Hi Brian,

Thanks for the references, I'll bookmark them for review later. After some trial and error, I've verified that these settings break Shiro's native session management (per my minimalist shiro.ini):

Session Cookie config:

03-Mar-2020 15:49:31.134 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:115 - getComment: null
03-Mar-2020 15:49:31.135 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:116 - getDomain: null
03-Mar-2020 15:49:31.135 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:117 - getMaxAge: 2592000
03-Mar-2020 15:49:31.136 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:118 - getName: null
03-Mar-2020 15:49:31.136 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:119 - getPath: null
03-Mar-2020 15:49:31.137 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:120 - isHttpOnly: true
03-Mar-2020 15:49:31.138 DEBUG [Catalina-utility-1] com.sointe.ajs.AjsInitializer.onStartup:121 - isSecure: true

I've confirmed this for both the main project and the AJS project.

1. Since Shiro's native session doesn't seem to issue a javax.servlet.http.Cookie per my last screenshot, why then would any change from the default break Shiro even though my search for SessionCookieConfig on GitHub shows 0 results?
2. How then does Shiro know which session belongs to which client?
3. In native mode, am I safe to assume it's done behind the scenes in memory if session storage is not configured? In any event, allowing me to focus more on session.setAttribute(key, value) or session.getAttribute(key) with a valid session.

If I need to set a specific cookie to the client even when the session expired, I presume I'd use:

SimpleCookie cookie = new SimpleCookie(cookieName);
// set appropriately
cookie.saveTo(request, response);

Since setting the SessionCookieConfig breaks Shiro's native session management, how could I configure the default properties for the majority of the cookies?

From https://shiro.apache.org/web.html#Web-%7B%7BDefaultWebSessionManager%7D%7D I deduced:

securityManager.sessionManager.cookie.maxAge
securityManager.sessionManager.cookie.httpOnly
securityManager.sessionManager.cookie.secure

Thanks,
Tommy

On Tue, Mar 3, 2020 at 3:36 PM Brian Demers <[email protected]> wrote:

> It depends on what you are doing, but in most cases, if you need the session, you would just use the standard HttpSession.
>
> The framework should handle most of this logic for you, so you _shouldn't_ need any code
>
> https://github.com/bdemers/shiro-via-gateway/tree/master/servlet-application/
> a servlet:
> https://github.com/bdemers/shiro-via-gateway/blob/master/servlet-application/src/main/java/com/okta/example/servlet/UserProfileServlet.java
>
> As for sessions, you can let the container manage them, or you can let Shiro do it:
> https://shiro.apache.org/session-management.html#session-storage
> (but it's just setup/configuration and your application would work the same way)
>
> You will need some type of realm to manage your users, otherwise, you wouldn't be able to identify a user.
>
> My suggestion is to start with a simple app (add security early/first) and then add/test features as you go.
> - Anonymous user state persistence (HttpSession API or something similar)
> - Log that user in (configure a Shiro realm) and make sure you can still access the session
> - profit ;)
>
> I'd also suggest using the `DefaultWebSessionManager` to manage your sessions.
>
> On Tue, Mar 3, 2020 at 5:53 PM Tommy Pham <[email protected]> wrote:
>
>> Hi Brian,
>>
>> All the classes, including filters, in place are intended for their purpose for the start of the AJS project. Some of the methods are blank because I've yet to implement them since I'm unable to get a valid session. Yes, initially it's anon only to work out the non-blocking application flow. Eventually, all access in the AJS will require authentication, including possibly 2 factors, and authorization. The AbstractWeb.validateSessionShiro() is to get a valid Shiro session as called initially by the security filter. That same method is called by the mapped servlet via a controller.execute() to use the session. If you run the app, the web UI will show the same session ID as being logged by the FilterSecurity.doFilter(), so the FilterChain works as desired. However, subsequent page reloads will generate a different session ID every time :(
>>
>> While responding, I've added some additional debug logging for quicker comparison/troubleshooting:
>>
>> https://imgur.com/a/W23fupe
>>
>> It seems that a cookie was never set nor was the Java HttpSession started.
>>
>> - Does Shiro require at least one type of realm (ini, JDBC, LDAP, or ActiveDirectory) to work? I have another project in mind down the road that requires a session but no authentication / authorization since the information is non-sensitive. But that may change.
>> - Since Shiro's Session is native, how does Shiro keep track of the session if a cookie is not set, or does Shiro have native cookie management also?
>> - What if there are multiple applications at different contexts but all utilize Shiro, how does Shiro handle the sessions for each context, i.e. /ajs/ and /myApp/? As it is now, I have my main project at /myApp/ deployed along with the /ajs/. Both use Shiro and both have the same session ID issue (ID is regenerated at every request). The latter, AJS, is per your request. I didn't intend to start on it until much later.
>>
>> As for the samples you've provided, I think they're all V based upon MVC. Neither includes:
>>
>> Subject subj = SecurityUtils.getSubject();
>> Session sess = subj.getSession(false);
>> if (sess == null) {
>>     sess = subj.getSession(true);
>>     // process for null session
>> }
>> // use session for specific user's request
>>
>> which is the issue I'm having integrating Shiro :( An old use case would be shoppers adding items to the basket for the session. After some thought, he/she decides to buy them, which requires authentication. From that use case, I'm having issues with the first phase. Hence, I don't see any point trying to get an authentication realm (JDBC, ActiveDirectory and/or LDAP) working, which I'm more familiar with than coding for valid Java sessions unfortunately.
>>
>> Thanks,
>> Tommy
>>
>> On Tue, Mar 3, 2020 at 1:05 PM Brian Demers <[email protected]> wrote:
>>
>>> It looks like there are a few layers of code left over from your real application, logging, extra filter chain logic, etc.
>>> And it looks like it's configured for only anon access?
>>>
>>> My suggestion would be to start with something like this example: https://github.com/apache/shiro/tree/master/samples/servlet-plugin
>>> or this: https://github.com/apache/shiro/tree/master/samples/web
>>>
>>> Then add a custom servlet, filter, etc. (depending on your container, you could do this via a web.xml, annotations, programmatically, etc)
>>>
>>> On Tue, Mar 3, 2020 at 3:39 PM Tommy Pham <[email protected]> wrote:
>>>
>>>> Hi Brian,
>>>>
>>>> Per your request: https://github.com/tommyhp2/ajs
>>>>
>>>> This is another project (web mail and control panel for Apache James Server) I've been wanting to work on. Since its purpose is a lot simpler than my current main project, the back end mechanisms are simpler. The session ID issue still persists:
>>>>
>>>> Request -> access log Filter -> security Filter (block or get valid session) -> other filters -> mapped servlet (use session)
>>>>
>>>> The session ID is regenerated for subsequent page loads :(
>>>>
>>>> Thanks,
>>>> Tommy
>>>>
>>>> On Tue, Mar 3, 2020 at 6:05 AM Brian Demers <[email protected]> wrote:
>>>>
>>>>> Can you put together a minimal example app that shows the problem you are having and stick it on GitHub (or similar)?
>>>>>
>>>>> -Brian
>>>>>
>>>>> On Mar 3, 2020, at 4:29 AM, Tommy Pham <[email protected]> wrote:
>>>>>
>>>>> Hi Brian,
>>>>>
>>>>> I apologize for the confusion. Previously, I had to set the SecurityManager via SecurityUtils because of the exception. Now I don't need to. When I last sent the email, the Shiro session was working fine w/o setting the SecurityManager and the session ID didn't change on subsequent page reload. After a system restart, unfortunately, I now have the session ID changing again w/o setting the SecurityManager. As for Filter execution order, it's working how I'd like per the logs even though the Shiro Filter is loaded first in the FilterRegistration:
>>>>>
>>>>> https://pastebin.com/ZD5Sx1i3
>>>>>
>>>>> My security filter started a valid session and my mapped servlet eventually retrieves that session w/o creation as seen in the above logs. However, subsequent page reloads now generate a different ID :(... I did have a look at Shiro's FilterChain definitions:
>>>>>
>>>>> https://shiro.apache.org/web.html#Web-FilterChainDefinitions
>>>>>
>>>>> From the looks of it, it doesn't have the flexibility of mapping to URLs and/or Servlets with different DispatcherTypes at load time like how I'd be able to via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). My custom filter loader and filter chain allow that flexibility at load time while guaranteeing the load order. Currently, all of my filters have only the necessary code to verify application (non-blocking) flow as desired. None of them have behind-the-scenes mechanisms yet.
>>>>>
>>>>> Also, I'm setting some preferred default values on SessionCookieConfig before loading the listeners. Would that interfere with Shiro's session/cookie management?
>>>>>
>>>>> This is the load order in the ServletContainerInitializer.onStartup():
>>>>>
>>>>> 1. Set SessionCookieConfig preferred default values
>>>>> 2. Load listeners
>>>>> 3. Map static files path (CSS, JS, images) to the default servlet
>>>>> 4. Load the servlets
>>>>> 5. Load the Shiro Filter first
>>>>>    1. Load other filters
>>>>> 6. Configure Thymeleaf
>>>>>
>>>>> Thanks,
>>>>> Tommy
>>>>>
>>>>> On Mon, Mar 2, 2020 at 5:52 PM Brian Demers <[email protected]> wrote:
>>>>>
>>>>>> Let's take a step back, what are you trying to do with the SecurityManager?
>>>>>> Sorry but I still feel like this thread is bouncing between two options. (This could just be me though) Let's just consider the "working" Shiro.ini for now.
>>>>>>
>>>>>> Is the ShiroFilter getting processed before your code?
>>>>>>
>>>>>> -Brian
>>>>>>
>>>>>> On Mar 2, 2020, at 7:50 PM, Tommy Pham <[email protected]> wrote:
>>>>>>
>>>>>> Hi Alessio,
>>>>>>
>>>>>> I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup(). Loading the filter(s) this way does not guarantee ordering as loaded, from my testing of various approaches (web.xml, annotations, and, preferably, programmatically). I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:
>>>>>>
>>>>>> .onStartup:303 - -------- Filter Registrations ------------------------------
>>>>>> .lambda$onStartup$12:307 - Filter name: log4jServletFilter
>>>>>> .lambda$onStartup$12:308 - Registered class: org.apache.logging.log4j.web.Log4jServletFilter
>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>> .lambda$onStartup$10:317 - /*
>>>>>> .lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
>>>>>> .lambda$onStartup$12:308 - Registered class: org.apache.tomcat.websocket.server.WsFilter
>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>> .lambda$onStartup$10:317 - /*
>>>>>> .lambda$onStartup$12:307 - Filter name: AppFilterLoader
>>>>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.AppFilterLoader
>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>> .lambda$onStartup$10:317 - /*
>>>>>> .lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
>>>>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.FilterDefaultJsp
>>>>>> .lambda$onStartup$12:311 - Servlet mapping(s):
>>>>>> .lambda$onStartup$9:312 - default
>>>>>> .lambda$onStartup$9:312 - jsp
>>>>>> .lambda$onStartup$12:307 - Filter name: TestFilterSecure
>>>>>> .lambda$onStartup$12:308 - Registered class: com.domain.web.TestFilterSecure
>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>> .lambda$onStartup$10:317 - /secure/*
>>>>>> .lambda$onStartup$12:307 - Filter name: ShiroFilter
>>>>>> .lambda$onStartup$12:308 - Registered class: org.apache.shiro.web.servlet.ShiroFilter
>>>>>> .lambda$onStartup$12:316 - URL pattern mapping(s):
>>>>>> .lambda$onStartup$10:317 - /*
>>>>>> .onStartup:325 - ------------------------------------------------------------
>>>>>>
>>>>>> I've tried loading the Shiro Filter with my custom loader but it failed because of an invalid FilterChain type. Oddly enough, if I have the Shiro Filter loaded first, it works fine. I need to further test why this is and if it's consistent across web container restarts. I was hoping to have Filters executing in this order:
>>>>>>
>>>>>> logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.
>>>>>>
>>>>>> since I don't have the desire to waste system resources to start a session when the request is blocked. But as long as I can get Shiro working, I can work with it for now.
>>>>>>
>>>>>> Thanks,
>>>>>> Tommy
>>>>>>
>>>>>> On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[email protected]> wrote:
>>>>>>
>>>>>>> To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.
>>>>>>>
>>>>>>> On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Brian,
>>>>>>>>
>>>>>>>> I'm still having issues getting a valid session when specifying the SecurityManager via SecurityUtils. If I omit that, I get exceptions. After some more troubleshooting, I've added some fake test accounts from the official tutorial and set the TRACE log level for org.apache.shiro. Below is the log:
>>>>>>>>
>>>>>>>> 02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
>>>>>>>> 02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified. Trying default config locations.
>>>>>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
>>>>>>>> 02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
>>>>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
>>>>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
>>>>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
>>>>>>>> 02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
>>>>>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
>>>>>>>> 02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
>>>>>>>> 02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
>>>>>>>> 02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'. Using for configuration.
>>>>>>>> 02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>>>>>>> 02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty. Defaulting to the default section (name = "")
>>>>>>>> 02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>>>>>>> 02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section. Processing...
>>>>>>>> 02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section. Processing...
>>>>>>>> 02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
>>>>>>>> 02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
>>>>>>>> 02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
>>>>>>>> 02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
>>>>>>>> 02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
>>>>>>>> 02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
>>>>>>>> 02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
>>>>>>>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
>>>>>>>> 02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - ThreadContext.getResources(): true 0
>>>>>>>> 02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>>>>>> 02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
>>>>>>>>
>>>>>>>> It seems that the resources are empty when I don't set the SecurityManager in SecurityUtils. Thus, from what I could tell from the code, the SecurityUtils.getSecurityManager() would fail since the resources map is empty, and the cascade failure of getting a session. I haven't been able to track down how the resources in ThreadContext are set yet :(
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Tommy
>>>>>>>>
>>>>>>>> On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I'm not sure I'm following Tommy. You have a few different messages, the one mentioning your shiro.ini
>>>>>>>>>
>>>>>>>>> > when the shiro.ini is indeed in /WEB-INF/
>>>>>>>>>
>>>>>>>>> implies that you have fixed the original issue? But I'm guessing you are still running into issues?
>>>>>>>>>
>>>>>>>>> On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> I've added some debug logging to troubleshoot the session cookie:
>>>>>>>>>>
>>>>>>>>>> https://imgur.com/a/vaTZrxP
>>>>>>>>>>
>>>>>>>>>> And this is Shiro's generated session ID: 1984c09f-ee77-461a-96f2-cb3d4cbac8eb
>>>>>>>>>>
>>>>>>>>>> On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> According to this: https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
>>>>>>>>>>>
>>>>>>>>>>> Should I see a cookie for Shiro's session based upon my minimalist configuration? I only see a cookie for the JSESSIONID.
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I've also tried:
>>>>>>>>>>>>
>>>>>>>>>>>> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>>>>>>>>>> SecurityManager securityManager = factory.getInstance();
>>>>>>>>>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>>>>>>>>>
>>>>>>>>>>>> and received this:
>>>>>>>>>>>>
>>>>>>>>>>>> org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
>>>>>>>>>>>> org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
>>>>>>>>>>>> org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
>>>>>>>>>>>> org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
>>>>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
>>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>>>>>
>>>>>>>>>>>> when the shiro.ini is indeed in /WEB-INF/. The log shows that the listener initialized successfully:
>>>>>>>>>>>>
>>>>>>>>>>>> 01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
>>>>>>>>>>>> 01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.
>>>>>>>>>>>>
>>>>>>>>>>>> Does it matter if configuring both listener and filter in web.xml or via a class implementing ServletContainerInitializer.onStartup()?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Tommy
>>>>>>>>>>>>
>>>>>>>>>>>> On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Yes. If I omit setting the SecurityManager in the code per the official guide/documentation, I get this exception:
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>>>>>>>>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>>>>>>>>>>>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
>>>>>>>>>>>>> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
>>>>>>>>>>>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
>>>>>>>>>>>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
>>>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>>>> com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
>>>>>>>>>>>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
>>>>>>>>>>>>> com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
>>>>>>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Are you creating a new security manager for each request?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm not sure how you are using this logic, but you should let Shiro do all of this for you (via the ShiroFilter).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -Brian
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> > On Mar 1, 2020, at 2:43 PM, tommyhp2 <[email protected]> wrote:
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>> > Hi Brian,
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>> > Thanks for the prompt feedback. Here's the code I used to check for the session:
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>> > https://pastebin.com/F5SMmLpq
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>> > The shiro.ini is very basic and minimal:
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>> > [main]
>>>>>>>>>>>>>> > [users]
>>>>>>>>>>>>>> > [roles]
>>>>>>>>>>>>>> > [urls]
>>>>>>>>>>>>>> > /** = anon
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>> > Most of the content (99%) in shiro.ini is comments and examples as notes for future implementation of authentication and authorization.
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>> > --
>>>>>>>>>>>>>> > Sent from: http://shiro-user.582556.n2.nabble.com/
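A shiro.ini fragment, added here as an example (not taken from the thread or from the Shiro project), for the "default properties for the majority of the cookies" question in the latest message: DefaultWebSessionManager exposes its session-id cookie template as the `sessionIdCookie` property (a SimpleCookie), which is independent of the container's SessionCookieConfig printed in the debug lines above. The cookie name SHIROSESSIONID and the timeout value are assumptions chosen for illustration.

```ini
[main]
# Added example, not the thread's own shiro.ini.
# Native Shiro sessions are tracked by a cookie that Shiro writes itself through
# this template; the servlet container's SessionCookieConfig only affects the
# container's HttpSession cookie, so the two must be configured separately.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Default template (what you get without this section):
#   name = JSESSIONID  -> same name as the container cookie, so the browser shows
#                         only one JSESSIONID and the two can overwrite each other
#   httpOnly = true, secure = false, path = request context path, maxAge = -1
# Hardened template: distinct name, Secure + HttpOnly, browser-session lifetime.
sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name = SHIROSESSIONID
sessionIdCookie.httpOnly = true
sessionIdCookie.secure = true
# -1 = no Max-Age/Expires, the browser drops the id when it closes;
# a positive value is a lifetime in seconds.
sessionIdCookie.maxAge = -1
# path is left unset: SimpleCookie then scopes the cookie to the request's context
# path, so /ajs/ and /myApp/ each get their own cookie and session.
sessionManager.sessionIdCookie = $sessionIdCookie
sessionManager.sessionIdCookieEnabled = true
# Do not fall back to ;JSESSIONID=... URL rewriting, which leaks ids into logs
# and Referer headers.
sessionManager.sessionIdUrlRewritingEnabled = false
# Server-side idle timeout in milliseconds (30 minutes); sessions live in memory
# unless a SessionDAO is configured.
sessionManager.globalSessionTimeout = 1800000

[urls]
/** = anon
```

With this in place the cookie properties the thread deduces (maxAge, httpOnly, secure) are set once on the template and apply to every session-id cookie Shiro issues; a cookie written by hand with `new SimpleCookie(name)` plus `saveTo(request, response)` is a separate object and carries only the attributes set on it.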
