After doing some quick testing, this is what I've found: The FormAuthenticationFilter only attempts to perform a login if the parameters are passed to your login page. This login result is saved in your session and you are redirected to your originally requested page (Reports.jsp). However, you need your session id to retain your "logged in" state.
Here's what I was able to accomplish (the first login request isn't necessary, but I was attempting to follow the redirects as the server returned them):

    prompt$ curl -v http://localhost:8080/index.jsp
    * About to connect() to localhost port 8080 (#0)
    * Trying ::1... connected
    * Connected to localhost (::1) port 8080 (#0)
    > GET /index.jsp HTTP/1.1
    > User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
    > Host: localhost:8080
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    < Set-Cookie: JSESSIONID=1xy6y3er07mu010rkjyu9hek23;Path=/
    < Expires: Thu, 01-Jan-1970 00:00:00 GMT
    < Location: http://localhost:8080/login.jsp;jsessionid=1xy6y3er07mu010rkjyu9hek23
    < Content-Length: 0
    < Server: Jetty(8.0.0.M2)
    <
    * Connection #0 to host localhost left intact
    * Closing connection #0

    prompt$ curl -v "http://localhost:8080/login.jsp;jsessionid=1xy6y3er07mu010rkjyu9hek23"
    * About to connect() to localhost port 8080 (#0)
    * Trying ::1... connected
    * Connected to localhost (::1) port 8080 (#0)
    > GET /login.jsp;jsessionid=1xy6y3er07mu010rkjyu9hek23 HTTP/1.1
    > User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
    > Host: localhost:8080
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Content-Type: text/html;charset=ISO-8859-1
    < Content-Length: 350
    < Server: Jetty(8.0.0.M2)
    <
    <html>
    <body>
    <h2>Login</h2>
    <form method="post">
    <label for="username">User name:</label>
    <input type="text" name="username"/>
    <br>
    <label for="password">Password:</label>
    <input type="password" name="password"/>
    <br>
    <input type="hidden" name="rememberMe" value="false"/>
    <input type="submit" name="Login"/>
    </form>
    </body>
    </html>
    * Connection #0 to host localhost left intact
    * Closing connection #0

    prompt$ curl -v "http://localhost:8080/login.jsp;jsessionid=1xy6y3er07mu010rkjyu9hek23" -d "username=user&password=password"
    * About to connect() to localhost port 8080 (#0)
    * Trying ::1... connected
    * Connected to localhost (::1) port 8080 (#0)
    > POST /login.jsp;jsessionid=1xy6y3er07mu010rkjyu9hek23 HTTP/1.1
    > User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
    > Host: localhost:8080
    > Accept: */*
    > Content-Length: 31
    > Content-Type: application/x-www-form-urlencoded
    >
    < HTTP/1.1 302 Found
    < Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Mon, 20-Dec-2010 14:37:48 GMT
    < Location: http://localhost:8080/index.jsp;jsessionid=1xy6y3er07mu010rkjyu9hek23
    < Content-Length: 0
    < Server: Jetty(8.0.0.M2)
    <
    * Connection #0 to host localhost left intact
    * Closing connection #0

    prompt$ curl -v "http://localhost:8080/index.jsp;jsessionid=1xy6y3er07mu010rkjyu9hek23"
    * About to connect() to localhost port 8080 (#0)
    * Trying ::1... connected
    * Connected to localhost (::1) port 8080 (#0)
    > GET /index.jsp;jsessionid=1xy6y3er07mu010rkjyu9hek23 HTTP/1.1
    > User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
    > Host: localhost:8080
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Content-Type: text/html;charset=ISO-8859-1
    < Content-Length: 52
    < Server: Jetty(8.0.0.M2)
    <
    <html>
    <body>
    <h2>Hello World!</h2>
    </body>
    </html>
    * Connection #0 to host localhost left intact
    * Closing connection #0

On 12/20/10 8:49 PM, "jhericks" <[email protected]> wrote:

>
> I can find plenty of examples that show how to configure a URL to use the
> authc filter, but I cannot find any examples of a simple login page that
> would be appropriate. I am using Spring integration to Shiro, but I don't
> think that has anything to do with my problem.
>
> From reading the documentation, I set up my filter factory like this:
> <bean id="shiroFilter"
> class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>   <property name="loginUrl" value="/login.jsp" />
>   <property name="successUrl" value="/Reports.jsp" />
>   <property name="securityManager" ref="securityManager" />
>   <property name="filterChainDefinitionMap">
>     <map>
>       <entry key="/ws/**" value="authc" />
>       <entry key="/Reports.jsp" value="authc" />
>       <entry key="/**" value="anon" />
>     </map>
>   </property>
> </bean>
>
> I'll spare you the entire xml file. I can tell that it's picking up the
> right filter, because when I do this:
> * curl -v localhost:8080/factorlab-web/Reports.jsp
> I get this response:
> < HTTP/1.1 302 Found
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Set-Cookie: JSESSIONID=19gdgnmukynb3;Path=/factorlab-web
> < Location:
> http://localhost:8080/factorlab-web/login.jsp;jsessionid=19gdgnmukynb3
> < Content-Length: 0
> < Server: Jetty(6.1.21)
> <
>
> So far, so good, right? However, if I submit the username and password, I
> should get the content of Reports.jsp, right? I don't. If I do this:
> * curl -v -d "username=demo&password=demo&rememberMe=false"
> http://localhost:8080/factorlab-web/Reports.jsp
>
> I get the same response as before:
> < HTTP/1.1 302 Found
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Set-Cookie: JSESSIONID=qnidg37bqo9f;Path=/factorlab-web
> < Location:
> http://localhost:8080/factorlab-web/login.jsp;jsessionid=qnidg37bqo9f
> < Content-Length: 0
> < Server: Jetty(6.1.21)
> <
>
> Clearly I'm confused either about configuration or about how it's supposed
> to work. First, can anyone tell me just what I should expect from the
> second curl command, or why I don't see what I'm expecting?
>
> Second, is there a small sample with a login.jsp (or similar) where I could
> see what happens when a user:
> * Goes explicitly to the login page
> * Is automatically directed to the login page (e.g. logging in takes you
> back to the original attempted page).
> * Submits bad username and password from the login page.
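
Added example (not part of either message above): a shell check that reads one `curl -v` request/response pair and reports how the login filter treated it, covering the POST to Reports.jsp from the question and the POST to login.jsp from the reply. The function names, result labels and sample transcripts are constructed for illustration, and a 302 from the login URL to any other page is assumed to mean the login was accepted, as in the reply's transcript.

```shell
#!/bin/sh
# Added example: classify one `curl -v` request/response pair from a Shiro
# form-login test. Pass the loginUrl path as $1 and the transcript on stdin.

# Session id the request sent back (URL rewriting or a Cookie header).
# Empty output means the request carried no session at all.
request_sid() {
  tr -d '\r' | sed -n \
    -e 's/^> [A-Z][A-Z]* [^ ]*;jsessionid=\([^ ?#]*\).*/\1/p' \
    -e 's/^> Cookie: .*JSESSIONID=\([^;]*\).*/\1/p' | head -n 1
}

# Compare the request target and the redirect target with the login URL.
classify() {
  login_path=$1
  t=$(tr -d '\r')   # curl -v header lines end in CR
  method=$(printf '%s\n' "$t" | sed -n 's/^> \([A-Z][A-Z]*\) \/.*/\1/p' | head -n 1)
  req_path=$(printf '%s\n' "$t" | sed -n 's/^> [A-Z][A-Z]* \(\/[^ ;?]*\).*/\1/p' | head -n 1)
  status=$(printf '%s\n' "$t" | sed -n 's/^< HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p' | head -n 1)
  target=$(printf '%s\n' "$t" | sed -n 's/^< Location: *//p' | head -n 1 |
           sed -e 's/^[a-z]*:\/\/[^/]*//' -e 's/[;?#].*//')
  if [ "$status" = 302 ] && [ "$target" = "$login_path" ]; then
    if [ "$method" = POST ] && [ "$req_path" != "$login_path" ]; then
      echo "credentials-not-posted-to-loginUrl"
    else
      echo "unauthenticated-redirect-to-login"
    fi
  elif [ "$method" = POST ] && [ "$req_path" = "$login_path" ] && [ "$status" = 302 ]; then
    echo "login-accepted"   # assumption: redirect away from loginUrl = success
  else
    echo "other"
  fi
}

# Constructed samples shaped like the two POSTs in the thread (ids are made up).
ASKER_POST='> POST /factorlab-web/Reports.jsp HTTP/1.1
< HTTP/1.1 302 Found
< Set-Cookie: JSESSIONID=sampleid0001;Path=/factorlab-web
< Location: http://localhost:8080/factorlab-web/login.jsp;jsessionid=sampleid0001'
REPLY_POST='> POST /login.jsp;jsessionid=sampleid0002 HTTP/1.1
< HTTP/1.1 302 Found
< Location: http://localhost:8080/index.jsp;jsessionid=sampleid0002'

printf '%s\n' "$ASKER_POST" | classify /factorlab-web/login.jsp
printf '%s\n' "$REPLY_POST" | classify /login.jsp
```

To check a live response, pipe `curl -v ... 2>&1` into `classify` with the configured loginUrl path, context path included.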
