Posted to user@shiro.apache.org by Nagaraju Kurma <na...@enhancesys.com> on 2013/07/25 09:53:40 UTC

UNABLE TO HIDE JSESSION ID FROM URL

http://localhost:8080/SomeProjecct/login;JSESSIONID=0df6336e-3372-44a1-8d8e-52c50defefd3

I would like to hide this jsession id from the URL.

When I observe the Shiro security API, it states the following:


HttpServletResponse implementation to support URL Encoding of Shiro Session
IDs.

It is only used when using Shiro's native Session Management configuration
(and not when using the Servlet Container session configuration, which is
Shiro's default in a web environment). Because the servlet container
already performs url encoding of its own session ids, instances of this
class are only needed when using Shiro native sessions.

Note that this implementation relies in part on source code from the Tomcat
6.x distribution for encoding URLs for session ID URL Rewriting (we didn't
want to re-invent the wheel). Since Shiro is also Apache 2.0 license, all
regular licenses and conditions have remained intact.


But anyway, I am forced to hide the jsession id from the URL; please, does
anybody have the solution?


Very thankful to you :)




-- 

Regards,

Nagaraju.

Re: UNABLE TO HIDE JSESSION ID FROM URL

Posted by Alexander Openkowski <op...@googlemail.com>.
Sorry I do not know exactly how to do it in your case. I'm not even sure
that it's the right way to do it : ) I guess one of the real Shiro experts
will tell you soon.

But what seems strange to me is that you have
  "/login = anon"
I always thought the login page has to be 'authc'? Maybe this "/login =
anon" rule does not have any effect?

Have a look at the docs, too:
http://shiro.apache.org/session-management.html -> Section: "shiro.ini -
Disable Session Creation per request"
Although you are not using the ini config I guess the filter key is the
same, so "noSessionCreation" seems right. There they put it before the
authc, have you tried that?

I'm just quite sure that
  "/** = authc, noSessionCreation"
is not what you want as this, as far as I know, would mean that no session
is created ever.


On Fri, Jul 26, 2013 at 3:28 PM, Nagaraju Kurma <
nagaraju.kurma@enhancesys.com> wrote:

Re: UNABLE TO HIDE JSESSION ID FROM URL

Posted by Nagaraju Kurma <na...@enhancesys.com>.
Thanks for the helpful reply.

Unfortunately I am not using a shiro.ini file as the security realm here;
instead I am using a PostgreSQL database to store users, roles, etc.

Like your filterChain configuration, our configuration is as follows.

This is Shiro with Spring integration:

<bean id="shiroFilter"
class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/login" />
<property name="successUrl"
value="redirect:/main/welcome1?cat=dashboard.summary" />
<property name="unauthorizedUrl" value="/login" />
<property name="filterChainDefinitions">
<value>
/framework/default/skins/css/login_style.css = anon
/framework/default/skins_ie/js/html5shiv.js = anon
/framework/default/skins/images/lock_icon.gif = anon
/framework/default/skins/images/enhancesys_top_logo.png = anon

/login = anon                                   <!-- login request
trapper--->

/main/logout = logout
/** = authc
</value>
</property>
</bean>

Here my anon is the login request trapper. As you said, I tried it in different
ways, like:
1) /login = anon, NO_SESSION_CREATION   ---------------> I got an exception
saying that there is no filter named NO_SESSION_CREATION

2) /login = anon, noSessionCreation           -----------------> no effect

3) /** = authc, NO_SESSION_CREATION   -------------> same exception

4) /** = authc, noSessionCreation  -----------------> no impact

Please suggest how to do it.

Thanking you, :)





On Fri, Jul 26, 2013 at 1:30 PM, Alexander Openkowski <opncow@googlemail.com
> wrote:


-- 

Regards,

Nagaraju.

Re: UNABLE TO HIDE JSESSION ID FROM URL

Posted by Alexander Openkowski <op...@googlemail.com>.
My login page is located under 'mydomain.com/app/account/login.jsp'. To
hide the jsessionid when landing on the login page I added the following to
my ShiroGuiceModule:

addFilterChain("/app/account/**", AUTHC, NO_SESSION_CREATION); // before I
only had AUTHC filter there

So basically the trick seems to be to not create a session until the user
logs in.
If you're using .ini configuration it shouldn't be too hard to adapt that I
think.

Btw: If there is something wrong with this approach please tell me!

HTH,
Alex


On Fri, Jul 26, 2013 at 7:24 AM, Nagaraju Kurma <
nagaraju.kurma@enhancesys.com> wrote:
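Both of Alexander's replies above turn on the same detail: noSessionCreation has to come before the other filters in a chain, and the name has to be spelled the way Shiro registers it (NO_SESSION_CREATION is the Java enum constant, not the chain-definition name). The following script is an added example, not code from the thread or from the Shiro project: it parses the "path = filterA, filterB[args]" lines used by shiro.ini and by the Spring ShiroFilterFactoryBean <value> block and flags chains where noSessionCreation is misspelled or listed after another filter. The set of default filter names and the sample definitions (built from the attempts listed in this thread) are assumptions constructed for the example.

```python
"""Lint Shiro filterChainDefinitions for noSessionCreation placement.

Shiro runs the filters listed for a path in the order they are written,
so noSessionCreation only affects filters that come after it. This parser
accepts the "path = filterA, filterB[args]" lines used by shiro.ini and by
the Spring ShiroFilterFactoryBean <value> block, and reports chains where
noSessionCreation is misspelled or listed after another filter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Default filter names registered by Shiro (DefaultFilter enum). Names are
# case-sensitive, which is why "NO_SESSION_CREATION" is rejected in a chain
# definition even though it is the enum constant used in Java/Guice code.
KNOWN_FILTERS = {
    "anon", "authc", "authcBasic", "logout", "noSessionCreation",
    "perms", "port", "rest", "roles", "ssl", "user",
}

# Split on commas that are not inside [...] so "roles[admin,editor]" stays whole.
_FILTER_SEP = re.compile(r",(?![^\[]*\])")


def parse_chain_definitions(text: str) -> Dict[str, List[str]]:
    """Parse chain definitions into an insertion-ordered {path: [filters]} map.

    XML comments (the Spring <value> block in this thread carries one) and
    blank lines are ignored. Filter arguments such as roles[admin] are kept
    attached to their filter name.
    """
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    chains: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a chain definition: {line!r}")
        path, spec = line.split("=", 1)
        chains[path.strip()] = [f.strip() for f in _FILTER_SEP.split(spec) if f.strip()]
    return chains


@dataclass
class Finding:
    path: str
    problem: str


def check_no_session_creation(chains: Dict[str, List[str]]) -> List[Finding]:
    """Report unknown filter names and noSessionCreation placed after other filters."""
    findings: List[Finding] = []
    for path, filters in chains.items():
        names = [f.split("[", 1)[0] for f in filters]
        for name in names:
            if name not in KNOWN_FILTERS:
                findings.append(Finding(path, f"unknown filter name {name!r}"))
        if "noSessionCreation" in names:
            before = names[: names.index("noSessionCreation")]
            if before:
                findings.append(Finding(
                    path,
                    f"noSessionCreation listed after {before}; those filters run "
                    "first and may already have created a session"))
    return findings


# Constructed sample combining the definitions tried in this thread.
SAMPLE_DEFINITIONS = """
/framework/default/skins/css/login_style.css = anon
/login = anon, noSessionCreation                  <!-- login request trapper--->
/main/logout = logout
/admin/** = noSessionCreation, authc, roles[admin,editor]
/api/** = noSessionCreation, authcBasic
/x = anon, NO_SESSION_CREATION
/** = authc, noSessionCreation
"""

if __name__ == "__main__":
    for finding in check_no_session_creation(parse_chain_definitions(SAMPLE_DEFINITIONS)):
        print(f"{finding.path}: {finding.problem}")
```

Run against the sample, the checker flags "/login" and "/**" for ordering and "/x" for the misspelled name, while "/api/**" (the form shown in the Shiro session-management docs) passes.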

Re: UNABLE TO HIDE JSESSION ID FROM URL

Posted by Nagaraju Kurma <na...@enhancesys.com>.
Thanks for your suggestions.
Here I am using native sessions, not servlet sessions.

When the Shiro session was extended from the servlet session, it got some more
extra activities.
I searched on Google and tried the following different options:


1) in web.xml
-----------------

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>



2) context.xml


<?xml version='1.0' encoding='utf-8'?><Context
docBase="PATH_TO_WEBAPP" path="/CONTEXT"
disableURLRewriting="true"></Context>


3) added on filter


package net.enhancesys.auth.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Servlet filter that disables URL-based session identifiers: a session
 * referenced through a ";jsessionid=" path parameter is invalidated, and the
 * response is wrapped so that the container's URL encoding methods never
 * append a session id to links or redirects.
 */
public class DisableUrlSessionFilter implements Filter {

    /**
     * Filters requests to disable URL-based session identifiers.
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // skip non-http requests
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // invalidate the session if its id arrived in the URL; getSession(false)
        // avoids creating a brand-new session only to invalidate it when the
        // URL-supplied id does not match an existing session
        if (httpRequest.isRequestedSessionIdFromURL()) {
            HttpSession session = httpRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }

        // wrap the response so that no URL encoding (session id rewriting) happens;
        // the lower-case variants are the deprecated spellings and are overridden
        // too, for containers that still route through them
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(
                httpResponse) {
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            @Override
            public String encodeUrl(String url) {
                return url;
            }

            @Override
            public String encodeURL(String url) {
                return url;
            }
        };

        // process next request in chain
        chain.doFilter(request, wrappedResponse);
    }

    /** Unused. */
    public void init(FilterConfig config) throws ServletException {
    }

    /** Unused. */
    public void destroy() {
    }
}



For the above filter, in web.xml:

<filter>
    <filter-name>somename</filter-name>
    <filter-class>net.enhancesys.auth.filter.DisableUrlSessionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>somename</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>



But no solution helped me...

Thanking you




-- 

Regards,

Nagaraju.
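The container-level settings tried in the post above (tracking-mode COOKIE, disableURLRewriting, a response wrapper) govern the servlet container's own rewriting; the Shiro Javadoc quoted in the first mail says that with native sessions the rewriting is done by Shiro's own HttpServletResponse implementation, so an independent check of what actually reaches the client and the access log is the useful next step. The script below is an added example, not code from the thread: it recognises the ";jsessionid=<id>" path parameter (case-insensitive, since the thread's URL shows it in upper case), strips it from a URL while keeping query string and fragment, and scans access-log lines in the common "METHOD path HTTP/x.y" format to report and redact leaked ids. The log lines are constructed for the example; the first reuses the URL quoted in the original post.

```python
"""Detect and strip URL-rewritten session identifiers.

Servlet containers (and Shiro's native-session response wrapper) append the
session id as a path parameter, ";jsessionid=<id>", when the client has not
presented a session cookie. An id in the URL ends up in access logs, browser
history and Referer headers, so a defender wants to (a) find where it still
appears after a fix and (b) make sure generated links never carry it.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# ;jsessionid=<value> path parameter; the value ends at the next path, query,
# fragment or parameter delimiter (whitespace/quotes excluded so the pattern
# is also safe to apply to whole log lines).
_SESSION_PARAM = re.compile(r';jsessionid=([^/?#;\s"]*)', re.IGNORECASE)

# Request field of the common/combined access-log format.
_REQUEST_FIELD = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/[\d.]+"')


def extract_url_session_id(url: str) -> Optional[str]:
    """Return the session id carried in the URL's path, or None."""
    match = _SESSION_PARAM.search(urlsplit(url).path)
    return match.group(1) if match else None


def strip_url_session_id(url: str) -> str:
    """Remove the ;jsessionid path parameter, keeping query and fragment."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=_SESSION_PARAM.sub("", parts.path)))


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, cleaned_path, session_id) for every request whose
    path carried a session id."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, 1):
        match = _REQUEST_FIELD.search(line)
        if not match:
            continue
        sid = extract_url_session_id(match.group(1))
        if sid:
            hits.append((number, strip_url_session_id(match.group(1)), sid))
    return hits


def redact_session_ids(line: str) -> str:
    """Replace any URL-embedded session id in a log line with a placeholder,
    so the line can be kept or forwarded without the credential."""
    return _SESSION_PARAM.sub(";jsessionid=<redacted>", line)


# Constructed sample log; line 1 reuses the URL quoted in the original post.
SAMPLE_LOG = [
    '127.0.0.1 - - [25/Jul/2013:09:53:40 +0000] "GET /SomeProjecct/login;JSESSIONID=0df6336e-3372-44a1-8d8e-52c50defefd3 HTTP/1.1" 200 1234',
    '127.0.0.1 - - [25/Jul/2013:09:53:41 +0000] "GET /framework/default/skins/css/login_style.css HTTP/1.1" 200 512',
    '127.0.0.1 - - [25/Jul/2013:09:53:45 +0000] "POST /SomeProjecct/login;jsessionid=abc123?next=%2Fmain HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, path, sid in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: session id {sid} exposed in {path}")
    for line in SAMPLE_LOG:
        print(redact_session_ids(line))
```

A zero-hit scan of the login page's access-log entries after a configuration change is the concrete evidence that the change worked; the redaction helper is for logs that must be retained once an exposure has been found.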

Re: UNABLE TO HIDE JSESSION ID FROM URL

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Don't use all upper case in your subject line. It's very annoying and equates to yelling over email. Bad form. 
Otherwise there is an option in web.xml to not use jsessionid attribute. Take a look at the documentation. I don't remember what this option is exactly. 

On Jul 25, 2013, at 3:53 AM, Nagaraju Kurma <na...@enhancesys.com> wrote: