Hey Steinar! Rewriting and redirecting are different features.
Seems like you were able to figure out how to disable rewriting, `sessionmanager.setSessionIdUrlRewritingEnabled(false)`

Redirecting is dependent on which filter you are using, for example the `auth` filter will redirect to a login page (it sounds like this is what you are using?).

Maybe you want the `authBasic` filter instead? (which uses BASIC auth, and it sounds like that is what your nginx module is expecting?)

If I'm making the wrong assumptions here, let me know, and share your configuration.

On Sun, Jan 13, 2019 at 1:47 PM Steinar Bang <[email protected]> wrote:

> Platform: debian 9.7 "stretch", amd64
>           openjdk8 8u181-b13-2~deb9u1
>           nginx-extras 1.10.3-1+deb9u2
>           karaf 4.1.7
>           shiro 1.3.1
>
> I'm trying to use a web whiteboard webapp based on shiro running in
> karaf as the authentication check mechanism for the nginx auth module:
>
>  https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
>  http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
>
> My setup is failing right now, because the check login URL returns 302
> with a redirect to a URL including jsessionid, and the nginx auth module
> only accepts the status codes 200 (for a successful authentication), 401
> or 403 from the auth stat checker. Receiving a 302 status code causes
> the auth module to return a 500 internal server error.
>
> I have tried to disable this redirect by setting sessionIdUrlRewritingEnabled
> to false, but the shiro filter still keeps returning 302 redirects:
>
>     @Activate
>     public void activate() {
>         WebIniSecurityManagerFactory securityManagerFactory = new WebIniSecurityManagerFactory(INI_FILE);
>         DefaultWebSecurityManager securityManager = (DefaultWebSecurityManager) securityManagerFactory.createInstance();
>         DefaultWebSessionManager sessionmanager = new DefaultWebSessionManager();
>         sessionmanager.setSessionDAO(session);
>         sessionmanager.setSessionIdUrlRewritingEnabled(false);
>         securityManager.setSessionManager(sessionmanager);
>         setSecurityManager(securityManager);
>         securityManager.setRealm(realm);
>
>         IniFilterChainResolverFactory filterChainResolverFactory = new IniFilterChainResolverFactory(INI_FILE, securityManagerFactory.getBeans());
>         FilterChainResolver resolver = filterChainResolverFactory.createInstance();
>         setFilterChainResolver(resolver);
>     }
>
> Is there a way to *completely* disable adding JSESSIONID to the URL?
>
> Thanks!
>
>
> - Steinar
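
Added example, not part of the original thread and not code from the Shiro project: since the redirect comes from the filter rather than from URL rewriting, one way to serve the nginx auth module is a Shiro filter that answers with a bare 401 or 403 instead of a login redirect. The package, class name, the `authreq` filter name, the `/check` path and the `admin` role are assumptions made for illustration.

```java
package example.shiro; // hypothetical package name

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Added example: answers an nginx auth_request subrequest with a bare status
 * code (401 or 403) and never redirects to a login page.
 * Assumed shiro.ini wiring (names and path are hypothetical):
 *   [main]
 *   authreq = example.shiro.AuthRequestStatusFilter
 *   [urls]
 *   /check = authreq[admin]
 */
public class AuthRequestStatusFilter extends AccessControlFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        Subject subject = getSubject(request, response);
        if (!subject.isAuthenticated()) {
            return false;
        }
        // mappedValue holds the bracketed config values, e.g. ["admin"], or null.
        String[] requiredRoles = (String[]) mappedValue;
        if (requiredRoles != null) {
            for (String role : requiredRoles) {
                if (!subject.hasRole(role)) {
                    return false;
                }
            }
        }
        return true; // chain continues; the target resource must answer 200
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
        // Not logged in -> 401, logged in but missing a required role -> 403.
        int status = getSubject(request, response).isAuthenticated()
                ? HttpServletResponse.SC_FORBIDDEN : HttpServletResponse.SC_UNAUTHORIZED;
        WebUtils.toHttp(response).setStatus(status);
        return false; // stop the filter chain: no redirect, no response body
    }
}
```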
