Thank you Jared for the answer. When I try to comment out /login.html = anon, I get a browser error 310 (net::ERR_TOO_MANY_REDIRECTS) for all my calls. Not sure why shiro seems to try to redirect me to the login page in an infinite loop.
As a test, I tried to comment out authc.loginUrl = login.html and rename login.html to login.jsp. I know this is weird, but this made it work.
I am using shiro 1.1.0, it now really looks like a bug to me. Not sure if this is linked to GWT at all. Something like "authc special handling" for login page only works with default name or jsp extension.
Anyone encountered the same issue?

--
Best Regards,
Julien

2011/10/31 Julien Muller <[email protected]>

> Hello,
> Thanks for the replies, for some reason I did not receive any mail from
> the list, but I can see answers in the web based archive. I guess this is
> due to my (very) recent subscription.
>
> Here is my web.xml:
> <filter>
>     <filter-name>ShiroFilter</filter-name>
>     <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
> </filter>
> <filter-mapping>
>     <filter-name>ShiroFilter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> shiro.ini:
> [main]
> securityManager.sessionMode = native
> authc.loginUrl = login.html
>
> [users]
> julien = password, role1, role2
>
> [urls]
> /login.html = anon
> /* = authc
>
> Here is my login.html form:
> <form action="" id="loginForm" method="post">
>     Username: <input type="text" name="username"/> <br/>
>     Password: <input type="password" name="password"/><br/>
>     <input type="checkbox" name="rememberMe" value="false"/>Remember Me?
>     <br/>
>     <input type="submit" name="submit" value="Login" />
> </form>
>
> This is only an early test, in the future I plan to move login.html to GWT
> code and to manage RPC.
> By now, I'd like to get this working the following way:
> 1) User queries the application url
> 2) User gets redirected to the login page and provides credentials
> 3) User is logged in and gets redirected back to the application.
> By now, I get stuck on the login page.
>
> Not sure why this does not work. At some point, I thought this might be
> due to the embedded jetty server, but I get the same result once deployed
> on tomcat.
>
> --
>
> Best Regards,
> Julien
>
>
> 2011/10/31 Julien Muller <[email protected]>
> >
> > Hello,
> > I am evaluating security solutions for a GWT application.
> > I like the shiro approach since it seems simple and easy to plug to
> > ldap, but I am afraid I did not really find working examples or tutorial
> > about this context.
> > I acknowledge you cannot use shiro classes from client side
> > (javascript), but do not think this should be a problem.
> > My understanding about what I should do (simple version with local users
> > defined in shiro.ini):
> > - Add IniShiroFilter to my web.xml
> > - add shiro.ini with authc.loginUrl = login.html, users and urls.
> > - Add a login.html page
> > - I will handle rpc security afterwards passing credentials in my
> >   payload and perform server side validation for each call.
> > Up to now, I can tell my shiro.ini is taken into account, the
> > application can forward to login.html, but then nothing else is done.
> > I have seen in this tutorial:
> > http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
> > that a custom servlet is implemented for login. It seems to me it should
> > be handled automatically by shiro (or not?).
> > Furthermore, shiro documentation lets me believe that after login, the
> > user will be automatically redirected to his original request page, which
> > is definitely not the case during my tests.
> > Any help or guidance would be appreciated.
> > --
> >
> > Best Regards,
> > Julien
> >
> >
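An added example, not part of the original messages and not code from the Shiro project: a shiro.ini variant for the form-login flow described in this thread. It assumes the login page is served at /login.html from the context root and that the form keeps the default `username`, `password` and `rememberMe` field names; the `authc.successUrl` value `/index.html` is a hypothetical landing page.

```ini
[main]
securityManager.sessionMode = native
# Context-relative path with a leading slash, so the authc filter can
# recognise requests for the login page itself as login requests
# (the built-in default, /login.jsp, is written the same way).
authc.loginUrl = /login.html
# Hypothetical fallback page, used when there is no saved original request.
authc.successUrl = /index.html

[users]
# Constructed test account, as in the thread; not for production use.
julien = password, role1, role2

[urls]
# The login page goes through authc rather than anon: the filter lets the
# GET through to render the form and processes the POST that carries the
# username and password parameters.
/login.html = authc
# /** covers every path depth. /* only matches a single path segment,
# which would leave nested URLs (for example RPC endpoints) outside authc.
/** = authc
```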
