Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
Shiro Newbie here.  I am still trying to get some simple Shiro integration done and I am stuck on something and could use a push.

I have a Java Servlet app running under Tomcat 8, Java 8
Using a HTML/JS front end

Wanting to secure the server with FORM based Auth

I have a very simple Login.html file, and I am redirected to it upon attempting to browse to any URL in my app.  I see successful login happening, but I am constantly redirected back to the Login.html.  The redirect is consistent on Chrome and IE.  Firefox will occasionally redirect correctly.

What I am doing is super basic, so I assume I am missing something simple too...

Here is my shiro.ini
---------------------------------------------
#-----------
# Main
# ----------
[main]

shiro.loginUrl = /login.html

myRealm = com.my.MyCustomRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

securityManager.realms = $myRealm

# -----------------------------------------------------------------------------
# URLS - followed by Filter Chains.
# -----------------------------------------------------------------------------
[urls]
/** = authc  
---------------------------------------------

Here is the auth method from MyCustomRealm:
----------------------------------------------------------------
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

    UsernamePasswordToken upToken = (UsernamePasswordToken) token;

    // Take the password as char[] first: new String((char[]) null) would throw an NPE
    // before the null check below ever ran.
    String name = upToken.getUsername();
    char[] passwordChars = upToken.getPassword();

    if (name != null && passwordChars != null) {
        String password = new String(passwordChars);
        Map userMap = MyDatabase.readCollection(User.USERS, String.class);
        if (userMap.containsKey(name)) {
            User user = (User) userMap.get(name);
            String pw = user.getPassword();
            if (password.equals(pw)) {
                // The credentials returned here are what Shiro's CredentialsMatcher
                // compares against the submitted token.
                return new SimpleAuthenticationInfo(name, password.toCharArray(), getName());
            } else {
                throw new AuthenticationException("Invalid Password");
            }
        } else {
            throw new AuthenticationException("Invalid Username");
        }
    }
    throw new AuthenticationException("Username and Password required");
}
--------------------------------------------------------------


Here is my web.xml
-------------------------------------------------------------
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <context-param>
        <param-name>resteasy.scan</param-name>
        <param-value>false</param-value>
    </context-param>

    <context-param>
        <param-name>resteasy.servlet.mapping.prefix</param-name>
        <param-value>/v1</param-value>
    </context-param>

    <listener>
        <listener-class>
            org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
        </listener-class>
    </listener>

    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <servlet>
        <display-name>resteasy</display-name>
        <servlet-name>Resteasy</servlet-name>
        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
        <init-param>
            <param-name>javax.ws.rs.Application</param-name>
            <param-value>com.my.MyRestApplication</param-value>
        </init-param>
    </servlet>

    <servlet>
        <display-name>My Application</display-name>
        <servlet-name>MyApp-Init</servlet-name>
        <servlet-class>com.my.AppInitServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <display-name>EventBus</display-name>
        <servlet-name>EventBusServlet</servlet-name>
        <servlet-class>com.my.init.EventBusInitServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <servlet-name>Jersey2Config</servlet-name>
        <servlet-class>io.swagger.jaxrs.config.DefaultJaxrsConfig</servlet-class>
        <init-param>
            <param-name>api.version</param-name>
            <param-value>1.0.0</param-value>
        </init-param>
        <init-param>
            <param-name>swagger.api.basepath</param-name>
            <param-value>/CloudMgr/v1</param-value>
        </init-param>
        <load-on-startup>2</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>Resteasy</servlet-name>
        <url-pattern>/v1/*</url-pattern>
    </servlet-mapping>
</web-app>
---------------------------------------------------------


Do you see anything that would cause the constant redirection?  I've tried everything I can find in the docs...

Thanks in advance, and I apologize if I have missed something obvious.

Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
To add to above...  I have tried using

authc.loginUrl=/login.html
authc.successUrl=/index.html

as well.  I get the same results every time.
Re: Shiro redirecting back to Login after successful Login

Brian Demers
Are the session cookies being sent to/from your browser ?

On Mon, Jul 18, 2016 at 11:50 AM, [hidden email]
<[hidden email]> wrote:
Re: Shiro redirecting back to Login after successful Login

lprimak
Try adding to [urls]
/login.html = anon
/** = authc

to disable authentication requirements to the login page.

That may help

> On Jul 18, 2016, at 11:44 AM, Brian Demers <[hidden email]> wrote:
Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
In reply to this post by Brian Demers
It is a bit tricky to see all the interaction, but I do believe the JSESSIONID is being passed.

When I hit the default URL for my App, at say http://localhost:8080/MyApp

In the Dev Console, I see a GET request for that URL with a Return Status of 302 Found.

Next I see a GET request to the Login.html page.

Once I plug in my User & Password and hit Submit, I see a POST including the FORM data, username, password, and rememberMe.  The response is the Login.html again...

I can set a breakpoint and see that my realm is getting hit to Authenticate the User though.

For what it's worth, if I switch to Basic Auth and use the Browser to pop up the Auth Dialog, it works right.
Re: Shiro redirecting back to Login after successful Login

Brian Demers
You mentioned that Firefox will redirect correctly sometimes?
This has me more confused; can you reproduce this with an
incognito/private browsing mode in any of your browsers?

On Mon, Jul 18, 2016 at 3:13 PM, [hidden email]
<[hidden email]> wrote:
Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
yes, I typically start with Chrome Incognito windows, and it fails 100% of the time.  As I revisit Firefox, it seems to be consistently failing now as well.  Maybe my earlier attempt to try a diff browser was just an odd case.
Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
This is very frustrating.  With everything else exactly the same, I can change 1 line in my shiro.ini and it works vs not works.

If I switch to Basic AUTH it works.  FORM based NOT.

[urls]
/login.html = anon
/** = authc  <--------This doesn't work

[urls]
/login.html = anon
/** = authcBasic  <---------This works.

Here is my Login.html page that FORM based uses:
-----------------------------------------------------------
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Login</title>
</head>
<body>
  <!-- An empty action posts the form back to the login URL itself -->
  <form method="post" action="">
    <p>
      Username:
      <br />
      <input type="text" name="username">
    </p>
    <p>
      Password:
      <br />
      <input type="password" name="password">
    </p>
    <p>
      <input type="submit" value="Login">
    </p>
    <p>
      <input type="checkbox" name="rememberMe" value="true"> Remember Me?<br>
    </p>
  </form>
</body>
</html>
-------------------------------------------------------------


Any ideas would be appreciated.  I really want to use Shiro but can't get past this hiccup.
RE: Shiro redirecting back to Login after successful Login

Richard Wheeldon
Try setting the form action to the same arg as the loginUrl parameter on your authcBasic config,

No promises but it looks wrong to me,

Richard

-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
Sent: Tuesday, July 19, 2016 3:15 PM
To: [hidden email]
Subject: Re: Shiro rediecting back to Login after successful Login
RE: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
I tried setting form action as suggested, and then also many other variations, with no luck.  Everything I can find about Shiro FORM based says to leave action field as empty, i.e. "", but it was worth a try.  I am really amazed that I am struggling with this.  It seems so simple on the outside...maybe too simple :-)
Re: Shiro redirecting back to Login after successful Login

lprimak
try moving all your “authenticated” pages into a sub-folder and see if that takes any effect

> On Jul 19, 2016, at 11:08 AM, [hidden email] wrote:
Re: Shiro redirecting back to Login after successful Login

Brian Demers
Try changing `shiro.loginUrl` to `authc.loginUrl` in your shiro.ini file.

Also, basic auth works a little differently, and your browser handles it
for you, so it is much easier to deal with.

On Tue, Jul 19, 2016 at 2:23 PM, Lenny Primak <[hidden email]> wrote:
Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
I've tried it both ways: authc.loginUrl & shiro.loginUrl, with the same results.

I'm wanting to see some of this logic in the debugger, but I'm not sure if it is Tomcat or Shiro code that decides what to return to the browser once the Login form is submitted.

This is making JAAS seem like a piece of cake :-)  I really want to use Shiro Authorization scheme though.

Are there any samples out there using html to login vs JSP?  I haven't found anything that I can just download and try.  Maybe it's something else in my system, totally unrelated, that is causing this effect...
Re: Shiro redirecting back to Login after successful Login

Brian Demers
Hey Jim,

I'm sorry to see you are having such a rough go at it.

I grabbed the current 1.3.0-SNAPSHOT web sample (should work with
1.2.x as well), and switched the login.jsp to login.html, without
issue.

Granted I didn't try this with tomcat, I used jetty.
https://github.com/bdemers/shiro-web-html-example
You can start this with mvn jetty:run


I hope this helps

On Tue, Jul 19, 2016 at 2:55 PM, [hidden email]
<[hidden email]> wrote:
Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
ok, I have been able to dig deeper...

It seems that when the call comes into FormAuthenticationFilter.isAccessAllowed() (actually in the super class AuthenticatingFilter) AFTER a successful login and redirect to successUrl, this method is always returning false.  It seems the call to getSubject is not finding an Authenticated Subject in the ThreadContext.  It is this method that doesn't find the correct Subject:

public static Subject getSubject() {
    Subject subject = ThreadContext.getSubject();
    if (subject == null) {
        subject = (new Subject.Builder()).buildSubject();
        ThreadContext.bind(subject);
    }
    return subject;
}

So my question is, what might cause this?  I am authenticating in my custom Realm (which works fine thru BASIC auth), I can see the correct authenticated Subject being created.  It is just not being found by SecurityUtils upon the next call.

Here is my auth method from my custom realm:
----------------------------------------------------------
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

    UsernamePasswordToken upToken = (UsernamePasswordToken) token;

    // Take the password as char[] first: new String((char[]) null) would throw an NPE
    // before the null check below ever ran.
    String name = upToken.getUsername();
    char[] passwordChars = upToken.getPassword();

    if (name != null && passwordChars != null) {
        String password = new String(passwordChars);
        Map userMap = VnfmDatabase.readCollection(User.USERS, String.class);
        if (userMap.containsKey(name)) {
            User user = (User) userMap.get(name);
            String pw = user.getPassword();
            if (password.equals(pw)) {
                // The credentials returned here are what Shiro's CredentialsMatcher
                // compares against the submitted token.
                return new SimpleAuthenticationInfo(name, password.toCharArray(), getName());
            } else {
                throw new AuthenticationException("Invalid Password");
            }
        } else {
            throw new AuthenticationException("Invalid Username");
        }
    }
    throw new AuthenticationException("Username and Password required");
}
------------------------------------------------------------

Does something else need to be done to ensure the authenticated Subject is stashed away somewhere properly?

My subsequent requests do have a JSESSIONID attached to them...
Re: Shiro redirecting back to Login after successful Login

Brian Demers
Any chance you have a simple example of the problem you can post to github or someplace ?

On Wed, Jul 20, 2016 at 3:38 PM, [hidden email] <[hidden email]> wrote:
Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
I don't have a simple example formed up to submit yet, but what I have found is that my requests are being handled on multiple Threads (box stock Tomcat8), so I am seeing multiple different Subject (WebDelegatingSubject) objects being stored in the ThreadLocal of ThreadContext.  Only one of those gets set to isAuthenticated=true, so on the next request, from a different Thread, it finds a Subject that has not been marked as isAuthenticated=true, thus the redirect back to Login.html.

So I am not sure if there is something different I need to do when using Tomcat to ensure use of the same Thread?  I'm assuming Jetty doesn't do this, but that's just a guess.

Thoughts?
Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
Ok, I finally made some progress.  Seems that in order to get the Auth to work under Tomcat, I had to switch to native Shiro Session Management by adding the following properties to shiro.ini

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager


I do not need these when running with Jetty.

I would like to understand why the difference if anyone knows, and is anyone else using Tomcat8 without any issues?
Re: Shiro redirecting back to Login after successful Login

lprimak
Since both Tomcat and Jetty are servlet containers, there should be zero difference in how
Shiro integration works.  Something else is going on in your setup that's interfering with normal operations.

> On Jul 21, 2016, at 10:56 AM, [hidden email] wrote:
Re: Shiro redirecting back to Login after successful Login

jim.piersol@gmail.com
I would tend to agree with you.  I am using box stock Tomcat8 and Jetty 9.3.10.  Both on Windows.  Jetty works with nothing special set for Session Management, Tomcat does not.  I must use Shiro native SessionManagement in order for it to work.
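For reference, the settings discussed across this thread pulled together into one shiro.ini; this is an added example, not a file posted in the thread, and the realm and cache class names are the ones from the original post. Note that the login URL is mapped to `authc` rather than `anon`: Shiro's form filter lets an unauthenticated GET to its own loginUrl through so the page can render and processes the POST to that URL itself, whereas an `anon` mapping would serve login.html statically and the submitted credentials would never reach the realm.

```ini
# -----------
# Main
# -----------
[main]

# Form-based login: unauthenticated requests are redirected to loginUrl, and the
# authc filter handles the POST of username / password / rememberMe to that same URL.
# After a successful login the user goes to the originally requested page, or to
# successUrl when there is none.
authc.loginUrl = /login.html
authc.successUrl = /index.html

myRealm = com.my.MyCustomRealm
securityManager.realms = $myRealm

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Native Shiro session management. This is the change that made form login work
# under Tomcat in this thread; the authenticated Subject is then stored in a
# Shiro-managed session rather than the container's HttpSession.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# -----------------------------------------------------------------------------
# URLS - first matching pattern wins, so the login page entry comes before /**
# -----------------------------------------------------------------------------
[urls]
# authc (not anon) on the login URL: GET renders the page, POST performs the login.
/login.html = authc
/** = authc
```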