Shiro Session Management

Shiro Session Management

tommyhp2
Hello everyone,

I have a simple setup of Shiro.  I have both the Listener and Filter set up per the
manual <http://shiro.apache.org/web.html#Web-%7B%7Bweb.xml%7D%7D>.  My
shiro.ini is very basic since I'm testing the session management only:



But every time I reload the page, Shiro's session ID changes.  This is my
code to check:



Thanks,
Tommy



--
Sent from: http://shiro-user.582556.n2.nabble.com/
Re: Shiro Session Management

Brian Demers
Looks like the code was filtered out of the message? Can you try again or link to a gist?

-Brian

> On Mar 1, 2020, at 12:27 PM, tommyhp2 <[hidden email]> wrote:
Re: Shiro Session Management

tommyhp2
Hi Brian,

Thanks for the prompt feedback.  Here's the code I used to check for the
session:

https://pastebin.com/F5SMmLpq

The shiro.ini is very basic and minimal:

[main]
[users]
[roles]
[urls]
/** = anon

Most of the content (99%) in shiro.ini is comments and examples, kept as notes
for future implementation of authentication and authorization.



Re: Shiro Session Management

Brian Demers
Are you creating a new security manager for each request?


I’m not sure how you are using this logic, but you should let Shiro do all of this for you (via the ShiroFilter).

-Brian

> On Mar 1, 2020, at 2:43 PM, tommyhp2 <[hidden email]> wrote:
Re: Shiro Session Management

tommyhp2
Yes. If I omit setting the SecurityManager in the code per the official guide/documentation, I get this exception:

org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
    org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
    org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
    org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
    com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
    com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
    com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
    com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
    com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
    com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
    org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)


On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[hidden email]> wrote:
Re: Shiro Session Management

tommyhp2
I've also tried:

Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);


and received this:

org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
	org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
	org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
	org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
	com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
	com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
	com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
	com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
	com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
	com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
	org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
when the shiro.ini is indeed in /WEB-INF/.  The log shows that the listener initialized successfully:

01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.

Does it matter whether the listener and filter are configured in web.xml or via a class implementing ServletContainerInitializer.onStartup()?

Thanks,
Tommy

On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[hidden email]> wrote:
Re: Shiro Session Management

tommyhp2
According to this: https://shiro.apache.org/web.html#Web-SessionCookieConfiguration

Should I see a cookie for Shiro's session based upon my minimalist configuration?  I only see a cookie for the JSESSIONID.

On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[hidden email]> wrote:
Re: Shiro Session Management

tommyhp2
I've added some debug logging to troubleshoot the session cookie:

https://imgur.com/a/vaTZrxP  

And this is Shiro's generated session ID:  1984c09f-ee77-461a-96f2-cb3d4cbac8eb

On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[hidden email]> wrote:
Re: Shiro Session Management

Brian Demers
I'm not sure I'm following, Tommy.  You have a few different messages; the one mentioning your shiro.ini

when the shiro.ini is indeed in /WEB-INF/

implies that you have fixed the original issue?  But I'm guessing you are still running into issues?


On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[hidden email]> wrote:
Re: Shiro Session Management

anasmughal

I ran into a similar issue when I initially set up Shiro in my web application. Every request was having a different session and I could not track the logged-in user. 

I added the following code to my generic before handler:


before((request, response) -> {
    org.apache.shiro.mgt.SecurityManager sm = SecurityUtils.getSecurityManager();
    // Build a Subject for this request and bind it to the current thread so that
    // SecurityUtils.getSubject() works inside the route handlers.
    final Subject currentUser = new WebSubject.Builder(sm, request.raw(), response.raw()).buildSubject();
    ThreadContext.bind(currentUser);
});



I am using SparkJava (http://sparkjava.com/) and this has worked well for me.

I hope this helps you.

--
Anas Mughal






On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[hidden email]> wrote:

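The SparkJava setup above, carried through as an added example that is not Anas's code or Shiro project code: it assumes Spark 2.6 or later (for afterAfter), a shiro.ini on the classpath, and a hypothetical /whoami route. It builds the SecurityManager once at startup, binds a WebSubject per request and, unlike the snippet above, unbinds it again so a pooled request thread cannot hand one request's Subject to the next.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.config.WebIniSecurityManagerFactory;
import org.apache.shiro.web.subject.WebSubject;

import static spark.Spark.afterAfter;
import static spark.Spark.before;
import static spark.Spark.get;

// Added example (hypothetical class name), not code from the thread or from Shiro.
public class ShiroSparkApp {

    public static void main(String[] args) {
        // Build the SecurityManager exactly once. It owns the session manager and the
        // session store; a SecurityManager built per request starts with an empty
        // store, does not recognise the id the browser sends back, and therefore hands
        // out a new session on every reload (the symptom reported in this thread).
        // Assumption: shiro.ini is on the classpath (Spark has no /WEB-INF).
        SecurityManager sm = new WebIniSecurityManagerFactory(
                Ini.fromResourcePath("classpath:shiro.ini")).getInstance();
        SecurityUtils.setSecurityManager(sm);

        // Per request: wrap the raw servlet request/response in a WebSubject and bind
        // it to the worker thread. This is what ShiroFilter does for you in a servlet
        // container; Spark has no ShiroFilter, so it is done in a before-filter.
        before((request, response) -> {
            Subject subject = new WebSubject.Builder(sm, request.raw(), response.raw())
                    .buildSubject();
            ThreadContext.bind(subject);
        });

        // Always unbind when the request is finished, including after an exception.
        // Jetty reuses worker threads; a Subject left in ThreadContext would be visible
        // to the next request served by the same thread, i.e. another client could
        // inherit this user's identity and session.
        afterAfter((request, response) -> ThreadContext.remove());

        get("/whoami", (request, response) -> {
            Subject subject = SecurityUtils.getSubject();   // resolved via ThreadContext
            // Same id on every reload: the session store is shared across requests.
            return "session=" + subject.getSession().getId()
                 + " principal=" + subject.getPrincipal();
        });
    }
}
```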
Re: Shiro Session Management

tommyhp2
In reply to this post by Brian Demers
Hi Brian,

I'm still having issues getting a valid session when specifying the SecurityManager via SecurityUtils.  If I omit that, I get exceptions.  After some more troubleshooting, I've added some fake test accounts from the official tutorial and set the log level for org.apache.shiro to TRACE.  Below is the log:

02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified.  Trying default config locations.
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'.  Using for configuration.
02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty.  Defaulting to the default section (name = "")
02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section.  Processing...
02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section.  Processing...
02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]


It seems that the resources are empty when I don't set the SecurityManager in SecurityUtils.  Thus, from what I could tell from the code, SecurityUtils.getSecurityManager() would fail since the resources map is empty, causing the cascading failure of getting a session.  I haven't been able to track down how the resources in ThreadContext are set yet :(

Thanks,
Tommy


On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[hidden email]> wrote:
I'm not sure I'm following, Tommy.  You have a few different messages; the one mentioning your shiro.ini

when the shiro.ini is indeed in /WEB-INF/

implies that you have fixed the original issue?  But I'm guessing you are still running into issues?



Re: Shiro Session Management

tommyhp2
In reply to this post by anasmughal
Hi Anas,

Thanks for the feedback.  Did you set a SecurityManager via SecurityUtils?  If you didn't, then I don't think the code you've provided would work for me. From my own troubleshooting, SecurityUtils.getSecurityManager() failed when I didn't set it beforehand.

Thanks,
Tommy

On Mon, Mar 2, 2020 at 8:39 AM Anas Mughal <[hidden email]> wrote:

I ran into a similar issue when I initially set up Shiro in my web application. Every request was having a different session and I could not track the logged-in user. 

I added the following code to my generic before handler:


import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.subject.WebSubject;
import static spark.Spark.after;
import static spark.Spark.before;

before((request, response) -> {
    // SecurityManager already created by Shiro from the application's configuration
    org.apache.shiro.mgt.SecurityManager sm = SecurityUtils.getSecurityManager();
    // Build a web-aware Subject for this request/response pair
    final Subject currentUser = new WebSubject.Builder(sm, request.raw(), response.raw()).buildSubject();
    // Bind it to the current thread so SecurityUtils.getSubject() works in later handlers
    ThreadContext.bind(currentUser);
});

// Clear the thread binding once the request is done, so a pooled thread does not
// carry this Subject into the next request it serves
after((request, response) -> ThreadContext.remove());



I am using SparkJava (http://sparkjava.com/) and this has worked well for me.

I hope this helps you.

--
Anas Mughal







Re: Shiro Session Management

anasmughal
No, I am not setting it beforehand in my code. I just checked. (Sorry, I did this so long ago. I barely remember the details.)

I believe it is being set using my shiro.ini file. 



[main]
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher

DBRealm = com.example.webapp.security.shiro.database.ShiroDatabaseRealm

FacebookRealm = com.example.webapp.security.shiro.facebook.ShiroFacebookRealm
FBCredentialMatcher = com.example.webapp.security.shiro.facebook.FacebookCredentialsMatcher
FacebookRealm.credentialsMatcher = $FBCredentialMatcher

securityManager.realms = $DBRealm, $FacebookRealm






On Mon, Mar 2, 2020 at 2:43 PM Tommy Pham <[hidden email]> wrote:
Hi Anas,

Thanks for the feedback.  Did you set a SecurityManager via SecurityUtils?  If you didn't, then I don't think the code you've provided would work for me. From my own troubleshooting, SecurityUtils.getSecurityManager() failed when I didn't set it beforehand.

Thanks,
Tommy


Re: Shiro Session Management

Alessio Stalla-2
In reply to this post by tommyhp2
To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.

On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[hidden email]> wrote:
Hi Brian,

I'm still having issues getting a valid session when specifying SecurityManager via SecurityUtils.  If I omit that, I get exceptions.   After some more troubleshooting, I've added some fake test accounts from the official tutorial and set TRACE log level to org.apache.shiro.  Below is the log:

02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified.  Trying default config locations.
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'.  Using for configuration.
02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty.  Defaulting to the default section (name = "")
02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section.  Processing...
02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section.  Processing...
02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]


It seems that the resources are empty when I don't set the SecurityManager in SecurityUtils.  Thus, from what I could tell from the code, SecurityUtils.getSecurityManager() would fail since the resources map is empty, and that cascades into the failure to get a session.  I haven't been able to track down how the resources in ThreadContext are set yet :(

Thanks,
Tommy



Re: Shiro Session Management

tommyhp2
Hi Alessio,

I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  Loading the filter(s) this way does not guarantee ordering, as seen from my testing of various approaches (web.xml, annotations, and, preferably, programmatically).  I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:

-----------------------------
.onStartup:303 - -------- Filter Registrations ------------------------------
.lambda$onStartup$12:307 - Filter name: log4jServletFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.logging.log4j.web.Log4jServletFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
.lambda$onStartup$12:308 -     Registered class: org.apache.tomcat.websocket.server.WsFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: AppFilterLoader
.lambda$onStartup$12:308 -     Registered class: com.domain.web.AppFilterLoader
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
.lambda$onStartup$12:308 -     Registered class: com.domain.web.FilterDefaultJsp
.lambda$onStartup$12:311 -     Servlet mapping(s):
.lambda$onStartup$9:312 -              default
.lambda$onStartup$9:312 -              jsp
.lambda$onStartup$12:307 - Filter name: TestFilterSecure
.lambda$onStartup$12:308 -     Registered class: com.domain.web.TestFilterSecure
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /secure/*
.lambda$onStartup$12:307 - Filter name: ShiroFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.shiro.web.servlet.ShiroFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.onStartup:325 - ------------------------------------------------------------
-----------------------------------------------------------

I've tried loading the Shiro Filter via my custom loader, but it failed because of an invalid FilterChain type.  Oddly enough, if I have the Shiro Filter loaded first, it works fine.  I need to further test why this is and whether it's consistent across web container restarts.  I was hoping to have Filters executing in this order:

logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.

since I don't want to waste system resources starting a session when the request is blocked.  But as long as I can get Shiro working, I can work with it for now.

Thanks,
Tommy
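
One way to get the filter order Tommy describes and to check the thread binding Alessio refers to, as an added example that is not part of any post in this thread: a ServletContainerInitializer registers ShiroFilter with isMatchAfter=false so its mapping precedes every declared filter, and a nested check filter fails loudly if ShiroFilter has not bound a SecurityManager to the thread. It assumes the Servlet 3.x javax.servlet API (as on the thread's Tomcat), that the initializer is registered through the usual META-INF/services entry, and the hypothetical package com.example.shirocheck; ShiroBootstrap and SessionCheckFilter are names chosen for the example.

```java
package com.example.shirocheck; // hypothetical package, not from the thread

import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

/** Registers Shiro programmatically and pins ShiroFilter ahead of every other filter. */
public class ShiroBootstrap implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx) {
        // The listener builds the WebEnvironment; with no init-params it reads
        // /WEB-INF/shiro.ini, exactly as the TRACE log in this thread shows.
        ctx.addListener(EnvironmentLoaderListener.class);

        // isMatchAfter = false: this mapping is matched BEFORE any mapping declared in
        // web.xml or via annotations, so ShiroFilter wraps the rest of the chain and
        // binds the SecurityManager and Subject to the thread before the others run.
        FilterRegistration.Dynamic shiro = ctx.addFilter("ShiroFilter", ShiroFilter.class);
        shiro.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD,
                           DispatcherType.INCLUDE, DispatcherType.ERROR),
                false, "/*");

        // isMatchAfter = true: matched AFTER the declared mappings, i.e. inside
        // ShiroFilter's chain, so SecurityUtils.getSubject() is safe to call there.
        FilterRegistration.Dynamic check =
                ctx.addFilter("SessionCheckFilter", SessionCheckFilter.class);
        check.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");
    }

    /** Diagnostic filter: proves the thread binding exists and records the session id. */
    public static class SessionCheckFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) { /* nothing to configure */ }

        @Override
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            // If ShiroFilter has not yet run on this thread, ThreadContext holds no
            // SecurityManager and SecurityUtils.getSubject() would throw the
            // UnavailableSecurityManagerException quoted earlier in the thread.
            // Failing here turns a wrong filter order into an immediate, visible error
            // instead of a per-request SecurityManager built from a second shiro.ini.
            if (ThreadContext.getSecurityManager() == null) {
                throw new ServletException(
                        "ShiroFilter has not wrapped this request; check filter ordering");
            }

            Subject subject = SecurityUtils.getSubject();
            Session session = subject.getSession(); // creates the session if none exists

            // With Shiro's default ServletContainerSessionManager this id is the
            // container's HttpSession id, i.e. the value carried by JSESSIONID, which is
            // why no separate Shiro cookie appears with the minimal shiro.ini.
            req.setAttribute("shiro.session.id", session.getId());

            chain.doFilter(req, resp);
        }

        @Override
        public void destroy() { /* nothing to release */ }
    }
}
```

A filter registered by a custom loader outside the container's chain (as Tommy's AppFilterLoader does) never passes through ShiroFilter, so the check above fails for it regardless of registration order.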

On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[hidden email]> wrote:
To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.

On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[hidden email]> wrote:
Hi Brian,

I'm still having issues getting a valid session when specifying SecurityManager via SecurityUtils.  If I omit that, I get exceptions.   After some more troubleshooting, I've added some fake test accounts from the official tutorial and set TRACE log level to org.apache.shiro.  Below is the log:

02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified.  Trying default config locations.
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'.  Using for configuration.
02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty.  Defaulting to the default section (name = "")
02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section.  Processing...
02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section.  Processing...
02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]


It seems that the resources are empty when I don't set the SecurityManager in SecurityUtils.  Thus, from what I could tell from the code, SecurityUtils.getSecurityManager() would fail since the resources map is empty, and getting a session then fails in cascade.  I haven't been able to track down how the resources in ThreadContext are set yet :(

Thanks,
Tommy


On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[hidden email]> wrote:
I'm not sure I'm following, Tommy.  You have a few different messages; the one mentioning your shiro.ini

when the shiro.ini is indeed in /WEB-INF/

implies that you have fixed the original issue?  But I'm guessing you are still running into issues?


On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[hidden email]> wrote:
I've added some debug logging to troubleshoot the session cookie:

https://imgur.com/a/vaTZrxP  

And this is the Shiro's generated session ID:  1984c09f-ee77-461a-96f2-cb3d4cbac8eb

On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[hidden email]> wrote:
According to this: https://shiro.apache.org/web.html#Web-SessionCookieConfiguration

Should I see a cookie for Shiro's session based upon my minimalist configuration?  I only see a cookie for the JSESSIONID.

On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[hidden email]> wrote:
I've also tried:

Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);


and received this:

org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
	org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
	org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
	org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
	com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
	com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
	com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
	com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
	com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
	com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
	org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
when the shiro.ini is indeed in /WEB-INF/.  The log shows that the listener initialized successfully:

01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.

Does it matter if configuring both listener and filter in web.xml or via a class implementing ServletContainerInitializer.onStartup()?

Thanks,
Tommy

On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[hidden email]> wrote:
Yes. If I omit setting the SecurityManager in the code per the official guide/documentation, I get this exception:

org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
    org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
    org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
    org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
    com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
    com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
    com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
    com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
    com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
    com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
    org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)


On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[hidden email]> wrote:
Are you creating a new security manager for each request?


I’m not sure how you are using this logic, but you should let Shiro do all of this for you (via the ShiroFilter).

-Brian

> On Mar 1, 2020, at 2:43 PM, tommyhp2 <[hidden email]> wrote:
>
> Hi Brian,
>
> Thanks for the prompt feedback.  Here's the code I used to check for the
> session:
>
> https://pastebin.com/F5SMmLpq
>
> The shiro.ini is very basic and minimal:
>
> [main]
> [users]
> [roles]
> [urls]
> /** = anon
>
> Most of the content (99%) in shiro.ini are comments and examples as notes
> for future implementation of authentication and authorization.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Shiro Session Management

Brian Demers
Let's take a step back: what are you trying to do with the SecurityManager?
Sorry, but I still feel like this thread is bouncing between two options. (This could just be me, though.) Let's just consider the "working" shiro.ini for now.

Is the ShiroFilter getting processed before your code?




-Brian

On Mar 2, 2020, at 7:50 PM, Tommy Pham <[hidden email]> wrote:


Hi Alessio,

I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  Loading the filter(s) this way does not guarantee ordering, as seen in my testing of the various approaches (web.xml, annotations, and, preferably, programmatically).  I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:

-----------------------------
.onStartup:303 - -------- Filter Registrations ------------------------------
.lambda$onStartup$12:307 - Filter name: log4jServletFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.logging.log4j.web.Log4jServletFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
.lambda$onStartup$12:308 -     Registered class: org.apache.tomcat.websocket.server.WsFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: AppFilterLoader
.lambda$onStartup$12:308 -     Registered class: com.domain.web.AppFilterLoader
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
.lambda$onStartup$12:308 -     Registered class: com.domain.web.FilterDefaultJsp
.lambda$onStartup$12:311 -     Servlet mapping(s):
.lambda$onStartup$9:312 -              default
.lambda$onStartup$9:312 -              jsp
.lambda$onStartup$12:307 - Filter name: TestFilterSecure
.lambda$onStartup$12:308 -     Registered class: com.domain.web.TestFilterSecure
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /secure/*
.lambda$onStartup$12:307 - Filter name: ShiroFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.shiro.web.servlet.ShiroFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.onStartup:325 - ------------------------------------------------------------
-----------------------------------------------------------

I've tried loading the Shiro Filter via my custom loader, but it failed because of an invalid FilterChain type.  Oddly enough, if I have the Shiro Filter loaded first, it works fine.  I need to further test why this is and whether it's consistent across web container restarts.  I was hoping to have filters executing in this order:

logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.

since I don't want to waste system resources starting a session when the request is blocked.  But as long as I can get Shiro working, I can work with it for now.

Thanks,
Tommy

On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[hidden email]> wrote:
To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.


Re: Shiro Session Management

fpapon
In reply to this post by tommyhp2
Hi,
Yes, it's better to have the ShiroFilter as the first Filter in the chain.

regards,
François
[hidden email]
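Pulling together Alessio's diagnosis (the app filter runs before ShiroFilter has bound anything to the thread), Brian's question about filter order and François's answer, here is an added example of my own, not code from the thread or from the Shiro project. It registers EnvironmentLoaderListener and ShiroFilter programmatically so that ShiroFilter is mapped ahead of an application filter, and the application filter checks for the thread-bound SecurityManager instead of calling SecurityUtils.setSecurityManager itself. Assumed, and not from the thread: the Servlet 3.0+ API (javax.servlet), shiro-web on the classpath, the hypothetical class names AppInitializer and SessionProbeFilter, and that the container keeps programmatic mappings registered with isMatchAfter=false in call order (Tomcat does; verify on yours). The listener reads /WEB-INF/shiro.ini by default, as the trace log in the thread shows.

```java
package com.example.web; // hypothetical package

import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

/** Hypothetical initializer: listed in META-INF/services/javax.servlet.ServletContainerInitializer. */
public class AppInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
        // 1. The listener builds the WebEnvironment (from /WEB-INF/shiro.ini by default) and
        //    publishes it as a ServletContext attribute; ShiroFilter.init() reads it from there.
        ctx.addListener(EnvironmentLoaderListener.class);

        // 2. ShiroFilter first. isMatchAfter=false puts the mapping ahead of any web.xml-declared
        //    mappings, and registering it before the app filter keeps it first among programmatic
        //    ones (assumption: container preserves registration order, as Tomcat does).
        FilterRegistration.Dynamic shiro = ctx.addFilter("ShiroFilter", ShiroFilter.class);
        shiro.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD,
                           DispatcherType.INCLUDE, DispatcherType.ERROR),
                false, "/*");

        // 3. Application filter second; it may now rely on SecurityUtils for the request thread.
        FilterRegistration.Dynamic probe = ctx.addFilter("SessionProbeFilter", SessionProbeFilter.class);
        probe.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }

    /** Hypothetical filter that inspects the Shiro session without creating one. */
    public static class SessionProbeFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // ShiroFilter binds the SecurityManager and a Subject to the current thread for the
            // duration of the request and unbinds them afterwards. Nothing bound here means this
            // filter ran before ShiroFilter, or ShiroFilter is not mapped to this URL: report the
            // misconfiguration instead of papering over it with SecurityUtils.setSecurityManager.
            if (ThreadContext.getSecurityManager() == null) {
                throw new ServletException("No SecurityManager bound to the request thread: "
                        + "ShiroFilter must run before " + getClass().getName());
            }
            Subject subject = SecurityUtils.getSubject();

            // getSession(false) returns the existing session or null and never creates one, so a
            // request that is about to be blocked does not allocate any session state.
            Session session = subject.getSession(false);
            if (session != null) {
                req.setAttribute("shiro.sessionId", session.getId());
            }
            chain.doFilter(req, res);
        }
    }
}
```

The "resources" map that the trace log shows as empty is exactly what ShiroFilter populates per request: SecurityUtils.getSubject() and getSecurityManager() only work in filters and servlets that run after ShiroFilter on the same thread, which is why putting ShiroFilter first in the chain fixes the UnavailableSecurityManagerException without any manual SecurityManager wiring.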
Le 03/03/2020 à 01:49, Tommy Pham a écrit :
Hi Alessio,

I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  Loading the filter(s) this way do not guaranteed ordering as loaded from my testing of various approaches (web.xml, annotations, and, preferably, programmatically).  I have my own filter loader and filter chain that guarantees the order for my filters which are not visible in the FilterRegistration:

-----------------------------
.onStartup:303 - -------- Filter Registrations ------------------------------
.lambda$onStartup$12:307 - Filter name: log4jServletFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.logging.log4j.web.Log4jServletFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
.lambda$onStartup$12:308 -     Registered class: org.apache.tomcat.websocket.server.WsFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: AppFilterLoader
.lambda$onStartup$12:308 -     Registered class: com.domain.web.AppFilterLoader
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
.lambda$onStartup$12:308 -     Registered class: com.domain.web.FilterDefaultJsp
.lambda$onStartup$12:311 -     Servlet mapping(s):
.lambda$onStartup$9:312 -              default
.lambda$onStartup$9:312 -              jsp
.lambda$onStartup$12:307 - Filter name: TestFilterSecure
.lambda$onStartup$12:308 -     Registered class: com.domain.web.TestFilterSecure
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /secure/*
.lambda$onStartup$12:307 - Filter name: ShiroFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.shiro.web.servlet.ShiroFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.onStartup:325 - ------------------------------------------------------------
-----------------------------------------------------------

  I've tried loading the Shiro Filter my custom loader but it failed because of invalid FilterChain type.  Oddly enough, if I have the Shiro Filter loaded first, it works fine.  I need to further test why this is and if it's consistent across web container restarts.  I was hoping to have Filters executing in this order:

logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.

since I have don't the desire to waste system resource to start a session when the request is blocked.  But as long as I can get Shiro working, I can work with it for now.

Thanks,
Tommy

On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[hidden email]> wrote:
To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.

On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[hidden email]> wrote:
Hi Brian,

I'm still having issues getting a valid session when specifying SecurityManager via SecurityUtils.  If I omit that, I get exceptions.   After some more troubleshooting, I've added some fake test accounts from the official tutorial and set TRACE log level to org.apache.shiro.  Below is the log:

02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified.  Trying default config locations.
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'.  Using for configuration.
02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty.  Defaulting to the default section (name = "")
02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section.  Processing...
02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section.  Processing...
02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]


It seems that the resources is empty when i don't set the SecurityManager in SecurityUtils.  Thus, from what I could tell from the code, the SecurityUtils.getSecurityManager() would fail since the resources map is empty and the cascade failure of getting a session.  I haven't been able to track down how the resources in ThreadContext is set yet :(

Thanks,
Tommy


On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[hidden email]> wrote:
I'm not sure I'm following Tommy.  You have a few different messages, the one mentioning your shiro.ini

when the shiro.ini is indeed in /WEB-INF/

implies that you have fixed the original issue?  by i'm guessing you are still running into issues?


On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[hidden email]> wrote:
I've added some debug logging to troubleshoot the session cookie:

https://imgur.com/a/vaTZrxP  

And this is the Shiro's generated session ID:  1984c09f-ee77-461a-96f2-cb3d4cbac8eb

On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[hidden email]> wrote:
According this: https://shiro.apache.org/web.html#Web-SessionCookieConfiguration

Should I see a cookie for Shiro's session based upon my minimalist configuration?  I only see cookie for the JSESSIONID.

On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[hidden email]> wrote:
I've also tried:

Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);


and received this:

org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
	org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
	org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
	org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
	com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
	com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
	com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
	com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
	com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
	com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
	org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
when the shiro.ini is indeed in /WEB-INF/.  The log shows that the listener initialized successfully:

01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.

Does it matter whether I configure both the listener and the filter in web.xml or via a class implementing ServletContainerInitializer.onStartup()?

Thanks,
Tommy

On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[hidden email]> wrote:
Yes. If I omit setting the SecurityManager in the code per the official guide/documentation, I get this exception:

org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
    org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
    org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
    org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
    com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
    com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
    com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
    com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
    com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
    com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
    org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)


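A note on the diagnosis above. This is editorial commentary and example code added to the archived thread; it is not anything posted by Tommy, Brian or Alessio, and not code from Apache Shiro. ShiroFilter is what populates ThreadContext: for each request it builds the WebSubject and runs the rest of the chain inside subject.execute(), which binds the Subject and its SecurityManager to the thread and unbinds them when the request completes. A filter that runs before ShiroFilter therefore sees an empty resources map (the `ThreadContext.getResources(): true 0` log line above), and the fix is filter ordering, not SecurityUtils.setSecurityManager(). Building a SecurityManager per request with IniSecurityManagerFactory is worse than the exception it silences: that factory produces a plain DefaultSecurityManager whose DefaultSessionManager keeps sessions in a fresh in-memory MemorySessionDAO, so every request gets a brand-new UUID session (the 1984c09f-... ID quoted in the thread has the JavaUuidSessionIdGenerator shape) and no cookie ever ties the next request back to it. The filter below assumes the hypothetical package com.example.shiro and a ShiroFilter mapped ahead of it; it shows the check a downstream security filter should make and fails closed when it has been misordered:

```java
// Added example, not code from the thread or from Apache Shiro.
package com.example.shiro; // hypothetical package

import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/**
 * A downstream filter that relies on ShiroFilter having already bound the
 * Subject and SecurityManager to the current thread. It never constructs a
 * SecurityManager of its own and never calls SecurityUtils.setSecurityManager().
 */
public class ShiroStateProbeFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // ShiroFilter binds the SecurityManager and Subject to ThreadContext for the
        // duration of the request and clears them afterwards. If nothing is bound here,
        // this filter is running before ShiroFilter (or outside its chain entirely).
        SecurityManager bound = ThreadContext.getSecurityManager();
        if (bound == null) {
            Map<Object, Object> resources = ThreadContext.getResources();
            request.getServletContext().log(
                    "ShiroFilter has not run on this thread (ThreadContext resources="
                    + resources.size() + "); fix the filter ordering instead of calling "
                    + "SecurityUtils.setSecurityManager() here.");
            // Fail closed: a security filter must not let the request through
            // when it cannot see the Subject it is supposed to check.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "security filter misordered");
            return;
        }

        // This is the same Subject ShiroFilter created for the request. Touching the
        // session here does not create another SecurityManager, so the ID below is
        // stable across reloads as long as the client keeps sending its cookie.
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession(true);

        // With Shiro's default ServletContainerSessionManager this ID is the container's
        // JSESSIONID value; Shiro only issues a cookie of its own when the [main]
        // section switches to DefaultWebSessionManager (native sessions).
        request.setAttribute("shiro.sessionId", String.valueOf(session.getId()));

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

If this filter is ever reached with `ThreadContext.getSecurityManager()` returning null, the container is running it before ShiroFilter; the registration order, not the filter, is what needs to change.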
Re: Shiro Session Management

tommyhp2
In reply to this post by Brian Demers
Hi Brian,

I apologize for the confusion.  Previously, I had to set the SecurityManager via SecurityUtils because of the exception.  Now I don't need to.  When I last sent the email, the Shiro session was working fine w/o setting the SecurityManager, and the session ID didn't change on subsequent page reloads.  After a system restart, unfortunately, I now have the session ID changing again w/o setting the SecurityManager.  As for filter execution order, it's working how I'd like per the logs, even though the Shiro Filter is loaded first in the FilterRegistration:


My security filter started a valid session and my mapped servlet eventually retrieves that session w/o creating one, as seen in the above logs.  However, subsequent page reloads now generate a different ID :(...  I did have a look at Shiro's FilterChain definitions:


From the looks of it, it doesn't have the flexibility of mapping to URLs and/or servlets with different DispatcherTypes at load time the way I can via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  My custom filter loader and filter chain allow that flexibility at load time while guaranteeing the load order.  Currently, all of my filters have only the necessary code to verify the application (non-blocking) flow as desired.  None of them have behind-the-scenes mechanisms yet.

Also, I'm setting some preferred default values to SessionCookieConfig before loading the listeners.  Would that interfere with Shiro's session/cookie management?

This is the load order in the ServletContainerInitializer.onStartup():
  1. Set SessionCookieConfig preferred default values
  2. Load listeners
  3. Map static files path (CSS, JS, images) to the default servlet
  4. Load the servlets
  5. Load the Shiro Filter first
    1. Load other filters
  6. Configure Thymeleaf
Thanks,
Tommy


On Mon, Mar 2, 2020 at 5:52 PM Brian Demers <[hidden email]> wrote:
Let's take a step back; what are you trying to do with the SecurityManager?
Sorry, but I still feel like this thread is bouncing between two options. (This could just be me though.) Let's just consider the "working" shiro.ini for now.

Is the ShiroFilter getting processed before your code?




-Brian

On Mar 2, 2020, at 7:50 PM, Tommy Pham <[hidden email]> wrote:


Hi Alessio,

I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  Loading the filter(s) this way does not guarantee ordering, from my testing of various approaches (web.xml, annotations, and, preferably, programmatically).  I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:

-----------------------------
.onStartup:303 - -------- Filter Registrations ------------------------------
.lambda$onStartup$12:307 - Filter name: log4jServletFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.logging.log4j.web.Log4jServletFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
.lambda$onStartup$12:308 -     Registered class: org.apache.tomcat.websocket.server.WsFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: AppFilterLoader
.lambda$onStartup$12:308 -     Registered class: com.domain.web.AppFilterLoader
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
.lambda$onStartup$12:308 -     Registered class: com.domain.web.FilterDefaultJsp
.lambda$onStartup$12:311 -     Servlet mapping(s):
.lambda$onStartup$9:312 -              default
.lambda$onStartup$9:312 -              jsp
.lambda$onStartup$12:307 - Filter name: TestFilterSecure
.lambda$onStartup$12:308 -     Registered class: com.domain.web.TestFilterSecure
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /secure/*
.lambda$onStartup$12:307 - Filter name: ShiroFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.shiro.web.servlet.ShiroFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.onStartup:325 - ------------------------------------------------------------
-----------------------------------------------------------

I've tried loading the Shiro Filter via my custom loader but it failed because of an invalid FilterChain type.  Oddly enough, if I have the Shiro Filter loaded first, it works fine.  I need to further test why this is and whether it's consistent across web container restarts.  I was hoping to have filters executing in this order:

logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.

since I don't have the desire to waste system resources starting a session when the request is blocked.  But as long as I can get Shiro working, I can work with it for now.

Thanks,
Tommy

On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[hidden email]> wrote:
To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.

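The load order listed in the post above can be made deterministic with the Servlet 3 API alone, without a custom filter chain. The initializer below is an added example for this archive (not Tommy's code, and not part of Shiro); it assumes the hypothetical package com.example.shiro and TLS on the listener (for the Secure cookie flag). It illustrates two points from the discussion. First, FilterRegistration.Dynamic.addMappingForUrlPatterns(..., isMatchAfter=false, ...) places a mapping ahead of everything declared in web.xml or by annotation, which is the standard way to guarantee ShiroFilter runs first. Second, setting SessionCookieConfig before the listeners does not interfere with Shiro under its default ServletContainerSessionManager: that session manager delegates to the container's HttpSession, so the JSESSIONID cookie is the Shiro session cookie, which is why only one cookie is visible. Only with native sessions (sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager in [main]) does Shiro issue a cookie of its own, configured via sessionManager.sessionIdCookie.* in shiro.ini instead.

```java
// Added example, not code from the thread or from Apache Shiro.
package com.example.shiro; // hypothetical package

import java.util.EnumSet;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;

import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

/**
 * Registers Shiro programmatically so that ShiroFilter is guaranteed to run
 * before every application filter, regardless of how those are declared.
 */
public class ShiroFirstInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
        // 1. Container session cookie flags. Shiro's default
        //    ServletContainerSessionManager wraps the container HttpSession, so the
        //    JSESSIONID cookie configured here is the Shiro session cookie and these
        //    flags apply to it. Secure assumes the app is served over TLS.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);

        // 2. One SecurityManager for the whole application. EnvironmentLoaderListener
        //    builds it from shiro.ini at startup and publishes it as a ServletContext
        //    attribute; ShiroFilter looks it up from there. Nothing else should ever
        //    construct a SecurityManager per request.
        ctx.setInitParameter("shiroConfigLocations", "/WEB-INF/shiro.ini");
        ctx.addListener(EnvironmentLoaderListener.class);

        // 3. ShiroFilter first. isMatchAfter=false inserts this mapping before every
        //    mapping declared in web.xml or via @WebFilter, so ShiroFilter runs before
        //    any application filter and the Subject is already bound to the thread
        //    when downstream code calls SecurityUtils.getSubject(). The dispatcher
        //    types mirror the web.xml mapping recommended in Shiro's web docs.
        FilterRegistration.Dynamic shiro = ctx.addFilter("ShiroFilter", ShiroFilter.class);
        if (shiro == null) {
            // addFilter returns null when a filter with this name already exists,
            // e.g. a leftover <filter> in web.xml. Two registrations mean two
            // mappings and an ordering that depends on the container.
            throw new ServletException("ShiroFilter is already registered; remove the web.xml entry");
        }
        shiro.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD,
                           DispatcherType.INCLUDE, DispatcherType.ERROR),
                false, "/*");

        // 4. Application filters after Shiro. isMatchAfter=true appends the mapping,
        //    so it can never end up ahead of ShiroFilter. The class name is the one
        //    from the FilterRegistration dump in the thread and is assumed to be on
        //    the web application's classpath.
        FilterRegistration.Dynamic app =
                ctx.addFilter("AppFilterLoader", "com.domain.web.AppFilterLoader");
        if (app != null) {
            app.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");
        }
    }
}
```

For the container to pick the initializer up it has to live in a jar under WEB-INF/lib with a META-INF/services/javax.servlet.ServletContainerInitializer file naming the class; the `/** = anon` chain in `[urls]` continues to apply, so no request is blocked, but every request now passes through ShiroFilter before anything else sees it.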
Re: Shiro Session Management

Brian Demers
Can you put together a minimal example app that shows the problem you are having and stick it on GitHub (or similar)?

-Brian

On Mar 3, 2020, at 4:29 AM, Tommy Pham <[hidden email]> wrote:


Hi Brian,

I apologize for the confusion.  Previously, I had to set the SecurityManager via SecurityUtils because of the exception.  Now I don't need to.  When I last sent the email, the Shiro session was working fine w/o setting the SecurityManager and session ID doesn't change on subsequent page reload.  After a system restarts, unfortunately, I now have session ID changing again w/o setting SecurityManager.  As for Filter execution order, it's working how I'd like to per the logs even though the Shiro Filter is loaded first in the FilterRegistration:


My security filter started a valid session and my mapped servlet eventually retrieve that session w/o creation as seen in the above logs.  However, subsequent page reloads now generates a different ID :(...  I did have a look at Shiro's FilterChain definitions:


From the looks of it, it doesn't have the flexibility of mapping to URLs and/or Servlets with different DispatcherTypes at load time like how I'd be able to via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  My custom filter loader and filter chain allows that flexibility at load time while guarantees the load order.  Currently, all of my filters have only the necessary code to verify application (non-blocking) flow as desired.  None of them have behind scenes mechanisms yet.

Also, I'm setting some preferred default values to SessionCookieConfig before loading the listeners.  Would that interfere with Shiro's session/cookie management?

This is the load order in the ServletContainerInitializer.onStartup():
  1. Set SessionCookieConfig preferred default values
  2. Load listeners
  3. Map static files path (CSS, JS, images) to the default servlet
  4. Load the servlets
  5. Load the Shiro Filter first
    1. Load other filters
  6. Configure Thymeleaf
Thanks,
Tommy


On Mon, Mar 2, 2020 at 5:52 PM Brian Demers <[hidden email]> wrote:
Let’s take a step Barack, what are you trying to do with the SecurityManager?
Sorry but I still feel like this thread is bouncing between two option. (This could just be me though) Let’s just consider the “working” Shiro.ini for now. 

Is the ShiroFilter getting processed before your code?




-Brian

On Mar 2, 2020, at 7:50 PM, Tommy Pham <[hidden email]> wrote:


Hi Alessio,

I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  Loading the filter(s) this way do not guaranteed ordering as loaded from my testing of various approaches (web.xml, annotations, and, preferably, programmatically).  I have my own filter loader and filter chain that guarantees the order for my filters which are not visible in the FilterRegistration:

-----------------------------
.onStartup:303 - -------- Filter Registrations ------------------------------
.lambda$onStartup$12:307 - Filter name: log4jServletFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.logging.log4j.web.Log4jServletFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
.lambda$onStartup$12:308 -     Registered class: org.apache.tomcat.websocket.server.WsFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: AppFilterLoader
.lambda$onStartup$12:308 -     Registered class: com.domain.web.AppFilterLoader
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
.lambda$onStartup$12:308 -     Registered class: com.domain.web.FilterDefaultJsp
.lambda$onStartup$12:311 -     Servlet mapping(s):
.lambda$onStartup$9:312 -              default
.lambda$onStartup$9:312 -              jsp
.lambda$onStartup$12:307 - Filter name: TestFilterSecure
.lambda$onStartup$12:308 -     Registered class: com.domain.web.TestFilterSecure
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /secure/*
.lambda$onStartup$12:307 - Filter name: ShiroFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.shiro.web.servlet.ShiroFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.onStartup:325 - ------------------------------------------------------------
-----------------------------------------------------------

  I've tried loading the Shiro Filter my custom loader but it failed because of invalid FilterChain type.  Oddly enough, if I have the Shiro Filter loaded first, it works fine.  I need to further test why this is and if it's consistent across web container restarts.  I was hoping to have Filters executing in this order:

logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.

since I have don't the desire to waste system resource to start a session when the request is blocked.  But as long as I can get Shiro working, I can work with it for now.

Thanks,
Tommy

On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[hidden email]> wrote:
To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.

On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[hidden email]> wrote:
Hi Brian,

I'm still having issues getting a valid session when specifying SecurityManager via SecurityUtils.  If I omit that, I get exceptions.   After some more troubleshooting, I've added some fake test accounts from the official tutorial and set TRACE log level to org.apache.shiro.  Below is the log:

02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified.  Trying default config locations.
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'.  Using for configuration.
02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty.  Defaulting to the default section (name = "")
02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section.  Processing...
02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section.  Processing...
02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]


It seems that the resources is empty when i don't set the SecurityManager in SecurityUtils.  Thus, from what I could tell from the code, the SecurityUtils.getSecurityManager() would fail since the resources map is empty and the cascade failure of getting a session.  I haven't been able to track down how the resources in ThreadContext is set yet :(

Thanks,
Tommy


On Mon, Mar 2, 2020 at 7:59 AM Brian Demers <[hidden email]> wrote:
I'm not sure I'm following Tommy.  You have a few different messages, the one mentioning your shiro.ini

when the shiro.ini is indeed in /WEB-INF/

implies that you have fixed the original issue?  by i'm guessing you are still running into issues?


On Sun, Mar 1, 2020 at 9:17 PM Tommy Pham <[hidden email]> wrote:
I've added some debug logging to troubleshoot the session cookie:

https://imgur.com/a/vaTZrxP  

And this is the Shiro's generated session ID:  1984c09f-ee77-461a-96f2-cb3d4cbac8eb

On Sun, Mar 1, 2020 at 5:11 PM Tommy Pham <[hidden email]> wrote:
According this: https://shiro.apache.org/web.html#Web-SessionCookieConfiguration

Should I see a cookie for Shiro's session based upon my minimalist configuration?  I only see cookie for the JSESSIONID.

On Sun, Mar 1, 2020 at 2:22 PM Tommy Pham <[hidden email]> wrote:
I've also tried:

Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);


and received this:

org.apache.shiro.config.ConfigurationException: java.io.IOException: Resource [classpath:shiro.ini] could not be found.
	org.apache.shiro.config.Ini.loadFromPath(Ini.java:250)
	org.apache.shiro.config.Ini.fromResourcePath(Ini.java:233)
	org.apache.shiro.config.IniSecurityManagerFactory.<init>(IniSecurityManagerFactory.java:73)
	com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
	com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:153)
	com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
	com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
	com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
	com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
	org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
when the shiro.ini is indeed in /WEB-INF/.  The log shows that the listener initialized successfully:

01-Mar-2020 14:11:28.432 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:133 - Starting Shiro environment initialization.
01-Mar-2020 14:11:28.714 INFO [Catalina-utility-1] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 282 ms.

Does it matter whether both the listener and the filter are configured in web.xml or via a class implementing ServletContainerInitializer.onStartup()?

Thanks,
Tommy

On Sun, Mar 1, 2020 at 1:50 PM Tommy Pham <[hidden email]> wrote:
Yes. If I omit setting the SecurityManager in the code per the official guide/documentation, I get this exception:

org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
    org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
    org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626)
    org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56)
    com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225)
    com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149)
    com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
    com.sointe.security.FilterAccessLog.doFilter(FilterAccessLog.java:45)
    com.sointe.web.AppFilterChain.doFilter(AppFilterChain.java:66)
    com.sointe.web.AppFilterLoader.doFilter(AppFilterLoader.java:146)
    org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)


On Sun, Mar 1, 2020 at 12:59 PM Brian Demers <[hidden email]> wrote:
Are you creating a new security manager for each request?


I’m not sure how you are using this logic, but you should let Shiro do all of this for you (via the ShiroFilter).

-Brian

> On Mar 1, 2020, at 2:43 PM, tommyhp2 <[hidden email]> wrote:
>
> Hi Brian,
>
> Thanks for the prompt feedback.  Here's the code I used to check for the
> session:
>
> https://pastebin.com/F5SMmLpq
>
> The shiro.ini is very basic and minimal:
>
> [main]
> [users]
> [roles]
> [urls]
> /** = anon
>
> Most of the content (99%) in shiro.ini are comments and examples as notes
> for future implementation of authentication and authorization.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
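The UnavailableSecurityManagerException quoted above, and Brian's advice to let the ShiroFilter do the work, both come down to what the ShiroFilter binds to the request thread. The following is an added example, not code from the thread or from the Shiro project; it assumes only shiro-core on the classpath and uses a constructed in-memory INI in place of the poster's shiro.ini. It shows the exception when nothing is bound, the session being resumed when the request carries the existing session id, and a fresh id when it does not.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.UnavailableSecurityManagerException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

import java.io.Serializable;

// Added example: emulates per-request binding the way ShiroFilter does it,
// without a servlet container.
public class ThreadContextDemo {

    // Constructed INI, standing in for the minimal shiro.ini from the thread.
    private static final String INI = "[users]\nguest = guest, guest\n[roles]\nguest = *\n";

    static DefaultSecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.load(INI);
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = buildSecurityManager();

        // 1. Nothing bound to the thread and no static singleton set:
        //    this is the exception the poster saw from their own filter.
        try {
            SecurityUtils.getSubject();
        } catch (UnavailableSecurityManagerException e) {
            System.out.println("not bound yet: " + e.getMessage());
        }

        // 2. ShiroFilter binds the SecurityManager and a Subject to the thread
        //    for the duration of one request; emulate that here.
        ThreadContext.bind(sm);
        try {
            ThreadContext.bind(new Subject.Builder(sm).buildSubject());
            Serializable id = SecurityUtils.getSubject().getSession().getId();
            System.out.println("session created: " + id);
            ThreadContext.unbindSubject();

            // 3. Next request carrying the id (what ShiroFilter reads from the
            //    session cookie): the existing session is resolved, same id.
            ThreadContext.bind(new Subject.Builder(sm).sessionId(id).buildSubject());
            Session resumed = SecurityUtils.getSubject().getSession(false);
            System.out.println("same session: " + id.equals(resumed.getId()));
            ThreadContext.unbindSubject();

            // 4. Next request without the id (cookie not sent, or a Subject built
            //    before ShiroFilter ran): a new session, so the id changes. A
            //    session that is never resumed is also never validated, which is
            //    the security cost of the "new id on every reload" symptom.
            ThreadContext.bind(new Subject.Builder(sm).buildSubject());
            Serializable other = SecurityUtils.getSubject().getSession().getId();
            System.out.println("id changed: " + !id.equals(other));
        } finally {
            ThreadContext.remove(); // ShiroFilter clears the thread after each request
        }
    }
}
```

Building a new SecurityManager per request, as Brian asked about, gives step 3 a different in-memory session store each time and so behaves like step 4.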

Re: Shiro Session Management

tommyhp2
Hi Brian,


This is another project (web mail and control panel for Apache James Server) I've been wanting to work on.  Since its purpose is a lot simpler than my current main project, the back end mechanisms are simpler.  The session ID issue still persists:

Request -> access log Filter -> security Filter (block or get valid session) -> other filters -> mapped servlet (use session)

The session ID is regenerated for subsequent page loads :(

Thanks,
Tommy



On Tue, Mar 3, 2020 at 6:05 AM Brian Demers <[hidden email]> wrote:
Can you put together a minimal example app that shows the problem you are having and stick it on GitHub (or similar)?

-Brian

On Mar 3, 2020, at 4:29 AM, Tommy Pham <[hidden email]> wrote:


Hi Brian,

I apologize for the confusion.  Previously, I had to set the SecurityManager via SecurityUtils because of the exception.  Now I don't need to.  When I last sent the email, the Shiro session was working fine w/o setting the SecurityManager and the session ID didn't change on subsequent page reloads.  After a system restart, unfortunately, I now have the session ID changing again w/o setting the SecurityManager.  As for Filter execution order, it's working how I'd like per the logs, even though the Shiro Filter is loaded first in the FilterRegistration:


My security filter started a valid session and my mapped servlet eventually retrieves that session w/o creating a new one, as seen in the above logs.  However, subsequent page reloads now generate a different ID :(...  I did have a look at Shiro's FilterChain definitions:


From the looks of it, it doesn't have the flexibility of mapping to URLs and/or Servlets with different DispatcherTypes at load time like I'd be able to via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  My custom filter loader and filter chain allow that flexibility at load time while guaranteeing the load order.  Currently, all of my filters have only the necessary code to verify the application (non-blocking) flow as desired.  None of them have behind-the-scenes mechanisms yet.

Also, I'm setting some preferred default values to SessionCookieConfig before loading the listeners.  Would that interfere with Shiro's session/cookie management?

This is the load order in the ServletContainerInitializer.onStartup():
  1. Set SessionCookieConfig preferred default values
  2. Load listeners
  3. Map static files path (CSS, JS, images) to the default servlet
  4. Load the servlets
  5. Load the Shiro Filter first
    1. Load other filters
  6. Configure Thymeleaf

Thanks,
Tommy


On Mon, Mar 2, 2020 at 5:52 PM Brian Demers <[hidden email]> wrote:
Let’s take a step back, what are you trying to do with the SecurityManager?
Sorry but I still feel like this thread is bouncing between two options. (This could just be me though) Let’s just consider the “working” shiro.ini for now.

Is the ShiroFilter getting processed before your code?




-Brian

On Mar 2, 2020, at 7:50 PM, Tommy Pham <[hidden email]> wrote:


Hi Alessio,

I'm loading the Shiro Filter via FilterRegistration in a class implementing ServletContainerInitializer.onStartup().  Loading the filter(s) this way does not guarantee ordering as loaded, based on my testing of various approaches (web.xml, annotations, and, preferably, programmatically).  I have my own filter loader and filter chain that guarantees the order for my filters, which are not visible in the FilterRegistration:

-----------------------------
.onStartup:303 - -------- Filter Registrations ------------------------------
.lambda$onStartup$12:307 - Filter name: log4jServletFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.logging.log4j.web.Log4jServletFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: Tomcat WebSocket (JSR356) Filter
.lambda$onStartup$12:308 -     Registered class: org.apache.tomcat.websocket.server.WsFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: AppFilterLoader
.lambda$onStartup$12:308 -     Registered class: com.domain.web.AppFilterLoader
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.lambda$onStartup$12:307 - Filter name: FilterDefaultJsp
.lambda$onStartup$12:308 -     Registered class: com.domain.web.FilterDefaultJsp
.lambda$onStartup$12:311 -     Servlet mapping(s):
.lambda$onStartup$9:312 -              default
.lambda$onStartup$9:312 -              jsp
.lambda$onStartup$12:307 - Filter name: TestFilterSecure
.lambda$onStartup$12:308 -     Registered class: com.domain.web.TestFilterSecure
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /secure/*
.lambda$onStartup$12:307 - Filter name: ShiroFilter
.lambda$onStartup$12:308 -     Registered class: org.apache.shiro.web.servlet.ShiroFilter
.lambda$onStartup$12:316 -     URL pattern mapping(s):
.lambda$onStartup$10:317 -             /*
.onStartup:325 - ------------------------------------------------------------
-----------------------------------------------------------

I've tried loading the Shiro Filter via my custom loader but it failed because of an invalid FilterChain type.  Oddly enough, if I have the Shiro Filter loaded first, it works fine.  I need to further test why this is and whether it's consistent across web container restarts.  I was hoping to have Filters executing in this order:

logging -> security (block request or start Shiro session) -> other filters -> mapped servlet.

since I don't want to waste system resources starting a session when the request is blocked.  But as long as I can get Shiro working, I can work with it for now.

Thanks,
Tommy

On Mon, Mar 2, 2020 at 2:57 PM Alessio Stalla <[hidden email]> wrote:
To me, it looks like the Shiro Filter is not installed or your own filter runs before it has a chance to associate Shiro objects with the thread.

On Mon, 2 Mar 2020 at 23:41, Tommy Pham <[hidden email]> wrote:
Hi Brian,

I'm still having issues getting a valid session when specifying SecurityManager via SecurityUtils.  If I omit that, I get exceptions.   After some more troubleshooting, I've added some fake test accounts from the official tutorial and set TRACE log level to org.apache.shiro.  Below is the log:

02-Mar-2020 01:30:37.481 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:95 - Checking any specified config locations.
02-Mar-2020 01:30:37.482 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.parseConfig:100 - No INI instance or config locations specified.  Trying default config locations.
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [main]
02-Mar-2020 01:30:37.489 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [users]
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: root = secret, admin
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: guest = guest, guest
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: presidentskroob = 12345, president
02-Mar-2020 01:30:37.491 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: darkhelmet = ludicrousspeed, darklord, schwartz
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: lonestarr = vespa, goodguy, schwartz
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [roles]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: admin = *
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: schwartz = lightsaber:*
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: goodguy = winnebago:drive:eagle5
02-Mar-2020 01:30:37.492 DEBUG [Catalina-utility-2] org.apache.shiro.config.Ini.load:401 - Parsing [urls]
02-Mar-2020 01:30:37.492 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini$Section.splitKeyValue:604 - Discovered key/value pair: /** = anon
02-Mar-2020 01:30:37.493 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.IniWebEnvironment.getDefaultIni:217 - Discovered non-empty INI configuration at location '/WEB-INF/shiro.ini'.  Using for configuration.
02-Mar-2020 01:30:37.495 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.500 TRACE [Catalina-utility-2] org.apache.shiro.config.Ini.cleanName:168 - Specified name was null or empty.  Defaulting to the default section (name = "")
02-Mar-2020 01:30:37.643 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.660 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:179 - Discovered the [roles] section.  Processing...
02-Mar-2020 01:30:37.662 DEBUG [Catalina-utility-2] org.apache.shiro.realm.text.IniRealm.processDefinitions:185 - Discovered the [users] section.  Processing...
02-Mar-2020 01:30:37.670 DEBUG [Catalina-utility-2] org.apache.shiro.config.IniFactorySupport.createInstance:149 - Creating instance from Ini [sections=users,roles,urls]
02-Mar-2020 01:30:37.675 TRACE [Catalina-utility-2] org.apache.shiro.web.filter.authc.FormAuthenticationFilter.setLoginUrl:89 - Adding login url to applied paths.
02-Mar-2020 01:30:37.677 TRACE [Catalina-utility-2] org.apache.shiro.web.config.IniFilterChainResolverFactory.createChains:185 - Before url processing.
02-Mar-2020 01:30:37.677 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain:127 - Creating chain [/**] from String definition [anon]
02-Mar-2020 01:30:37.678 DEBUG [Catalina-utility-2] org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.applyChainConfig:278 - Attempting to apply path [/**] to filter [anon] with config [null]
02-Mar-2020 01:30:37.679 DEBUG [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:142 - Published WebEnvironment as ServletContext attribute with name [org.apache.shiro.web.env.EnvironmentLoader.ENVIRONMENT_ATTRIBUTE_KEY]
02-Mar-2020 01:30:37.680 INFO [Catalina-utility-2] org.apache.shiro.web.env.EnvironmentLoader.initEnvironment:147 - Shiro environment initialized in 352 ms.
02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [D:\apache-tomcat\webapps\erm.war] has finished in [9,120] ms
02-Mar-2020 01:30:41.838 INFO [http-nio-8080-exec-181] com.domain.security.FilterSecurity.doFilter:147 - >> ThreadContext.getResources(): true 0
02-Mar-2020 01:30:41.841 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]
02-Mar-2020 01:30:41.844 TRACE [http-nio-8080-exec-181] org.apache.shiro.util.ThreadContext.get:126 - get() - in thread [http-nio-8080-exec-181]


It seems that the resources are empty when I don't set the SecurityManager in SecurityUtils.  Thus, from what I could tell from the code, SecurityUtils.getSecurityManager() would fail since the resources map is empty, and getting a session then fails in cascade.  I haven't been able to track down how the resources in ThreadContext are set yet :(

Thanks,
Tommy

