Hi Christian, I'm pretty sure this isn't a Shiro issue - it appears that Jetty is not enabling its own internal SessionManager. In web applications, by default, Shiro does in fact delegate all session operations to the Servlet container. You'll need to find out why your Jetty isn't enabling HTTP Sessions by default.
Cheers,

--
Les Hazlewood
Founder, Katasoft Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Wed, Sep 29, 2010 at 1:19 AM, Christian Scharr <[email protected]> wrote:
> Hi Les,
> first a big THX, I successfully got it up and running by starting with the
> sample from the subversion repository and progressively customizing it.
>
> Now I want to change the authentication mechanism from authcBasic to form
> based authc. Therefore I changed the ini in the following way:
>
> "[main]
> securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> secureRealm = de.hshsoft.custobee.security.SecureRealm
> authc.loginUrl = /login/do
>
> [urls]
> /acp/plugin = authc, rest
> /contacts = authc, rest
> /logout = authc, rest
> /acp/user = authc, rest
> /acp/user/new = authc, rest
> /** = anon"
>
> Instead of redirecting me to the given loginUrl I got a 500 error-message
> with the text "No SessionManager".
>
> The console-logging gives a hint in DEBUG-level:
> "org.eclipse.jetty.util.log: REQUEST /contacts on org.eclipse.jetty.server.nio.selectchannelconnecto...@190a0d6
> org.eclipse.jetty.util.log: servlet=org.restlet.ext.servlet.ServerServlet-28678543
> org.eclipse.jetty.util.log: servlet holder=
> org.eclipse.jetty.util.log: chain=
> org.eclipse.jetty.util.log: call filter org.apache.shiro.web.servlet.IniShiroFilter
> org.apache.shiro.web.servlet.AdviceFilter: Filter execution resulted in an
> unexpected Exception (not IOException or ServletException as the Filter API
> recommends). Wrapping in ServletException and propagating."
>
> The corresponding stacktrace says:
> "java.lang.IllegalStateException: No SessionManager
>     at org.eclipse.jetty.server.Request.getSession(Request.java:1097)
>     at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:227)
>     at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getSession(ShiroHttpServletRequest.java:142)
>     at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getSession(ShiroHttpServletRequest.java:164)
>     at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:109)
>     [...]"
>
> I have no clue why Shiro doesn't use the given default SessionManager or what
> I should do to make things work... :-/
>
> P.S.
> In my opinion Shiro is a great security framework, but a little bit more
> documentation on how these things work and how to configure the whole framework
> for different scenarios would be really a big step forward to easier
> implementation and bigger popularity.
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of Les Hazlewood
>> Sent: Tuesday, September 28, 2010 7:16 PM
>> To: [email protected]
>> Subject: Re: custom authentication and authorization
>>
>> Hi Christian,
>>
>> Your config looks fine - it appears that it should be working. Could
>> you please try a similar config with the Shiro sample web application
>> (in the Shiro source distribution under samples/web) and see what
>> happens? If it still fails, please post the config that you used with
>> the sample app and I'll try it myself.
>>
>> Les
>>
>> On Mon, Sep 27, 2010 at 11:11 PM, Christian Scharr
>> <[email protected]> wrote:
>> > Hi,
>> > after some experimental testing and evaluation I decided to use
>> > Apache Shiro in one of my projects.
>> > So I tried to customize Shiro's authentication/authorization behaviour
>> > by subclassing the org.apache.shiro.realm.AuthorizingRealm abstract
>> > class and put it in my ini-config.
>> >
>> > Now my INI looks like:
>> > "[main]
>> > rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
>> > secureRealm = de.hshsoft.custobee.security.SecureRealm
>> >
>> > [urls]
>> > /acp/plugin = authcBasic, rest
>> > /contacts = authcBasic, rest
>> > /logout = authcBasic, rest
>> > /acp/user = authcBasic, rest
>> > /acp/user/new = authcBasic, rest
>> > /** = anon"
>> >
>> > I've put some logging messages into my Realm-class so I can see
>> > what's going on.
>> > And here's the problem:
>> > - after reading the ini, the realm class is instantiated [OK]
>> > - trying to access one of the "protected" resources shows me the
>> >   wished login-prompt [OK]
>> > - sending the filled login-prompt never ever executes the
>> >   doGetAuthenticationInfo() or doGetAuthorizationInfo() methods of my
>> >   realm [FAILURE]
>> >
>> > I've no idea what's wrong with my code or my approach... :-(
>> > Please give me a tip to the right direction to get this code running.
>> >
>> > Kind regards,
>> > Greets,
>> >
>> > Christian Scharr
>> > Dipl. Wirtschaftsinformatiker (BA)
>> > MESO-Entwicklung
>> > ----------
>> > HSH Soft- und Hardware Vertriebs GmbH
>> > Rudolf-Diesel-Straße 2
>> > 16356 Ahrensfelde
>> > Tel. (switchboard): +49 (0)30/94 004 0
>> > Tel. (hotline): +49 (0)30/94 004 444
>> > Fax: +49 (0)30/94 004 400
>> > Email: [email protected]
>> > ---
>> > Local court (Amtsgericht) Frankfurt (Oder): HRB 7352 FF
>> > Managing Director: Stephan Hauber
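
Added example, not part of the original thread and not the Shiro project's own configuration: in the second INI quoted above, the `sessionManager` line only instantiates an object, and the stack trace still passes through `ServletContainerSessionManager`, so the container's sessions are what Shiro is using. The variant below wires the native session manager into the security manager; it assumes Shiro 1.x INI semantics and property names, and the timeout and cookie values are constructed for illustration.

```ini
[main]
# Lines taken from the thread's configuration.
securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
secureRealm = de.hshsoft.custobee.security.SecureRealm
authc.loginUrl = /login/do

# As posted, this line alone creates the object but nothing references it,
# so the security manager keeps delegating to the servlet container.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

# Added: hand the session manager to the security manager. Without this
# assignment the declaration above has no effect on session handling.
securityManager.sessionManager = $sessionManager

# Added (assumed values): once Shiro owns the session, its lifetime and
# cookie flags are set here rather than in the container configuration.
# 30 minutes, in milliseconds.
sessionManager.globalSessionTimeout = 1800000
# Keep the session id out of reach of page scripts.
sessionManager.sessionIdCookie.httpOnly = true
# Only send the session cookie over HTTPS (assumes the site is served via TLS).
sessionManager.sessionIdCookie.secure = true

[urls]
# Unchanged from the thread: form authentication plus the REST permission filter.
/acp/plugin = authc, rest
/contacts = authc, rest
/logout = authc, rest
/acp/user = authc, rest
/acp/user/new = authc, rest
/** = anon
```

The other route is the one named in the reply: leave Shiro on container sessions, drop the unused `sessionManager` line, and enable HTTP session handling in Jetty itself.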
