Hi Brian,

I'm still having issues getting a valid session when specifying SecurityManager via SecurityUtils. If I omit that, I get exceptions. After some more troubleshooting, I've added some fake test accounts from the official tutorial and set TRACE log level to org.apache.shiro. Below is the log:

02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified. Trying default config locations.
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for configuration.
02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty. Defaulting to the default section (name = "")
02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section. Processing...
02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section. Processing...
02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]

It seems that the resources is empty when I don't set the SecurityManager in SecurityUtils. Thus, from what I could tell from the code, the SecurityUtils.getSecurityManager() would fail since the resources map is empty and the cascade failure of getting a session. I haven't been able to track down how the resources in ThreadContext is set yet :(

Thanks,
Tommy

On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:

> I'm not sure I'm following Tommy. You have a few different messages, the
> one mentioning your shiro.ini
>
> > when the shiro.ini is indeed in /WEB-INF/
>
> implies that you have fixed the original issue? but I'm guessing you are
> still running into issues?
>
>
> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>
>> I've added some debug logging to troubleshoot the session cookie:
>>
>> https://imgur.com/a/vaTZrxP
>>
>> And this is the Shiro's generated session ID:
>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>
>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>
>>> According to this:
>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>
>>> Should I see a cookie for Shiro's session based upon my minimalist
>>> configuration? I only see cookie for the JSESSIONID.
>>>
>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>
>>>> I've also tried:
>>>>
>>>> Factory<SecurityManager> factory = new
>>>> IniSecurityManagerFactory("classpath:shiro.ini");
>>>> SecurityManager securityManager = factory.getInstance();
>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>
>>>> and received this:
>>>>
>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException:
>>>> Resource [classpath:shiro.ini] could not be found.
>>>>
>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>
>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>
>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>
>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>
>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the
>>>> listener initialized successfully:
>>>>
>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1]
>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting
>>>> Shiro environment initialization.
>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1]
>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro
>>>> environment initialized in 282 ms.
>>>>
>>>> Does it matter if configuring both listener and filter in web.xml or
>>>> via a class implementing ServletContainerInitializer.onStartup()?
>>>>
>>>> Thanks,
>>>> Tommy
>>>>
>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>
>>>>> Yes. If I omit setting the SecurityManager in the code per the
>>>>> official guide/documentation, I get this exception:
>>>>>
>>>>> org.apache.shiro.UnavailableSecurityManagerException: No
>>>>> SecurityManager accessible to the calling code, either bound to the
>>>>> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is
>>>>> an invalid application configuration.
>>>>>
>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>
>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>
>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>
>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>
>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>
>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>>
>>>>>> Are you creating a new security manager for each request?
>>>>>>
>>>>>>
>>>>>> I’m not sure how you are using this logic, but you should let Shiro
>>>>>> do all of this for you (via the ShiroFilter).
>>>>>>
>>>>>> -Brian
>>>>>>
>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>> >
>>>>>> > Hi Brian,
>>>>>> >
>>>>>> > Thanks for the prompt feedback. Here's the code I used to check for the
>>>>>> > session:
>>>>>> >
>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>> >
>>>>>> > The shiro.ini is very basic and minimal:
>>>>>> >
>>>>>> > [main]
>>>>>> > [users]
>>>>>> > [roles]
>>>>>> > [urls]
>>>>>> > /** = anon
>>>>>> >
>>>>>> > Most of the content (99%) in shiro.ini are comments and examples as notes
>>>>>> > for future implementation of authentication and authorization.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > --
>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
>>>>>>
>>>>>
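
Added example (not code from this thread or from the Shiro project): the UnavailableSecurityManagerException quoted above is raised when nothing has bound a SecurityManager to the request thread before SecurityUtils.getSubject() runs, a binding ShiroFilter normally performs. The servlet filter below, with the hypothetical name ShiroBindingCheckFilter and assuming the javax.servlet API and Shiro 1.x with shiro-web, reuses the WebEnvironment that EnvironmentLoaderListener published at startup instead of building a new manager on each request.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.env.WebEnvironment;
import org.apache.shiro.web.subject.WebSubject;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical class name; assumes javax.servlet and Shiro 1.x (shiro-web).
public class ShiroBindingCheckFilter implements Filter {
    private ServletContext servletContext;

    @Override
    public void init(FilterConfig config) {
        servletContext = config.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Non-null only if an upstream filter (normally ShiroFilter) bound it to this thread.
        if (ThreadContext.getSecurityManager() != null) {
            chain.doFilter(req, res);
            return;
        }
        // One shared manager, created at startup by EnvironmentLoaderListener from /WEB-INF/shiro.ini.
        WebEnvironment env = WebUtils.getRequiredWebEnvironment(servletContext);
        Subject subject = new WebSubject.Builder(env.getWebSecurityManager(), req, res)
                .buildWebSubject();
        try {
            // execute() binds Subject and SecurityManager to ThreadContext, then restores the prior state.
            subject.execute(() -> { chain.doFilter(req, res); return null; });
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    @Override
    public void destroy() { }
}
```

Mapping ShiroFilter ahead of the application's own filters is the simpler route, since it also resolves the [urls] filter chains; this fallback only binds the Subject for code further down the chain.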
