Re: Proposal: Release Shiro 2.0 Beta

2024-02-09 Thread Brian Demers
+1

On Thu, Feb 8, 2024 at 1:59 AM Francois Papon 
wrote:

> +1
> On 07/02/2024 01:55, le...@flowlogix.com wrote:
>
> Proposal: Release Shiro 2.x Beta
> Since docs are well on their way and there are no more showstoppers…
> What do you think?
>
>


Re: CVE-2023-46749: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

2024-01-19 Thread Brian Demers
We are looking into getting this corrected.  Thanks for letting us know!

On Fri, Jan 19, 2024 at 4:01 AM Marcel Stör  wrote:
>
> The description in the NVD is not correct. It says "Apache Shiro before
> 1.130" - note the missing dot. Furthermore, it's missing a "Known
> Affected Software Configurations" (listing CPEs) that formally declares
> that 1.13.0 is safe. Without it, no tool can reliably report that my
> project using 1.13.0 is fine.
>
> Does Apache have a chance to get this entry corrected?
>
> On 2024/01/12 16:21:39 Brian Demers wrote:
> > Severity: low
> >
> > Affected versions:
> >
> > - Apache Shiro before 1.13.0
> > - Apache Shiro 2.0.0-alpha-1 before 2.0.0-alpha-4
> >
> > Description:
> >
> > Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path 
> > traversal attack that results in an authentication bypass when used 
> > together with path rewriting
> >
> > Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure 
> > `blockSemicolon` is enabled (this is the default).
> >
> > References:
> >
> > https://shiro.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2023-46749
> >
> >
> --
> Marcel Stör, https://frightanic.com
> My PGP key: https://frightanic.com/pgp/
> Twitter: https://twitter.com/frightanic


CVE-2023-46749: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

2024-01-12 Thread Brian Demers
Severity: low

Affected versions:

- Apache Shiro before 1.13.0
- Apache Shiro 2.0.0-alpha-1 before 2.0.0-alpha-4

Description:

Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path 
traversal attack that results in an authentication bypass when used together 
with path rewriting 

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure 
`blockSemicolon` is enabled (this is the default).

References:

https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46749



CVE-2023-46750: Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.

2023-12-13 Thread Brian Demers
Severity: moderate

Affected versions:

- Apache Shiro before 1.13.0
- Apache Shiro 2.0.0-alpha-1 before 2.0.0-alpha-4

Description:

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" 
authentication is used in Apache Shiro.

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

Credit:

Claudio Villella (finder)

References:

https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46750



Re: [VOTE] Apache Shiro 1.13.0 release (#2)

2023-11-03 Thread Brian Demers
Great idea!

On Fri, Nov 3, 2023 at 4:17 PM Francois Papon 
wrote:

> Hi Brian,
>
> Very nice maven cmd to verify the staging release!
>
> I will add it into the release guide on ASF Confluence :)
>
> regards,
>
> François
>
> On 02/11/2023 18:49, Brian Demers wrote:
> > mvn install artifact:compare -Pdocs,apache-release -DskipITs -DskipTests -Dreference.repo='https://repository.apache.org/content/repositories/orgapacheshiro-1056/'
>


Re: [VOTE] Apache Shiro 1.13.0 release (#2)

2023-11-02 Thread Brian Demers
+1 (binding)

I checked the build for reproducibility (based on recommendations
from Hervé Boutemy at Community Over Code - ApacheCon).

Assuming I ran the command correctly, I checked the 1.13.0 tag and source
dist by running:

mvn install artifact:compare -Pdocs,apache-release -DskipITs -DskipTests -Dreference.repo='https://repository.apache.org/content/repositories/orgapacheshiro-1056/'

No errors!

On Tue, Oct 31, 2023 at 5:13 AM fpapon  wrote:

> Hi everyone,
>
> I submit Apache Shiro 1.13.0 release to your vote.
>
> Release Notes:
> https://github.com/apache/shiro/releases/tag/shiro-root-1.13.0
>
> Staging Maven repository:
> https://repository.apache.org/content/repositories/orgapacheshiro-1056
>
> Staging dist repository:
> https://dist.apache.org/repos/dist/dev/shiro/
>
> Please vote to approve this release:
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
>
> This vote will be open for at least 72 hours.
>
> --
> --
> François
>
>


CVE-2023-34478: Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normal

2023-07-24 Thread Brian Demers
Severity: important

Affected versions:

- Apache Shiro before 1.12.0
- Apache Shiro before 2.0.0-alpha-3

Description:

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path 
traversal attack that results in an authentication bypass when used together 
with APIs or other web frameworks that route requests based on non-normalized 
requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

Credit:

tkswifty (finder)
Ha1c9on (finder)

References:

https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk
https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-34478



Re: Apache Shiro Vulnerabilities

2023-07-20 Thread Brian Demers
For that version, users are expected to update to a newer minor version.

On Wed, Jul 19, 2023 at 4:43 PM Mihir Chhaya  wrote:

> Thank you for your response. Following is the link I am referring to for
> the Shiro Vulnerabilities associated with respective versions.
>
> https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
>
> For example - following are reported in version 1.9.
> CVE-2022-40664
> 
> CVE-2022-32532
> 
>
> Thank you,
> -Mihir.
>
> On Wed, Jul 19, 2023 at 1:59 PM  wrote:
>
>> Hi, Mihir,
>>
>> I am not quite sure what you are asking. Can you clarify what exact
>> vulnerabilities you are referring to?
>> Perhaps a link or two?
>>
>> Thank you
>>
>> On Jul 18, 2023, at 7:39 AM, Mihir Chhaya  wrote:
>>
>> Hello,
>>
>> I see the Authentication bypass vulnerability existing in almost every
>> release of Apache Shiro.
>>
>> Is there any solution for this? We are evaluating the options to
>> implement the security and are not able to decide if these vulnerabilities will
>> ever get resolved.
>>
>> Any suggestions?
>>
>> Thank you,
>> -Mihir.
>>
>>
>>


Re: [VOTE] Release Apache Shiro 1.12.0

2023-07-11 Thread Brian Demers
+1 (binding)

On Tue, Jul 11, 2023 at 9:57 AM fpapon  wrote:

> This is a call to vote in favor of releasing Apache Shiro version 1.12.0.
>
> We solved 1 Issue:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950=12353403
>
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1051
>
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/1.12.0/
>
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
>
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for 72 hours.
>
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
>
> --
> --
> François
>
>


Re: [VOTE] Set minimal JDK11 for Shiro 2.x

2023-01-20 Thread Brian Demers
+1

On Fri, Jan 20, 2023 at 5:25 AM fpapon  wrote:

> Hi,
>
> After several discussions on the mailing list, I would like to start a vote to
> set the minimal version of the JDK to version 11 starting with Shiro 2.x.
>
> Vote open for 72 hours:
>
> [ ] +1 (set JDK11 min version for Shiro 2.x)
> [ ] +0
> [ ] -1 (please include reasoning)
>
> regards,
>
> --
> --
> François
>
>


Re: How to manage Role base access using Keycloak

2023-01-18 Thread Brian Demers
You may want to ask in one of the Jena lists. But from a quick read of the
docs, it looks like you could provide a custom implementation of a Realm
similar to the example I provided.

I haven't used Jena, and I don't know how these systems are used, so I
don't want to suggest something if they have a better solution.

If you ask on another list, please keep us posted with what you have found!
-Brian

On Wed, Jan 18, 2023 at 4:28 AM Jonathan MERCIER
 wrote:

> Thanks a lot Brian for your insight,
>
> Can you describe your use case a bit more? I'm not 100% sure what you mean
> by "Shiro embedded into Jena into Keycloak"
>
> Yes, to my understanding Shiro is shipped with Jena and can be configured
> through a config file, as described here:
> -> https://jena.apache.org/documentation/fuseki2/fuseki-security.html
> It says to take a look at Shiro for a sophisticated setup.
> And as you said, I would like to use the bearer token provided by
> Keycloak.
>
> If you just need to validate a JWT passed as a bearer token (i.e. an
> `Authorization` header with the `Bearer` prefix), you can do that.
> Here is an example I created for Okta (you would have to replace the JWT
> parsing logic to fit your own use case)
>
> https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/core/src/main/java/com/okta/shiro/realm/OktaResourceServerRealm.java
>
> https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/examples/jaxrs/src/main/resources/shiro.ini
>
>
> So in this case I have to modify the Fuseki source code in order to be
> configurable through the config file, don't I?
>
> Thanks a lot
> I wish you a good day
>


Re: How to manage Role base access using Keycloak

2023-01-17 Thread Brian Demers
Can you describe your use case a bit more? I'm not 100% sure what you mean
by "Shiro embedded into Jena into Keycloak"

If you just need to validate a JWT passed as a bearer token (i.e. an
`Authorization` header with the `Bearer` prefix), you can do that.
Here is an example I created for Okta (you would have to replace the JWT
parsing logic to fit your own use case)
https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/core/src/main/java/com/okta/shiro/realm/OktaResourceServerRealm.java
https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/examples/jaxrs/src/main/resources/shiro.ini


On Tue, Jan 17, 2023 at 11:46 AM Jonathan MERCIER
 wrote:

> Dear community,
>
> We plan to use Keycloak as the IAM service for all our applications, and one of
> the tools we use (Apache Jena) manages authorization with Apache Shiro.
> So I would like to know if one of the options below is possible:
> 1. Register the Apache Shiro embedded into Jena with Keycloak, in order to
> forward authorization through a JWT containing encrypted roles
> 2. Detach Jena/Shiro, in order to get one server for Apache Shiro (as IAM
> service instead of Keycloak) and another server for Jena,
> and all our internal applications would use Apache Shiro to validate a
> user's identity/authorization
>
> I would prefer the first one as it implies less development
>
> Thanks for your help and your insight
>
> Best regards
>
>
>
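As an added example (not Brian's Okta plugin code and not part of Shiro or Jena), here is a minimal Shiro realm that validates a bearer JWT and maps the Keycloak `realm_access.roles` claim to Shiro roles. It assumes JJWT 0.11 on the classpath and, for brevity, an HMAC secret; Keycloak signs tokens with RS256 by default, so a real deployment would pass the realm's RSA public key to `setSigningKey` instead. Class, package and property names are hypothetical.

```java
// Added example: a Shiro realm for Keycloak-issued bearer JWTs (hypothetical class,
// not Shiro or Jena project code). Requires shiro-core 1.5+ (BearerToken) and
// JJWT 0.11 (io.jsonwebtoken). Uses an HMAC secret for brevity; Keycloak signs
// tokens with RS256 by default, so pass its RSA PublicKey to setSigningKey instead.
package com.example.shiro;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class JwtBearerRealm extends AuthorizingRealm {

    private Key signingKey;   // key used to verify the token signature
    private String issuer;    // expected "iss" claim, e.g. the Keycloak realm URL

    public JwtBearerRealm() {
        // The signature check in doGetAuthenticationInfo is the credential check;
        // there is no password to compare afterwards.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    // Bean-style setters so the realm can be configured from shiro.ini
    public void setSigningKey(Key signingKey) { this.signingKey = signingKey; }

    // HMAC variant; JJWT rejects secrets shorter than 32 bytes for HS256
    public void setHmacSecret(String secret) {
        this.signingKey = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    public void setIssuer(String issuer) { this.issuer = issuer; }

    @Override
    public boolean supports(AuthenticationToken token) {
        // Only handle tokens produced by Shiro's authcBearer filter
        return token instanceof BearerToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String jwt = ((BearerToken) token).getToken();
        Claims claims;
        try {
            // parseClaimsJws verifies the signature and rejects expired tokens;
            // requireIssuer rejects tokens minted by any other issuer.
            claims = Jwts.parserBuilder()
                    .setSigningKey(signingKey)
                    .requireIssuer(issuer)
                    .build()
                    .parseClaimsJws(jwt)
                    .getBody();
        } catch (JwtException e) {
            throw new AuthenticationException("Bearer token rejected: " + e.getMessage(), e);
        }
        // Keep the verified claims as the principal so authorization can read them
        return new SimpleAuthenticationInfo(claims, jwt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Claims claims = principals.oneByType(Claims.class);
        Set<String> roles = new HashSet<>();
        // Keycloak places realm roles under realm_access.roles
        Object realmAccess = claims == null ? null : claims.get("realm_access");
        if (realmAccess instanceof Map) {
            Object list = ((Map<?, ?>) realmAccess).get("roles");
            if (list instanceof Collection) {
                for (Object role : (Collection<?>) list) {
                    roles.add(String.valueOf(role));
                }
            }
        }
        return new SimpleAuthorizationInfo(roles);
    }
}

// Matching shiro.ini (hypothetical values; replace the placeholder secret):
//
// [main]
// jwtRealm = com.example.shiro.JwtBearerRealm
// jwtRealm.issuer = https://keycloak.example.org/realms/demo
// jwtRealm.hmacSecret = <PLACEHOLDER-SECRET-OF-AT-LEAST-32-BYTES>
// securityManager.realms = $jwtRealm
//
// [urls]
// /api/** = noSessionCreation, authcBearer, roles[admin]
```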


[ANNOUNCE][CVE-2023-22602] Apache Shiro 1.11.0 released

2023-01-13 Thread Brian Demers
The Apache Shiro team is pleased to announce the release of Apache Shiro
version 1.11.0.
This is a feature release for 1.x.

This release solves 3 issues since the 1.11.0 release and is available for
download now[1].

This release includes classifiers for the Jakarta namespace.

CVE-2023-22602

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a
specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using
different pattern-matching techniques. Both Shiro and Spring Boot < 2.6
default to Ant style pattern matching.


Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot
configuration value:

spring.mvc.pathmatch.matching-strategy = ant_path_matcher


Credit:
Apache Shiro would like to thank v3ged0ge and Adamytd for reporting this
issue.


Bugs

* [SHIRO-903] - Shiro must use ant pattern matching with Spring
* [SHIRO-899] - Jakarta 9+ fails with Shiro native sessions

Improvements

* [SHIRO-889] - Provide Jakarta jar modules

Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [2].

-The Apache Shiro Team

[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html


CVE-2023-22602: Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request

2023-01-13 Thread Brian Demers
Description:

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a 
specially crafted HTTP request may cause an authentication bypass.

The authentication bypass occurs when Shiro and Spring Boot are using different 
pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant 
style pattern matching.

Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot 
configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`

Credit:

v3ged0ge and Adamytd (finder)

References:

https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-22602



Re: using DefaultLdapRealm with UTF-8

2022-10-25 Thread Brian Demers
Was the problem the charset?

On Tue, Oct 25, 2022 at 2:35 PM David Bonnafous  wrote:
>
> searching more deeply... reading the web and the doc...
> I found a solution in the Tomcat doc.
> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Add_Default_Character_Set_Filter
>
> Thank you.
> --
> David Bonnafous
> Toulouse, France


Re: using DefaultLdapRealm with UTF-8

2022-10-25 Thread Brian Demers
I'll take a guess, but to be sure, you would probably need to set a
breakpoint in the DefaultLdapRealm class.

The default character encoding defined in the servlet spec is
ISO-8859-1, so any password form you have may need to explicitly set the
character set:
https://stackoverflow.com/questions/708915/detecting-the-character-encoding-of-an-http-post-request

Keep us posted!
-Brian

On Tue, Oct 25, 2022 at 12:26 PM David Bonnafous  wrote:
>
> hi,
>
> I can't figure out how to configure (use) Apache Shiro to handle passwords
> containing UTF-8 characters (for example ®, £, ...).
>
> Use case: I change the LDAP password to one containing UTF-8 characters (using
> DirectoryStudio or ldappasswd); then I can bind using ldapsearch but I can't
> authenticate using my app with Shiro. But it works with an ASCII password!
>
> Thank you.
>
> --
> David Bonnafous
> Toulouse, France
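An added example (not from this thread and not Shiro project code) of the explicit character-set handling Brian suggests: a servlet filter that forces UTF-8 decoding of the request body before anything, including Shiro's FormAuthenticationFilter, reads the password parameter, plus a small helper that shows what the ISO-8859-1 default does to a UTF-8 password. The class name and web.xml fragment are hypothetical.

```java
// Added example (not from the thread): force UTF-8 decoding of form bodies before
// Shiro's FormAuthenticationFilter reads the "password" parameter. Map this filter
// ahead of ShiroFilter in web.xml; the class name is hypothetical.
package com.example.web;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public class Utf8RequestFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // getCharacterEncoding() is null when the client sent no charset in Content-Type;
        // without this call the container falls back to the servlet default, ISO-8859-1.
        // It only takes effect if set before the first getParameter() on this request.
        if (request.getCharacterEncoding() == null) {
            request.setCharacterEncoding(StandardCharsets.UTF_8.name());
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }

    // Shows the mismatch: the UTF-8 bytes the browser sends, decoded with the servlet
    // default. For "pa®£" this returns "paÂ®Â£", which will never match the LDAP bind
    // credential even though the user typed the right password.
    public static String decodedWithServletDefault(String passwordAsTyped) {
        byte[] onTheWire = passwordAsTyped.getBytes(StandardCharsets.UTF_8);
        return new String(onTheWire, StandardCharsets.ISO_8859_1);
    }
}

// web.xml fragment (hypothetical): this filter-mapping must precede ShiroFilter's
// so the encoding is fixed before Shiro reads the form parameters.
//
// <filter>
//   <filter-name>utf8</filter-name>
//   <filter-class>com.example.web.Utf8RequestFilter</filter-class>
// </filter>
// <filter-mapping>
//   <filter-name>utf8</filter-name>
//   <url-pattern>/*</url-pattern>
// </filter-mapping>
```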


Re: Jakarta JARs

2022-10-12 Thread Brian Demers
It was pushed out, it needs a little more work.

If you are interested in helping test it out, jump over to the dev list!
https://shiro.apache.org/mailing-lists.html

On Wed, Oct 12, 2022 at 12:31 PM Julian Fernandez 
wrote:

> Hi all,
>
> I wanted to confirm whether the Jakarta-packaged Shiro artifacts will be
> available with the release of Shiro 1.10.0 as suggested here:
> https://shiro.apache.org/blog/2022/06/30/jakarta-work.html
>
> Have the new artifacts been pushed to 1.11.0 as SHIRO-889's fix version
> seems to indicate?
>
> Thank you,
> Julian


[ANNOUNCE][CVE-2022-40664] Apache Shiro 1.10.0 released

2022-10-11 Thread Brian Demers
The Shiro team is pleased to announce the release of Apache Shiro version 1.10.0.

This security release contains 7 fixes since the 1.9.1 release and is
available for Download now [1].

CVE-2022-40664:

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro
when forwarding or including via RequestDispatcher.


Credit:
Apache Shiro would like to thank Y4tacker for reporting this issue.


Bug

* [SHIRO-512] - Race condition in Shiro's web container session timeout
handling
* [SHIRO-887] - FormAuthenticationFilter trims passwords which start and/or
end with one or more space character(s)

Improvement

* [SHIRO-891] - fix source jar Reproducible Builds issue
* [SHIRO-884] - fix source jar Reproducible Builds issue
* [SHIRO-885] - Use OWASP Java Encoder with OSGi manifest
* [SHIRO-890] - Avoid another proxy creator when @EnableAspectJAutoProxy
enabled
* [SHIRO-891] - Allow for direct configuration of ShiroFilter through
WebEnvironment

Behavior Changes

As of 1.10.0, Shiro may filter a request multiple times, e.g. when
including or forwarding requests.
This behavior can be reverted by setting the following property:
`shiro.filterOncePerRequest=true`


Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [2].

-The Apache Shiro Team

[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html


[ANNOUNCE][CVE-2022-32532] Apache Shiro 1.9.1 released

2022-06-28 Thread Brian Demers
The Shiro team is pleased to announce the release of Apache Shiro version
1.9.1.

This security release contains 6 fixes since the 1.9.0 release and is
available for Download now [1].

Improvement
* [SHIRO-871] - ActiveDirectoryRealm - append suffix only if missing
from username
* [SHIRO-872] - fix Reproducible Builds issues
* [SHIRO-883] - Add support for case insensitive regex path matching

Dependency upgrade
* [SHIRO-878] - Update Spring Dependencies to 5.2.20
* [SHIRO-882] - Upgrade to apache pom parent 26
* [SHIRO-881] - pom.xml in samples/web may lack dependency

CVE-2022-32532:

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be
bypassed on some servlet containers. Applications using RegExPatternMatcher
with `.` in the regular expression are possibly vulnerable to an
authorization bypass.


Credit:
Apache Shiro would like to thank 4ra1n for reporting this issue.


Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [2].

-The Apache Shiro Team

[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html


Re: Shiro 2.0 and jakarta servlet

2022-06-23 Thread Brian Demers
Thanks for reaching out Alex!

There was another thread recently on the topic:
https://lists.apache.org/thread/bfx1df1ykf1r91xr33h836dpyg83fq15
If you are interested in helping out with the effort let us know!

-Brian


On Wed, Jun 22, 2022 at 5:32 AM Alex Orlov  wrote:

> Hello.
>
> Could anyone say if there are plans to move to jakarta servlet API? I mean:
>
> import jakarta.servlet.ServletRequest;
> instead of
> import javax.servlet.ServletRequest
>
> I found this issue https://issues.apache.org/jira/browse/SHIRO-750 but it
> seems they say only
> about rest services.
>
> --
> Best regards, Alex Orlov
>


Re: Active Directory: Can authorise and authenticate with E-Mail, but only authorise per User ID

2022-03-18 Thread Brian Demers
Sorry for the delay Andreas!

This is a great idea, I've created an issue:
https://issues.apache.org/jira/browse/SHIRO-871
and made a quick pass at a PR based on your patch:
https://github.com/apache/shiro/pull/350

Thanks Again!

On Sun, Mar 6, 2022 at 7:55 PM Andreas Reichel <
andr...@manticore-projects.com> wrote:

> Compliments of the day,
>
> after looking up the code, I figured it out. One has to set:
>
> realm.principalSuffix = @email.com
>
>
> However, there is a caveat: The principalSuffix is ALWAYS appended, even
> when the userPrincipalName ends with it already. Thus either "John.Doe" or
> "john@email.com" would work, but not both correct logons.
>
> The attached patch fixes this and allows both "John.Doe" and also
> "john@email.com" to authorise against groups.
>
> Best regards
>
> Andreas
>


Re: [VOTE] Release Apache Shiro 1.9.0 - Take #3

2022-03-18 Thread Brian Demers
+1 (binding)

Thanks Francois!!

On Thu, Mar 17, 2022 at 12:17 PM Jean-Baptiste Onofré 
wrote:

> +1 (binding)
>
> Thanks,
> Regards
> JB
>
> On Wed, Mar 16, 2022 at 1:55 PM Francois Papon <
> francois.pa...@openobject.fr>
> wrote:
>
> > This is a call to vote in favor of releasing Apache Shiro version 1.9.0.
> >
> > We solved 20 issues for 1.9.0:
> >
> >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950=12350639
> >
> >
> > Bug
> >
> >  [SHIRO-829] - beanPostProcessor and FactoryBean cause aop to fail
> > in the same Configuration
> >  [SHIRO-845] - Dependencies for test-jars missing
> >
> > Improvement
> >
> >  [SHIRO-804] - Avoid conflicts with spring boot aop
> >  [SHIRO-836] - Delete jsecurty-sample.jks
> >  [SHIRO-838] - Create SHA512-Hashes
> >  [SHIRO-846] - Creation of site takes very long time
> >  [SHIRO-848] - Relative Path in pom.xml is not needed
> >  [SHIRO-850] - The profile name jdk19-plus is misleading
> >  [SHIRO-851] - Handling properties for compile/enconding vs. default
> > configurations of plugins
> >  [SHIRO-852] - Configuration for maven-release-plugin prepationGoal
> > should be changed
> >  [SHIRO-853] - Versions of maven-surefire/failsafe/report plugin are
> > not in sync
> >  [SHIRO-854] - Konfiguration includes/excludes maven-failsafe-plugin
> > can be reduced to default
> >  [SHIRO-860] - update logback to 1.2.10
> >  [SHIRO-862] - Replace Google Analytics with Matomo for new Javadocs
> >
> > Task
> >
> >  [SHIRO-841] - NullPointerException from
> > SessionsSecurityManager.start()
> >  [SHIRO-867] - Skip Deployment of integration-test and samples
> > artifacts
> >
> > Dependency upgrade
> >
> >  [SHIRO-828] - aspectj-maven-plugin 1.14.0
> >  [SHIRO-842] - shiro-web depends on older log4j
> >  [SHIRO-843] - Update maven-project-info-reports
> >  [SHIRO-844] - Update maven-javadoc-plugin to 3.3.1
> >
> > Staging repo:
> > https://repository.apache.org/content/repositories/orgapacheshiro-1040
> >
> >
> >
> https://repository.apache.org/content/repositories/orgapacheshiro-1040/org/apache/shiro/shiro-root/1.9.0/shiro-root-1.9.0-source-release.zip
> >
> >
> > Source release checksum(s):
> > shiro-root-1.9.0-source-release.zip sha512:
> >
> >
> 4f1eaeac2b88203d053bf9edb575bbf130335f755a6388c26f85d6bbd050971186308b65a873f91cf23e5484d0cfd1c1090cd61152fcab0467d2c5e5495c2d55
> >
> > Project website (just for informational purposes, not to be voted upon):
> > http://shiro.apache.org/
> >
> > Guide to testing staged releases:
> > http://maven.apache.org/guides/development/guide-testing-releases.html
> >
> > Vote open for 72 hours. Please examine the source and binaries before
> > voting.
> >
> > [ ] +1
> > [ ] +0
> > [ ] -1 (please include reasoning)
> >
>


Re: [VOTE] Release Apache Shiro 1.9.0 - Take #2

2022-03-11 Thread Brian Demers
Definitely not your fault! And thank you for managing the release!

-Brian

> On Mar 11, 2022, at 3:48 AM, Francois Papon  
> wrote:
> 
> 
> Good catch, my bad :(
> 
> No problem to cancel the release and update the notice and release notes.
> 
> If we all agree with that, I can cancel the vote and restart it next week?
> 
> regards,
> 
> On 11/03/2022 05:31, Brian Demers wrote:
>> Good catch on the notice and the release notes!
>> 
>> I think we should respin the release because of this, these files are 
>> included in the source-zip (even though the last release missed them).
>> Sorry Francois, I know you have already done this twice, I can volunteer to 
>> help next week when I'm back at my desk.
>> 
>> 
>> On Thu, Mar 10, 2022 at 1:57 AM Colm O hEigeartaigh  
>> wrote:
>>> +1. However the NOTICE year was out of date, and the release notes
>>> don't appear to have been updated in a while. I pushed a fix for the
>>> NOTICE year.
>>> 
>>> Colm.
>>> 
>>> On Wed, Mar 9, 2022 at 10:04 AM Jean-Baptiste Onofré  
>>> wrote:
>>> >
>>> > Thanks. If the most important thing is to have dist updated at the end of
>>> > the day, I think it's interesting to give a chance to review the source
>>> > artifact on a staging dist (dev), just to double check what we officially
>>> > publish ;)
>>> >
>>> > Anyway, here's my +1 (binding)
>>> >
>>> > Thanks again !
>>> >
>>> > Regards
>>> > JB
>>> >
>>> > On Wed, Mar 9, 2022 at 9:40 AM Francois Papon 
>>> > 
>>> > wrote:
>>> >
>>> > > Hi,
>>> > >
>>> > > The sources have been pushed to dist dev:
>>> > >
>>> > > https://dist.apache.org/repos/dist/dev/shiro/1.9.0/
>>> > >
>>> > > I will update the release process wiki page.
>>> > >
>>> > > regards,
>>> > >
>>> > > François
>>> > >
>>> > > On 09/03/2022 09:16, Francois Papon wrote:
>>> > > > Hi JB,
>>> > > >
>>> > > > We never pushed sources to the dev dist and it may be a missing step
>>> > > > in the process:
>>> > > >
>>> > > > https://cwiki.apache.org/confluence/display/SHIRO/Performing+a+Release
>>> > > >
>>> > > > We only push to the dist prod but we can add a step to push on dev.
>>> > > >
>>> > > > regards,
>>> > > >
>>> > > > On 09/03/2022 05:47, Jean-Baptiste Onofré wrote:
>>> > > >> I checked and I don’t see the staged artifact on
>>> > > >> dist.apache.org/dist/dev/shiro.
>>> > > >>
>>> > > >> As a reminder it’s required to have the source artifact on dist.apache.org.
>>> > > >>
>>> > > >> It’s the same as maven repository but dist is mandatory from Apache
>>> > > >> standpoint (common to any project even the ones not using maven).
>>> > > >>
>>> > > >> Can you please upload source artifact to dist ?
>>> > > >>
>>> > > >> Thanks
>>> > > >> Regards
>>> > > >> JB
>>> > > >>
>>> > > >> Le mar. 8 mars 2022 à 22:47, Francois Papon
>>> > > >> 
>>> > > >> a écrit :
>>> > > >>
>>> > > >>> This is a call to vote in favor of releasing Apache Shiro version
>>> > > >>> 1.9.0.
>>> > > >>>
>>> > > >>> We solved 20 issues for 1.9.0:
>>> > > >>>
>>> > > >>>
>>> > > >>>
>>> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950=12350639
>>> > > >>>
>>> > > >>>
>>> > > >>>
>>> > > >>> Bug
>>> > > >>>
>>> > > >>>   [SHIRO-829] - beanPostProcessor and FactoryBean cause aop to 
>>> > > >>> fail
>>> > > >>> in the same Configuration
>>> > > >>>   [SHIRO-845] - Dependencies for test-jars missing
>>> > > >>>
>>> > > >>> Improvement

Re: [VOTE] Release Apache Shiro 1.9.0 - Take #2

2022-03-10 Thread Brian Demers
Good catch on the notice and the release notes!

I think we should respin the release because of this, these files are
included in the source-zip (even though the last release missed them).
Sorry Francois, I know you have already done this twice, I can volunteer to
help next week when I'm back at my desk.


On Thu, Mar 10, 2022 at 1:57 AM Colm O hEigeartaigh 
wrote:

> +1. However the NOTICE year was out of date, and the release notes
> don't appear to have been updated in a while. I pushed a fix for the
> NOTICE year.
>
> Colm.
>
> On Wed, Mar 9, 2022 at 10:04 AM Jean-Baptiste Onofré 
> wrote:
> >
> > Thanks. If the most important thing is to have dist updated at the end of
> > the day, I think it's interesting to give a chance to review the source
> > artifact on a staging dist (dev), just to double check what we officially
> > publish ;)
> >
> > Anyway, here's my +1 (binding)
> >
> > Thanks again !
> >
> > Regards
> > JB
> >
> > On Wed, Mar 9, 2022 at 9:40 AM Francois Papon <
> francois.pa...@openobject.fr>
> > wrote:
> >
> > > Hi,
> > >
> > > The sources have been pushed to dist dev:
> > >
> > > https://dist.apache.org/repos/dist/dev/shiro/1.9.0/
> > >
> > > I will update the release process wiki page.
> > >
> > > regards,
> > >
> > > François
> > >
> > > On 09/03/2022 09:16, Francois Papon wrote:
> > > > Hi JB,
> > > >
> > > > We never pushed sources to the dev dist and it may be a missing step
> > > > in the process:
> > > >
> > > >
> https://cwiki.apache.org/confluence/display/SHIRO/Performing+a+Release
> > > >
> > > > We only push to the dist prod but we can add a step to push on dev.
> > > >
> > > > regards,
> > > >
> > > > On 09/03/2022 05:47, Jean-Baptiste Onofré wrote:
> > > >> I checked and I don’t see the staged artifact on
> > > >> dist.apache.org/dist/dev/shiro.
> > > >>
> > > >> As a reminder it’s required to have the source artifact on
> dist.apache.org.
> > > >>
> > > >> It’s the same as maven repository but dist is mandatory from Apache
> > > >> standpoint (common to any project even the ones not using maven).
> > > >>
> > > >> Can you please upload source artifact to dist ?
> > > >>
> > > >> Thanks
> > > >> Regards
> > > >> JB
> > > >>
> > > >> Le mar. 8 mars 2022 à 22:47, Francois Papon
> > > >> 
> > > >> a écrit :
> > > >>
> > > >>> This is a call to vote in favor of releasing Apache Shiro version
> > > >>> 1.9.0.
> > > >>>
> > > >>> We solved 20 issues for 1.9.0:
> > > >>>
> > > >>>
> > > >>>
> > >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950=12350639
> > > >>>
> > > >>>
> > > >>>
> > > >>> Bug
> > > >>>
> > > >>>   [SHIRO-829] - beanPostProcessor and FactoryBean cause aop to
> fail
> > > >>> in the same Configuration
> > > >>>   [SHIRO-845] - Dependencies for test-jars missing
> > > >>>
> > > >>> Improvement
> > > >>>
> > > >>>   [SHIRO-804] - Avoid conflicts with spring boot aop
> > > >>>   [SHIRO-836] - Delete jsecurty-sample.jks
> > > >>>   [SHIRO-838] - Create SHA512-Hashes
> > > >>>   [SHIRO-846] - Creation of site takes very long time
> > > >>>   [SHIRO-848] - Relative Path in pom.xml is not needed
> > > >>>   [SHIRO-850] - The profile name jdk19-plus is misleading
> > > >>>   [SHIRO-851] - Handling properties for compile/enconding vs.
> > > >>> default
> > > >>> configurations of plugins
> > > >>>   [SHIRO-852] - Configuration for maven-release-plugin
> > > >>> prepationGoal
> > > >>> should be changed
> > > >>>   [SHIRO-853] - Versions of maven-surefire/failsafe/report
> > > >>> plugin are
> > > >>> not in sync
> > > >>>   [SHIRO-854] - Konfiguration includes/excludes
> > > >>> maven-failsafe-plugin
> > > >>> can be reduced to default
> > > >>>   [SHIRO-860] - update logback to 1.2.10
> > > >>>   [SHIRO-862] - Replace Google Analytics with Matomo for new
> > > >>> Javadocs
> > > >>>
> > > >>> Task
> > > >>>
> > > >>>   [SHIRO-841] - NullPointerException from
> > > >>> SessionsSecurityManager.start()
> > > >>>   [SHIRO-867] - Skip Deployment of integration-test and samples
> > > >>> artifacts
> > > >>>
> > > >>> Dependency upgrade
> > > >>>
> > > >>>   [SHIRO-828] - aspectj-maven-plugin 1.14.0
> > > >>>   [SHIRO-842] - shiro-web depends on older log4j
> > > >>>   [SHIRO-843] - Update maven-project-info-reports
> > > >>>   [SHIRO-844] - Update maven-javadoc-plugin to 3.3.1
> > > >>>
> > > >>> Staging repo:
> > > >>>
> https://repository.apache.org/content/repositories/orgapacheshiro-1039
> > > >>>
> > > >>>
> > > >>>
> > >
> https://repository.apache.org/content/repositories/orgapacheshiro-1039/org/apache/shiro/shiro-root/1.9.0/shiro-root-1.9.0-source-release.zip
> > > >>>
> > > >>> <
> > > >>>
> > >
> https://repository.apache.org/content/repositories/orgapacheshiro-1039/org/apache/shiro/shiro-root/1.9.0/shiro-root-1.9.0-source-release.zip
> > > >>>
> > > >>> Source release checksum(s):
> > > >>> shiro-root-1.9.0-source-release.zip sha512:
> > > >>>
> > > >>>
> > >
> 

Re: Best place to debug Shiro Authentication in JAX-RS CXF Application

2022-01-25 Thread Brian Demers
Hi!

Shiro's JAX-RS support requires the use of a servlet stack (or an
equivalent filter in your application).
This can be auto-configured if your container supports it:
https://github.com/apache/shiro/blob/1.8.x/samples/jaxrs/pom.xml#L69-L72

Otherwise you can configure a web.xml, similar to this:
https://github.com/apache/shiro/blob/1.8.x/support/servlet-plugin/src/main/resources/META-INF/web-fragment.xml



On Mon, Jan 24, 2022 at 10:58 PM lewis john mcgibbney 
wrote:

> Hi user@,
> I'm trying to implement LDAP authentication in the Apache Nutch webserver
> [0]. When I remotely debug a running server I can see the LDAP realm and
> associated configuration being loaded by the Shiro SecurityManager.
> shiro.ini looks something like this
>
> [main]
> ldapRealm = org.apache.shiro.realm.ldap.DefaultLdapRealm
> ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
> ldapRealm.contextFactory.url = ldaps://my-company:636
> securityManager.realms = $ldapRealm
>
> The initial resource I'm trying to secure can be seen at [1]. When I
> execute a GET against /admin path with basic authentication credentials,
> Shiro returns a 401 Unauthorized.
>
> It is not clear to me how I should go about debugging Shiro behavior for a
> specific request to a specific /path.
>
> Can someone please take a look and point me in the right direction? I
> would very much like to contribute my learning experience back to the Shiro
> examples. Currently none exist for CXF-based
> JAX-RS services.
>
> Thanks
> lewismc
>
> [0]
> https://github.com/lewismc/nutch/blob/NUTCH-2925/src/java/org/apache/nutch/service/NutchServer.java#L104-L107
> [1]
> https://github.com/lewismc/nutch/blob/NUTCH-2925/src/java/org/apache/nutch/service/resources/AdminResource.java#L55-L66
>
> --
> http://home.apache.org/~lewismc/
> http://people.apache.org/keys/committer/lewismc
>


Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

2021-09-29 Thread Brian Demers
Philip, I heard back from the Sec team, this IS something that
_should_ be available in the future. Sounds like there is a new
CVE-related schema that should help fill in some of the gaps!

- https://cve.mitre.org/community/board/meeting_summaries/21_July_2021.pdf
- 
https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0.schema

Thanks for reaching out!

On Wed, Sep 29, 2021 at 1:40 PM Philip Whitehouse  wrote:
>
> If I have to fix the vulnerability scanner that’s a price probably worth 
> paying :)
>
> Best,
>
> Philip Whitehouse
>
> > On 29 Sep 2021, at 16:51, Brian Demers  wrote:
> >
> > I think so, the ASF has been creating a lot of tooling to help improve
> > CVE reporting process, hopefully the CPE/artifact name can be added to
> > the report. I'll follow up with the ASF Infra team.
> >
> > NOTE: Even if we can add it, some vulnerability scanners use fuzzy
> > matching, which causes false positives. (mainly because the Maven artifact
> > coordinates are not listed in CVEs)
> >
> >> On Wed, Sep 29, 2021 at 6:02 AM philip  wrote:
> >>
> >> Is it practical to look at separating the Spring library from the rest
> >> of Shiro?
> >> It seems like we see a fair number of vulnerabilities for the Spring
> >> code which don't affect other modules / usage.
> >>
> >> Best regards,
> >>
> >> Philip Whitehouse
> >>
> >>> On 2021-09-16 21:19, Brian Demers wrote:
> >>> Description:
> >>>
> >>> Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a
> >>> specially crafted HTTP request may cause an authentication bypass.
> >>>
> >>> Users should update to Apache Shiro 1.8.0.
> >>>
> >>> Credit:
> >>>
> >>> Apache Shiro would like to thank tsug0d for reporting this issue.
>


Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

2021-09-29 Thread Brian Demers
I think so, the ASF has been creating a lot of tooling to help improve
CVE reporting process, hopefully the CPE/artifact name can be added to
the report. I'll follow up with the ASF Infra team.

NOTE: Even if we can add it, some vulnerability scanners use fuzzy
matching, which causes false positives. (mainly because the Maven artifact
coordinates are not listed in CVEs)

On Wed, Sep 29, 2021 at 6:02 AM philip  wrote:
>
> Is it practical to look at separating the Spring library from the rest
> of Shiro?
> It seems like we see a fair number of vulnerabilities for the Spring
> code which don't affect other modules / usage.
>
> Best regards,
>
> Philip Whitehouse
>
> On 2021-09-16 21:19, Brian Demers wrote:
> > Description:
> >
> > Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a
> > specially crafted HTTP request may cause an authentication bypass.
> >
> > Users should update to Apache Shiro 1.8.0.
> >
> > Credit:
> >
> > Apache Shiro would like to thank tsug0d for reporting this issue.


CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

2021-09-16 Thread Brian Demers
Description:

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a
specially crafted HTTP request may cause an authentication bypass.

Users should update to Apache Shiro 1.8.0.

Credit:

Apache Shiro would like to thank tsug0d for reporting this issue.


Re: [SHIRO-206] JSF support

2021-08-02 Thread Brian Demers
+1 to remove

JSF support could be done in a third-party repo until it gains more
support/usage (and a few folks to help maintain it)
(said third-party repo could also be pushed to Maven Central)

Another option is to create an `apache/shiro-labs` git repo to test out
ideas for things that are NOT ready for the main tree. (Maven does
something similar with https://github.com/apache/maven-studies/)

On Sun, Aug 1, 2021 at 4:00 PM Benjamin Marwell  wrote:

> Hi everyone,
>
> we had a discussion in slack, that later versions of shiro might want
> to concentrate on CDI-ish/jndi based usages. Not that this would be a
> target for 2.0, but SHIRO-206 [1] wants to add JSF support.
>
> Unless someone wants to maintain it actively in the project, I would
> vote to remove this feature from the 2.0 milestone.
>
> WDYT?
>
> - Ben
>
> [1] - https://issues.apache.org/jira/browse/SHIRO-206
>


Re: Shiro - Session Loss

2021-06-18 Thread Brian Demers
Were you able to get the log output?

On Fri, Jun 18, 2021 at 3:50 PM alina.frey  wrote:

> A little update with my discoveries so far.
>
> The code breaks when upgrading from shiro 1.2.6 to shiro 1.3.0.
>
> I was able to access the server side as soon as I modified the URLs in
> Shiro.ini to reflect path without the slash "/" at the beginning of the
> path:
>
> [urls]
>
> /FileUploadServlet = authc
> /FileDownloadServlet = authc
> /UserUnloadServlet = authc
> /soa_service = authc
> /data_update = authc
> /data_view = authc
> /load_lists = authc
> /error_services = authc
> /query_db = authc
> .html = authc
>
> Also, another discovery is that currentUser.isAuthenticated() returns TRUE
> with Shiro 1.2.6 and FALSE with Shiro 1.3.0. That's why my application was
> not loading. This is the code used for that:
>
> Subject currentUser = SecurityUtils.getSubject();
> if (currentUser.isAuthenticated()) {
>   return true;
> } else {
>   return false;
> }
>
> Also, currentUser.getPrincipal() returns null with shiro 1.3.0, while it
> returns the logged in user with shiro 1.2.6.
>
> So, I have to figure out if I need to call the current user in a different
> way, or is there something that I need to change in my shiro.ini.
>
> ANY suggestion would be very much appreciated.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: Shiro - Session Loss

2021-05-31 Thread Brian Demers
You have two SLF4J implementations on your class path, I’m guessing you need to
remove SLF4J-simple.

-Brian

> On May 31, 2021, at 9:59 AM, alina.frey  wrote:
> 
> I have slf4j-log4j12-1.7.9.jar alongside log4j-1.2.17.jar.
> Please see attached an image of all the libraries that are included in the
> class path.
> 
>  
> 
> 
> 
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/


Re: Shiro - Session Loss

2021-05-28 Thread Brian Demers
Do you have the SLF4J log4j implementation on your class path?

http://logging.apache.org/log4j/2.x/log4j-slf4j-impl/

-Brian

> On May 28, 2021, at 3:28 PM, alina.frey  wrote:
> 
> I set up Shiro to the last working version: shiro-all-1.2.6.jar
> Set logging to DEBUG, in log4j.properties:
> 
> # Default Shiro logging
> log4j.logger.org.apache.shiro=DEBUG
> log4j.logger.org.apache.shiro.realm.text.PropertiesRealm=DEBUG
> log4j.logger.org.apache.shiro.cache.ehcache.EhCache=DEBUG
> log4j.logger.org.apache.shiro.io=DEBUG
> log4j.logger.org.apache.shiro.web.servlet=DEBUG
> log4j.logger.org.apache.shiro.util.ThreadContext=DEBUG
> 
> Logging in successfully, but Shiro logs are NOT printed out.
> 
> What am I supposed to see?
> Are there any examples of shiro logs anywhere? Just so I can get an idea
> what I'm looking for.
> I assume the logs would be printed out in the log file mentioned in the
> log4j.properties, correct?
> 
> 
> 
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/


Re: Shiro - Session Loss

2021-05-27 Thread Brian Demers
With that log configuration, you should see Shiro log events every request. I’d
suggest turning up that last one “ThreadContext” to at least debug as well.

You can try to turn them up to “trace” as well. 

I’d suggest taking a step back and changing one thing at a time (this is still
my go-to strategy when debugging a problem). Go back to your working version
and increase the logging (make sure you see log output from Shiro).

Once you have that going, increase the Shiro version and repeat the process, 
compare the logs and look for differences.

If that doesn’t help I’d recommend creating a simple standalone app that will
reproduce the problem, put it on GitHub (or similar) and we can take a look.

-Brian

> On May 27, 2021, at 3:17 PM, alina.frey  wrote:
> 
> ThreadContext


Re: Shiro - Session Loss

2021-05-25 Thread Brian Demers
Oh, a GWT app.

My suggestion would be to turn up logging on both sides. I'm assuming that
InvocationException has a cause. Set the `org.apache.shiro` log level to
DEBUG or TRACE, and you should be able to get more info.

On Tue, May 25, 2021 at 3:04 PM alina.frey  wrote:

> I tried to pinpoint at what version of Shiro my application starts to lose
> session.
> So, nothing is changed in my application other than the shiro library.
> Discovered that the session loss happens starting with Shiro 1.3.2.
>   o shiro-all.1.2.3.jar: No session loss. Login works. - Current version
>   o shiro-all.1.2.6.jar: No session loss. Login works.
>   o shiro-all.1.3.2.jar: Session loss!!
>     Need to figure out what changed between version 1.2.6. and 1.3.2, and
>     change settings.
>     Maybe shiro.ini needs to change, but I don't know what to change.
>
> Narrowing down to where the application actually crashes:
>   o In UserLoginWindow.loginAttempt - Client side
>     > MainEntryPoint.loginService.tryLogin(username, password, callBack) -
>       Client side
>     > LoginServiceImpl.tryLogin(username, password) - Server side
>     > The user is authenticated (Log messages from server side are
>       visible).
>     > the callBack is onSuccess - Client side
>   o Inside onSuccess:
>     > The callBack returns the UserLoginBean, which is not null and all
>       properties (username, password, etc.) have assigned value, with the
>       exception of sToken
>     > there are three cases:
>       1. userLoginBean = null - this is the case where Access is denied, and
>          it prompts the user to login again
>       2. userLoginBean.getSalt == null - this is the case where the user
>          needs to change password
>       3. All other cases
>     > In our case we are passing the first two steps, landing in the third
>       case.
>     > In the third case, it calls a few functions, from the Client side to
>       the Server side, but it looks like the application never reaches the
>       server side.
>     > The very first function that is called from the Client side to the
>       Server side returns onFailure in its callBack!! - This is where the
>       sessionID that is displayed in the web browser changes.
>     > Every other function that is called after this, from the Client side
>       to the Server side, returns onFailure.
>
> So, in conclusion, it looks like the application crashes right after the
> user is logged in with Shiro 1.3.2, and ANY call is made from the Client
> side to the Server side.
>
> To answer the follow-ups:
>
> 1. What is the error message that displays on your login page?
> The message that is displayed is a general message for the cases when the
> exception caught is an instance of
> com.google.gwt.user.client.rpc.InvocationException. The actual text
> displayed is "The session has expired. The user needs to relogin." But it's
> not relevant, as it doesn't explain why it's an InvocationException :).
>
> 2. What else changed in your application?
> Nothing other than changing Shiro from 1.2.3 to 1.2.6 to 1.3.2. Shiro 1.3.2
> breaks the application.
>
> 3. Do you have a minimal repro example you can share on GitHub (or
> similar)?
> I do not have one, and I don't think I can share much :).
>
> 4. Were you able to look at the cookies in your browser?
> Yes, I can see the sessionID in the browser. For Shiro 1.2.3 and 1.2.6, the
> sessionID stays the same and the application is able to load after
> successful login.
> When Shiro is changed to 1.3.2, the sessionID changes, right after the user
> is authenticated on the server side. On the Client side under callBack
> onSuccess, the very first function that is called is a call to Server side.
> That function returns onFailure, like every other function after that,
> which
> are calls to the Server side.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: Shiro - Session Loss

2021-05-24 Thread Brian Demers
Release notes: https://shiro.apache.org/news.html (includes links to
release notes)
Diffs:
https://github.com/apache/shiro/compare/shiro-root-1.2.6..shiro-root-1.3.2

Follow-ups:
What is the error message that displays on your login page?
What else changed in your application?
Do you have a minimal repro example you can share on GitHub (or similar)?
Were you able to look at the cookies in your browser?


On Sun, May 23, 2021 at 5:54 PM alina.frey  wrote:

> Does anybody know where I can find info regarding what changed from one
> version of Shiro to another? Specifically I'm interested what changed from
> version 1.2.6 to version 1.3.2.
>
> shiro-all-1.2.3.jar: No session loss. Login works. - Current Shiro.
> shiro-all-1.2.6.jar: No session loss. Login works.
> shiro-all-1.3.2.jar: Session loss!!!
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: Re[4]: Subject login/logout in tests

2021-05-21 Thread Brian Demers
Yes, it's totally fine.

You can use a Subject Builder, instead of the SecurityUtils:
https://shiro.apache.org/subject.html#Subject-Subject.Builder

And with `subject.execute()` you should be able to avoid any before/after
test cleanup.

But either option works ;)

On Fri, May 21, 2021 at 10:34 AM Alex Orlov  wrote:

> Yes, you are right. But what about the question — is it correct to use
> subject login/logout in IT tests?
> Not subject mock, but a real subject with real realm work?
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Friday, 21 May 2021, 17:25 +03:00 from Brian Demers:
>
> In your case the subject is bound from `SecurityUtils.getSubject()`
>
>
> https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/core/src/main/java/org/apache/shiro/SecurityUtils.java#L53-L60
>
> On Fri, May 21, 2021 at 12:55 AM Alex Orlov  wrote:
>
> Hm… I am sure, that when we do subject.login(..) then under the hood
> subject is bound to the thread.
> I use the code I posted in integration tests and everything works as
> expected. I pass token, I see how
> my realm does its work.
>
> What did you mean, saying «login and out do not bind the user to the
> thread.»? I am saying that after calling
> subject.login() subject is bound to thread and after subject.logout()
> subject is unbound from thread.
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Thursday, 20 May 2021, 22:52 +03:00 from Brian Demers:
>
> login and logout do not bind the user to the thread. Typically I use the
> ThreadContext directly when I need to do anything with threading
>
> For example, mock a subject, and bind it to the thread:
>
> https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ShiroSecurityContextTest.groovy#L167-L168
> Then unbind it:
>
> https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ShiroSecurityContextTest.groovy#L188
>
> Though if you are using a "real" subject, you could just use the built in
> thread execution as well:
> https://shiro.apache.org/subject.html#thread-association
>
>
> On Thu, May 20, 2021 at 11:34 AM Alex Orlov  wrote:
>
> Hello all,
>
> Can I use in one thread tests subject login/logout. Something like this:
>
> @BeforeAll
> protected void doBeforeAll() {
> Subject subject = SecurityUtils.getSubject();
> subject.login(token);
> }
> @AfterAll
> protected void doAfterAll() {
> Subject subject = SecurityUtils.getSubject();
> subject.logout();
> }
>
> As I understand, subject.login() does thread binding, and subject.logout()
> does thread unbinding. So, could anyone say
> if this code is correct.
>
> --
> Best regards, Alex Orlov
>
>
>
>
>
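The Subject.Builder plus `subject.execute()` pattern Brian describes, as an added JUnit 5 example that is not code from the Shiro project or this thread. It authenticates a real Subject against a real (in-memory INI) realm, shows that `login()` by itself leaves nothing bound to the thread, and scopes the thread binding to the callable; the user "alice", the "admin" role and the permission string are constructed test data, and shiro-core plus junit-jupiter are assumed on the test classpath.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.concurrent.Callable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.junit.jupiter.api.Test;

// Added example (not from the Shiro project or this thread).
class SubjectExecuteTest {

    // A SecurityManager backed by an in-memory INI realm. The account and role
    // below are constructed test data, not taken from any real configuration.
    private static DefaultSecurityManager newSecurityManager() {
        Ini ini = new Ini();
        ini.addSection(IniRealm.USERS_SECTION_NAME).put("alice", "secret, admin");
        ini.addSection(IniRealm.ROLES_SECTION_NAME).put("admin", "report:read");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    @Test
    void loginThenExecuteOnThisThread() throws Exception {
        DefaultSecurityManager securityManager = newSecurityManager();
        try {
            // A Subject built this way carries its own SecurityManager; nothing is
            // pulled from the SecurityUtils static holder or from the thread, so no
            // @BeforeAll/@AfterAll setup is needed.
            Subject subject = new Subject.Builder(securityManager).buildSubject();
            subject.login(new UsernamePasswordToken("alice", "secret"));
            assertTrue(subject.isAuthenticated());

            // login() alone does not bind the Subject to the calling thread...
            assertNull(ThreadContext.getSubject());

            // ...execute() does, for exactly the duration of the callable, and
            // restores the previous thread state afterwards. Inside the callable
            // SecurityUtils.getSubject() resolves to the bound Subject, the same
            // way production code sees it behind the ShiroFilter.
            String whoami = subject.execute((Callable<String>) () -> {
                Subject bound = SecurityUtils.getSubject();
                assertTrue(bound.hasRole("admin"));
                assertTrue(bound.isPermitted("report:read"));
                return (String) bound.getPrincipal();
            });
            assertEquals("alice", whoami);

            // Thread state is cleaned up by execute(); nothing leaks into later tests.
            assertNull(ThreadContext.getSubject());

            subject.logout();
        } finally {
            // Stops the session validation scheduler started on first login.
            securityManager.destroy();
        }
    }
}
```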


Re: Re[2]: Subject login/logout in tests

2021-05-21 Thread Brian Demers
In your case the subject is bound from `SecurityUtils.getSubject()`

https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/core/src/main/java/org/apache/shiro/SecurityUtils.java#L53-L60

On Fri, May 21, 2021 at 12:55 AM Alex Orlov  wrote:

> Hm… I am sure, that when we do subject.login(..) then under the hood
> subject is bound to the thread.
> I use the code I posted in integration tests and everything works as
> expected. I pass token, I see how
> my realm does its work.
>
> What did you mean, saying «login and out do not bind the user to the
> thread.»? I am saying that after calling
> subject.login() subject is bound to thread and after subject.logout()
> subject is unbound from thread.
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Thursday, 20 May 2021, 22:52 +03:00 from Brian Demers:
>
> login and logout do not bind the user to the thread. Typically I use the
> ThreadContext directly when I need to do anything with threading
>
> For example, mock a subject, and bind it to the thread:
>
> https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ShiroSecurityContextTest.groovy#L167-L168
> Then unbind it:
>
> https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ShiroSecurityContextTest.groovy#L188
>
> Though if you are using a "real" subject, you could just use the built in
> thread execution as well:
> https://shiro.apache.org/subject.html#thread-association
>
>
> On Thu, May 20, 2021 at 11:34 AM Alex Orlov  wrote:
>
> Hello all,
>
> Can I use in one thread tests subject login/logout. Something like this:
>
> @BeforeAll
> protected void doBeforeAll() {
> Subject subject = SecurityUtils.getSubject();
> subject.login(token);
> }
> @AfterAll
> protected void doAfterAll() {
> Subject subject = SecurityUtils.getSubject();
> subject.logout();
> }
>
> As I understand, subject.login() does thread binding, and subject.logout()
> does thread unbinding. So, could anyone say
> if this code is correct.
>
> --
> Best regards, Alex Orlov
>
>
>


Re: Subject login/logout in tests

2021-05-20 Thread Brian Demers
login and logout do not bind the user to the thread. Typically I use the
ThreadContext directly when I need to do anything with threading.

For example, mock a subject, and bind it to the thread:
https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ShiroSecurityContextTest.groovy#L167-L168
Then unbind it:
https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ShiroSecurityContextTest.groovy#L188

Though if you are using a "real" subject, you could just use the built in
thread execution as well:
https://shiro.apache.org/subject.html#thread-association


On Thu, May 20, 2021 at 11:34 AM Alex Orlov  wrote:

> Hello all,
>
> Can I use in one thread tests subject login/logout. Something like this:
>
> @BeforeAll
> protected void doBeforeAll() {
> Subject subject = SecurityUtils.getSubject();
> subject.login(token);
> }
> @AfterAll
> protected void doAfterAll() {
> Subject subject = SecurityUtils.getSubject();
> subject.logout();
> }
>
> As I understand, subject.login() does thread binding, and subject.logout()
> does thread unbinding. So, could anyone say
> if this code is correct.
>
> --
> Best regards, Alex Orlov
>


Re: Shiro - Session Loss

2021-05-20 Thread Brian Demers
Responses inline:

On Wed, May 19, 2021 at 5:31 PM alina.frey  wrote:

> 1. Anything in your logs?
> If you are referring to Shiro logs, I don't know where they are recorded.
> If you are referring to logs capture by my application, I do not see any of
> the errors that would be thrown by the supporting code below.
>

Your application logs. Shiro uses SLF4J (the de facto standard logging API),
but where the logs go is up to your application.


>
> 2. What happens when the user isn't able to login? Are they redirected back
> to the login page?
> Yes. A relevant message is displayed in a pop up, and then the same login
> page is displayed.
>

What is the "relevant" message (that part sounds important)?


>
> 3. Is your browser rejecting the cookie? (or is it sent back to the server
> on the next request?)
> Where do I need to look to see this? Where do I see the requests that are
> being sent? In the Console or Network tabs of browser's Developer Tools?
>

Personally I use the network tab of my browser's developer
console/tools. You should be able to see the `Set-Cookie` header in the
response from your server, and the browser should send a `Cookie` header
when making requests back to your server.

Your following code might actually be the problem: you _shouldn't_ need to
do any of that, the `ShiroFilter` will do all of this for you.
For example, this sample just adds a login page that will post the
user/pass to the login.jsp:
https://github.com/apache/shiro/blob/shiro-root-1.7.1/samples/web/src/main/webapp/WEB-INF/shiro.ini#L59
(this is intercepted by the ShiroFilter)

That said, that isn't a one-size-fits-all solution, but in those cases you
still need to make sure the `ShiroFilter` gets executed early enough in
your request that the `Subject` is created before you execute your code.

For example this (in your code below) _shouldn't_ happen, as the subject
would have been created automatically for you (even if it's an anonymous user)

```
Subject newUser = SecurityUtils.getSubject();
if (newUser != null) {
logger.debug("SessionID prior to logging in: " +
newUser.getSession().getId());
```


> Here is the supporting code for logging in with Shiro:
>
> public UserLoginBean tryLogin(String username, String password)
> throws
> Exception {
> //check for null username or password
> if(){//return null;}
>
> // get the login bean based on the user id
> UserLoginBean loginBean = getUserRecord(username);
>
> // user does not exist
> if(){//return null;}
>
> // password must have been reset to plain text
> else if (loginBean.getSalt() == null) {...}
>
> // password is encrypted so verify user login
> else {
> try {
> // get the currently executing user and create token
> Subject newUser = SecurityUtils.getSubject();
>
> if (newUser != null) {
>
> logger.debug("SessionID prior to
> logging in: " +
> newUser.getSession().getId());
>
> ...
>
> // The username and password authentication token. Set
> rememberMe to false
> UsernamePasswordToken token = new
> UsernamePasswordToken(username, password.toCharArray(), false);
> newUser.login(token);
>
> ...
>
>
> logger.debug("SessionID after to logging in: " +
> newUser.getSession().getId());
> logger.debug("Is user authenticated? " +
> newUser.isAuthenticated());
>
> }
> ...
>
> // successful login
> logger.info("!!! Successful login
> !!! ");
> return loginBean;
>
> } catch (UnknownAccountException e) {
> logger.error("LOGIN ERROR: No Such User Exists");
> throw new InvalidLoginException();
> } catch (IncorrectCredentialsException e) {
> logger.error("LOGIN ERROR: Invalid Password");
> throw new InvalidLoginException();
> } catch (LockedAccountException e) {
> logger.error("LOGIN ERROR: Locked Account");
> throw new AccountLockedException();
> } catch (AlreadyAuthenticatedException e) {
> logger.error("LOGIN ERROR: User Already Logged In");
> throw new AlreadyLoggedInException();
> } catch (SessionNotAvailableException e) {
> logger.error("LOGIN ERROR: Another user logged in using
> current browser");
> throw new BrowserSessionTakenException();
> } catch (Exception e) {
> logger.error(e.getMessage());
> logger.error("LOGIN ERROR: General Unspecific Login
> Failure");
> return null;
> }
> }
> 

Re: Shiro - Session Loss

2021-05-19 Thread Brian Demers
Anything in your logs?

What happens when the user isn't able to login? Are they redirected back to
the login page?

Is your browser rejecting the cookie? (or is it sent back to the server on
the next request?)

On Wed, May 19, 2021 at 12:04 PM alina.frey  wrote:

> I will try to replace Shiro with intermediary versions between 1.2.3 and ,
> and will get back to you with results.
>
> Meanwhile, here is what I have in the shiro.ini file.
>
>
>
>
> # ===
> # Shiro INI configuration
> # ===
>
> [main]
>
> # authorization paths
> shiro.loginUrl = /_main.html
>
> #Sha256 encryption
> credentialsMatcher =
> org.apache.shiro.authc.credential.Sha256CredentialsMatcher
> credentialsMatcher.storedCredentialsHexEncoded = false
> credentialsMatcher.hashIterations = 1024
>
> # Oracle DataSource JNDI Remote Connection (Production)
> ds = org.apache.shiro.jndi.JndiObjectFactory
> ds.requiredType = javax.sql.DataSource
> ds.resourceName = jdbc/dbConnectionDS
>
> # JDBC Realm Setup
> jdbcRealm = .server.auth.CustomJdbcRealm
>
> jdbcRealm.permissionsLookupEnabled = true
> jdbcRealm.dataSource = $ds
> jdbcRealm.credentialsMatcher = $credentialsMatcher
>
> ### SQL Queries, Modified and System Default
> # User Query
> jdbcRealm.authenticationQuery = SELECT password, salt FROM 
> WHERE user_id = ?
>
> # User Roles
> jdbcRealm.userRolesQuery = SELECT lab_id FROM  WHERE user_id =
> ?
>
> # User Permissions
> jdbcRealm.permissionsLookupEnabled = false
>
> # Set Security Manager Properties
> cookie = org.apache.shiro.web.servlet.SimpleCookie
> cookie.name = .session
> cookie.path = /;
> #sessionValidationScheduler =
> org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
> #sessionValidationScheduler.interval = 18
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> sessionManager.sessionDAO = $sessionDAO
> sessionManager.sessionIdCookie = $cookie
> # Session timeout in msec...currently 15 mins
> sessionManager.globalSessionTimeout = 90
> #sessionManager.sessionValidationScheduler = $sessionValidationScheduler
> securityManager = .server.auth.UniquePrincipalSecurityManager
> securityManager.sessionManager = $sessionManager
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> securityManager.realms = $jdbcRealm
>
> [users]
>
>
> [roles]
>
>
> [urls]
>
> /_main.html = authc
> /logout = logout
> //FileUploadServlet = authc
> //FileDownloadServlet = authc
> //UserUnloadServlet = authc
> //soa_service = authc
> //data_update = authc
> //data_view = authc
> //load_lists = authc
> //error_services = authc
> //query_db = authc
>
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: Manual shiro configuration - No realms have been configured!

2021-04-21 Thread Brian Demers
Shiro's Servlet Filter has a SecurityManager instance, which is configured
from your INI file. Shiro also supports a "static" security manager for
dealing with requests in your application that are NOT bound to a request
thread (queues, thread pools, scheduled tasks, etc).  Setting the "static"
security manager does NOT affect web requests.

My guess is you can simplify this configuration by just interpolating the
INI configuration (filtering in env vars and system properties)
https://stormpath.com/blog/string-interpolation-apache-shiro



On Wed, Apr 21, 2021 at 10:07 AM Schloool  wrote:

> Hey folks!
> While setting up a custom shiro-environment I came across a problem
> outsourcing the realm initialization. Using environment variables the user
> may choose a custom auth-method, such as LDAP, Database, etc.
> Therefore, the corresponding shiro.ini does *not* set a specific realm
> instance:
>
>
> [main]
> authc.loginUrl = /login
> vaadin = org.vaadin.shiro.VaadinNavigationRolesAuthorizationFilter
> vaadin.loginUrl = /login
> authSetup = com.project.auth.AuthSetup
>
> [urls]
> / = anon, vaadin
> /login = anon, vaadin
> /stations = authc, vaadin[admin]
> /organizations = authc, vaadin[admin]
> /station-types = authc, vaadin[admin]
> /projects = authc, vaadin[admin]
>
>
> However, as you can see, an instance of my class AuthSetup is initialized.
> This class resolves the auth method the user wants and therefore
> instantiates the custom realm. In my example, the Realm I use is a class
> setting up a DefaultLdapRealm:
>
>
> @Override
> public Realm initRealm() {
> JndiLdapContextFactory contextFactory = new
> JndiLdapContextFactory();
>
> contextFactory.setUrl(environmentResolver.getUrl());
> contextFactory.setSystemUsername("cn=read-only-admin, dc=example,
> dc=com");
> contextFactory.setSystemPassword("admin");
>
> DefaultLdapRealm realm = new DefaultLdapRealm();
> realm.setUserDnTemplate(environmentResolver.getUserDnTemplate());
> realm.setContextFactory(contextFactory);
> return realm;
> }
>
>
> The data inserted by the environment-vars are the LDAP-URL
> (ldap://ldap.forumsys.com:389) and the user DN-Template
> (uid={0},dc=example,dc=com). All of these data are read out correctly as I
> can tell from the debug messages I am printing to my logs.
> Finally, the realm created in the given method, is passed using this method
> called by initializing my AuthSetup:
>
>
> private void processAuthMethod(AuthMethodChoice authMethodChoice) {
> AuthMethodFactory authMethodFactory = new AuthMethodFactory();
>
> AuthMethod authMethod =
> authMethodFactory.getAuthMethod(authMethodChoice);
> initAuthEnvironmentResolver(authMethod);
>
> Realm realm = authMethod.initRealm();
> SecurityManager securityManager = new
> DefaultSecurityManager(realm);
> SecurityUtils.setSecurityManager(securityManager);
> System.out.println(format("Auth SecurityManager instance
> initialized
> with custom Realm %s.", realm.getClass().getSimpleName()));
> }
>
>
> As you can tell by the last lines of code in this method, I try to pass in
> the loaded Realm using a DefaultSecurityManager. Also, the success message
> gets printed successfully ("Auth SecurityManager instance initialized with
> custom Realm DefaultLdapRealm."). Moreover, the DefaultSecurityManager
> seems
> to be set correctly using the method, as SecurityUtils.getSecurityManager()
> returns an DefaultSecurityManager instance again.
> --
>
> So far so good. The problem occurs when logging in using the default shiro
> login()-Method. Whenever logging in, the following exception comes up:
>
>
> WARN org.apache.shiro.authc.AbstractAuthenticator - Authentication failed
> for token submission [org.apache.shiro.authc.UsernamePasswordToken -
> ExampleUser, rememberMe=false].  Possible unexpected error? (Typical or
> expected login exceptions should extend from AuthenticationException).
> java.lang.IllegalStateException: Configuration error:  No realms have been
> configured!  One or more realms must be present to execute an authentication
> attempt.
>
>
> Can anybody explain why no realm seems to be set although everything
> described above gets executed correctly? Also, I am willing to provide more
> information regarding my background system when needed.
> I am thankful for every advice you can give.
>
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: Strange issue on logout

2021-04-12 Thread Brian Demers
Thanks for following up David!

On Mon, Apr 12, 2021 at 9:54 AM David Stutzman  wrote:

> Actually that created another error:
> 09:44:53,127 WARNING
> [javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-7)
> #{login.login()}: java.lang.IllegalStateException: UT010033: No session:
> javax.faces.FacesException: #{login.login()}:
> java.lang.IllegalStateException: UT010033: No session
>
> What appears to have fixed it for us is adding to the web.xml:
>   <session-config>
>     <tracking-mode>COOKIE</tracking-mode>
>   </session-config>
>
> Which appears to accomplish the same thing of getting the container to
> NOT write the jsessionid into the url and then have Shiro block it due
> to the semicolon.  It's quite possible we have other settings/setup that
> are getting in the way of turning off the url rewriting from within
> Shiro.  Either way...we are back to a fully working setup as far as I
> can tell.
>
> Thanks,
> Dave
>
> On 4/8/2021 1:41 PM, Brian Demers wrote:
> > Hi David!
> >
> > Can you try making sure session rewriting is disabled:
> >
> > securityManager.sessionManager.sessionIdUrlRewritingEnabled
> >
> >
> https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29
> > <
> https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29
> >
> >
> > This could also be happening from your servlet container (but my guess
> > is the above will fix your issue).
> >
> > Let us know!
>
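
The two fixes discussed in this thread, written out as an added example (not code from the thread or from the Shiro project): a Servlet 3.0 listener that restricts the container to cookie-based session tracking, the programmatic form of the `<tracking-mode>COOKIE</tracking-mode>` web.xml entry, plus a Shiro `DefaultWebSessionManager` with `sessionIdUrlRewritingEnabled` switched off, the programmatic form of the INI line above. The class name is hypothetical; the listener assumes it is declared in web.xml (or called from a `WebApplicationInitializer`), because session tracking modes can only be set before the context finishes initialising.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/**
 * Hypothetical class, not part of Shiro. Declare it as a <listener> in web.xml;
 * listeners added programmatically at runtime are not allowed to change the
 * session tracking modes.
 */
public class CookieOnlySessionConfig implements ServletContextListener {

    /** Container side: the equivalent of <tracking-mode>COOKIE</tracking-mode>. */
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Right after a new session is created (for example on the redirect that
        // follows logout) a container that has not yet seen the session cookie
        // come back may fall back to URL rewriting, producing
        // /login.xhtml;jsessionid=... which InvalidRequestFilter rejects with a
        // 400 because of the semicolon. Restricting tracking to cookies removes
        // that fallback.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /**
     * Shiro side. This only matters when Shiro manages the sessions itself
     * (DefaultWebSessionManager); it is the programmatic form of
     *   securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
     * With the default ServletContainerSessionManager the rewriting is done by
     * the container, so the INI setting has no effect and the tracking-mode
     * setting above is the one that applies.
     */
    public static DefaultWebSecurityManager nativeSessionsWithoutUrlRewriting(Realm realm) {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionIdUrlRewritingEnabled(false);
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }
}
```

Because the JSF application in this thread lets the container own the sessions, only the listener (or the web.xml element it mirrors) applies there, which matches what David found.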


Re: Strange issue on logout

2021-04-08 Thread Brian Demers
Hi David!

Can you try making sure session rewriting is disabled:

securityManager.sessionManager.sessionIdUrlRewritingEnabled

https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29

This could also be happening from your servlet container (but my guess is the
above will fix your issue).

Let us know!

On Thu, Apr 8, 2021 at 10:39 AM David Stutzman  wrote:

> I went back and took another look at this and turned on trace logging
> and figured out the InvalidRequestFilter is tripping, specifically on a
> semicolon in the URL.  That filter was added in 1.6.0 hence that's the
> first version we see the issue.
>
> So now the part I'm not sure about is how/why the URL is being modified
> after logout.  If I click the login button the URL in the browser is:
> https://localhost:8443/app/login.xhtml;jsessionid= and, as
> advertised by the IRF, I get a 400 response code.
>
> The logout process is done through a servlet with the following
> implementation:
>     protected void processRequest(HttpServletRequest request,
>             HttpServletResponse response) throws ServletException, IOException {
>         SecurityUtils.getSubject().logout();
>         request.getSession().invalidate();
>         response.sendRedirect(request.getServletContext().getContextPath());
>     }
>
> And it is on the index page that things start to break.  There's a
> single image that doesn't load due to the request url having the
> jsessionid appended and that gets a 400 response and if I click the
> "Log In" button and it goes to that url (with the appended jsessionid),
> I get the main error that results in a blank page with just "Invalid
> request".
>
> So am I doing something wrong in my logout logic or is this a Shiro issue?
>
> Thanks!
>
> On 12/17/2020 9:55 AM, Francois Papon wrote:
> > Ok thanks, we will take a look.
> >
> > regards,
> >
> > François
> > fpa...@apache.org
>


Re: shiro 1.7.0 + spring beans

2020-12-21 Thread Brian Demers
No worries!  If you figure it out let us know what it was. Someone else
might stumble on the same problem, or it could lead us to improve something
;)

On Mon, Dec 21, 2020 at 3:08 PM ry99  wrote:

> Well, I'm feeling a little sheepish now, because as I was trying to make a
> minimally viable project, I couldn't reproduce the behavior I was seeing. My
> only conclusion is that the bug lay somewhere in all the cruft I hacked out.
> Sorry for the run-around.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: shiro 1.7.0 + spring beans

2020-12-21 Thread Brian Demers
Can you create a simple sample project and stick it on GitHub?  That might
help us narrow down what is going on.


On Sun, Dec 20, 2020 at 8:01 AM ry99  wrote:

> Hi Folks,
> I'm trying to use Shiro to protect a REST-based web service. I'm using
> Spring 5.3.2 and Shiro 1.7.0, and following the instructions at
> https://shiro.apache.org/spring-framework.html#web-applications.
>
> However, it appears that the recommended imports only use default values,
> and do not reference the other beans I've created. For example, following
> the instructions, I have created a bean to provide a
> ShiroFilterChainDefinition, but AbstractShiroWebFilterConfiguration doesn't
> use mine; it already has a default one autowired. The same seems to hold
> true for my Realm--my bean creating it is called, but the object isn't
> used.
>
> How do I use my beans instead of the defaults?
>
> Please advise,
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: How to build mock subject for test having certain permissions?

2020-12-05 Thread Brian Demers
Are you using a mock framework like Mockito or EasyMock? Here is an example
that uses EasyMock (and still sets up the thread context):
https://github.com/apache/shiro/blob/master/core/src/test/java/org/apache/shiro/test/ExampleShiroUnitTest.java


On Sat, Dec 5, 2020 at 8:12 AM Alex Orlov  wrote:

> Hello all,
>
> I am trying to build mock subject for my tests. In my system I use the
> following code to check authorization:
> var permission = new ResourcePermission(this.getResourceId(), action);
> if (!subject.isPermitted(permission)) {
>     throw new AuthorizationException();
> }
>
> Now, I am trying to build a mock subject for my test:
>
> Subject subjectUnderTest = new Subject
> .Builder(securityManager)
> .authenticated(true)
> .???
> .buildSubject();
>
> Could anyone say, how to build a mock subject having certain permissions?
> Or do I miss something?
>
>
>
>
> --
> Best regards, Alex Orlov
>


Re: Re[4]: Must Realm#onInit be called when SecurityManager is created manually?

2020-11-24 Thread Brian Demers
I agree, pull requests are always welcome :D

On Tue, Nov 24, 2020 at 1:56 AM Alex Orlov  wrote:

> Hello Brian,
>
> Thank you for clarifying this moment. I think, it would be fine to add
> information about
> LifecycleUtils here
> https://shiro.apache.org/configuration.html#programmatic-configuration
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Tuesday, 24 November 2020, 1:55 +03:00 from Brian Demers <
> brian.dem...@gmail.com>:
>
> Correct,
>
> Most of the time these methods would be transparently called via Shiro's
> INI feature, Spring, Guice, or potentially CDI.
>
> On Sat, Nov 21, 2020 at 3:12 PM Alex Orlov wrote:
>
> Do I understand it correctly if we control realm and security manager
> manually we need to use:
>
> to init Realm → LifecycleUtils.init(realm);
> to destroy SecurityManager → LifecycleUtils.destroy(securityManager);
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Saturday, 21 November 2020, 19:12 +03:00 from Brian Demers <
> brian.dem...@gmail.com
> >:
>
> Shiro has "lifecycle" methods that can be plugged into a DI container.  If
> you are not using a Shiro integration, you just need to call the
> `onInit` method directly.
>
> On Sat, Nov 21, 2020 at 6:11 AM Alex Orlov wrote:
>
> Hello all,
>
> I have two security managers — web and default. When shiro filter creates
> web manager
> the method onInit(
> https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/realm/AuthorizingRealm.html#onInit()
> )
> of my Realm is called.
>
> However, when I create SM manually
> var realm = new SecurityRealm();
>...
> DefaultSecurityManager sm = new DefaultSecurityManager(realm);
> sm.setCacheManager(new MemoryConstrainedCacheManager());
> this.securityManager = sm;
>
> this method (onInit) is not called.
>
> Could anyone say if it is a bug or I miss something (I use shiro 1.7.0)?
>
>
> --
> Best regards, Alex Orlov
>
>
>
>
>


Re: Re[2]: Must Realm#onInit be called when SecurityManager is created manually?

2020-11-23 Thread Brian Demers
Correct,

Most of the time these methods would be transparently called via Shiro's
INI feature, Spring, Guice, or potentially CDI.

On Sat, Nov 21, 2020 at 3:12 PM Alex Orlov  wrote:

> Do I understand it correctly if we control realm and security manager
> manually we need to use:
>
> to init Realm → LifecycleUtils.init(realm);
> to destroy SecurityManager → LifecycleUtils.destroy(securityManager);
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Saturday, 21 November 2020, 19:12 +03:00 from Brian Demers <
> brian.dem...@gmail.com>:
>
> Shiro has "lifecycle" methods that can be plugged into a DI container.  If
> you are not using a Shiro integration, you just need to call the
> `onInit` method directly.
>
> On Sat, Nov 21, 2020 at 6:11 AM Alex Orlov wrote:
>
> Hello all,
>
> I have two security managers — web and default. When shiro filter creates
> web manager
> the method onInit(
> https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/realm/AuthorizingRealm.html#onInit()
> )
> of my Realm is called.
>
> However, when I create SM manually
> var realm = new SecurityRealm();
>...
> DefaultSecurityManager sm = new DefaultSecurityManager(realm);
> sm.setCacheManager(new MemoryConstrainedCacheManager());
> this.securityManager = sm;
>
> this method (onInit) is not called.
>
> Could anyone say if it is a bug or I miss something (I use shiro 1.7.0)?
>
>
> --
> Best regards, Alex Orlov
>
>
>


Re: Shiro web + Spring -> No realms have been configured!

2020-11-23 Thread Brian Demers
Have you tried without setting those scopes?

I would guess setting those scopes _shouldn't_ matter, as the default should
be a Singleton.

If that doesn't help can you create a simple project that reproduces the
problem on GitHub?

On Sat, Nov 21, 2020 at 5:38 PM Alex Orlov  wrote:

> Hello all,
>
> I try to configure Shiro web + Spring + my custom Realm but I have a
> problem.
>
> This is my web initializer:
>
> @Order(Ordered.HIGHEST_PRECEDENCE)
> public class WebInitializer implements WebApplicationInitializer {
>     @Override
>     public void onStartup(ServletContext servletContext) throws ServletException {
>         var diContext = new AnnotationConfigWebApplicationContext();
>         diContext.register(TempConfig.class);
>         diContext.setServletContext(servletContext);
>         var servlet = servletContext.addServlet("SpringServlet", new DispatcherServlet(diContext));
>         servlet.setLoadOnStartup(1);
>         servlet.addMapping("/");
>
>         FilterRegistration.Dynamic filterRegistration =
>                 servletContext.addFilter("ShiroFilter", "org.apache.shiro.web.servlet.ShiroFilter");
>         filterRegistration.addMappingForUrlPatterns(
>                 EnumSet.of(
>                         DispatcherType.REQUEST,
>                         DispatcherType.FORWARD,
>                         DispatcherType.INCLUDE,
>                         DispatcherType.ERROR
>                 ),
>                 false, "/*");
>
>         servletContext.addListener("org.apache.shiro.web.env.EnvironmentLoaderListener");
>     }
> }
>
> This is Spring config:
>
> @Configuration
> @ComponentScan(basePackageClasses = {
>         MyController.class,
> })
> @EnableWebMvc
> @Import({
>         ShiroBeanConfiguration.class,
>         ShiroAnnotationProcessorConfiguration.class,
>         ShiroWebConfiguration.class,
>         ShiroWebFilterConfiguration.class,
>         ShiroRequestMappingConfig.class
> })
> public class TempConfig implements WebMvcConfigurer {
>     public TempConfig() {
>     }
>
>     @Bean
>     @Scope(value = ConfigurableBeanFactory.SCOPE_SINGLETON)
>     public CacheManager cacheManager() {
>         var manager = new MemoryConstrainedCacheManager();
>         return manager;
>     }
>
>     @Bean
>     @Scope(value = ConfigurableBeanFactory.SCOPE_SINGLETON)
>     public Realm realm() {
>         var realm = new SecurityRealm(); // <- this is my custom realm.
>         return realm;
>     }
> }
>
> And this is what I get:
>
> WARN  org.apache.shiro.authc.AbstractAuthenticator - Authentication failed
> for token submission [temp.security.WebAuthenticationToken@79ffcf2c].
> Possible unexpected error? (Typical or expected login exceptions should
> extend from AuthenticationException).
> java.lang.IllegalStateException: Configuration error:  No realms have been
> configured!  One or more realms must be present to execute an
> authentication attempt.
> at
> org.apache.shiro.authc.pam.ModularRealmAuthenticator.assertRealmsConfigured(ModularRealmAuthenticator.java:161)
> ~[shiro-all-1.7.0.jar:?]
> at
> org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:270)
> ~[shiro-all-1.7.0.jar:?]
> at
> org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
> [shiro-all-1.7.0.jar:?]
> at
> org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
> [shiro-all-1.7.0.jar:?]
> at
> org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:275)
> [shiro-all-1.7.0.jar:?]
> at
> org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260)
> [shiro-all-1.7.0.jar:?]
>
> At the same time, I see in the log that my realm#onInit method was called and
> the realm was initialized. However, Shiro doesn't see it. I use jetty 9 +
> spring 5. I do NOT use spring boot. Could anyone say how to fix it?
>
> --
> Best regards, Alex Orlov
>


Re: Must Realm#onInit be called when SecurityManager is created manually?

2020-11-21 Thread Brian Demers
Shiro has "lifecycle" methods that can be plugged into a DI container.  If
you are not using a Shiro integration, you just need to call the
`onInit` method directly.

On Sat, Nov 21, 2020 at 6:11 AM Alex Orlov  wrote:

> Hello all,
>
> I have two security managers — web and default. When shiro filter creates
> web manager
> the method onInit(
> https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/realm/AuthorizingRealm.html#onInit()
> )
> of my Realm is called.
>
> However, when I create SM manually
> var realm = new SecurityRealm();
>...
> DefaultSecurityManager sm = new DefaultSecurityManager(realm);
> sm.setCacheManager(new MemoryConstrainedCacheManager());
> this.securityManager = sm;
>
> this method (onInit) is not called.
>
> Could anyone say if it is a bug or I miss something (I use shiro 1.7.0)?
>
>
> --
> Best regards, Alex Orlov
>


Re: Is it possible to use one SecurityRealm instance in two SecurityManagers?

2020-11-20 Thread Brian Demers
IIRC you _should_ be able to use the same SecurityManager for web and
non-web requests.

However, two different SecurityManagers with the same Realm may cause
issues, especially if they are using caches.
We have a Spring RMI example here:
https://github.com/apache/shiro/blob/f782eb1084df73eff3e2ac0f9780cb4a4f429041/support/spring/src/main/java/org/apache/shiro/spring/remoting/SecureRemoteInvocationExecutor.java

(It's been a while since I've done anything with RMI, so someone else might
be able to give you better advice)

On Fri, Nov 20, 2020 at 3:14 PM Alex Orlov  wrote:

> I have an application that can be accessed by http and rmi protocols.
>
> When a user uses the http protocol he passes the shiro web filter — everything
> is clear here, no problem.
> I wanted to use the same SecurityManager for the rmi protocol as well, but, of
> course, it didn't work:
>
> 22:21:44.599 [HTTP-Dispatcher] WARN
> org.apache.shiro.authc.AbstractAuthenticator - Authentication failed for
> token submission [myapp.security.AuthenticationToken@325c75dc].  Possible
> unexpected error? (Typical or expected login exceptions should extend from
> AuthenticationException).
> java.lang.IllegalArgumentException: SessionContext must be an HTTP
> compatible implementation.
> at
> org.apache.shiro.web.session.mgt.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:103)
> ~[shiro-all-1.7.0.jar:?]
> at
> org.apache.shiro.web.session.mgt.ServletContainerSessionManager.start(ServletContainerSessionManager.java:64)
> ~[shiro-all-1.7.0.jar:?]
> at
> org.apache.shiro.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:152)
> ~[shiro-all-1.7.0.jar:?]
> at
> org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:340)
> ~[shiro-all-1.7.0.jar:?]
>
> As I understand, for rmi server I must create another security manager:
> SecurityManager securityManager = new DefaultSecurityManager(myRealm);
>
> Could anyone say — if it is possible to use the same Realm instance
> (already initialized) for the second security manager?
>
>
> --
> Best regards, Alex Orlov
>


Re: EnvironmentLoaderListener Error for shiro 1.2.2 on Weblogic 12c

2020-11-20 Thread Brian Demers
I think we are going to need a little more info.  How are you
deploying your application? Has the WAR/EAR changed between deployments? If
so, what has changed? Have you diffed the contents?
Is the `shiro-web` jar on your classpath? If not, how was it getting loaded
in with your previous deployment?  Was it on some shared classpath?

On Fri, Nov 20, 2020 at 2:43 PM Indrajit57 
wrote:

> We have a java application which is using Shiro 1.2.2 and was working fine
> on JDK1.6 and WebLogic 11g. Now we are
> trying to deploy the same application using JDK1.8 and Weblogic12c. We see
> the following error on deployment.  Also please find the attached image for
> complete stack trace.
>
> java.lang.ClassNotFoundException:
> org.apache.shiro.web.env.EnvironmentLoaderListener
> at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:1029)
> at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:990)
> at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(ChangeAwareClassLoader.java:101)
> at weblogic.utils.classloaders.GenericClassLoader.doFindClass(GenericClassLoader.java:611)
> at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:543)
>
>
> Here is the web.xml entry for Shiro
>
> <listener>
>     <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
> </listener>
>
>
> Appreciate your help.
>
>
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: Re[2]: How to clear thread after Subject.login()

2020-11-20 Thread Brian Demers
You have a couple of options, you could either do something like this:
https://github.com/apache/shiro/blob/0e5a4428bcaa0a4c03680f5faad5a4c897379497/core/src/test/java/org/apache/shiro/test/ExampleShiroIntegrationTest.java

Or you could do something like:

@Test
public void myTest() {
  Subject subject = buildYourTestSubject();

  // execute() binds the subject to this thread for the Runnable and unbinds it afterwards
  subject.execute(new Runnable() {
    @Override
    public void run() {
      assertThat(yourCode, worksCorrectly());
    }
  });
}

You could also call ThreadContext.remove() if you didn't want to do either
of the above
https://github.com/apache/shiro/blob/0e5a4428bcaa0a4c03680f5faad5a4c897379497/core/src/main/java/org/apache/shiro/util/ThreadContext.java#L203


On Fri, Nov 20, 2020 at 11:19 AM Alex Orlov  wrote:

> Hi Brian
>
> I am talking about using Shiro in my test (or in any NON WEB environment).
>
> consider the following code:
>
> @Test
> public void testMe() {
> var subject = SecurityUtils.getSubject();
> subject.login(new SomeToken());
> //here subject is bound to thread (as I understand!!!)
> }
>
> I’ve read this
> Subject subject = new Subject.Builder()...
> ThreadState threadState = new SubjectThreadState(subject);
> threadState.bind();
> try {
>     //execute work as the built Subject
> } finally {
>     //ensure any state is cleaned so the thread won't be
>     //corrupt in a reusable or pooled thread environment
>     threadState.clear();
> }
>
> but this is not my situation, as when I do subject.login(...) I don't
> manually bind the subject to the thread. And I want to understand how to
> unbind the thread after subject.login().
> Or do I understand something wrong?
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Friday, 20 November 2020, 18:48 +03:00 from Brian Demers <
> brian.dem...@gmail.com>:
>
> What type of application are you building? For web applications Shiro can
> handle the Login (collecting of the username/password) and the thread
> binding for you, so you don't actually need to do that. (this all happens
> with the ShiroFilter, and associated chain)
>
> That said, if you do not want to use shiro-web, you could accomplish the
> same thing by sticking your code in a Runnable:
>
> https://github.com/apache/shiro/blob/b0091dfef63288f957389bce42f5a8e85329a1aa/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java#L359-L368
>
> Take a look at the Subject / Thread Association doc:
> https://shiro.apache.org/subject.html#thread-association
>
> On Fri, Nov 20, 2020 at 8:50 AM Alex Orlov wrote:
>
> Hi all,
>
> I use the following code:
> var subject = SecurityUtils.getSubject();
> subject.login(new SomeToken());
>
> As I understand, after `subject.login(new SomeToken())`, if the subject
> successfully logs in, he is bound to the current thread. Could anyone say how
> I can clear the current thread, without subject.logout()?
> I just want the subject to stay in the system until it is necessary again (for
> example until the next request).
>
> I’ve read this article https://shiro.apache.org/subject.html  but didn’t
> find answer there. Please, help.
>
> --
> Best regards, Alex Orlov
>
>
>
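
The three questions above (building a test Subject that holds specific permissions, calling the Realm lifecycle yourself when the SecurityManager is created by hand, and unbinding the Subject from the thread after `login()`) share one setup, so here is one added example covering all of them. It is not code from the threads or from the Shiro project; the class name, the `alice` account and its permissions are constructed for the example.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.TextConfigurationRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.apache.shiro.util.LifecycleUtils;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.util.ThreadState;

/** Hypothetical helper class; nothing here is part of Shiro or of the threads above. */
public class ManualSecurityManagerExample {

    /** Realm with a constructed sample account: alice / s3cret, role admin. */
    static TextConfigurationRealm sampleRealm() {
        TextConfigurationRealm realm = new TextConfigurationRealm();
        realm.setUserDefinitions("alice = s3cret, admin");
        realm.setRoleDefinitions("admin = document:read, document:write");
        return realm;
    }

    /**
     * Builds the SecurityManager by hand, as in the threads above. Outside a DI
     * integration nothing calls Realm#onInit for you, so the lifecycle step is
     * explicit. For TextConfigurationRealm that call is what parses the
     * definitions; without it the realm simply has no accounts.
     */
    static DefaultSecurityManager securityManager(boolean runLifecycle) {
        TextConfigurationRealm realm = sampleRealm();
        if (runLifecycle) {
            LifecycleUtils.init(realm);
        }
        return new DefaultSecurityManager(realm);
    }

    /** Authenticates a Subject against the given manager; no thread binding happens here. */
    static Subject loginAs(SecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    /**
     * Runs work with the subject bound to the calling thread and always unbinds
     * it afterwards, so nothing leaks into a pooled or reused thread. This is
     * the SubjectThreadState pattern quoted above, wrapped in try/finally.
     */
    static void runBound(Subject subject, Runnable work) {
        ThreadState state = new SubjectThreadState(subject);
        state.bind();
        try {
            work.run();
        } finally {
            state.clear(); // restores whatever was bound before, or nothing
        }
    }

    public static void main(String[] args) {
        // 1. Failure mode: the realm was never initialised, so its account list is empty.
        try {
            loginAs(securityManager(false), "alice", "s3cret");
        } catch (AuthenticationException e) {
            System.out.println("without LifecycleUtils.init: " + e.getClass().getSimpleName());
        }

        // 2. Correct manual setup.
        DefaultSecurityManager sm = securityManager(true);
        Subject alice = loginAs(sm, "alice", "s3cret");

        // 3. Use the authenticated subject in a test-style block. SecurityUtils.getSubject()
        //    resolves it through ThreadContext only while it is bound.
        runBound(alice, () -> {
            Subject current = SecurityUtils.getSubject();
            System.out.println("bound as " + current.getPrincipal()
                    + "; document:read -> " + current.isPermitted("document:read")
                    + "; document:delete -> " + current.isPermitted("document:delete"));
        });
        System.out.println("after clear, ThreadContext.getSubject() = " + ThreadContext.getSubject());

        // Subject.execute(Runnable) performs the same bind / clear around the Runnable.
        alice.execute(() -> System.out.println("inside execute, hasRole(admin) = "
                + SecurityUtils.getSubject().hasRole("admin")));

        // Counterpart of init: stops the native session validation scheduler.
        LifecycleUtils.destroy(sm);
    }
}
```

Expected behaviour: the first login fails with an UnknownAccountException, the bound block reports read permitted and delete not permitted, and ThreadContext.getSubject() is null once the block has cleared its state.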


Re: How to clear thread after Subject.login()

2020-11-20 Thread Brian Demers
What type of application are you building? For web applications Shiro can
handle the Login (collecting of the username/password) and the thread
binding for you, so you don't actually need to do that. (this all happens
with the ShiroFilter, and associated chain)

That said, if you do not want to use shiro-web, you could accomplish the
same thing by sticking your code in a Runnable:
https://github.com/apache/shiro/blob/b0091dfef63288f957389bce42f5a8e85329a1aa/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java#L359-L368

Take a look at the Subject / Thread Association doc:
https://shiro.apache.org/subject.html#thread-association

On Fri, Nov 20, 2020 at 8:50 AM Alex Orlov  wrote:

> Hi all,
>
> I use the following code:
> var subject = SecurityUtils.getSubject();
> subject.login(new SomeToken());
>
> As I understand, after `subject.login(new SomeToken())`, if the subject
> successfully logs in, he is bound to the current thread. Could anyone say how
> I can clear the current thread, without subject.logout()?
> I just want the subject to stay in the system until it is necessary again (for
> example until the next request).
>
> I’ve read this article https://shiro.apache.org/subject.html  but didn’t
> find answer there. Please, help.
>
> --
> Best regards, Alex Orlov
>


Re: Shiro Realm and Session thread-safety?

2020-11-10 Thread Brian Demers
Yes, they are, but that concern is up to the implementation of the
cache/session impl. So if you have a custom implementation you will need to
ensure that code is also thread safe.


On Mon, Nov 9, 2020 at 4:46 PM Alex Orlov  wrote:

> Hi all,
>
> As I understand Shiro must be thread-safe. However, I couldn’t find any
> information about
> multithreading support, so, to be sure decided to ask several questions.
> Could anyone say, if
>
> 1) this code with sessions is thread-safe?
> for (Session session: sessionDao.getActiveSessions()){
>…..
> session.stop();
> }
>
> 2) Realm#clearCachedAuthorizationInfo(PrincipalCollection principals)
> method is thread-safe?
>
> --
> Best regards, Alex Orlov
>


Re: Re[4]: How to get all logged in Subjects

2020-11-07 Thread Brian Demers
Hey Alex,

Sorry about giving you wrong info before, I forgot about that method.

1.) From the API point of view the SessionDAO is an implementation detail,
and getting access to those details would require some casting.

They are not part of the main API because not all SessionManagers would use
a DAO, it's possible they are stored some other way.

It's possible to set them in an INI file because that operates on bean
properties (getters/setters).

2.) Many of Shiro's implementations make heavy use of Inheritance.  This is
more obvious if you look at a Realm implementation.

On Fri, Nov 6, 2020 at 5:24 AM Alex Orlov  wrote:

> I found this wonderful method :
>
> SessionDAO#Collection getActiveSessions()
>
> and want to use it. And I have two questions:
>
> 1) Why does API hide top level objects for which we have interfaces?
> For example, there is no API
> SecurityManager.getSessionManager().getSessionDAO()?
> It seems to be unusual for me. Besides it is possible to set them via ini:
>
>
> sessionManager = com.foo.my.SessionManagerImplementation
> securityManager.sessionManager = $sessionManager
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> # Configure a SessionDAO and then set it:
> securityManager.sessionManager.sessionDAO = $sessionDAO
>
> Maybe it is necessary to change API?
>
> 2) Why does SecurityManager extend SessionManager?
> As I understand SecurityManager has a SessionManager, but not is a
> SessionManager:
>
> public interface SecurityManager extends Authenticator, Authorizer,
> SessionManager
>
> Could anyone explain?
>
>
>


Re: Re[2]: How to get all logged in Subjects

2020-11-05 Thread Brian Demers
This isn't something Shiro covers directly, but it is possible with a little
custom code.

You could write a custom SessionDAO, or you could use an existing one, and
just access the data store to query what you need. For example, if you used
a DB, you could just query the DB. It should be similar with something
like Hazelcast too.

On Thu, Nov 5, 2020 at 3:41 PM Alex Orlov  wrote:

> Do I understand you right — you are talking about implementing custom
> SessionDAO
> and adding it to session manager?
>
> sessionDAO = com.foo.my.SessionDAO
> securityManager.sessionManager.sessionDAO = $sessionDAO
>
> So, can I always a) get events when a subject logs in (create) and logs out
> (delete) and b) find the currently logged in Subjects?
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Thursday, 5 November 2020, 23:12 +03:00 from Benjamin Marwell <
> bmarw...@apache.org>:
>
> It depends.
>
> I use jwt tokens. No chance here to invalidate them, but they get
> invalidated pretty quickly anyway.
>
> But you can use any *distributed* session storage you like: a DBMS, a
> memory grid like hazelcast, or create your own local storage and sync them
> via jGroups, or even EJBs. It doesn't matter as long as all of the nodes
> use the same single or synchronously updated storage.
>
> You can then iterate over all sessions in one of the nodes or via a
> sidecar container/app and invalidate them.
>
> Just make sure you enter the session storage class in the shiro.ini.
>
> HTH
> Ben
>
> On Thu, 5 Nov 2020, 20:47 Andreas Reichel
> wrote:
>
> Good evening Alex,
>
> in my understanding this is not possible: Shiro works on the client side
> and provides an abstraction of authenticating/authorizing a client against
> a server.
> But you look for a registry of sessions on the server side. That should
> not be Shiro's concern.
>
> Best regards
> Andreas
>
>
> On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
>
> Hi all,
>
> Could anyone say how I can get all logged in subjects. For example,
> Subjects have roles, roles have permissions. If in the application a role
> were modified dynamically (for example in the DB), I want to get all logged
> in subjects, iterate over them, find those who have this role, collect their
> principals and call in my realm the method
> clearCachedAuthorizationInfo(PrincipalCollection principals).
>
>
> --
> Best regards, Alex Orlov
>
>
>
>
>


Re: [ANNOUNCE][CVE-2020-17510] Apache Shiro 1.7.0 released

2020-11-04 Thread Brian Demers
A quick update,

First, the Apache Shiro team wants to thank qianji @ OPPO ZIWU Cyber
Security Lab for reporting the issue responsibly [0]

Second, if you are NOT using Shiro's Spring Boot Starter
(`shiro-spring-boot-web-starter`), you must add the
ShiroRequestMappingConfig auto configuration[1] to your application or
configure the equivalent manually[2].

[0] https://www.apache.org/security/
[1] https://shiro.apache.org/spring-framework.html#SpringFramework-WebConfig
[2]
https://github.com/apache/shiro/blob/shiro-root-1.7.0/support/spring/src/main/java/org/apache/shiro/spring/web/config/ShiroRequestMappingConfig.java#L28-L30

On Fri, Oct 30, 2020 at 1:58 PM  wrote:

> The Shiro team is pleased to announce the release of Apache Shiro version
> 1.7.0.
>
> This security release contains 7 fixes since the 1.6.0 release and is
> available for Download now [1].
>
> CVE-2020-17510:
> Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a
> specially crafted HTTP request may cause an authentication bypass.
>
> Release binaries (.jars) are also available through Maven Central and
> source bundles through Apache distribution mirrors.
>
> For more information on Shiro, please read the documentation [2].
>
> -The Apache Shiro Team
>
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html
>
> --
> François
> fpa...@apache.org
>
>


Re: Re[4]: Principal in Shiro

2020-11-04 Thread Brian Demers
Sort of, the Subject would be the actor, the Subject has principals

On Wed, Nov 4, 2020 at 11:34 AM Alex Orlov  wrote:

> Thank you for such a detailed explanation. As a result, just to check that
> my understanding is correct, can we say:
>
> Principal is a subset of Subject, so Principal is an actor. However, as
> Shiro supports different security types, Shiro uses Principal as an actor’s
> identifying attribute for generic approach.
>
> --
> Best regards, Alex Orlov
>
> Wednesday, 4 November 2020, 18:37 +03:00 from Brian Demers :
>
> The SO answer looks pretty good to me, but it's pretty high level.
> You also need to take into account how they are used in context and naming
> conventions (e.g. Java has `java.security.principal`)
>
> A principal could be any object, it's commonly a String, i.e. a username
> or email address.  These may or may not be the identifier for the
> principal.  It's common for usernames and email addresses to change as the
> result of a marriage or adoption, so another identifier might be used.
>
> Another common case of an AuthenticationToken is Bearer tokens.
> Shiro's Bearer token,
> https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authc/BearerToken.java,
> is modeled as a string, but it is NOT a principal identifier; really it's
> ONLY a credential.
>
> A bearer token might be an opaque string, or it could be a security token
> (e.g. a JWT/PASETO/etc), when the token is validated, it _might_ not
> contain any identifier.
>
> Similar to a certificate-based authentication, you might just have the
> cert as an object and NOT a String.
>
> In practice... when we talk about human users they often have some sort of
> string identifier, because we naturally think username/password
> authentication.  This is NOT universal though.
>
>
> Sorry for the rambling answer, I'm not sure if I've answered your question
> or not.
> -Brian
>
>
> On Wed, Nov 4, 2020 at 8:31 AM Alex Orlov wrote:
>
> Let me explain the reason for this question.
>
> From the SO answer (https://stackoverflow.com/a/5025140/5057736):
>
> "Principal - A subset of subject that is represented by an account,
> role or other unique identifier. When we get to the level of implementation
> details, principals are the unique keys we use in access control lists.
> They may represent human users, automation, applications, connections, etc.
> …
> Subject/Object inherits from the same terms as used in grammar. In a
> sentence the subject is the actor and the object is the thing acted on."
>
> So, Principal is a subset of Subject → principal is an actor.
>
> However, in Shiro a *Principal* is any identifying attribute of an
> application user (Subject).
>
> So, I am trying to understand which it is: 1) the SO answer is wrong; 2) Shiro
> is wrong; 3) I have misunderstood everything.
>
> If #2, then AuthenticationToken should be:
>
> import java.io.Serializable;
>
> public interface AuthenticationToken extends Serializable {
>     public Object getPrincipalId(); // added "Id"
>     public Object getCredentials();
> }
>
>
>
> --
> Best regards, Alex Orlov
>
>
> Wednesday, 4 November 2020, 15:01 +03:00 from Benjamin Marwell <bmarw...@apache.org>:
>
> Correct.
>
> To complete the picture:
>
> https://shiro.apache.org/terminology.html
>
> Also, the PrincipalCollection knows which realms the user is known in.
> This is why most methods return such a collection, not a single Principal.
>
> Most apps only have one realm, but they could have multiple realms. E.g.
> LDAP and a config file.
>
>
>
>
> On Wed, 4 Nov 2020, 12:30 Andreas Reichel wrote:
>
>
>
>
> On Wed, 2020-11-04 at 13:07 +0300, Alex Orlov wrote:
>
> So, could anyone explain what a Principal is — is it a User or User.getId()?
>
>
>
> Good afternoon Alex.
>
> While I am just a Shiro user (not a developer), my understanding is
> that a Principal is anything you (or a service) can authenticate or
> authorize against.
> Any entity you can send to a service and get a response ("yes",
> authenticated) for is a principal.
>
> The nature of this principal depends on the service itself.
> If the authentication service expects a Username, then this Username is a
> Principal. But if the service expects a Global Unique Token, then this
> Username would not qualify as a Principal (but the Token would).
>
> Cheers!
> Andreas
>
>


Re: Re[2]: Principal in Shiro

2020-11-04 Thread Brian Demers
The SO answer looks pretty good to me, but it's pretty high level.
You also need to take into account how they are used in context and naming
conventions (e.g. Java has `java.security.Principal`)

A principal could be any object, it's commonly a String, i.e. a username or
email address.  These may or may not be the identifier for the principal.
It's common for usernames and email addresses to change as the result of a
marriage or adoption, so another identifier might be used.

Another common case of an AuthenticationToken is Bearer tokens.
Shiro's Bearer token:
https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authc/BearerToken.java
is modeled as a string, but it is NOT a principal identifier; really it's
ONLY a credential.

A bearer token might be an opaque string, or it could be a security token
(e.g. a JWT/PASETO/etc.); when the token is validated, it _might_ not
contain any identifier.

Similarly, for certificate-based authentication, you might just have the cert
as an object and NOT a String.

In practice... when we talk about human users they often have some sort of
string identifier, because we naturally think username/password
authentication.  This is NOT universal though.


Sorry for the rambling answer, I'm not sure if I've answered your question
or not.
-Brian


On Wed, Nov 4, 2020 at 8:31 AM Alex Orlov  wrote:

> Let me explain the reason for this question.
>
> From the SO answer (https://stackoverflow.com/a/5025140/5057736):
>
> "Principal - A subset of subject that is represented by an account,
> role or other unique identifier. When we get to the level of implementation
> details, principals are the unique keys we use in access control lists.
> They may represent human users, automation, applications, connections, etc.
> …
> Subject/Object inherits from the same terms as used in grammar. In a
> sentence the subject is the actor and the object is the thing acted on."
>
> So, Principal is a subset of Subject → principal is an actor.
>
> However, in Shiro a *Principal* is any identifying attribute of an
> application user (Subject).
>
> So, I am trying to understand which it is: 1) the SO answer is wrong; 2) Shiro
> is wrong; 3) I have misunderstood everything.
>
> If #2, then AuthenticationToken should be:
>
> import java.io.Serializable;
>
> public interface AuthenticationToken extends Serializable {
>     public Object getPrincipalId(); // added "Id"
>     public Object getCredentials();
> }
>
>
>
> --
> Best regards, Alex Orlov
>
> Wednesday, 4 November 2020, 15:01 +03:00 from Benjamin Marwell <bmarw...@apache.org>:
>
> Correct.
>
> To complete the picture:
>
> https://shiro.apache.org/terminology.html
>
> Also, the PrincipalCollection knows which realms the user is known in.
> This is why most methods return such a collection, not a single Principal.
>
> Most apps only have one realm, but they could have multiple realms. E.g.
> LDAP and a config file.
>
>
>
>
> On Wed, 4 Nov 2020, 12:30 Andreas Reichel wrote:
>
>
>
>
> On Wed, 2020-11-04 at 13:07 +0300, Alex Orlov wrote:
>
> So, could anyone explain what a Principal is — is it a User or User.getId()?
>
>
>
> Good afternoon Alex.
>
> While I am just a Shiro user (not a developer), my understanding is
> that a Principal is anything you (or a service) can authenticate or
> authorize against.
> Any entity you can send to a service and get a response ("yes",
> authenticated) for is a principal.
>
> The nature of this principal depends on the service itself.
> If the authentication service expects a Username, then this Username is a
> Principal. But if the service expects a Global Unique Token, then this
> Username would not qualify as a Principal (but the Token would).
>
> Cheers!
> Andreas
>
>
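
The distinction made in this thread (a bearer token is only a credential; the realm decides what the principal is after validation; the PrincipalCollection records which realm produced each principal), as an added example that is not code from the thread or from the Shiro project. The class `BearerTokenRealm`, its `Account` record and the `issuedTokens` map are assumptions standing in for a real token validator; the sample token and account are constructed.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Hypothetical realm (not part of Shiro): a BearerToken carries only a
 * credential, so this realm decides what the principal is once the token
 * has been validated.
 */
public class BearerTokenRealm extends AuthenticatingRealm {

    /** Constructed account record: the numeric id is the stable identifier; the email can change. */
    static final class Account {
        final long id;
        final String email;
        Account(long id, String email) { this.id = id; this.email = email; }
    }

    // Constructed stand-in for real token validation (JWT/PASETO verification, introspection, ...).
    private final Map<String, Account> issuedTokens = new HashMap<>();

    public BearerTokenRealm() {
        setName("bearer"); // this name is recorded in the PrincipalCollection for every principal we add
        // Validation happens in lookup(); nothing is left for a credentials matcher to compare.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        issuedTokens.put("tok-constructed-1", new Account(42L, "alice@example.org"));
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof BearerToken; // a UsernamePasswordToken belongs to some other realm
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        BearerToken bearer = (BearerToken) token;
        Account account = lookup(bearer.getToken());
        if (account == null) {
            // One failure for "unknown" and "invalid" alike, so nothing is learned from the message.
            throw new AuthenticationException("bearer token rejected");
        }
        // The primary principal is the stable id (added first). The email is a secondary
        // principal from the same realm: fine for display, not a key that survives renames.
        SimplePrincipalCollection principals = new SimplePrincipalCollection();
        principals.add(account.id, getName());
        principals.add(account.email, getName());
        return new SimpleAuthenticationInfo(principals, bearer.getToken());
    }

    /** Stand-in for token validation; null for anything this realm did not issue. */
    Account lookup(String token) {
        return token == null ? null : issuedTokens.get(token);
    }

    public static void main(String[] args) {
        BearerTokenRealm realm = new BearerTokenRealm();
        AuthenticationInfo info = realm.getAuthenticationInfo(new BearerToken("tok-constructed-1"));
        PrincipalCollection principals = info.getPrincipals();
        System.out.println("primary principal: " + principals.getPrimaryPrincipal());
        System.out.println("realms: " + principals.getRealmNames());
        System.out.println("principals from 'bearer': " + principals.fromRealm("bearer"));
    }
}
```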


Re: Shiro 1.2.2

2020-10-29 Thread Brian Demers
Probably, but I'd strongly recommend updating Shiro. There have been a few
security fixes since that release.

On Thu, Oct 29, 2020 at 12:34 PM Indrajit57 
wrote:

> Hello,
>
> We are using Shiro V1.2.2 in our application. We are thinking of updating
> Java to 1.8. Will Shiro V1.2.2 work with Java 8?
>
> Thanks in advance !
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: I have nothing in web.xml, but shiro still bootstraps itself and protects resources defined in shiro.ini. Is this expected behavior?

2020-09-15 Thread Brian Demers
Thanks!

On Tue, Sep 15, 2020 at 3:26 PM mbaron  wrote:

> I do have "shiro-servlet-plugin" in my Maven dependencies, so this makes
> sense.  Thanks for the clarification.
>
> P.S. Recently I was looking for a Java security framework and stumbled upon
> Shiro.  I think it's brilliant.  It's so easy to setup and to use.  Does
> everything I want without getting in the way or being overly complicated.
> Kudos to those who created and maintain this project.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: I have nothing in web.xml, but shiro still bootstraps itself and protects resources defined in shiro.ini. Is this expected behavior?

2020-09-15 Thread Brian Demers
Yup, this is expected if you are using the `shiro-servlet-plugin`. This
module contains a web.xml fragment that is loaded automatically from your
classpath.
If you need more control you can use the `shiro-web` module directly and
configure your web.xml (or equivalent) yourself.

The `shiro-servlet-plugin` jar file just contains this file:
https://github.com/apache/shiro/blob/master/support/servlet-plugin/src/main/resources/META-INF/web-fragment.xml

Does that help?

On Tue, Sep 15, 2020 at 12:03 AM mbaron  wrote:

> I have nothing in web.xml, but shiro still bootstraps itself and protects
> resources defined in shiro.ini.  Is this expected behavior?
>
> If I add elements to web.xml along the lines of what is described here
> https://shiro.apache.org/web.html, I see no difference in how my web
> application is secured.
>
> This holds true on tomcat 9.0.30 and Google Cloud Platform App Engine.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


[ANNOUNCE][CVE-2020-13933] Apache Shiro 1.6.0 released

2020-08-17 Thread Brian Demers
The Shiro team is pleased to announce the release of Apache Shiro version
1.6.0.

This security release contains 5 fixes since the 1.5.3 release [1] and is
available for download now [2].

CVE-2020-13933:
In Apache Shiro before 1.6.0, a specially crafted HTTP request may cause an
authentication bypass.

Thanks to codeplutos @ antfin non-attack security lab for responsibly
reporting this issue and working with us as we addressed it.

A new feature named "Global Filters" has been introduced to help
mitigate this type of issue [3].

Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [4].

-The Apache Shiro Team

[1]
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12348623=Text=12310950
[2] http://shiro.apache.org/download.html
[3] https://shiro.apache.org/web.html#Web-globalFilters
[4] http://shiro.apache.org/documentation.html


Re: why springmvc show exception:org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration Unsatisfied dependency expressed through field 'filterMap';

2020-07-08 Thread Brian Demers
Hi,
Looks like it's a bug, and our test case missed it.
I made a quick pull request to fix the issue if you want to try it out.
https://github.com/apache/shiro/pull/244

Keep us posted!

On Tue, Jul 7, 2020 at 8:01 PM 一直以来 <279377...@qq.com> wrote:

> Hi Brian Demers:
>
> I opened the URL:
>
> https://github.com/apache/shiro/tree/master/samples/spring-mvc
>
> downloaded the source, and ran this command from cmd:
>
> mvn jetty:run-war
>
> exception below:
>

Re: why springmvc show exception:org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration Unsatisfied dependency expressed through field 'filterMap';

2020-07-07 Thread Brian Demers
Can you include the full error message and stack trace?

What does your code look like?



On Tue, Jul 7, 2020 at 5:19 AM 一直以来 <279377...@qq.com> wrote:

> 2020-07-07 17:06:56,149 ERROR
> [org.springframework.web.context.ContextLoader] - Context initialization
> failed
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name
> 'org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration':
> Unsatisfied dependency expressed through field 'filterMap'; nested
> exception is
> org.springframework.beans.factory.NoSuchBeanDefinitionException: No
> qualifying bean of type 'java.util.Map javax.servlet.Filter>' available: expected at least 1 bean which qualifies
> as autowire candidate. Dependency annotations:
> {@org.springframework.beans.factory.annotation.Autowired(required=true)}
> at
> org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:643)
>
> Why? Thank you!
>


[Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness

2020-06-22 Thread Brian Demers
In Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic
controllers, a specially crafted request may cause an authentication bypass.

This issue was independently discovered by two different researchers:
* Ruilin Yang of Tencent Security Xuanwu Lab
* 淚笑 (leixiao)


Re: UnknownAccountException with LDAPRealm

2020-06-10 Thread Brian Demers
Okay, I see.

Shiro doesn't provide an API for this.  You would need to handle this
additional query separately.  You shouldn't need additional dependencies
though; you can use the javax.naming.ldap API directly.

Does that help?
-Brian


On Wed, Jun 10, 2020 at 8:23 AM braus  wrote:

> Hi Brian,
>
> I just want to check if a username exists or not for registration purposes
> (not login). I only allow accounts registered from the LDAP realm to be used
> in my different realms.
> So my basic problem would be to see if there is a simple method of checking
> if a username exists within a LDAPRealm.
>
> I could query the LDAP with separate frameworks and such, but I prefer to
> have minimal dependencies.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: UnknownAccountException with LDAPRealm

2020-06-09 Thread Brian Demers
Not all realm implementations are able to determine if an account exists or
not.  For example, most remote user stores would return the same result if
a user does not exist or the password was incorrect.
And you may not want to propagate that type of exception to your end-users
(to avoid leaking usernames). This is up to you; some folks make the
argument that the increased usability is worth it.

LDAP is a bit complicated as well, depending on how your server is
configured.  Setups that query for a user before authenticating require a
"system" user to make the initial connection. Otherwise, you use the
username/password of the user login to make the connection.

Is there something specific you are trying to do?

On Tue, Jun 9, 2020 at 5:06 AM braus  wrote:

> Hi everyone,
>
> I've noticed that there is a specific exception for unknown accounts. This
> seems useful to me in a specific login flow that I've been working on.
> Unfortunately I haven't been able to trigger said exception with the
> DefaultLDAPRealm.
>
> Does anyone have insight on how to get this exception with the
> DefaultLDAPRealm?
>
>
> On a different note: I can't seem to check if a user exists through the
> DefaultLDAPRealm. Is there a way to check this? I could build a separate
> LDAP module to check this, but I would say that checking if a username
> exists would be Realm behaviour. But I could be wrong here.
>
> Kind regards,
>
> Sjoerd Brauer
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>
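
The direct `javax.naming` lookup Brian points to in the 2020-06-10 reply, using the "system" bind he describes in the 2020-06-09 reply, as an added example that is not the thread's or Shiro's own code. `LdapUserLookup` is a hypothetical helper; the directory URL, bind DN and search base are placeholders supplied by the caller, and the realm itself is not involved.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Hypothetical helper (not part of Shiro): answers "does uid=<username> exist?"
 * by binding with the same kind of "system" account a lookup-before-bind LDAP
 * setup needs, then running a single-result search.
 */
public final class LdapUserLookup {

    private final String providerUrl;    // placeholder, e.g. "ldaps://ldap.example.org:636"
    private final String systemDn;       // placeholder, e.g. "cn=lookup,ou=system,dc=example,dc=org"
    private final String systemPassword; // the system account's password
    private final String searchBase;     // placeholder, e.g. "ou=people,dc=example,dc=org"

    public LdapUserLookup(String providerUrl, String systemDn,
                          String systemPassword, String searchBase) {
        this.providerUrl = providerUrl;
        this.systemDn = systemDn;
        this.systemPassword = systemPassword;
        this.searchBase = searchBase;
    }

    /** True if at least one entry under searchBase has the given uid. */
    public boolean usernameExists(String username) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // simple bind sends the password: use ldaps://
        env.put(Context.SECURITY_PRINCIPAL, systemDn);
        env.put(Context.SECURITY_CREDENTIALS, systemPassword);

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"uid"}); // existence only, no profile data
        controls.setCountLimit(1);                               // one hit is enough

        // The username is an assertion value: escape it so it cannot change the filter's shape.
        String filter = "(uid=" + escapeFilterValue(username) + ")";

        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, controls);
            try {
                return results.hasMore();
            } catch (SizeLimitExceededException moreThanOne) {
                return true; // the server had more entries than our limit of 1, so the user exists
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** RFC 4515 escaping of a filter assertion value. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The result is exactly the "does this username exist" answer the registration flow needs; as the 2020-06-09 reply notes, exposing that answer directly to anonymous callers lets them enumerate usernames, so rate-limit or gate the endpoint that calls it.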


Re: Shiro does not work with Java 9 modules.

2020-06-04 Thread Brian Demers
One user reported being able to use the `shiro-all` jar with JPMS.

On Thu, Jun 4, 2020 at 6:52 AM sreenivas harshith 
wrote:

>
> Hi francois,
>
> Even without a module-info.java file, older jars should work fine with the
> Java 9 automatic module resolution strategy that maintains compatibility with
> legacy code. Not sure why this is not working with Shiro. Meanwhile, when
> is Shiro 2.0 set to release?
>
> Regards,
> Sreenivas.
>
> On Thursday, June 4, 2020, 03:31:07 PM GMT+5:30, Francois Papon <
> francois.pa...@openobject.fr> wrote:
>
>
> Hi,
>
> We started an effort to modernize and refactor some part of Shiro with the
> 2.0 next major release.
>
> We can add this, I created a Jira:
>
> https://issues.apache.org/jira/browse/SHIRO-781
>
> Feel free to push a PR if you think you can help :)
>
> regards,
>
> François
> fpa...@apache.org
>
> On 04/06/2020 at 11:39, sreenivas harshith wrote:
>
> Hi,
>
> I was trying to integrate Shiro in gradle 6.4.1, which has Java 9 module
> support, and included the below line in build.gradle:
>
>  implementation group: 'org.apache.shiro', name: 'shiro-core', version:
> '1.5.3'
>
> It's taking the automatic module name as
>
>  requires shiro.core;
>
> But when I compile I get
>
> error: module not found: shiro.core
> requires shiro.core;
>   ^
> I'm able to compile and include other libs such as commonslang3 with
> automatic module name resolution such as below.
>
> requires org.apache.commons.lang3;
>
> Even `--describe-module` reports the same module name, as shown below:
>
>
> jar --file=.\shiro-core-1.5.3.jar --describe-module
> No module descriptor found. Derived automatic module.
>
> shiro.core@1.5.3 automatic
> requires java.base mandated
>
> Can we include Shiro with Java 9 and above as modules?
>
> Regards,
> Sreenivas.
>
>


Re: Re[10]: onInit method on AuthenticatingRealm is called twice

2020-05-13 Thread Brian Demers
Thanks!

On Wed, May 13, 2020 at 8:53 AM Alex Sviridov  wrote:

> Here it is — https://issues.apache.org/jira/browse/SHIRO-778
>
> Best regards, Alex
>


Re: Re[9]: onInit method on AuthenticatingRealm is called twice

2020-05-12 Thread Brian Demers

Re: [DISCUSS] - Move to 2.0.0

2020-05-07 Thread Brian Demers
Thanks Francois!

On Thu, May 7, 2020 at 5:51 AM Francois Papon 
wrote:

> FYI
>
> https://issues.apache.org/jira/browse/SHIRO-768
>
> regards,
>
> François
> fpa...@apache.org
>
> On 07/05/2020 at 11:44, Benjamin Marwell wrote:
>
> +1
>
>
>
>
> On Thu, 7 May 2020, 04:13 Francois Papon, 
> wrote:
>
>> +1
>>
>> François
>> fpa...@apache.org
>>
>> On 07/05/2020 at 00:28, Brian Demers wrote:
>>
>> I'd love to see the `shiro-all` module go away as part of 2.0, anyone
>> have any objections?
>>
>> On Mon, May 4, 2020 at 4:32 AM sreenivas harshith 
>> wrote:
>>
>>> Some libs were broken from java 9 and above due to java 9 module system
>>> and JDK internal APIs restrictions. Just wanted to check if shiro supports
>>> Java 9 and above.
>>>
>>>
>>> On Mon, May 4, 2020 at 1:12 PM +0530, "Francois Papon" <
>>> francois.pa...@openobject.fr> wrote:
>>>
>>>> I am using Shiro with Jdk11 and I never had issues.
>>>>
>>>> We also have a Jenkins job for the build with JDK11 but the target
>>>> build for the source code is still Java 8.
>>>>
>>>> regards,
>>>>
>>>> François
>>>> fpa...@apache.org
>>>>
>>>> On 04/05/2020 at 09:30, Benjamin Marwell wrote:
>>>>
>>>> I never had issues with it, but there is no module descriptor yet.
>>>> Thus, it depends on what you mean by "support java9".
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, 4 May 2020, 04:40 sreenivas harshith, 
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Does shiro support java 9 and above ?
>>>>>
>>>>> Regards,
>>>>> Sreenivas.
>>>>>
>>>>>
>>>>>
>>>>> On Sun, May 3, 2020 at 4:27 PM +0530,  wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> The 1.5.3 is released now, so I created a branch 1.5.x for the
>>>>>> maintenance and move the master to the 2.0.0-SNAPSHOT.
>>>>>>
>>>>>> We will now review the 2.0.0 backlog on Jira and merge some ideas from
>>>>>> this thread.
>>>>>>
>>>>>> Feel free to create issues related to this next major version and make
>>>>>> proposals / PR:
>>>>>> https://issues.apache.org/jira/projects/SHIRO/versions/12315455
>>>>>>
>>>>>> Thanks for all your feedback!
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> François
>>>>>> fpa...@apache.org
>>>>>>
>>>>>> On 08/04/2020 at 18:55, Steinar Bang wrote:
>>>>>> > Francois Papon:
>>>>>> >> It's also time for anyone to bring some ideas about the next Shiro
>>>>>> >> features/improvements, feel free to share :)
>>>>>> > Speaking purely for myself, I would like to see this one fixed:
>>>>>> >  https://issues.apache.org/jira/browse/SHIRO-713
>>>>>>
>>>>>>


Re: Re[4]: onInit method on AuthenticatingRealm is called twice

2020-05-07 Thread Brian Demers
Alex

1-3) if you can put together a full example and stick it on GitHub we might
be able to point out if there is an issue.  I've seen cases where folks are
using the Servlet Filter and initializing Shiro manually which would cause
this problem.

4.) Ahh right, that is caused by the bundle plugin, we are working on that.

5.) correct, shiro-all is just an aggregate of the other modules' classes.
The `all` module will likely be dropped in the next major version of Shiro.

That said, needing to use the shiro-all jar to workaround JPMS is valid (at
least until we get #4 resolved)

Thanks!
-Brian

On Wed, May 6, 2020 at 9:41 PM Alex Sviridov  wrote:

> Hi Brian,
>
> 1-3) I tried with the Servlet Filter and without it; either way the onInit
> method is called twice. It seems to be a bug.
>
> 4) As I see you have same packages for different modules, for example
> shiro/core/src/main/java/org/apache/shiro/config
> shiro/config/core/src/main/java/org/apache/shiro/config
> Besides I found this issue —
> https://issues.apache.org/jira/browse/SHIRO-679
>
> 5) I understood that you don’t have sources and javadoc for shiro-all.
> Maybe it makes sense to add them?
> If people can’t use your modules, please make their lives easier.
>
> Best regards, Alex
>
>
> Thursday, 7 May 2020, 1:25 +03:00 from Brian Demers :
>
> Hi Alex,
>
>
> 1-3.)
> Do you also have the Shiro Servlet Filter configured?
>
> 4.) We don't currently generate module-info metadata, but if there is
> something that isn't working for you please start another thread :)
>
> 5.) We don't have sources & Javadoc jars for `shiro-all` we only produce
> them for the individual modules.
>
>
> On Wed, May 6, 2020 at 4:23 AM Alex Sviridov wrote:
>
> Hi Brian,
>
> Thank you for quick answer.
>
> 1) This is my shiro.ini
>
> [main]
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> realm = com.foo.TestRealm
> securityManager.realms = $realm
>
> 2) This is my init code:
>
> Environment env = new BasicIniEnvironment(url.toString());
> final SecurityManager securityManager = env.getSecurityManager();
> SecurityUtils.setSecurityManager(securityManager);
>
> 3) This is my TestRealm
>
> import org.apache.shiro.authc.AuthenticationException;
> import org.apache.shiro.authc.AuthenticationInfo;
> import org.apache.shiro.authc.AuthenticationToken;
> import org.apache.shiro.authc.SimpleAuthenticationInfo;
> import org.apache.shiro.authc.UsernamePasswordToken;
> import org.apache.shiro.realm.AuthenticatingRealm;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> public class TestRealm extends AuthenticatingRealm {
>
>     private static final Logger logger = LoggerFactory.getLogger(TestRealm.class);
>
>     @Override
>     protected void onInit() {
>         logger.info("On INIT");
>         // Log a stack trace so the caller of each onInit() invocation is visible
>         try {
>             throw new Exception();
>         } catch (Exception ex) {
>             logger.error("Error", ex);
>         }
>         setCredentialsMatcher((AuthenticationToken at, AuthenticationInfo ai) -> {
>             logger.info(" [{}], [{}]", at, ai);
>             return false;
>         });
>     }
>
>     @Override
>     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
>             throws AuthenticationException {
>         UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>         logger.info("REALM username [{}], password [{}]",
>                 upToken.getUsername(), upToken.getPassword());
>         return new SimpleAuthenticationInfo(new UserEntity(), null, getName());
>     }
> }
>
>
> 4) I tried to use shiro-core + shiro-web, but it seems to be impossible to
> use shiro modules in a JPMS environment, so I had to take shiro-all.
>
> 5) By the way, I couldn’t find javadoc and sources for shiro-all in the maven
> repo:
> https://repo1.maven.org/maven2/org/apache/shiro/shiro-all/1.5.3/
>
> Best regards, Alex
>
>
> Среда, 6 мая 2020, 4:09 +03:00 от Brian Demers  >:
>
> It depends, we would need to see the full stack trace, it's unclear what
> is setting up your environment.  How are you configuring Shiro?
>
> Also, I'd recommend against using the `shiro-all` and instead use
> `shiro-web`
>
> On Tue, May 5, 2020 at 7:01 PM Alex Sviridov  <http://e.mail.ru/compose/?mailto=mailto%3aooo_satu...@mail.ru>> wrote:
>
> Hi all,
>
> I am just learning Shiro, but I noticed that onInit method on  on
> AuthenticatingRealm
> is called twice. I have one TestRealm and this is stacktrace:
>
> First call:
>
> at com.foo.TestRealm.onInit(TestRealm.java:37) [classes/:?]
> at
> org.apache.shiro.realm.AuthenticatingRealm.init(AuthenticatingRealm.java:398)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:45)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(

Re: [DISCUSS] - Move to 2.0.0

2020-05-06 Thread Brian Demers
I'd love to see the `shiro-all` module go away as part of 2.0, anyone have
any objections?

On Mon, May 4, 2020 at 4:32 AM sreenivas harshith 
wrote:

> Some libs were broken from java 9 and above due to java 9 module system
> and JDK internal APIs restrictions. Just wanted to check if shiro supports
> Java 9 and above.
>
>
> On Mon, May 4, 2020 at 1:12 PM +0530, "Francois Papon" <
> francois.pa...@openobject.fr> wrote:
>
> I am using Shiro with a Jdk11 and I never had issues.
>>
>> We also have a Jenkins job for the build with JDK11 but the target build
>> for the source code still Java 8.
>>
>> regards,
>>
>> François
>> fpa...@apache.org
>>
>> Le 04/05/2020 à 09:30, Benjamin Marwell a écrit :
>>
>> I never had issues with it, but there is no module descriptor yet. Thus,
>> it depends on what you mean by "support java9".
>>
>>
>>
>>
>> On Mon, 4 May 2020, 04:40 sreenivas harshith, 
>> wrote:
>>
>>> Hi all,
>>>
>>> Does shiro support java 9 and above ?
>>>
>>> Regards,
>>> Sreenivas.
>>>
>>>
>>>
>>> On Sun, May 3, 2020 at 4:27 PM +0530,  wrote:
>>>
>>> Hi all,

 The 1.5.3 is released now, so I created a branch 1.5.x for the
 maintenance and move the master to the 2.0.0-SNAPSHOT.

 We will now review the 2.0.0 backlog on Jira and merge some ideas from
 this thread.

 Feel free to create issues related to this next major version and make
 proposals / PR:
 https://issues.apache.org/jira/projects/SHIRO/versions/12315455

 Thanks for all your feedback!

 regards,

 François
 fpa...@apache.org

 Le 08/04/2020 à 18:55, Steinar Bang a écrit :
 >> Francois Papon :
 >>> It's also time for anyone to bring some ideas about the next Shiro 
 >>> features/improvements, feel free to share :)
 > Speaking purely for myself, I would like to see this one fixed:
 >  https://issues.apache.org/jira/browse/SHIRO-713




Re: Re[2]: onInit method on AuthenticatingRealm is called twice

2020-05-06 Thread Brian Demers
Hi Alex,


1-3.)
Do you also have the Shiro Servlet Filter configured?

4.) We don't currently generate module-info metadata, but if there is
something that isn't working for you please start another thread :)

5.) We don't have sources & Javadoc jars for `shiro-all` we only produce
them for the individual modules.


On Wed, May 6, 2020 at 4:23 AM Alex Sviridov  wrote:

> Hi Brian,
>
> Thank you for quick answer.
>
> 1) This is my shiro.ini
>
> [main]
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> realm = com.foo.TestRealm
> securityManager.realms = $realm
>
> 2) This is my init code:
>
> Environment env = new BasicIniEnvironment(url.toString());
> final SecurityManager securityManager =
> env.getSecurityManager();
> SecurityUtils.setSecurityManager(securityManager);
>
> 3) This is my TestRealm
>
> import org.apache.shiro.authc.AuthenticationException;
> import org.apache.shiro.authc.AuthenticationInfo;
> import org.apache.shiro.authc.AuthenticationToken;
> import org.apache.shiro.authc.SimpleAuthenticationInfo;
> import org.apache.shiro.authc.UsernamePasswordToken;
> import org.apache.shiro.realm.AuthenticatingRealm;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> public class TestRealm extends AuthenticatingRealm {
>
>     private static final Logger logger = LoggerFactory.getLogger(TestRealm.class);
>
>     @Override
>     protected void onInit() {
>         logger.info("On INIT");
>         // log a stack trace to see who is calling onInit()
>         logger.error("Error", new Exception());
>         // debugging matcher: logs the token and info, then rejects every login
>         setCredentialsMatcher((AuthenticationToken at, AuthenticationInfo ai) -> {
>             logger.info(" [{}], [{}]", at, ai);
>             return false;
>         });
>     }
>
>     @Override
>     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
>             throws AuthenticationException {
>         UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>         // logs the raw credential; debugging only
>         logger.info("REALM username [{}], password [{}]",
>                 upToken.getUsername(), upToken.getPassword());
>         // UserEntity is the poster's own class (not shown)
>         return new SimpleAuthenticationInfo(new UserEntity(), null, getName());
>     }
> }
>
>
> 4) I tried to use shiro-core + shiro-web, but it seems to be impossible to
> use
> shiro modules in jpms environment, so, I had to take shiro-all.
>
> 5) By the way, I couldn’t find javadoc and sources for shiro-all in maven
> repo
> https://repo1.maven.org/maven2/org/apache/shiro/shiro-all/1.5.3/
>
> Best regards, Alex
>
>
> Среда, 6 мая 2020, 4:09 +03:00 от Brian Demers :
>
> It depends, we would need to see the full stack trace, it's unclear what
> is setting up your environment.  How are you configuring Shiro?
>
> Also, I'd recommend against using the `shiro-all` and instead use
> `shiro-web`
>
> On Tue, May 5, 2020 at 7:01 PM Alex Sviridov wrote:
>
> Hi all,
>
> I am just learning Shiro, but I noticed that onInit method on
> AuthenticatingRealm
> is called twice. I have one TestRealm and this is stacktrace:
>
> First call:
>
> at com.foo.TestRealm.onInit(TestRealm.java:37) [classes/:?]
> at
> org.apache.shiro.realm.AuthenticatingRealm.init(AuthenticatingRealm.java:398)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:45)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:40)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.ReflectionBuilder$BeanConfigurationProcessor.execute(ReflectionBuilder.java:829)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:288)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:181)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:139)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:107)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:98)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:47)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:150)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.env.BasicIniEnvironment.<init>(BasicIniEnvironment.java:37)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.env.BasicIniEnvironment.<init>(Bas

Re: onInit method on AuthenticatingRealm is called twice

2020-05-05 Thread Brian Demers
It depends, we would need to see the full stack trace, it's unclear what is
setting up your environment.  How are you configuring Shiro?

Also, I'd recommend against using the `shiro-all` and instead use
`shiro-web`

On Tue, May 5, 2020 at 7:01 PM Alex Sviridov  wrote:

> Hi all,
>
> I am just learning Shiro, but I noticed that onInit method on
> AuthenticatingRealm
> is called twice. I have one TestRealm and this is stacktrace:
>
> First call:
>
> at com.foo.TestRealm.onInit(TestRealm.java:37) [classes/:?]
> at
> org.apache.shiro.realm.AuthenticatingRealm.init(AuthenticatingRealm.java:398)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:45)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:40)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.ReflectionBuilder$BeanConfigurationProcessor.execute(ReflectionBuilder.java:829)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:288)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:181)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:139)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:107)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:98)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:47)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:150)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.env.BasicIniEnvironment.<init>(BasicIniEnvironment.java:37)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.env.BasicIniEnvironment.<init>(BasicIniEnvironment.java:41)
> [shiro-all-1.5.3.jar:?]
>
>
> Second call:
>
> at com.foo.TestRealm.onInit(TestRealm.java:37) [classes/:?]
> at
> org.apache.shiro.realm.AuthenticatingRealm.init(AuthenticatingRealm.java:398)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:45)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:40)
> [shiro-all-1.5.3.jar:?]
> at org.apache.shiro.util.LifecycleUtils.init(LifecycleUtils.java:61)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:292)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:181)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:139)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:107)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:98)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:47)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:150)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.env.BasicIniEnvironment.<init>(BasicIniEnvironment.java:37)
> [shiro-all-1.5.3.jar:?]
> at
> org.apache.shiro.env.BasicIniEnvironment.<init>(BasicIniEnvironment.java:41)
> [shiro-all-1.5.3.jar:?]
>
> Could anyone say if it is a bug or it was done intentionally?
>
> --
> Best regards, Alex Sviridov
>


Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
Benjamin,

No worries we are on the same page :)

I absolutely agree with the cache issue between authc and authz.  I've had
to work around that a couple times.



On Mon, Apr 6, 2020 at 10:42 AM Benjamin Marwell  wrote:

> Agreed, no oauth server - I was just talking about validating bearer
> tokens anyway. Didn't mention this, though. Sorry.
>
> Am Mo., 6. Apr. 2020 um 16:40 Uhr schrieb Brian Demers <
> brian.dem...@gmail.com>:
>
>> Personally I don't think Shiro should implement an Authorization Server,
>> I think there is room for another project to implement on using Shiro (and
>> Shiro would likely benefit from this). This is actually a major
>> undertaking.  The Spring Security folks tried to drop support for this
>> recently:
>> https://spring.io/blog/2019/11/14/spring-security-oauth-2-0-roadmap-update 
>> IIRC,
>> they are still supporting this use case though.
>>
>> I have a biased opinion on this topic, so someone else please chime in. In
>> most cases, you probably wouldn't want to run your own
>> authorization server, but instead use a different one: KeyCloak if you want
>> to run it yourself; Okta, Microsoft, Google, etc. if you don't.
>>
>> I could be in the minority here, what do others think?
>>
>>
>>
>> On Mon, Apr 6, 2020 at 4:21 AM Richard Adams 
>> wrote:
>>
>>> A framework or implementation of standard authorisation server endpoints
>>> such as /oauth/token for
>>> standard grant types such as refresh_token, password, authorisation_code
>>> etc. e.g. described here https://aaronparecki.com/oauth-2-simplified/
>>> <https://aaronparecki.com/oauth-2-simplified/#authorization>
>>> Could be a servlet filter, but if so should delegate to a handler which
>>> can be used in other places e.g. Spring Interceptors, Controllers,
>>> standalone applications etc. The Shiro approach of a standard
>>> out-of-the-box implementation with lots of configurable /overridable
>>> functionality would work well here, along with reference classes for the
>>> various types of token.
>>> E.g. anyone returning JSON of an OAuth token probably has a class
>>> similar to this, simple enough but why reinvent the wheel every time.
>>>
>>> import java.time.Duration;
>>> import java.time.Instant;
>>>
>>> import com.fasterxml.jackson.annotation.JsonIgnore;
>>> import com.fasterxml.jackson.annotation.JsonProperty;
>>> import lombok.Data;
>>>
>>> /**
>>>  * Represents the JSON response returned when refreshing / adding a new
>>>  * OAuth token
>>>  */
>>> @Data
>>> public class NewOAuthTokenResponse {
>>>
>>>     @JsonProperty("access_token")
>>>     private String accessToken;
>>>
>>>     @JsonProperty("refresh_token")
>>>     private String refreshToken;
>>>
>>>     @JsonIgnore
>>>     private Instant expiryTime;
>>>
>>>     private String scope;
>>>
>>>     // instance field rather than static: Jackson skips static fields,
>>>     // so a static TOKEN_TYPE would never appear in the JSON
>>>     @JsonProperty("token_type")
>>>     private final String tokenType = "bearer";
>>>
>>>     // computed at serialization time: seconds remaining until expiry
>>>     @JsonProperty("expires_in")
>>>     public Long expiresIn() {
>>>         return Duration.between(Instant.now(), expiryTime).getSeconds();
>>>     }
>>> }
>>>
>>>
>>> On 05 April 2020 at 14:11 Brian Demers  wrote:
>>>
>>> OAuth support has been on the top of my list for a while too! We added a
>>> bearer token filter in 1.5, but that is only part of the way there for just
>>> one flow.
>>>
>>> Anything specific you are looking for? Resource Server? A standard
>>> redirect (auth code flow)? OIDC support? etc
>>>
>>> -Brian
>>>
>>> On Apr 5, 2020, at 7:59 AM, Rob Young  wrote:
>>>
>>> Our org uses pac4j for doing oauth and I'd love to drop it, it's one too
>>> many security libraries.  It would be fantastic if shiro could provide this
>>> natively.
>>>
>>> On Sun, Apr 5, 2020 at 7:47 AM Richard Adams < rich...@researchspace.com>
>>> wrote:
>>>
>>> I don't know if this is out of scope, or has been talked about already,
>>> but providing some boiler-plate, best-practice standard OAuth2 flows would
>>> be good, either for a client getting tokens, or an authorisation server
>>> generating tokens. We've been implementing this sort of thing quite a bit
>>> ourselves lately, we are no experts but there surely is a need  not to
>>> reinvent the wheel every time
>>>
>>> On 05 April 2020 at 12:32 Brian Demers < brian.dem...@gmail.com> wrote:
>>>
>>> This one?
>>>
>>>
>>> https://github.com/apache/shi

Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
Armadno,

I'm saying you could get access to a set of common data for a given user,
which is fine for many apps, but it doesn't replace an
application-specific user store for other use cases (for example complex
user preferences).

Shiro could make it easier to associate arbitrary attributes (or a user
type) to help with these use cases.  Maybe something like
`Subject.getAttribute("givenName")`

Thoughts?

On Mon, Apr 6, 2020 at 7:17 AM armandoxxx  wrote:

> I'm not sure that I completly understand this ..
>
> but all user details can be put into Subject in realm and everything can be
> taken out later on from that subject (this is what we do) ...
> Would like to understand more about this if you could explain it. Thank you
> !
>
> Regards
>
> Armadno
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
Personally I don't think Shiro should implement an Authorization Server,  I
think there is room for another project to implement on using Shiro (and
Shiro would likely benefit from this). This is actually a major
undertaking.  The Spring Security folks tried to drop support for this
recently:
https://spring.io/blog/2019/11/14/spring-security-oauth-2-0-roadmap-update
IIRC,
they are still supporting this use case though.

I have a biased opinion on this topic, so someone else please chime in. In
most cases, you probably wouldn't want to run your own
authorization server, but instead use a different one: KeyCloak if you want
to run it yourself; Okta, Microsoft, Google, etc. if you don't.

I could be in the minority here, what do others think?



On Mon, Apr 6, 2020 at 4:21 AM Richard Adams 
wrote:

> A framework or implementation of standard authorisation server endpoints
> such as /oauth/token for
> standard grant types such as refresh_token, password, authorisation_code
> etc. e.g. described here https://aaronparecki.com/oauth-2-simplified/
> <https://aaronparecki.com/oauth-2-simplified/#authorization>
> Could be a servlet filter, but if so should delegate to a handler which
> can be used in other places e.g. Spring Interceptors, Controllers,
> standalone applications etc. The Shiro approach of a standard
> out-of-the-box implementation with lots of configurable /overridable
> functionality would work well here, along with reference classes for the
> various types of token.
> E.g. anyone returning JSON of an OAuth token probably has a class similar
> to this, simple enough but why reinvent the wheel every time.
>
> import java.time.Duration;
> import java.time.Instant;
>
> import com.fasterxml.jackson.annotation.JsonIgnore;
> import com.fasterxml.jackson.annotation.JsonProperty;
> import lombok.Data;
>
> /**
>  * Represents the JSON response returned when refreshing / adding a new
>  * OAuth token
>  */
> @Data
> public class NewOAuthTokenResponse {
>
>     @JsonProperty("access_token")
>     private String accessToken;
>
>     @JsonProperty("refresh_token")
>     private String refreshToken;
>
>     @JsonIgnore
>     private Instant expiryTime;
>
>     private String scope;
>
>     // instance field rather than static: Jackson skips static fields,
>     // so a static TOKEN_TYPE would never appear in the JSON
>     @JsonProperty("token_type")
>     private final String tokenType = "bearer";
>
>     // computed at serialization time: seconds remaining until expiry
>     @JsonProperty("expires_in")
>     public Long expiresIn() {
>         return Duration.between(Instant.now(), expiryTime).getSeconds();
>     }
> }
>
>
> On 05 April 2020 at 14:11 Brian Demers  wrote:
>
> OAuth support has been on the top of my list for a while too! We added a
> bearer token filter in 1.5, but that is only part of the way there for just
> one flow.
>
> Anything specific you are looking for? Resource Server? A standard
> redirect (auth code flow)? OIDC support? etc
>
> -Brian
>
> On Apr 5, 2020, at 7:59 AM, Rob Young  wrote:
>
> Our org uses pac4j for doing oauth and I'd love to drop it, it's one too
> many security libraries.  It would be fantastic if shiro could provide this
> natively.
>
> On Sun, Apr 5, 2020 at 7:47 AM Richard Adams < rich...@researchspace.com>
> wrote:
>
> I don't know if this is out of scope, or has been talked about already,
> but providing some boiler-plate, best-practice standard OAuth2 flows would
> be good, either for a client getting tokens, or an authorisation server
> generating tokens. We've been implementing this sort of thing quite a bit
> ourselves lately, we are no experts but there surely is a need  not to
> reinvent the wheel every time
>
> On 05 April 2020 at 12:32 Brian Demers < brian.dem...@gmail.com> wrote:
>
> This one?
>
> https://github.com/apache/shiro-site/blob/master/version-2-brainstorming.md
>
> -Brian
>
> On Apr 4, 2020, at 8:28 PM, Les Hazlewood < lhazlew...@apache.org> wrote:
>
> I wrote a whole wiki page on 2.0 design changes, but I can't find it now
>
> On Sat, Apr 4, 2020, 5:17 PM Brian Demers < brian.dem...@gmail.com>
> wrote:
>
> +1
>
> Off the top of my head we have (I'm sure there is more, but ):
>
> * Package name / artifact structure cleanup (breaking change, but minor
> impact)
> * Remove CAS modules
> * Replace deprecated code (or move to an implementation/private package,
> for anything still needed)
> * Support javax.annotation.security annotations (or whatever they are now
> under Eclipse).  These annotations work a little different from the Shiro
> ones.
>
> * Update to Jakarta dependencies (or figure out a way to work with both,
> abstracting the HTTP logic), bigger lift (or maybe two different 'web'
> packages?)
>
> The Jakarta ones have me a little worried though, I think many of the
> current Shiro users would have a hard time making the switch anytime soon.
> Which could kill the adoption of a 2.0.
> We could (and probably should) abstract the web specifics out in ord

Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
Agreed Sreenivas,

Do you have a list of specific features you are looking for so we can try
to prioritize them?

On Mon, Apr 6, 2020 at 3:56 AM sreenivas harshith 
wrote:

> Hi,
>
> Provide native integrations of pac4j with Shiro, JWT, OAuth, feature
> parity with other security frameworks like Spring, Spring Security and
> others in the .NET C# world.
>
>
>
>
>
> On Mon, Apr 6, 2020 at 12:23 PM +0530, "Benjamin Marwell" <
> bmarw...@gmail.com> wrote:
>
> I want to throw in JSON web tokens (JWT).
>>
>> It is a mess to work with them right now.
>>
>> JWT can also be very complicated. They can only hold Authentication data,
>> or they can hold roles, or even permission (if it is not getting too long).
>> I settled to create another realm. If the JWT contains EVERYTHING, the
>> other realms must be skipped (that's the whole point). If it does only
>> contain authc, there must be a possibility to search either the other
>> realms or a special authz-only-realm. The latter is not possible atm
>> because AuthorizingRealms extend AuthenticatingRealm.
>>
>> It is not hard to create a JWT Authc realm, though. As the Token class is
>> different, login will just skip the JWT realm.
>>
>> … and there is so much more to it!
>>
>>
>> Am Mo., 6. Apr. 2020 um 07:27 Uhr schrieb Jean-Baptiste Onofre <
>> j...@nanthrax.net>:
>>
>>> Yeah, it seems to be the same indeed.
>>>
>>> Regards
>>> JB
>>>
>>> > Le 5 avr. 2020 à 13:38, Francois Papon 
>>> a écrit :
>>> >
>>> > I found this one:
>>> >
>>> >
>>> https://cwiki.apache.org/confluence/display/SHIRO/Version+2+Brainstorming
>>> >
>>> > It seems to be the same :)
>>> >
>>> > regards,
>>> >
>>> > François
>>> > fpa...@apache.org
>>> >
>>> > Le 05/04/2020 à 13:32, Brian Demers a écrit :
>>> >> This one?
>>> >>
>>> >>
>>> https://github.com/apache/shiro-site/blob/master/version-2-brainstorming.md
>>> >>
>>> >> -Brian
>>> >>
>>> >>> On Apr 4, 2020, at 8:28 PM, Les Hazlewood 
>>> wrote:
>>> >>>
>>> >>> 
>>> >>> I wrote a whole wiki page on 2.0 design changes, but I can't find it
>>> now
>>> >>>
>>> >>>> On Sat, Apr 4, 2020, 5:17 PM Brian Demers 
>>> wrote:
>>> >>>> +1
>>> >>>>
>>> >>>> Off the top of my head we have (I'm sure there is more, but ):
>>> >>>>
>>> >>>> * Package name / artifact structure cleanup (breaking change, but
>>> minor impact)
>>> >>>> * Remove CAS modules
>>> >>>> * Replace deprecated code (or move to an implementation/private
>>> package, for anything still needed)
>>> >>>> * Support javax.annotation.security annotations (or whatever they
>>> are now under Eclipse).  These annotations work a little different from the
>>> Shiro ones.
>>> >>>> * Update to Jakarta dependencies (or figure out a way to work with
>>> both, abstracting the HTTP logic), bigger lift (or maybe two different
>>> 'web' packages?)
>>> >>>>
>>> >>>> The Jakarta ones have me a little worried though, I think many of
>>> the current Shiro users would have a hard time making the switch anytime
>>> soon.  Which could kill the adoption of a 2.0.
>>> >>>> We could (and probably should) abstract the web specifics out in
>>> order to support the _current_ API, Jakarta EE, and other non-servlet
>>> stacks (reactive).
>>> >>>> That said, it's a likely a bunch of work (and again, I'm guessing
>>> most of the user base would use the current API), so this _could_ be a 3.0
>>> item.
>>> >>>>
>>> >>>> Thoughts?
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>> On Sat, Apr 4, 2020 at 8:29 AM Francois Papon <
>>> francois.pa...@openobject.fr> wrote:
>>> >>>>> Hi,
>>> >>>>>
>>> >>>>> I would like to start a thread about the next major release: 2.0.0.
>>> >>>>> I think we should move forward on it and only fix bug on the 1.x
>>> branches.
>>> >>>>>
>>> >>>>> There is always some issues related to the version in Jira:
>>> >>>>>
>>> >>>>> https://issues.apache.org/jira/projects/SHIRO/versions/12315455
>>> >>>>>
>>> >>>>> We can move also the issues list from the 1.6.0 to the 2.0.0:
>>> >>>>>
>>> >>>>> https://issues.apache.org/jira/projects/SHIRO/versions/12346916
>>> >>>>>
>>> >>>>> I noticed an existing branch about api changes on github:
>>> >>>>>
>>> >>>>> https://github.com/apache/shiro/tree/2.0-api-design-changes
>>> >>>>>
>>> >>>>> I propose to update master to 2.0.0-SNAPSHOT and create a 1.5.x
>>> branch (from tag shiro-root-1.5.2) for maintenance.
>>> >>>>>
>>> >>>>> Because of some api break, package refactor, deprecated modules or
>>> components, we also should start a migration guide in the website.
>>> >>>>>
>>> >>>>> It's also time for anyone to bring some ideas about the next Shiro
>>> features/improvements, feel free to share :)
>>> >>>>>
>>> >>>>> We could start a formal vote to validate the plan.
>>> >>>>>
>>> >>>>> Feedback are welcome!
>>> >>>>>
>>> >>>>> regards,
>>> >>>>> --
>>> >>>>> François
>>> >>>>> fpa...@apache.org
>>>
>>>


Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
There are a couple of different items in one

1.) using JWTs to hold authentication data.
How are you minting the original token? are you getting it from a request
header (i.e. bearer token)

Thoughts (possibly unrelated) Shiro probably should support some sort of
JWT bearer token out of the box similar to support OAuth IdPs that use JWT
for access tokens.  (the tricky thing is there is no spec around this so
each vendor could be doing something slightly different)

2.) Authorizing vs Authenticating realms
While this is possible today it probably isn't as easy or as obvious as it
could be.
As you mentioned the AuthZ realm extends the AuthC realm.  Right now you
can probably do this by creating a custom auth strategy +
ModularRealmAuthorizer.
Maybe adding an AuthZ strategy to the ModularRealmAuthorizer would help
here? (and providing default implementations so this could be configured
with minimal effort)

3.) JWT Authc realm.
I'm really hesitant on making Shiro mint JWTs (except maybe in the case of
the RememberMeManager).  As you mentioned there is a lot around JWTs that
need to be considered:
https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens

But if you are talking about OAuth2 Resource Server use cases (where Shiro
would be validating a JWT), I do think that should be on the table.


You also bring up the point about getting everything out of the
authentication token (authz info as well), this is possible today, but
again it is less obvious how to do it, and this is NOT an uncommon use case.
This is related to another comment about getting at other attributes from a
user.  Maybe a Shiro Subject/PrincipalCollection should hold a set of
attributes?

```
Subject.getAttribute("givenName") == "Brian"
```

(something similar could be used when building a set of roles):

```
principalCollection.get("groups")
```

Thoughts?


On Mon, Apr 6, 2020 at 2:53 AM Benjamin Marwell  wrote:

> I want to throw in JSON web tokens (JWT).
>
> It is a mess to work with them right now.
>
> JWT can also be very complicated. They can only hold Authentication data,
> or they can hold roles, or even permission (if it is not getting too long).
> I settled to create another realm. If the JWT contains EVERYTHING, the
> other realms must be skipped (that's the whole point). If it does only
> contain authc, there must be a possibility to search either the other
> realms or a special authz-only-realm. The latter is not possible atm
> because AuthorizingRealms extend AuthenticatingRealm.
>
> It is not hard to create a JWT Authc realm, though. As the Token class is
> different, login will just skip the JWT realm.
>
> … and there is so much more to it!
>
>
> Am Mo., 6. Apr. 2020 um 07:27 Uhr schrieb Jean-Baptiste Onofre <
> j...@nanthrax.net>:
>
>> Yeah, it seems to be the same indeed.
>>
>> Regards
>> JB
>>
>> > Le 5 avr. 2020 à 13:38, Francois Papon 
>> a écrit :
>> >
>> > I found this one:
>> >
>> >
>> https://cwiki.apache.org/confluence/display/SHIRO/Version+2+Brainstorming
>> >
>> > It seems to be the same :)
>> >
>> > regards,
>> >
>> > François
>> > fpa...@apache.org
>> >
>> > Le 05/04/2020 à 13:32, Brian Demers a écrit :
>> >> This one?
>> >>
>> >>
>> https://github.com/apache/shiro-site/blob/master/version-2-brainstorming.md
>> >>
>> >> -Brian
>> >>
>> >>> On Apr 4, 2020, at 8:28 PM, Les Hazlewood 
>> wrote:
>> >>>
>> >>> 
>> >>> I wrote a whole wiki page on 2.0 design changes, but I can't find it
>> now
>> >>>
>> >>>> On Sat, Apr 4, 2020, 5:17 PM Brian Demers 
>> wrote:
>> >>>> +1
>> >>>>
>> >>>> Off the top of my head we have (I'm sure there is more, but ):
>> >>>>
>> >>>> * Package name / artifact structure cleanup (breaking change, but
>> minor impact)
>> >>>> * Remove CAS modules
>> >>>> * Replace deprecated code (or move to an implementation/private
>> package, for anything still needed)
>> >>>> * Support javax.annotation.security annotations (or whatever they
>> are now under Eclipse).  These annotations work a little different from the
>> Shiro ones.
>> >>>> * Update to Jakarta dependencies (or figure out a way to work with
>> both, abstracting the HTTP logic), bigger lift (or maybe two different
>> 'web' packages?)
>> >>>>
>> >>>> The Jakarta ones have me a little worried though, I think many of
>> the current Sh
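
The Resource Server case in point 3 above (Shiro validating a JWT rather than minting one), together with Benjamin's observation that a realm whose token class differs is simply skipped at login, as an added example that is not part of this thread or of Shiro itself. It is an AuthorizingRealm that accepts only Shiro's BearerToken, verifies an HS256 signature, issuer and expiry with jjwt, and derives roles from the token. Assumptions: jjwt 0.11.x on the classpath, a shared HMAC secret, a `roles` array claim, and the class and principal names, which are all invented for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Hypothetical resource-server realm (example code, not part of Shiro): verifies an
 * HS256 JWT presented as a BearerToken and takes roles from its "roles" claim. Because
 * it supports only BearerToken, password logins skip it and bearer logins skip password realms.
 */
public class JwtBearerRealm extends AuthorizingRealm {

    /** Principal stored in the Subject: the JWT subject plus its roles. */
    public static final class JwtPrincipal {
        public final String subject;
        public final Set<String> roles;
        JwtPrincipal(String subject, Set<String> roles) { this.subject = subject; this.roles = roles; }
        @Override public String toString() { return subject; }
    }

    private final SecretKey key;
    private final String expectedIssuer;

    public JwtBearerRealm(byte[] hmacSecret, String expectedIssuer) {
        this.key = Keys.hmacShaKeyFor(hmacSecret); // refuses keys shorter than 256 bits
        this.expectedIssuer = expectedIssuer;
        setAuthenticationTokenClass(BearerToken.class);          // only bearer logins route here
        setCredentialsMatcher(new AllowAllCredentialsMatcher()); // the JWT is verified below
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String jwt = ((BearerToken) token).getToken();
        Claims claims;
        try {
            // jjwt checks the HMAC, refuses alg=none/unsigned tokens, and rejects
            // expired (exp) or not-yet-valid (nbf) tokens.
            claims = Jwts.parserBuilder().setSigningKey(key).requireIssuer(expectedIssuer)
                    .build().parseClaimsJws(jwt).getBody();
        } catch (JwtException | IllegalArgumentException e) {
            throw new AuthenticationException("rejected bearer token: " + e.getMessage(), e);
        }
        if (claims.getSubject() == null || claims.getSubject().isEmpty()) {
            throw new AuthenticationException("bearer token has no subject");
        }
        List<?> roleClaim = claims.get("roles", List.class); // claim layout is an assumption
        Set<String> roles = roleClaim == null ? Collections.emptySet()
                : roleClaim.stream().map(String::valueOf).collect(Collectors.toSet());
        return new SimpleAuthenticationInfo(new JwtPrincipal(claims.getSubject(), roles), jwt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Object primary = principals.getPrimaryPrincipal();
        if (!(primary instanceof JwtPrincipal)) {
            return null; // principal came from another realm; let that realm answer
        }
        return new SimpleAuthorizationInfo(((JwtPrincipal) primary).roles);
    }

    // Stand-alone demo: mint a token with the same secret, then log in with it.
    public static void main(String[] args) {
        byte[] secret = "demo-secret-change-me-at-least-32-bytes!".getBytes(StandardCharsets.UTF_8);
        String issuer = "https://issuer.example";
        DefaultSecurityManager sm = new DefaultSecurityManager(new JwtBearerRealm(secret, issuer));
        String jwt = Jwts.builder().setIssuer(issuer).setSubject("alice")
                .claim("roles", Arrays.asList("admin", "user"))
                .setExpiration(new Date(System.currentTimeMillis() + 60_000))
                .signWith(Keys.hmacShaKeyFor(secret)).compact();
        Subject alice = new Subject.Builder(sm).buildSubject();
        alice.login(new BearerToken(jwt));
        System.out.println(alice.getPrincipal() + " admin=" + alice.hasRole("admin"));
        try { // corrupt the signature segment: rejected before any principal exists
            new Subject.Builder(sm).buildSubject().login(new BearerToken(jwt + "x"));
        } catch (AuthenticationException e) {
            System.out.println("tampered token rejected");
        }
    }
}
```

The credentials matcher is AllowAllCredentialsMatcher on purpose: the signature, issuer and expiry checks already ran inside doGetAuthenticationInfo, and there is no stored secret to compare the bearer string against. Returning null from doGetAuthorizationInfo for foreign principals is what lets this realm sit next to a password realm without shadowing its role lookups. For ini wiring in a web app the realm would need a no-arg constructor with setters for the secret and issuer, and the API paths would be guarded with the bearer filter added in 1.5 (`authcBearer`) so that the Authorization header is turned into a BearerToken before login.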

Re: [DISCUSS] - Move to 2.0.0

2020-04-05 Thread Brian Demers
Great point, often a realm would have access to this information from the
same query when authenticating.
Shiro wouldn't be able to replace a general user details store, but we
should think about making it easier to expose it out of the box (without
implementing a custom realm and principal type)

On Sun, Apr 5, 2020 at 1:52 PM Bart van Leeuwen 
wrote:

> Hi all,
>
> this might be a RTFM related remark or me missing the concepts,
> One of the issues I've always been struggling with is the use of in LDAP
> terms 'Common Names'
> I'm able to use LDAP to authenticate and authorize a user, but I can't get
> a common name to use in UI's or data recording.
>
> Which results in accessing LDAP myself to get these details which almost
> defies the use of Shiro
>
> Otherwise I love the library!
>
> Met Vriendelijke Groet / With Kind Regards
> Bart van Leeuwen
>
>
> twitter: @semanticfire
> tel. +31(0)6-53182997
> Netage B.V.
> http://netage.nl
> Esdoornstraat 3
> 3461ER Linschoten
> The Netherlands
>
>
>
>
> From: Francois Papon
> To: d...@shiro.apache.org
> Cc: user@shiro.apache.org
> Date: 04-04-2020 14:29
> Subject: [DISCUSS] - Move to 2.0.0
> --
>
>
>
> Hi,
>
> I would like to start a thread about the next major release: 2.0.0.
> I think we should move forward on it and only fix bug on the 1.x branches.
>
> There is always some issues related to the version in Jira:
>
> https://issues.apache.org/jira/projects/SHIRO/versions/12315455
>
> We can move also the issues list from the 1.6.0 to the 2.0.0:
>
> https://issues.apache.org/jira/projects/SHIRO/versions/12346916
>
> I noticed an existing branch about api changes on github:
>
> https://github.com/apache/shiro/tree/2.0-api-design-changes
>
> I propose to update master to 2.0.0-SNAPSHOT and create a 1.5.x branch
> (from tag shiro-root-1.5.2) for maintenance.
>
> Because of some api break, package refactor, deprecated modules or
> components, we also should start a migration guide in the website.
>
> It's also time for anyone to bring some ideas about the next Shiro
> features/improvements, feel free to share :)
>
> We could start a formal vote to validate the plan.
>
> Feedback are welcome!
>
> regards,
>
> --
> François
> *fpa...@apache.org* 
>
>


Re: [DISCUSS] - Move to 2.0.0

2020-04-05 Thread Brian Demers
OAuth support has been on the top of my list for a while too! We added a bearer 
token filter in 1.5, but that is only part of the way there for just one flow.

Anything specific you are looking for? Resource Server? A standard redirect 
(auth code flow)? OIDC support? etc

-Brian

> On Apr 5, 2020, at 7:59 AM, Rob Young  wrote:
> 
> 
> Our org uses pac4j for doing oauth and I'd love to drop it, it's one too many 
> security libraries.  It would be fantastic if shiro could provide this 
> natively.
> 
>> On Sun, Apr 5, 2020 at 7:47 AM Richard Adams  
>> wrote:
>> I don't know if this is out of scope, or has been talked about already, but 
>> providing some boiler-plate, best-practice standard OAuth2 flows would be 
>> good, either for a client getting tokens, or an authorisation server 
>> generating tokens. We've been implementing this sort of thing quite a bit 
>> ourselves lately; we are no experts, but there surely is a need not to 
>> reinvent the wheel every time.
>>> On 05 April 2020 at 12:32 Brian Demers  wrote: 
>>> 
>>> This one? 
>>> 
>>> https://github.com/apache/shiro-site/blob/master/version-2-brainstorming.md
>>> 
>>> -Brian
>>> 
>>>> On Apr 4, 2020, at 8:28 PM, Les Hazlewood  wrote: 
>>>> 
>>>> I wrote a whole wiki page on 2.0 design changes, but I can't find it now
>>>> 
>>>> On Sat, Apr 4, 2020, 5:17 PM Brian Demers < brian.dem...@gmail.com> wrote: 
>>>> +1 
>>>> 
>>>> Off the top of my head we have (I'm sure there are more): 
>>>> 
>>>> * Package name / artifact structure cleanup (breaking change, but minor 
>>>> impact)
>>>> * Remove CAS modules
>>>> * Replace deprecated code (or move to an implementation/private package, 
>>>> for anything still needed)
>>>> * Support javax.annotation.security annotations (or whatever they are now 
>>>> under Eclipse).  These annotations work a little differently from the Shiro 
>>>> ones.
>>>> * Update to Jakarta dependencies (or figure out a way to work with both, 
>>>> abstracting the HTTP logic), bigger lift (or maybe two different 'web' 
>>>> packages?) 
>>>> 
>>>> The Jakarta ones have me a little worried though, I think many of the 
>>>> current Shiro users would have a hard time making the switch anytime soon, 
>>>> which could kill the adoption of a 2.0.
>>>> We could (and probably should) abstract the web specifics out in order to 
>>>> support the _current_ API, Jakarta EE, and other non-servlet stacks 
>>>> (reactive).
>>>> That said, it's likely a bunch of work (and again, I'm guessing most of 
>>>> the user base would use the current API), so this _could_ be a 3.0 item.
>>>> 
>>>> Thoughts?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On Sat, Apr 4, 2020 at 8:29 AM Francois Papon < 
>>>> francois.pa...@openobject.fr> wrote: 
>>>> Hi,
>>>> 
>>>> I would like to start a thread about the next major release: 2.0.0.
>>>> I think we should move forward on it and only fix bugs on the 1.x branches.
>>>> 
>>>> There are always some issues related to the version in Jira:
>>>> 
>>>> https://issues.apache.org/jira/projects/SHIRO/versions/12315455
>>>> 
>>>> We can also move the issues list from the 1.6.0 to the 2.0.0:
>>>> 
>>>> https://issues.apache.org/jira/projects/SHIRO/versions/12346916
>>>> 
>>>> I noticed an existing branch about API changes on GitHub:
>>>> 
>>>> https://github.com/apache/shiro/tree/2.0-api-design-changes
>>>> 
>>>> I propose to update master to 2.0.0-SNAPSHOT and create a 1.5.x branch 
>>>> (from tag shiro-root-1.5.2) for maintenance.
>>>> 
>>>> Because of some API breaks, package refactors, deprecated modules or 
>>>> components, we also should start a migration guide on the website.
>>>> 
>>>> It's also time for anyone to bring some ideas about the next Shiro 
>>>> features/improvements, feel free to share :)
>>>> 
>>>> We could start a formal vote to validate the plan.
>>>> 
>>>> Feedback is welcome!
>>>> 
>>>> regards,
>>>> -- 
>>>> François
>>>> fpa...@apache.org
>> 
>>  
> 
> 
> -- 
> Rob Young
> robertjohnyo...@gmail.com
> 


Re: [DISCUSS] - Move to 2.0.0

2020-04-05 Thread Brian Demers
This one? 

https://github.com/apache/shiro-site/blob/master/version-2-brainstorming.md

-Brian

> On Apr 4, 2020, at 8:28 PM, Les Hazlewood  wrote:
> 
> 
> I wrote a whole wiki page on 2.0 design changes, but I can't find it now
> 
>> On Sat, Apr 4, 2020, 5:17 PM Brian Demers  wrote:
>> +1
>> 
>> Off the top of my head we have (I'm sure there are more):
>> 
>> * Package name / artifact structure cleanup (breaking change, but minor 
>> impact)
>> * Remove CAS modules
>> * Replace deprecated code (or move to an implementation/private package, for 
>> anything still needed)
>> * Support javax.annotation.security annotations (or whatever they are now 
>> under Eclipse).  These annotations work a little differently from the Shiro 
>> ones.
>> * Update to Jakarta dependencies (or figure out a way to work with both, 
>> abstracting the HTTP logic), bigger lift (or maybe two different 'web' 
>> packages?)
>> 
>> The Jakarta ones have me a little worried though, I think many of the 
>> current Shiro users would have a hard time making the switch anytime soon, 
>> which could kill the adoption of a 2.0.
>> We could (and probably should) abstract the web specifics out in order to 
>> support the _current_ API, Jakarta EE, and other non-servlet stacks 
>> (reactive).
>> That said, it's likely a bunch of work (and again, I'm guessing most of 
>> the user base would use the current API), so this _could_ be a 3.0 item.
>> 
>> Thoughts?
>> 
>> 
>> 
>> 
>> 
>> 
>>> On Sat, Apr 4, 2020 at 8:29 AM Francois Papon 
>>>  wrote:
>>> Hi,
>>> 
>>> I would like to start a thread about the next major release: 2.0.0.
>>> I think we should move forward on it and only fix bugs on the 1.x branches.
>>> 
>>> There are always some issues related to the version in Jira:
>>> 
>>> https://issues.apache.org/jira/projects/SHIRO/versions/12315455
>>> 
>>> We can also move the issues list from the 1.6.0 to the 2.0.0:
>>> 
>>> https://issues.apache.org/jira/projects/SHIRO/versions/12346916
>>> 
>>> I noticed an existing branch about API changes on GitHub:
>>> 
>>> https://github.com/apache/shiro/tree/2.0-api-design-changes
>>> 
>>> I propose to update master to 2.0.0-SNAPSHOT and create a 1.5.x branch (from 
>>> tag shiro-root-1.5.2) for maintenance.
>>> 
>>> Because of some API breaks, package refactors, deprecated modules or 
>>> components, we also should start a migration guide on the website.
>>> 
>>> It's also time for anyone to bring some ideas about the next Shiro 
>>> features/improvements, feel free to share :)
>>> 
>>> We could start a formal vote to validate the plan.
>>> 
>>> Feedback is welcome!
>>> 
>>> regards,
>>> -- 
>>> François
>>> fpa...@apache.org


Re: [DISCUSS] - Move to 2.0.0

2020-04-04 Thread Brian Demers
+1

Off the top of my head we have (I'm sure there are more):

* Package name / artifact structure cleanup (breaking change, but minor
impact)
* Remove CAS modules
* Replace deprecated code (or move to an implementation/private package,
for anything still needed)
* Support javax.annotation.security annotations (or whatever they are now
under Eclipse).  These annotations work a little differently from the Shiro
ones.
* Update to Jakarta dependencies (or figure out a way to work with both,
abstracting the HTTP logic), bigger lift (or maybe two different 'web'
packages?)

The Jakarta ones have me a little worried though, I think many of the
current Shiro users would have a hard time making the switch anytime soon,
which could kill the adoption of a 2.0.
We could (and probably should) abstract the web specifics out in order to
support the _current_ API, Jakarta EE, and other non-servlet stacks
(reactive).
That said, it's likely a bunch of work (and again, I'm guessing most of
the user base would use the current API), so this _could_ be a 3.0 item.

Thoughts?






On Sat, Apr 4, 2020 at 8:29 AM Francois Papon 
wrote:

> Hi,
>
> I would like to start a thread about the next major release: 2.0.0.
> I think we should move forward on it and only fix bugs on the 1.x branches.
>
> There are always some issues related to the version in Jira:
> https://issues.apache.org/jira/projects/SHIRO/versions/12315455
>
> We can also move the issues list from the 1.6.0 to the 2.0.0:
> https://issues.apache.org/jira/projects/SHIRO/versions/12346916
>
> I noticed an existing branch about API changes on GitHub:
> https://github.com/apache/shiro/tree/2.0-api-design-changes
>
> I propose to update master to 2.0.0-SNAPSHOT and create a 1.5.x branch (from 
> tag shiro-root-1.5.2) for maintenance.
>
> Because of some API breaks, package refactors, deprecated modules or 
> components, we also should start a migration guide on the website.
>
> It's also time for anyone to bring some ideas about the next Shiro 
> features/improvements, feel free to share :)
>
> We could start a formal vote to validate the plan.
>
> Feedback is welcome!
>
> regards,
>
> --
> François
> fpa...@apache.org
>
>


Re: ModularRealmAuthorizer isPermitted implementation with multiple permissions to check

2020-03-31 Thread Brian Demers
>
> If the public API permits it, it would be better to first go
> realm-by-realm, then go for each permission which is not yet set to
> true.
>

Agreed!

>
> Btw, the shiro code could use some comments. I wasn't aware that a
> boolean[] is automatically OR'ed.
>
> Do we have an issue for this? => https://issues.apache.org/jira/
>

Not that I know of, do you or Riccardo want to create one?


Re: ModularRealmAuthorizer isPermitted implementation with multiple permissions to check

2020-03-31 Thread Brian Demers
+1

It does look like there is some optimization we could do here.  Even when
there are multiple realms, we could check only the "failed" permissions on
each subsequent realm.
Same for `isPermittedAll` and any of the role or permission checks that
take an array/collection.

Thoughts?




On Tue, Mar 31, 2020 at 4:49 AM Modanese, Riccardo <
riccardo.modan...@eurotech.com> wrote:

> I agree with your analysis.
>
> The goal is to see if there is a way to avoid multiple calls to
> doGetAuthorizationInfo (at least with our use case).
> So changing the loop can avoid too many calls since, regardless of the
> permissions checked, there is just one call per realm. On the other hand,
> if there are few realms, as you said, the risk is to execute checks even if
> the result is already determined.
>
> Then, assuming we have one realm, do you think our solution could be right?
>
> > Il giorno 30 mar 2020, alle ore 12:35, Benjamin Marwell <
> bmarw...@gmail.com> ha scritto:
> >
> > I think you "just" changed the loop:
> >
> > The current ModularRealmAuthorizer checks:
> >
> > boolean permission[]
> > for every permission
> >   for every realm
> >     permission[i] = isPermitted
> >
> > But your loop does:
> >
> > boolean permission[]
> > for every realm
> >   for every permission
> >     permission[i] = isPermitted
> >     if (permission[i]) break;
> >
> > i.e. changing the loop enables short-circuiting.
> >
> > Additionally: in every case, we could skip those which are already
> > permitted (i.e. set to true):
> >
> > for every permission
> >   if (permission[i]) continue;
> >
> > Did I get this right?
> >
> > Am Mo., 30. März 2020 um 08:52 Uhr schrieb Modanese, Riccardo
> > :
> >>
> >> Hi all,
> >>
> >> I have a question about the ModularRealmAuthorizer implementation
> (Shiro version 1.3.2).
> >> There are 2 methods to check multiple permissions:
> >>   public boolean[] isPermitted(PrincipalCollection principals, String...
> permissions)
> >>   public boolean[] isPermitted(PrincipalCollection principals,
> List<Permission> permissions)
> >>
> >> Both of these implementations do a loop to call the isPermitted
> method with a single permission.
> >> So the AuthorizingRealm method doGetAuthorizationInfo is called at each
> iteration. (We aren't using a cache.)
> >>
> >> Since the AuthorizingRealm has a specific implementation for the
> isPermitted method with multiple permissions, we tried to use it by customizing
> the ModularRealmAuthorizer.
> >> In the Kapua project we wrote a custom ModularRealmAuthorizer
> implementation (see [1]) to reduce the doGetAuthorizationInfo call count
> (with the "at least one realm" result aggregation strategy).
> >>
> >> In the ModularRealmAuthorizer, did you implement the isPermitted method
> with the for loop in order to apply the realm aggregation strategy configuration
> to the realm results?
> >> If not, is it possible to change the implementation to make it more
> performant (avoiding multiple doGetAuthorizationInfo calls)?
> >>
> >> Thank you
> >>
> >> Riccardo
> >>
> >> [1]
> https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/security/EnhModularRealmAuthorizer.java#L47
>
>
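The loop reordering discussed in this thread (Brian's "check only the failed permissions on each subsequent realm", and the two loop sketches Benjamin wrote out), as an added stand-alone Java model. This is not Shiro's ModularRealmAuthorizer and not the Kapua EnhModularRealmAuthorizer; the Realm class below is a stand-in that only mimics the property the thread cares about, namely that one AuthorizingRealm.isPermitted(principals, String...) call costs one doGetAuthorizationInfo lookup. Realm names and permission strings are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Compares the permission-major loop (what ModularRealmAuthorizer does) with a
 * realm-major loop that asks each realm only about still-unresolved permissions.
 * Nothing here depends on the Shiro jars; Realm is a stand-in for AuthorizingRealm.
 */
public class RealmLoopOrder {

    /** Stand-in realm: every isPermitted(...) call costs exactly one authorization lookup. */
    static final class Realm {
        final String name;
        private final Set<String> granted;
        int lookups; // how many times doGetAuthorizationInfo would have run

        Realm(String name, String... grantedPermissions) {
            this.name = name;
            this.granted = new HashSet<>(Arrays.asList(grantedPermissions));
        }

        /** Mirrors AuthorizingRealm.isPermitted(principals, String...): one lookup, many answers. */
        boolean[] isPermitted(String... permissions) {
            lookups++;
            boolean[] answers = new boolean[permissions.length];
            for (int i = 0; i < permissions.length; i++) {
                answers[i] = granted.contains(permissions[i]);
            }
            return answers;
        }
    }

    /**
     * Permission-major order: for each permission, ask realm after realm until one
     * says yes ("at least one realm" aggregation). Each realm pays a lookup for
     * every permission it is asked about.
     */
    static boolean[] permissionMajor(List<Realm> realms, String... permissions) {
        boolean[] result = new boolean[permissions.length];
        for (int i = 0; i < permissions.length; i++) {
            for (Realm realm : realms) {
                if (realm.isPermitted(permissions[i])[0]) {
                    result[i] = true;
                    break; // first realm that grants it wins
                }
            }
        }
        return result;
    }

    /**
     * Realm-major order: ask each realm once about every permission that is still
     * false, and stop as soon as nothing is left to resolve. Same OR-across-realms
     * result, at most one lookup per realm.
     */
    static boolean[] realmMajor(List<Realm> realms, String... permissions) {
        boolean[] result = new boolean[permissions.length];
        for (Realm realm : realms) {
            List<Integer> pending = new ArrayList<>();
            for (int i = 0; i < permissions.length; i++) {
                if (!result[i]) pending.add(i);
            }
            if (pending.isEmpty()) break; // everything already granted: short-circuit
            String[] ask = new String[pending.size()];
            for (int k = 0; k < ask.length; k++) ask[k] = permissions[pending.get(k)];
            boolean[] answers = realm.isPermitted(ask);
            for (int k = 0; k < ask.length; k++) {
                if (answers[k]) result[pending.get(k)] = true;
            }
        }
        return result;
    }

    static int totalLookups(List<Realm> realms) {
        int n = 0;
        for (Realm r : realms) n += r.lookups;
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample: two realms, three permissions, no single realm grants all of them.
        String[] perms = {"device:read", "device:write", "user:read"};

        List<Realm> realmsA = Arrays.asList(
                new Realm("ldap", "device:read"),
                new Realm("jdbc", "device:write", "user:read"));
        boolean[] a = permissionMajor(realmsA, perms);

        List<Realm> realmsB = Arrays.asList(
                new Realm("ldap", "device:read"),
                new Realm("jdbc", "device:write", "user:read"));
        boolean[] b = realmMajor(realmsB, perms);

        if (!Arrays.equals(a, b)) throw new AssertionError("both loop orders must agree");
        System.out.println("results: " + Arrays.toString(a));
        System.out.println("permission-major lookups: " + totalLookups(realmsA));
        System.out.println("realm-major lookups:      " + totalLookups(realmsB));
    }
}
```

With the sample above the permission-major loop performs five lookups (the first realm is asked three times, the second twice) and the realm-major loop performs two, one per realm, with identical results. Two caveats for anyone adapting this: the realm-major order changes which realms are consulted and how often, so any realm whose isPermitted has side effects (auditing, rate limiting) will observe different traffic; and, as Riccardo notes, with a single realm the bookkeeping buys little. Enabling AuthorizingRealm's authorization cache is the simpler way to collapse repeated lookups when the thread's "no cache" constraint does not apply.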


Re: [ANNOUNCE][CVE-2020-1957] Apache Shiro 1.5.2 released

2020-03-23 Thread Brian Demers
Correction,

The first line should have read:
> The Shiro team is pleased to announce the release of Apache Shiro version
1.5.2.

Sorry for the cut/paste error
- Brian

On Mon, Mar 23, 2020 at 2:13 PM Brian Demers  wrote:

> The Shiro team is pleased to announce the release of Apache Shiro version
> 1.4.2.
>
> This security release contains 3 fixes since the 1.5.1 release and is
> available for Download now [1].
>
> CVE-2020-1957:
> Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic
>  controllers,
> a specially crafted request may cause an authentication bypass.
>
> Release binaries (.jars) are also available through Maven Central and
> source bundles through Apache distribution mirrors.
>
> For more information on Shiro, please read the documentation [2].
>
> -The Apache Shiro Team
>
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html
>
>


[ANNOUNCE][CVE-2020-1957] Apache Shiro 1.5.2 released

2020-03-23 Thread Brian Demers
The Shiro team is pleased to announce the release of Apache Shiro version
1.4.2.

This security release contains 3 fixes since the 1.5.1 release and is
available for Download now [1].

CVE-2020-1957:
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic
controllers,
a specially crafted request may cause an authentication bypass.

Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [2].

-The Apache Shiro Team

[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html


Re: Shiro Session Management

2020-03-04 Thread Brian Demers
When using the container's session management, Shiro doesn't control how the
session is managed; you would need to configure this in your container
(Tomcat).

On Tue, Mar 3, 2020 at 7:52 PM Tommy Pham  wrote:

> Hi Brian,
>
> Thanks for the references, I'll bookmark them for review later.  After
> some trial and error, I've verified that these settings break Shiro's
> native session management (per my minimalist shiro.ini):
>
> Session Cookie config:
> 03-Mar-2020 15:49:31.134 DEBUG [Catalina-utility-1]
> com.sointe.ajs.AjsInitializer.onStartup:115 -   getComment: null
> 03-Mar-2020 15:49:31.135 DEBUG [Catalina-utility-1]
> com.sointe.ajs.AjsInitializer.onStartup:116 -   getDomain: null
> 03-Mar-2020 15:49:31.135 DEBUG [Catalina-utility-1]
> com.sointe.ajs.AjsInitializer.onStartup:117 -   getMaxAge: 2592000
> 03-Mar-2020 15:49:31.136 DEBUG [Catalina-utility-1]
> com.sointe.ajs.AjsInitializer.onStartup:118 -   getName: null
> 03-Mar-2020 15:49:31.136 DEBUG [Catalina-utility-1]
> com.sointe.ajs.AjsInitializer.onStartup:119 -   getPath: null
> 03-Mar-2020 15:49:31.137 DEBUG [Catalina-utility-1]
> com.sointe.ajs.AjsInitializer.onStartup:120 -   isHttpOnly: true
> 03-Mar-2020 15:49:31.138 DEBUG [Catalina-utility-1]
> com.sointe.ajs.AjsInitializer.onStartup:121 -   isSecure: true
>
> I've confirmed this for both the main project and the AJS project.
>
> 1. Since Shiro's native session doesn't seem to issue a
>    javax.servlet.http.Cookie per my last screen shot, why then would any
>    change from the default break Shiro, even though my search for
>    SessionCookieConfig on GitHub shows 0 results?
> 2. How then does Shiro know which session belongs to which client?
> 3. In native mode, am I safe to assume it's done behind the scenes in
>    memory if session storage is not configured? In any event, allowing me to
>    focus more on session.setAttribute(key, value) or session.getAttribute(key)
>    with a valid session.
>
> If I need to set a specific cookie to the client even when session
> expired, I presume I'd use:
>
> SimpleCookie cookie = new SimpleCookie(cookieName);
> // set appropriately
> cookie.saveTo(request, response);
>
> Since setting the SessionCookieConfig breaks Shiro's native session
> management, how could I configure the default properties for the majority
> of the cookies?  From
>
> https://shiro.apache.org/web.html#Web-%7B%7BDefaultWebSessionManager%7D%7D
>
>
> I deduced to:
>
> securityManager.sessionManager.cookie.maxAge
> securityManager.sessionManager.cookie.httpOnly
> securityManager.sessionManager.cookie.secure
>
> Thanks,
> Tommy
>
>
> On Tue, Mar 3, 2020 at 3:36 PM Brian Demers 
> wrote:
>
>> It depends on what you are doing, but in most cases, if you need the
>> session, you would just use the standard HttpSession.
>>
>> The framework should handle most of this logic for you, so you
>> _shouldn't_ need any code
>>
>> https://github.com/bdemers/shiro-via-gateway/tree/master/servlet-application/
>> a servlet:
>>
>> https://github.com/bdemers/shiro-via-gateway/blob/master/servlet-application/src/main/java/com/okta/example/servlet/UserProfileServlet.java
>>
>> As for sessions, you can let the container manage them, or you can let
>> Shiro do it:
>> https://shiro.apache.org/session-management.html#session-storage
>> (but it's just setup/configuration and your application would work the
>> same way)
>>
>> You will need some type of realm to manage your users, otherwise, you
>> wouldn't be able to identify a user.
>>
>> My suggestion is to start with a simple app (add security early/first)
>> and then add/test features as you go.
>> - Anonymous user state persistence (HttpSession API or something similar)
>> - Log that user in (configure a Shiro realm) and make sure you can
>> still access the session
>> - profit ;)
>>
>> I'd also suggest using the `DefaultWebSessionManager` to manage your
>> sessions.
>>
>>
>>
>>
>>
>>
>> On Tue, Mar 3, 2020 at 5:53 PM Tommy Pham  wrote:
>>
>>> Hi Brian,
>>>
>>> All the classes, including filters, in place are intended for their
>>> purpose for the start of the AJS project.  Some of the methods are blank
>>> because I've yet to implement them since I'm unable to get a valid
>>> session.  Yes, initially it's anon only to work out the non-blocking
>>> application flow.  Eventually, all access in the AJS will require
>>> authentication, including possibly 2 factors, and authorization.  The
>>> AbstractWeb.validateSessionShiro() is to get 
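Brian's reply covers the container-managed case. For Shiro's native session manager, which is what Tommy's shiro.ini question is about, the session cookie is a SimpleCookie owned by DefaultWebSessionManager and is reached through its sessionIdCookie property, not a cookie property. The fragment below is an added example, not configuration from the thread; the bean names, the timeout and the max-age value are placeholders to be set per deployment.

```ini
[main]
# Native (non-container) sessions: Shiro, not Tomcat, issues and validates the cookie,
# so the container's SessionCookieConfig does not govern it.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Keep the session id out of URLs; it should travel only in the cookie.
sessionManager.sessionIdUrlRewritingEnabled = false

# The session-id cookie itself (HttpOnly is already the default; Secure is not).
sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name = JSESSIONID
sessionIdCookie.httpOnly = true
sessionIdCookie.secure = true
sessionIdCookie.path = /
sessionIdCookie.maxAge = 2592000
sessionManager.sessionIdCookie = $sessionIdCookie

# Server-side session lifetime in milliseconds; independent of the cookie's maxAge.
sessionManager.globalSessionTimeout = 1800000
```

A quick way to check that the configuration took effect is to log in once and confirm, in the browser's cookie store or the Set-Cookie response header, that the cookie carries the HttpOnly and Secure flags and that reloading the page keeps the same JSESSIONID value; if the id still changes on every request, the request is not reaching ShiroFilter before the code that reads the session.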

Re: No session creation throws DisabledSessionException when servlet dispatcher forwards to jsp page

2020-03-04 Thread Brian Demers
Do you have a stack trace?  Is your servlet accessing the session?  Do you
have a snippet of how your servlet is doing the forwarding?

On Wed, Mar 4, 2020 at 5:13 AM armandoxxx  wrote:

> I have even tried configuration for the jsp page ... no luck
>
>
>
> Any help appreciated
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>


Re: Shiro Session Management

2020-03-03 Thread Brian Demers
It depends on what you are doing, but in most cases, if you need the
session, you would just use the standard HttpSession.

The framework should handle most of this logic for you, so you _shouldn't_
need any code
https://github.com/bdemers/shiro-via-gateway/tree/master/servlet-application/
a servlet:
https://github.com/bdemers/shiro-via-gateway/blob/master/servlet-application/src/main/java/com/okta/example/servlet/UserProfileServlet.java

As for sessions, you can let the container manage them, or you can let
Shiro do it:
https://shiro.apache.org/session-management.html#session-storage
(but it's just setup/configuration and your application would work the same
way)

You will need some type of realm to manage your users, otherwise, you
wouldn't be able to identify a user.

My suggestion is to start with a simple app (add security early/first) and
then add/test features as you go.
- Anonymous user state persistence (HttpSession API or something similar)
- Log that user in (configure a Shiro realm) and make sure you can still
access the session
- profit ;)

I'd also suggest using the `DefaultWebSessionManager` to manage your
sessions.






On Tue, Mar 3, 2020 at 5:53 PM Tommy Pham  wrote:

> Hi Brian,
>
> All the classes, including filters, in place are intended for their
> purpose for the start of the AJS project.  Some of the methods are blank
> because I've yet to implement them since I'm unable to get a valid
> session.  Yes, initially it's anon only to work out the non-blocking
> application flow.  Eventually, all access in the AJS will require
> authentication, including possibly 2 factors, and authorization.  The
> AbstractWeb.validateSessionShiro() is to get a valid Shiro session as
> called initially by the security filter.  That same method is called by the
> mapped servlet via a controller.execute() to use the session.  If you run
> the app, the web UI will show the same session ID as being logged by the
> FilterSecurity.doFilter(), so the FilterChain works as desired.  However,
> subsequent page reloads will generate a different session ID every time :(
> While responding, I've added some additional debug logging for quicker
> comparison/troubleshooting:
>
> https://imgur.com/a/W23fupe
>
> It seems that a cookie was never set, nor was the Java HttpSession started.
>
> - Does Shiro require at least one type of realm (ini, JDBC, LDAP, or
>   ActiveDirectory) to work?  I have another project in mind down the road
>   that requires a session but no authentication / authorization since the
>   information is non-sensitive.  But that may change.
> - Since Shiro's Session is native, how does Shiro keep track of the
>   session if a cookie is not set, or does Shiro have native cookie
>   management also?
> - What if there are multiple applications at different contexts but
>   all utilize Shiro, how does Shiro handle the sessions for each context:
>   ie /ajs/ and /myApp/?  As it is now, I have my main project at /myApp/
>   deployed along with the /ajs/.  Both use Shiro and both have the
>   same session ID issue (ID is regenerated at every request).  The latter AJS
>   is per your request.  I didn't intend to start on it until much later.
>
> As for the samples you've provided, I think they're all V based upon MVC.
> Neither includes:
>
> Subject subj = SecurityUtils.getSubject();
> Session sess = subj.getSession(false);
> if (sess == null ) {
>sess = subj.getSession(true);
>// process for null session
> }
> // use session for specific user's request
>
> which is the issue I'm having integrating Shiro :(  An old use case would
> be shoppers adding items to the basket for the session.  After some
> thought, he/she decides to buy them which requires authentication.  From
> that use case, I'm having issues with the first phase.  Hence, I don't see
> any point trying to get an authentication realm (JDBC,
> ActiveDirectory and/or LDAP) working, which I'm more familiar with than
> coding for valid Java sessions unfortunately.
>
> Thanks,
> Tommy
>
>
> On Tue, Mar 3, 2020 at 1:05 PM Brian Demers 
> wrote:
>
>> It looks like there are a few layers of code left over from your real
>> application, logging, extra filter chain logic, etc.
>> And it looks like it's configured for only anon access?
>>
>> My suggestion would be to start with something like this example:
>> https://github.com/apache/shiro/tree/master/samples/servlet-plugin
>> or this: https://github.com/apache/shiro/tree/master/samples/web
>>
>> Then add a custom servlet, filter, etc. (depending on your container, you
>> could do this via a web.xml, annotations, programmatically, etc)
>>
>>
>>
>>
>>
>>
>>
>> On Tue, Mar 3, 2020 at 3:39 PM T

Re: Shiro Session Management

2020-03-03 Thread Brian Demers
It looks like there are a few layers of code left over from your real
application, logging, extra filter chain logic, etc.
And it looks like it's configured for only anon access?

My suggestion would be to start with something like this example:
https://github.com/apache/shiro/tree/master/samples/servlet-plugin
or this: https://github.com/apache/shiro/tree/master/samples/web

Then add a custom servlet, filter, etc. (depending on your container, you
could do this via a web.xml, annotations, programmatically, etc)







On Tue, Mar 3, 2020 at 3:39 PM Tommy Pham  wrote:

> Hi Brian,
>
> Per your request: https://github.com/tommyhp2/ajs
>
> This is another project (web mail and control panel for Apache James
> Server) I've been wanting to work on.  Since its purpose is a lot simpler
> than my current main project, the back end mechanisms are simpler.  The
> session ID issue still persists:
>
> Request -> access log Filter -> security Filter (block or get valid
> session) -> other filters -> mapped servlet (use session)
>
> The session ID is regenerated for subsequent page loads :(
>
> Thanks,
> Tommy
>
>
>
> On Tue, Mar 3, 2020 at 6:05 AM Brian Demers 
> wrote:
>
>> Can you put together a minimal example app that shows the problem you are
>> having and stick it on GitHub (or similar)?
>>
>> -Brian
>>
>> On Mar 3, 2020, at 4:29 AM, Tommy Pham  wrote:
>>
>> 
>> Hi Brian,
>>
>> I apologize for the confusion.  Previously, I had to set the
>> SecurityManager via SecurityUtils because of the exception.  Now I don't
>> need to.  When I last sent the email, the Shiro session was working fine
>> w/o setting the SecurityManager and the session ID didn't change on subsequent
>> page reloads.  After a system restart, unfortunately, I now have the session ID
>> changing again w/o setting the SecurityManager.  As for Filter execution order,
>> it's working how I'd like per the logs even though the Shiro Filter is
>> loaded first in the FilterRegistration:
>>
>> https://pastebin.com/ZD5Sx1i3
>>
>> My security filter started a valid session and my mapped servlet
>> eventually retrieves that session w/o creation as seen in the above logs.
>> However, subsequent page reloads now generate a different ID :(...  I did
>> have a look at Shiro's FilterChain definitions:
>>
>> https://shiro.apache.org/web.html#Web-FilterChainDefinitions
>>
>> From the looks of it, it doesn't have the flexibility of mapping to URLs
>> and/or Servlets with different DispatcherTypes at load time like how I'd be
>> able to via FilterRegistration in a class
>> implementing ServletContainerInitializer.onStartup().  My custom filter
>> loader and filter chain allow that flexibility at load time while
>> guaranteeing the load order.  Currently, all of my filters have only the
>> necessary code to verify application (non-blocking) flow as desired.  None
>> of them have behind-the-scenes mechanisms yet.
>>
>> Also, I'm setting some preferred default values on SessionCookieConfig
>> before loading the listeners.  Would that interfere with Shiro's
>> session/cookie management?
>>
>> This is the load order in the ServletContainerInitializer.onStartup():
>>
>> 1. Set SessionCookieConfig preferred default values
>> 2. Load listeners
>> 3. Map static files path (CSS, JS, images) to the default servlet
>> 4. Load the servlets
>> 5. Load the Shiro Filter first
>>    1. Load other filters
>> 6. Configure Thymeleaf
>>
>> Thanks,
>> Tommy
>>
>>
>> On Mon, Mar 2, 2020 at 5:52 PM Brian Demers 
>> wrote:
>>
>>> Let’s take a step back, what are you trying to do with the
>>> SecurityManager?
>>> Sorry but I still feel like this thread is bouncing between two options.
>>> (This could just be me though) Let’s just consider the “working” Shiro.ini
>>> for now.
>>>
>>> Is the ShiroFilter getting processed before your code?
>>>
>>>
>>>
>>>
>>> -Brian
>>>
>>> On Mar 2, 2020, at 7:50 PM, Tommy Pham  wrote:
>>>
>>> 
>>> Hi Alessio,
>>>
>>> I'm loading the Shiro Filter via FilterRegistration in a class
>>> implementing ServletContainerInitializer.onStartup().  Loading the
>>> filter(s) this way does not guarantee ordering as loaded, from my testing of
>>> various approaches (web.xml, annotations, and, preferably,
>>> programmatically).  I have my own filter loader and filter chain that
>>> guarantee the order for my filters which are not 

Re: Shiro Session Management

2020-03-03 Thread Brian Demers
Can you put together a minimal example app that shows the problem you are having 
and stick it on GitHub (or similar)?

-Brian

> On Mar 3, 2020, at 4:29 AM, Tommy Pham  wrote:
> 
> 
> Hi Brian,
> 
> I apologize for the confusion.  Previously, I had to set the SecurityManager 
> via SecurityUtils because of the exception.  Now I don't need to.  When I 
> last sent the email, the Shiro session was working fine w/o setting the 
> SecurityManager and the session ID didn't change on subsequent page reloads.  
> After a system restart, unfortunately, I now have the session ID changing again 
> w/o setting the SecurityManager.  As for Filter execution order, it's working how 
> I'd like per the logs even though the Shiro Filter is loaded first in the 
> FilterRegistration:
> 
> https://pastebin.com/ZD5Sx1i3 
> 
> My security filter started a valid session and my mapped servlet eventually 
> retrieve that session w/o creation as seen in the above logs.  However, 
> subsequent page reloads now generates a different ID :(...  I did have a look 
> at Shiro's FilterChain definitions:
> 
> https://shiro.apache.org/web.html#Web-FilterChainDefinitions
> 
> From the looks of it, it doesn't have the flexibility of mapping to URLs 
> and/or Servlets with different DispatcherTypes at load time like how I'd be 
> able to via FilterRegistration in a class implementing 
> ServletContainerInitializer.onStartup().  My custom filter loader and filter 
> chain allows that flexibility at load time while guarantees the load order.  
> Currently, all of my filters have only the necessary code to verify 
> application (non-blocking) flow as desired.  None of them have behind scenes 
> mechanisms yet.
> 
> Also, I'm setting some preferred default values to SessionCookieConfig before 
> loading the listeners.  Would that interfere with Shiro's session/cookie 
> management?
> 
> This is the load order in the ServletContainerInitializer.onStartup():
> 1. Set SessionCookieConfig preferred default values
> 2. Load listeners
> 3. Map static files path (CSS, JS, images) to the default servlet
> 4. Load the servlets
> 5. Load the Shiro Filter first
> 6. Load other filters
> 7. Configure Thymeleaf
> Thanks,
> Tommy
> 
> 
>> On Mon, Mar 2, 2020 at 5:52 PM Brian Demers  wrote:
>> Let’s take a step back, what are you trying to do with the SecurityManager?
>> Sorry but I still feel like this thread is bouncing between two options. 
>> (This could just be me though) Let’s just consider the “working” Shiro.ini 
>> for now. 
>> 
>> Is the ShiroFilter getting processed before your code?
>> 
>> -Brian
>> 
>>>> On Mar 2, 2020, at 7:50 PM, Tommy Pham  wrote:
>>>> 
>>> 
>>> Hi Alessio,
>>> 
>>> I'm loading the Shiro Filter via FilterRegistration in a class implementing 
>>> ServletContainerInitializer.onStartup().  Loading the filter(s) this way does 
>>> not guarantee ordering, as seen in my testing of various approaches 
>>> (web.xml, annotations, and, preferably, programmatically).  I have my own 
>>> filter loader and filter chain that guarantees the order for my filters, 
>>> which are not visible in the FilterRegistration:
>>> 
>>> -
>>> .onStartup:303 -  Filter Registrations 
>>> --
>>> .lambda$onStartup$12:307 - Filter name: log4jServletFilter
>>> .lambda$onStartup$12:308 - Registered class: 
>>> org.apache.logging.log4j.web.Log4jServletFilter
>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>> .lambda$onStartup$10:317 - /*
>>> .lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
>>> .lambda$onStartup$12:308 - Registered class: 
>>> org.apache.tomcat.websocket.server.WsFilter
>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>> .lambda$onStartup$10:317 - /*
>>> .lambda$onStartup$12:307 - Filter name: AppFilterLoader
>>> .lambda$onStartup$12:308 - Registered class: 
>>> com.domain.web.AppFilterLoader
>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>> .lambda$onStartup$10:317 - /*
>>> .lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
>>> .lambda$onStartup$12:308 - Registered class: 
>>> com.domain.web.FilterDefaultJsp
>>> .lambda$onStartup$12:311 - Servlet mapping(s):
>>> .lambda$onStartup$9:312 -  default
>>> .lambda$onStartup$9:312 -   

Re: Shiro Session Management

2020-03-02 Thread Brian Demers
apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: root = secret, admin
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: guest = guest, guest
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: presidentskroob = 12345, president
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: lonestarr = vespa, goodguy, schwartz
>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini.load:401 - Parsing [roles]
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: admin = *
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: schwartz = lightsaber:*
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: goodguy = winnebago:drive:eagle5
>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini.load:401 - Parsing [urls]
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: /** = anon
>>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered 
>>> non-empty INI configuration at location '/WEB-INF/shiro.ini'.  Using for 
>>> configuration.
>>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating 
>>> instance from Ini [sections=users,roles,urls]
>>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or 
>>> empty.  Defaulting to the default section (name = "")
>>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - 
>>> Adding login url to applied paths.
>>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered 
>>> the [roles] section.  Processing...
>>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered 
>>> the [users] section.  Processing...
>>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating 
>>> instance from Ini [sections=users,roles,urls]
>>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - 
>>> Adding login url to applied paths.
>>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 
>>> - Before url processing.
>>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - 
>>> Creating chain [/**] from String definition [anon]
>>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278
>>>  - Attempting to apply path [/**] to filter [anon] with config [null]
>>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published 
>>> WebEnvironment as ServletContext attribute with name 
>>> [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
>>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] 
>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro 
>>> environment initialized in 352 ms.
>>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] 
>>> org.apache.catalina.start

Re: Shiro Session Management

2020-03-02 Thread Brian Demers
I'm not sure I'm following Tommy.  You have a few different messages, the
one mentioning your shiro.ini

> when the shiro.ini is indeed in /WEB-INF/

implies that you have fixed the original issue?  But I'm guessing you are
still running into issues?


On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham  wrote:

> I've added some debug logging to troubleshoot the session cookie:
>
> https://imgur.com/a/vaTZrxP
>
> And this is the Shiro's generated session ID:
> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>
> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham  wrote:
>
>> According to this:
>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>
>> Should I see a cookie for Shiro's session based upon my minimalist
>> configuration?  I only see a cookie for the JSESSIONID.
>>
>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham  wrote:
>>
>>> I've also tried:
>>>
>>> Factory<SecurityManager> factory = new
>>> IniSecurityManagerFactory("classpath:shiro.ini");
>>> SecurityManager securityManager = factory.getInstance();
>>> SecurityUtils.setSecurityManager(securityManager);
>>>
>>> and received this:
>>>
>>> org.apache.shiro.config.ConfigurationException: java.io.IOException:
>>> Resource [classpath:shiro.ini] could not be found.
>>>
>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>> 
>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>> 
>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>
>>> when the shiro.ini is indeed in /WEB-INF/.  The log shows that the
>>> listener initialized successfully:
>>>
>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1]
>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting
>>> Shiro environment initialization.
>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1]
>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro
>>> environment initialized in 282 ms.
>>>
>>> Does it matter if configuring both listener and filter in web.xml or via
>>> a class implementing ServletContainerInitializer.onStartup()?
>>>
>>> Thanks,
>>> Tommy
>>>
>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham  wrote:
>>>
>>>> Yes. If I omit setting the SecurityManager in the code per the official
>>>> guide/documentation, I get this exception:
>>>>
>>>> org.apache.shiro.UnavailableSecurityManagerException: No
>>>> SecurityManager accessible to the calling code, either bound to the
>>>> org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is
>>>> an invalid application configuration.
>>>>
>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>
>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>
>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>
>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>
>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers 
>>>> wrote:
>>>>
>>>>> Are you creating a new security manager for each request?
>>>>>
>>>>>
>>>>> I’m not sure how you are using this logic, but you should let Shiro do
>>>>> all of this for you (via the ShiroFilter).
>>>>>
>>>>> -Brian
>>>>>
>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2  wrote:
>>>>> >
>>>>> > Hi Brian,
>>>>> >
>>>>> > Thanks for the prompt feedback.  Here's the code I used to check for
>>>>> the
>>>>> > session:
>>>>> >
>>>>> > https://pastebin.com/F5SMmLpq
>>>>> >
>>>>> > The shiro.ini is very basic and minimal:
>>>>> >
>>>>> > [main]
>>>>> > [users]
>>>>> > [roles]
>>>>> > [urls]
>>>>> > /** = anon
>>>>> >
>>>>> > Most of the content (99%) in shiro.ini is comments and examples as notes
>>>>> > for future implementation of authentication and authorization.
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
>>>>>
>>>>
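To show the wiring Brian points at (let the ShiroFilter own the SecurityManager instead of building one inside a downstream filter on every request) together with the programmatic load order Tommy describes, here is an added example that is not code from the thread or from the Shiro project. The class names, the "/*" mappings and the `shiroSessionId` attribute are assumptions, and it assumes a Servlet 3.0+ container that keeps registration order for dynamic filter mappings (Tomcat does).

```java
// Added example, not code from the thread: programmatic Shiro wiring for a Servlet 3.0+
// container plus a downstream filter reusing ShiroFilter's session. Names are hypothetical.
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;
public class ShiroBootstrap implements ServletContainerInitializer {
    @Override
    public void onStartup(Set<Class<?>> c, ServletContext ctx) {
        // Same wiring the Shiro web guide shows in web.xml: config location, listener, filter.
        ctx.setInitParameter("shiroConfigLocations", "/WEB-INF/shiro.ini");
        ctx.addListener(EnvironmentLoaderListener.class);
        EnumSet<DispatcherType> all = EnumSet.allOf(DispatcherType.class);
        FilterRegistration.Dynamic shiro = ctx.addFilter("ShiroFilter", ShiroFilter.class);
        // isMatchAfter=false places this mapping ahead of any declared in web.xml.
        shiro.addMappingForUrlPatterns(all, false, "/*");
        // Registered second so it runs inside the Shiro-wrapped request (Tomcat keeps call order).
        ctx.addFilter("SessionCheckFilter", SessionCheckFilter.class)
           .addMappingForUrlPatterns(all, false, "/*");
    }
    /** Uses the Subject that ShiroFilter bound to this thread; builds no SecurityManager itself. */
    public static class SessionCheckFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            Subject subject = SecurityUtils.getSubject(); // valid only once ShiroFilter has run
            // Default web sessions are the container HttpSession (JSESSIONID), so this ID is stable.
            Session session = subject.getSession();
            req.setAttribute("shiroSessionId", session.getId());
            chain.doFilter(req, res);
        }
    }
}
```

The initializer is picked up through a META-INF/services/javax.servlet.ServletContainerInitializer entry, as for any SCI; a separate Shiro session cookie only appears if a native DefaultWebSessionManager is configured in [main], which the minimal shiro.ini above does not do.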


Re: Shiro Session Management

2020-03-01 Thread Brian Demers
Are you creating a new security manager for each request?


I’m not sure how you are using this logic, but you should let Shiro do all of 
this for you (via the ShiroFilter).

-Brian

> On Mar 1, 2020, at 2:43 PM, tommyhp2  wrote:
> 
> Hi Brian,
> 
> Thanks for the prompt feedback.  Here's the code I used to check for the
> session:
> 
> https://pastebin.com/F5SMmLpq
> 
> The shiro.ini is very basic and minimal:
> 
> [main]
> [users]
> [roles]
> [urls]
> /** = anon
> 
> Most of the content (99%) in shiro.ini is comments and examples as notes
> for future implementation of authentication and authorization.
> 
> 


Re: Shiro Session Management

2020-03-01 Thread Brian Demers
Looks like the code was filtered out of the message? Can you try again or link 
to a gist?

-Brian

> On Mar 1, 2020, at 12:27 PM, tommyhp2  wrote:
> 
> Hello everyone,
> 
> I have a simple setup of Shiro.  I have both Listener and Filter set up per the
> manual.  My shiro.ini is very basic since I'm testing the session management only:
> 
> 
> 
> But every time I reload the page, Shiro's session ID changes.  This is my
> code to check:
> 
> 
> 
> Thanks,
> Tommy
> 
> 

