>>>>> Brian Demers <[email protected]>:

> Hey Steinar!
> Rewriting and redirecting are different features.

> Seems like you were able to figure out how to disable rewriting,
> `sessionmanager.setSessionIdUrlRewritingEnabled(false)`
> Redirecting is dependent on which filter you are using, for example the
> `auth` filter will redirect to a login page (it sounds like this is what
> you are using?).  Maybe you want the `authBasic` filter instead?  (which
> uses BASIC auth, and it sounds like that is what your nginx module is
> expecting?)

Nope, if I wanted to use basic auth, I would have used the built-in
support of nginx.  :-)

I want to provide nginx with forms-and-cookie-based authentication so
that iOS devices can store the logins and the sessions.

To that purpose I was trying to use the nginx auth module to
authenticate against a shiro application running in karaf.

The nginx auth module needs a URL that can be used to check if a user is
logged in.  That URL must return 200 OK if the user is logged in, 401 if
not logged in and 403 if denied.

To allow access to the check URL the shiro.ini looks like this:

[main]
authc.loginUrl = /login

[users]

[urls]
/check = anon
/** = authc


(And this sort of worked until I started getting the good idea of
transferring the original URL to the check URL...)

> If i'm making the wrong assumptions here, let me know, and share your
> configuration.

Right.  With your hints above I was able to figure out what the problem
was.  It wasn't a jsession 302, but an attempt to redirect to the login
page. 

I was trying to pass the URL I wanted authenticated in a way that
the jersey resource backing /check could pick it up, i.e. like this:

        auth_request /authservice/check?originalUri=$scheme://$http_host$request_uri;

And that didn't work out well, because the request wasn't translated in
the way I wanted... here's a wireshark trace of the traffic on port
8181:

GET /authservice/check%3ForiginalUri=$scheme://$http_host$request_uri HTTP/1.0
Host: localhost:8181
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: nb-NO,nb;q=0.9,no;q=0.8,nn;q=0.7,en-US;q=0.6,en;q=0.5

HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=cd980e11-3067-4baf-8f53-db5f8386d58a; Path=/authservice; HttpOnly
Location: http://localhost:8181/authservice/login
Content-Length: 0
Server: Jetty(9.3.21.v20170918)


The problem is the path behind the GET: it's not something that will
match "/check" and parse as query parameters.  Not something that works
with shiro (shiro thinks it needs authentication and 302 redirects to
login), and not something that would work with jersey if auth was
successful (it won't match a jersey path and you would get a 404).

(I wanted to pass the URL to the check URL to try to do a bit of
authorization in addition to authentication... but it didn't look like
it was possible.  The auth module is purely authentication)

Thanks for your help! :-)
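As an added example (not configuration from this thread), here is the usual way to get the original URL to the check endpoint without a query string in the `auth_request` URI: a separate internal location proxies the subrequest and passes the details as headers. It assumes the Karaf/Jetty upstream at localhost:8181 seen in the trace, a Jersey resource behind /authservice/check that reads the `X-Original-URI` header (an assumed header name), and a protected application at localhost:8080.

```nginx
# Added example, not configuration from the thread. Header names and the
# protected application's port (8080) are assumptions.

location / {
    # nginx sends a subrequest to /_auth_check before serving this location.
    # 2xx from the subrequest allows the request, 401/403 deny it, and any
    # other status (such as Shiro's 302 to /login) is treated as an error.
    auth_request /_auth_check;

    # Turn a denied subrequest into the forms-login redirect, not a bare 401.
    error_page 401 = @login;

    proxy_pass http://localhost:8080/;   # the protected application (assumed)
}

location = /_auth_check {
    internal;   # reachable only as a subrequest, never directly by a client

    # The subrequest URI is fixed. A "?" written here is sent encoded as %3F,
    # which is exactly what broke the query-string variant in the trace above.
    proxy_pass http://localhost:8181/authservice/check;

    # The check endpoint only needs the cookies and the original request
    # details, so drop the body and carry the original URL in headers instead.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI    $request_uri;
    proxy_set_header X-Forwarded-Host  $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location /authservice/ {
    # Login page and form post go straight to the Shiro application; this
    # prefix is more specific than "/", so no auth_request runs here.
    proxy_pass http://localhost:8181/authservice/;
}

location @login {
    # Browser is sent to the Shiro login page; Shiro sets the JSESSIONID
    # cookie that later check subrequests carry along.
    return 302 /authservice/login;
}
```

With `/check = anon` in shiro.ini as above, the Jersey resource itself must inspect the Shiro subject and answer 200, 401 or 403; the header then lets it make a per-URL authorization decision too.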
