <entry key="auth_c">
                <bean class="net.enhancesys.snoc.auth.filter.MyFormAuthenticationFilter"/>
            </entry>
        </map>
    </property>
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/anon/refresh"/>
    <property name="successUrl" value="/main/dashboard/home?cat=dashboard"/>
    <property name="unauthorizedUrl" value="/common/accessDenied"/>
    <property name="filterChainDefinitions">
        <value>
            /anon/* = anon
            /anon/login/* = anon
            /*/*/logout = logout
            /*/logout = logout
            /** = auth_c
        </value>
    </property>
</bean>
Is the above one correct? Is that the way to configure filters in the
Shiro environment?
I thought, as we have default filters like
Filter Name         Class
anon                org.apache.shiro.web.filter.authc.AnonymousFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authc/AnonymousFilter.html>
authc               org.apache.shiro.web.filter.authc.FormAuthenticationFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authc/FormAuthenticationFilter.html>
authcBasic          org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.html>
logout              org.apache.shiro.web.filter.authc.LogoutFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authc/LogoutFilter.html>
noSessionCreation   org.apache.shiro.web.filter.session.NoSessionCreationFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/session/NoSessionCreationFilter.html>
perms               org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authz/PermissionsAuthorizationFilter.html>
port                org.apache.shiro.web.filter.authz.PortFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authz/PortFilter.html>
rest                org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authz/HttpMethodPermissionFilter.html>
roles               org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authz/RolesAuthorizationFilter.html>
ssl                 org.apache.shiro.web.filter.authz.SslFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authz/SslFilter.html>
user                org.apache.shiro.web.filter.authc.UserFilter
                    <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authc/UserFilter.html>
In the above way I replaced our custom filter with the default filter.
Anything wrong?
Could you please suggest where it might have gone wrong and the way forward...
On Fri, Jul 10, 2015 at 12:40 PM, Devendra Mani (JIRA) <[email protected]>
--
Thanks & Regards
Nagaraju Yadav
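The filter above only repeats what FormAuthenticationFilter already does on success. Since the issue this comment belongs to (SHIRO-170) is about Shiro keeping the same session id across authentication, the following is an added example, not code from the poster or from the Shiro project, of what a custom filter registered under the same `auth_c` key could do instead: on a successful login it copies the attributes of the pre-authentication session into a freshly started session and stops the old one, so an id that existed before login is not carried into the authenticated session. The class name `SessionRotatingFormAuthenticationFilter`, the package and the helper `rotateSession` are assumptions; the Shiro calls used (`Subject.getSession(boolean)`, `Session.getAttributeKeys()`, `Session.stop()`) are part of Shiro's public API.

```java
package net.enh.snc.auth.filter; // hypothetical package, mirrors the poster's

import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

/**
 * Added example (not part of the JIRA thread): a form login filter that
 * replaces the session used during login with a new one, so the id the
 * browser held before authentication is not reused afterwards.
 */
public class SessionRotatingFormAuthenticationFilter extends FormAuthenticationFilter {

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response)
            throws Exception {
        rotateSession(subject);
        // Same as the default behaviour: redirect to successUrl, stop the chain.
        issueSuccessRedirect(request, response);
        return false;
    }

    /**
     * Moves every attribute of the current session into a new session and
     * invalidates the old one. Shiro stores the logged-in principals and the
     * authenticated flag as session attributes, so copying all attributes
     * keeps the subject logged in under the new id.
     */
    static void rotateSession(Subject subject) {
        Session oldSession = subject.getSession(false);
        if (oldSession == null) {
            return; // no session existed before login, nothing to rotate
        }
        Map<Object, Object> attributes = new HashMap<Object, Object>();
        for (Object key : oldSession.getAttributeKeys()) {
            attributes.put(key, oldSession.getAttribute(key));
        }
        // Invalidate the pre-login session (its cookie is removed by the session manager).
        oldSession.stop();
        // Start a new session; the session manager issues a new id and cookie.
        Session newSession = subject.getSession(true);
        for (Map.Entry<Object, Object> entry : attributes.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}
```

Registering it is the same as for the poster's class: point the `auth_c` entry in the `filters` map at this class and keep `/** = auth_c` as the catch-all chain definition. A quick check after deploying is to compare the session cookie value sent with the login form against the one in the redirect response; they should differ.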
> Force New Session ID on Authentication
> --------------------------------------
>
> Key: SHIRO-170
> URL: https://issues.apache.org/jira/browse/SHIRO-170
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Configuration
> Affects Versions: 1.0.0, 1.1.0, 1.2.0
> Reporter: Jakob Külzer
> Priority: Minor
> Fix For: 1.3.0
>
>
> I am working on an application that has very high security standards. One of
> the issues raised after a full audit of the app is that it might be
> vulnerable to session fixation attacks. Shiro does not reset the Session ID
> after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro beneficial for all
> kinds of applications.
> OWASP has a good page on session fixation attacks:
> http://www.owasp.org/index.php/Session_fixation
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)