What does the request shiro receives look like?  Is the rewrite also
changing the request path? Does that affect the path filtering rules you
have set up?

On Sat, Jan 19, 2019 at 2:53 PM Steinar Bang <[email protected]> wrote:

> I'm working on a solution where a webapp[1] running in apache karaf
> provides forms based authentication for nginx.  The webapp uses Shiro to
> handle the login and login check.
>
> It now sort of works: authentication for the rest of the website works
> but authentication fails for the webapp itself.
>
> Is the path of the cookie(s) important for shiro authentication?
>
> What happens is as follows:
>  1. I open an nginx URL in a browser, e.g.
> http://lorenzo.hjemme.lan/testauth.html
>  2. The nginx auth module [2] makes a call to /authservice/check to
>     check the logged in state
>  3. The /authservice/check URL is reverse-proxied to
> http://localhost:8181/authservice/check
>  4. http://localhost:8181/authservice is a webapp with shiro, running in
>     apache karaf
>  5. The http://localhost:8181/authservice/check URL returns 401 (Needs
>     Authentication)
>  6. The 401 causes nginx to open
> http://lorenzo.hjemme.lan/authservice/login
>  7. http://lorenzo.hjemme.lan/authservice/login is reverse-proxied to
> http://localhost:8181/authservice/login
>  8. A successful login results in cookies with path=/authservice set on
>     the response and a 302 redirect to the original URL (
> http://lorenzo.hjemme.lan/testauth.html)
>  9. The reverse proxy config rewrites path=/authservice to path=/ on the
> cookies
> 10. The browser again tries to open
> http://lorenzo.hjemme.lan/testauth.html
>     this time with a shiro cookie with path=/
> 11. The nginx auth module makes a check call to /authservice/check with
>     the cookie, and the check URL returns 200
> 12. Nginx serves http://lorenzo.hjemme.lan/testauth.html Success! So
>     far, so good!
> 13. Then I try opening http://lorenzo.hjemme.lan/authservice and then
>     shiro auth fails and redirects to the login page (this all happens
>     inside the shiro webapp, nginx isn't involved)
> 15. The http://localhost:8181/authservice/check is set up with anon
>     access in shiro, so by itself isn't redirected by shiro, and this
>     code returns true:
>
> Is it the changed path of the cookie that causes the shiro failure?  What
> can I do to create a cookie that works both inside /authservice and
> outside?
>
> Thanks!
>
> References:
> [1] <https://github.com/steinarb/authservice>
> [2] <http://nginx.org/en/docs/http/ngx_http_auth_request_module.html>
>
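An nginx configuration that reproduces the flow described in the quoted message, added here as an illustration rather than taken from the poster's setup: the host name and the localhost:8181 backend come from the message, while the document root, the login redirect parameter name and the choice of directives are assumptions.

```nginx
# Added example reconstructing the described auth_request flow.
# lorenzo.hjemme.lan and localhost:8181 come from the message;
# everything else here is assumed.
server {
    listen 80;
    server_name lorenzo.hjemme.lan;
    root /var/www/html;   # assumed location of testauth.html

    # Every page under / triggers a subrequest to the Shiro check URL (step 2).
    location / {
        auth_request /authservice/check;
        # A 401 from the subrequest sends the browser to the login form (step 6).
        error_page 401 = @login;
    }

    # Subrequest target (step 3). "internal" keeps it reachable only from
    # auth_request, not from browsers; only the cookies are forwarded.
    location = /authservice/check {
        internal;
        proxy_pass http://localhost:8181/authservice/check;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Redirect to the login form, remembering the original URL (step 6/8).
    # The "redirect" query parameter name is an assumption.
    location @login {
        return 302 /authservice/login?redirect=$request_uri;
    }

    # The Shiro webapp itself, including /authservice/login (step 7).
    location /authservice/ {
        proxy_pass http://localhost:8181/authservice/;
        proxy_set_header Host $host;
        # Step 9: widen the Set-Cookie path from /authservice to / so the
        # browser also sends the session cookie when fetching /testauth.html.
        proxy_cookie_path /authservice /;
    }
}
```

The proxy_cookie_path line is the only place the cookie's scope changes; removing it leaves the cookie confined to /authservice exactly as the webapp issued it in step 8.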
