Hi Lez,
Thanks for the reply, it's very much appreciated.
Still no luck, unfortunately. Perhaps I could take you through my attempts
to fix this?
Step 1: My starting point is my non-ssl configuration, in my ShiroWebModule
configureShiroWeb() method. This works perfectly, and I love how simple
Shiro is to use here:

    protected void configureShiroWeb() {
        bindConstant().annotatedWith(Names.named("shiro.globalSessionTimeout")).to(30000L);
        bindRealm().to(MyAuthorizingRealm.class).asEagerSingleton();
        addFilterChain("/favicon.ico", ANON);
        addFilterChain("/css/*", ANON);
        addFilterChain("/api/user*", ANON);
        addFilterChain("/signup.html", ANON);
        addFilterChain("/login.jsp", AUTHC);
        addFilterChain("/**", AUTHC);
    }

I hope all that's self-explanatory. This works as expected - when I go to
any page at http://www.myexample.com as an unauthorised user, I'm redirected
to /login.jsp. Then when I log in, I'm taken to the page I originally
requested.
Step 2: I added SSL to www.myexample.com, using a self-signed certificate.
The app is deployed to Heroku, and is set up with their SSL add-on. Now,
going to httpS://www.myexample.com/any-page redirects to
http://www.myexample.com/login.jsp, instead of httpS. I can then change the
browser url to load httpS://www.myexample.com/login.jsp, but when I log in
I'm redirected to the non-ssl http://www.myexample.com/any-page. (I can then
change to https and navigate the app as expected, and signed in correctly.)
Step 3: I attempted to force Shiro to use https, by adding it to the
login.jsp chain:

    protected void configureShiroWeb() {
        bindConstant().annotatedWith(Names.named("shiro.globalSessionTimeout")).to(30000L);
        bindRealm().to(MyAuthorizingRealm.class).asEagerSingleton();
        addFilterChain("/favicon.ico", ANON);
        addFilterChain("/css/*", ANON);
        addFilterChain("/api/user*", ANON);
        addFilterChain("/signup.html", ANON);
        addFilterChain("/login.jsp", SSL, AUTHC);
        addFilterChain("/**", AUTHC);
    }

This attempt gives an ERR_TOO_MANY_REDIRECTS error when I try to load any
page.
Step 4: Going from my interpretation of your comments in your reply, I tried
explicitly naming the AuthC login url:

    protected void configureShiroWeb() {
        bindConstant().annotatedWith(Names.named("shiro.globalSessionTimeout")).to(30000L);
        bindConstant().annotatedWith(Names.named("shiro.authc.loginUrl")).to("/login.jsp");
        bindRealm().to(MyAuthorizingRealm.class).asEagerSingleton();
        addFilterChain("/favicon.ico", ANON);
        addFilterChain("/css/*", ANON);
        addFilterChain("/api/user*", ANON);
        addFilterChain("/signup.html", ANON);
        addFilterChain("/login.jsp", SSL, AUTHC);
        addFilterChain("/**", AUTHC);
    }

This attempt made no difference.
I'm starting to suspect that the issue may lie with Heroku, in that the
https connection is handled by the Cedar stack before being routed to my
app, and therefore I shouldn't be explicitly handling ssl inside the app. In
that case, I'm back to Step 2, and needing my login.jsp to play nicely with
its environment.
Thanks for reading this far - if you have any thoughts or suggestions - or
explanations of where I'm going so cripplingly wrong! - I'd love to hear
them.
Thanks,
Andy
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/SSL-Login-https-redirects-to-http-tp7579103p7579140.html
Sent from the Shiro User mailing list archive at Nabble.com.
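
Added example, not part of the original message and not Shiro's or Heroku's own code: when TLS is terminated by a router in front of the app, as the message suspects, a servlet filter mapped ahead of the Shiro filter can report the client's original scheme to everything downstream. The class name ForwardedProtoFilter is hypothetical; the sketch assumes the router sets X-Forwarded-Proto, passes the original Host header through, and is the only route to the app.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (added example). Trusts X-Forwarded-Proto, so it is only
// safe when the TLS-terminating router is the sole path to the app; a client
// that can reach the app directly could set this header itself.
public class ForwardedProtoFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest http = (HttpServletRequest) req;
        if (!"https".equalsIgnoreCase(http.getHeader("X-Forwarded-Proto"))) {
            chain.doFilter(req, res); // client used plain HTTP: leave untouched
            return;
        }
        // Report the scheme the client used, not the router-to-app hop, to
        // downstream code that calls getScheme(), isSecure() or getServerPort().
        HttpServletRequest secureReq = new HttpServletRequestWrapper(http) {
            @Override public String getScheme() { return "https"; }
            @Override public boolean isSecure() { return true; }
            @Override public int getServerPort() { return 443; }
        };
        // A container may build the absolute Location header from its own view
        // of the request, so root-relative redirects are made absolute here.
        HttpServletResponse secureRes =
                new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override public void sendRedirect(String location) throws IOException {
                if (location.startsWith("/") && !location.startsWith("//")) {
                    // Assumption: getServerName() reflects the public host name.
                    location = "https://" + http.getServerName() + location;
                }
                super.sendRedirect(location);
            }
        };
        chain.doFilter(secureReq, secureRes);
    }
}
```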