I ran into a similar issue when I initially set up Shiro in my web
application. Every request was having a different session and I could not
track the logged-in user.
I added the following code to my generic before handler:
before(( request, response ) -> {
org.apache.shiro.mgt.SecurityManager sm = SecurityUtils.getSecurityManager
();
final Subject currentUser = new WebSubject.Builder( sm, request.raw(),
response.raw() ).buildSubject();
ThreadContext.bind(currentUser);
}
I am using SparkJava (http://sparkjava.com/) and this has worked well for
me.
I hope this helps you.
--
Anas Mughal
On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
> I'm not sure I'm following Tommy. You have a few different messages, the
> one mentioning your shiro.ini
>
> > when the shiro.ini is indeed in /WEB-INF/
>
> implies that you have fixed the original issue? by i'm guessing you are
> still running into issues?
>
>
> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>
>> I've added some debug logging to troubleshoot the session cookie:
>>
>> https://imgur.com/a/vaTZrxP
>>
>> And this is the Shiro's generated session ID:
>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>
>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>
>>> According this:
>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>
>>> Should I see a cookie for Shiro's session based upon my minimalist
>>> configuration? I only see cookie for the JSESSIONID.
>>>
>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>
>>>> I've also tried:
>>>>
>>>> Factory<SecurityManager> factory = new
>>>> IniSecurityManagerFactory("classpath:shiro.ini");
>>>> SecurityManager securityManager = factory.getInstance();
>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>
>>>> and received this:
>>>>
>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException:
>>>> Resource [classpath:shiro.ini] could not be found.
>>>>
>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>
>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>
>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>
>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>
>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the
>>>> listener initialized successfully:
>>>>
>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1]
>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting
>>>> Shiro environment initialization.
>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1]
>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro
>>>> environment initialized in 282 ms.
>>>>
>>>> Does it matter if configuring both listener and filter in web.xml or
>>>> via a class implementing ServletContainerInitializer.onStartup()?
>>>>
>>>> Thanks,
>>>> Tommy
>>>>
>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>
>>>>> Yes. If I omit setting the SecurityManager in the code per the
>>>>> official guide/documentation, I get this exception:
>>>>>
>>>>> org.apache.shiro.UnavailableSecurityManagerException: No
>>>>> SecurityManager accessible to the calling code, either bound to the
>>>>> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is
>>>>> an invalid application configuration.
>>>>>
>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>
>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>
>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>
>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>
>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>
>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Are you creating a new security manager for each request?
>>>>>>
>>>>>>
>>>>>> I’m not sure how you are using this logic, but you should let Shiro
>>>>>> do all of this for you (via the ShiroFilter).
>>>>>>
>>>>>> -Brian
>>>>>>
>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>> >
>>>>>> > Hi Brian,
>>>>>> >
>>>>>> > Thanks for the prompt feedback. Here's the code I used to check
>>>>>> for the
>>>>>> > session:
>>>>>> >
>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>> >
>>>>>> > The shiro.ini is very basic and minimal:
>>>>>> >
>>>>>> > [main]
>>>>>> > [users]
>>>>>> > [roles]
>>>>>> > [urls]
>>>>>> > /** = anon
>>>>>> >
>>>>>> > Most of the content (99%) in shiro.ini are comments and examples as
>>>>>> notes
>>>>>> > for future implementation of authentication and authorization.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > --
>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
>>>>>>
>>>>>
--
Anas Mughal
