Hi David! Can you try making sure session rewriting is disabled:

securityManager.sessionManager.sessionIdUrlRewritingEnabled
https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29

This could also be happening from your servlet container (but my guess is the above will fix your issue).

Let us know!

On Thu, Apr 8, 2021 at 10:39 AM David Stutzman <[email protected]> wrote:

> I went back and took another look at this and turned on trace logging
> and figured out the InvalidRequestFilter is tripping, specifically on a
> semicolon in the URL. That filter was added in 1.6.0 hence that's the
> first version we see the issue.
>
> So now the part I'm not sure about is how/why the URL is being modified
> after logout. If I click the login button the URL in the browser is:
> https://localhost:8443/app/login.xhtml;jsessionid=<snip> and, as
> advertised by the IRF, I get a 400 response code.
>
> The logout process is done through a servlet with the following
> implementation:
> protected void processRequest(HttpServletRequest request,
>         HttpServletResponse response) throws ServletException, IOException {
>     SecurityUtils.getSubject().logout();
>     request.getSession().invalidate();
>     response.sendRedirect(request.getServletContext().getContextPath());
> }
>
> And it is on the index page that things start to break. There's a
> single image that doesn't load due to the request url having the
> jsessionid appended and that gets a 400 response and if I click the
> "Log In" button and it goes to that url (with the appended jsessionid),
> I get the main error that results in a blank page with just "Invalid
> request".
>
> So am I doing something wrong in my logout logic or is this a Shiro issue?
>
> Thanks!
>
> On 12/17/2020 9:55 AM, Francois Papon wrote:
> > Ok thanks, we will take a look.
> >
> > regards,
> >
> > François
> > [email protected]
>
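For the servlet-container side mentioned in the reply above, an added example (not part of the original thread or of the Shiro project): a Servlet 3.0+ `web.xml` fragment that restricts container session tracking to cookies, so the container stops appending `;jsessionid=` to encoded URLs. It assumes the application ships a standard `WEB-INF/web.xml` and is served only over HTTPS, as the `https://localhost:8443` URL in the thread suggests.

```xml
<!-- WEB-INF/web.xml (Servlet 3.0 or later); added example, not from the thread -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <!-- Assumption: HTTPS-only deployment. Drop <secure> if plain HTTP must work. -->
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <!-- Track the container session through the cookie only. With URL tracking
         off, HttpServletResponse.encodeURL() returns links unchanged instead of
         adding ";jsessionid=..." when a fresh session exists and the browser
         has not yet sent its cookie back (for example right after a logout
         that invalidated the previous session). -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

Keeping the session ID out of URLs also keeps it out of access logs, browser history and `Referer` headers.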
