Let’s take a step back, what are you trying to do with the SecurityManager?
Sorry but I still feel like this thread is bouncing between two options. (This 
could just be me though) Let’s just consider the “working” Shiro.ini for now. 

Is the ShiroFilter getting processed before your code?




-Brian

> On Mar 2, 2020, at 7:50 PM, Tommy Pham <[email protected]> wrote:
> 
> 
> Hi Alessio,
> 
> I'm loading the Shiro Filter via FilterRegistration in a class implementing 
> ServletContainerInitializer.onStartup().  Loading the filter(s) this way does 
> not guarantee ordering as loaded from my testing of various approaches 
> (web.xml, annotations, and, preferably, programmatically).  I have my own 
> filter loader and filter chain that guarantees the order for my filters which 
> are not visible in the FilterRegistration:
> 
> -----------------------------
> .onStartup:303 - -------- Filter Registrations ------------------------------
> .lambda$onStartup$12:307 - Filter name: log4jServletFilter
> .lambda$onStartup$12:308 -     Registered class: 
> org.apache.logging.log4j.web.Log4jServletFilter
> .lambda$onStartup$12:316 -     URL pattern mapping(s):
> .lambda$onStartup$10:317 -             /*
> .lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
> .lambda$onStartup$12:308 -     Registered class: 
> org.apache.tomcat.websocket.server.WsFilter
> .lambda$onStartup$12:316 -     URL pattern mapping(s):
> .lambda$onStartup$10:317 -             /*
> .lambda$onStartup$12:307 - Filter name: AppFilterLoader
> .lambda$onStartup$12:308 -     Registered class: 
> com.domain.web.AppFilterLoader
> .lambda$onStartup$12:316 -     URL pattern mapping(s):
> .lambda$onStartup$10:317 -             /*
> .lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
> .lambda$onStartup$12:308 -     Registered class: 
> com.domain.web.FilterDefaultJsp
> .lambda$onStartup$12:311 -     Servlet mapping(s):
> .lambda$onStartup$9:312 -              default
> .lambda$onStartup$9:312 -              jsp
> .lambda$onStartup$12:307 - Filter name: TestFilterSecure
> .lambda$onStartup$12:308 -     Registered class: 
> com.domain.web.TestFilterSecure
> .lambda$onStartup$12:316 -     URL pattern mapping(s):
> .lambda$onStartup$10:317 -             /secure/*
> .lambda$onStartup$12:307 - Filter name: ShiroFilter
> .lambda$onStartup$12:308 -     Registered class: 
> org.apache.shiro.web.servlet.ShiroFilter
> .lambda$onStartup$12:316 -     URL pattern mapping(s):
> .lambda$onStartup$10:317 -             /*
> .onStartup:325 - ------------------------------------------------------------
> -----------------------------------------------------------
>   I've tried loading the Shiro Filter with my custom loader but it failed because 
> of invalid FilterChain type.  Oddly enough, if I have the Shiro Filter loaded 
> first, it works fine.  I need to further test why this is and if it's 
> consistent across web container restarts.  I was hoping to have Filters 
> executing in this order:
> 
> logging -> security (block request or start Shiro session) -> other filters 
> -> mapped servlet.
> 
> since I don't have the desire to waste system resources to start a session 
> when the request is blocked.  But as long as I can get Shiro working, I can 
> work with it for now.
> 
> Thanks,
> Tommy
> 
>> On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[email protected]> 
>> wrote:
>> To me, it looks like the Shiro Filter is not installed or your own filter 
>> runs before it has a chance to associate Shiro objects with the thread.
>> 
>>> On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote:
>>> Hi Brian,
>>> 
>>> I'm still having issues getting a valid session when specifying 
>>> SecurityManager via SecurityUtils.  If I omit that, I get exceptions.   
>>> After some more troubleshooting, I've added some fake test accounts from 
>>> the official tutorial and set TRACE log level to org.apache.shiro.  Below 
>>> is the log:
>>> 
>>> 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any 
>>> specified config locations.
>>> 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI 
>>> instance or config locations specified.  Trying default config locations.
>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini.load:401 - Parsing [main]
>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini.load:401 - Parsing [users]
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: root = secret, admin
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: guest = guest, guest
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: presidentskroob = 12345, president
>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: lonestarr = vespa, goodguy, schwartz
>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini.load:401 - Parsing [roles]
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: admin = *
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: schwartz = lightsaber:*
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: goodguy = winnebago:drive:eagle5
>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini.load:401 - Parsing [urls]
>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered 
>>> key/value pair: /** = anon
>>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered 
>>> non-empty INI configuration at location '/WEB-INF/shiro.ini'.  Using for 
>>> configuration.
>>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating 
>>> instance from Ini [sections=users,roles,urls]
>>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or 
>>> empty.  Defaulting to the default section (name = "")
>>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - 
>>> Adding login url to applied paths.
>>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered 
>>> the [roles] section.  Processing...
>>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered 
>>> the [users] section.  Processing...
>>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating 
>>> instance from Ini [sections=users,roles,urls]
>>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - 
>>> Adding login url to applied paths.
>>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] 
>>> org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 
>>> - Before url processing.
>>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - 
>>> Creating chain [/**] from String definition [anon]
>>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278
>>>  - Attempting to apply path [/**] to filter [anon] with config [null]
>>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] 
>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published 
>>> WebEnvironment as ServletContext attribute with name 
>>> [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
>>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] 
>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro 
>>> environment initialized in 352 ms.
>>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] 
>>> org.apache.catalina.startup.HostConfig.deployWAR Deployment of web 
>>> application archive [D:\apache-tomcat\webapps\erm.war] has finished in 
>>> [9,120] ms
>>> 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] 
>>> com.domain.security.FilterSecurity.doFilter:147 - >> 
>>> ThreadContext.getResources(): true 0
>>> 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] 
>>> org.apache.shiro.util.ThreadContext.get:126 - get() - in thread 
>>> [http-nio-8080-exec-181]
>>> 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] 
>>> org.apache.shiro.util.ThreadContext.get:126 - get() - in thread 
>>> [http-nio-8080-exec-181]
>>> 
>>> It seems that the resources is empty when I don't set the SecurityManager 
>>> in SecurityUtils.  Thus, from what I could tell from the code, the 
>>> SecurityUtils.getSecurityManager() would fail since the resources map is 
>>> empty and the cascade failure of getting a session.  I haven't been able to 
>>> track down how the resources in ThreadContext is set yet :(
>>> 
>>> Thanks,
>>> Tommy
>>> 
>>> 
>>>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
>>>> I'm not sure I'm following Tommy.  You have a few different messages, the 
>>>> one mentioning your shiro.ini
>>>> 
>>>> > when the shiro.ini is indeed in /WEB-INF/
>>>> 
>>>> implies that you have fixed the original issue?  But I'm guessing you are 
>>>> still running into issues?
>>>> 
>>>> 
>>>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>>>>> I've added some debug logging to troubleshoot the session cookie:
>>>>> 
>>>>> https://imgur.com/a/vaTZrxP  
>>>>> 
>>>>> And this is the Shiro's generated session ID:  
>>>>> 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>>>> 
>>>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>>>>> According to this: 
>>>>>> https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>>>> 
>>>>>> Should I see a cookie for Shiro's session based upon my minimalist 
>>>>>> configuration?  I only see a cookie for the JSESSIONID.
>>>>>> 
>>>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>>>>> I've also tried:
>>>>>>> 
>>>>>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>>>>> SecurityManager securityManager = factory.getInstance();
>>>>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>>>> 
>>>>>>> and received this:
>>>>>>> 
>>>>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: 
>>>>>>> Resource [classpath:shiro.ini] could not be found.
>>>>>>>         org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>>>>>         org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>>>>         
>>>>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>>>>         
>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>         
>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>>>>>         com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>         
>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>         com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>         
>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>         
>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>> when the shiro.ini is indeed in /WEB-INF/.  The log shows that the 
>>>>>>> listener initialized successfully:
>>>>>>> 
>>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] 
>>>>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - 
>>>>>>> Starting Shiro environment initialization.
>>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] 
>>>>>>> org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro 
>>>>>>> environment initialized in 282 ms.
>>>>>>> 
>>>>>>> Does it matter if configuring both listener and filter in web.xml or 
>>>>>>> via a class implementing ServletContainerInitializer.onStartup()?
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> Tommy
>>>>>>> 
>>>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>>>>> Yes. If I omit setting the SecurityManager in the code per the 
>>>>>>>> official guide/documentation, I get this exception:
>>>>>>>> 
>>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No 
>>>>>>>> SecurityManager accessible to the calling code, either bound to the 
>>>>>>>> org.apache.shiro.util.ThreadContext or as a vm static singleton.  This 
>>>>>>>> is an invalid application configuration.
>>>>>>>>     
>>>>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>>>     org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>>>     org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>>>     
>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>     
>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>>>     com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>     
>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>     com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>     com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>     
>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>> 
>>>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> 
>>>>>>>>> wrote:
>>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> I’m not sure how you are using this logic, but you should let Shiro 
>>>>>>>>> do all of this for you (via the ShiroFilter).
>>>>>>>>> 
>>>>>>>>> -Brian
>>>>>>>>> 
>>>>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>>>>> > 
>>>>>>>>> > Hi Brian,
>>>>>>>>> > 
>>>>>>>>> > Thanks for the prompt feedback.  Here's the code I used to check 
>>>>>>>>> > for the
>>>>>>>>> > session:
>>>>>>>>> > 
>>>>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>>>>> > 
>>>>>>>>> > The shiro.ini is very basic and minimal:
>>>>>>>>> > 
>>>>>>>>> > [main]
>>>>>>>>> > [users]
>>>>>>>>> > [roles]
>>>>>>>>> > [urls]
>>>>>>>>> > /** = anon
>>>>>>>>> > 
>>>>>>>>> > Most of the content (99%) in shiro.ini are comments and examples as 
>>>>>>>>> > notes
>>>>>>>>> > for future implementation of authentication and authorization.
>>>>>>>>> > 
>>>>>>>>> > 
>>>>>>>>> > 
>>>>>>>>> > --
>>>>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
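
An added example, not code from this thread or from the Shiro project: one way to register the Shiro listener and ShiroFilter from `ServletContainerInitializer.onStartup()` so that ShiroFilter is matched ahead of any filter that relies on the thread-bound Subject, which is the ordering question raised above. `ExampleShiroInitializer` and `BindingProbeFilter` are hypothetical names; the code assumes the `javax.servlet` API and a `/WEB-INF/shiro.ini` as in the thread.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.*;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

// Hypothetical class name. List it in
// META-INF/services/javax.servlet.ServletContainerInitializer so the container calls onStartup().
public class ExampleShiroInitializer implements ServletContainerInitializer {
    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
        // Builds the WebEnvironment from /WEB-INF/shiro.ini once at startup
        // (the "Shiro environment initialized" line in the log above).
        ctx.addListener(EnvironmentLoaderListener.class);

        EnumSet<DispatcherType> types = EnumSet.of(DispatcherType.REQUEST,
                DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.ERROR);

        // isMatchAfter=false: matched before filter mappings declared in web.xml.
        mapFilter(ctx.addFilter("ShiroFilter", ShiroFilter.class), types, false);
        // isMatchAfter=true: matched after declared mappings, so after ShiroFilter.
        mapFilter(ctx.addFilter("BindingProbe", BindingProbeFilter.class), types, true);
    }

    private static void mapFilter(FilterRegistration.Dynamic reg, EnumSet<DispatcherType> types,
                                  boolean matchAfter) throws ServletException {
        if (reg == null) { // addFilter returns null when the name is already fully registered
            throw new ServletException("filter name already registered elsewhere");
        }
        reg.addMappingForUrlPatterns(types, matchAfter, "/*");
    }

    // Hypothetical downstream filter: fails closed when ShiroFilter did not run first.
    public static class BindingProbeFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // ShiroFilter binds the Subject to ThreadContext for the duration of the request.
            if (ThreadContext.getSubject() == null) {
                throw new ServletException("ShiroFilter has not processed this request");
            }
            chain.doFilter(req, res);
        }
    }
}
```

With this layout the application code never calls `SecurityUtils.setSecurityManager()` per request; it reads the Subject that ShiroFilter has already bound.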
