Posted to user@shiro.apache.org by Albert Kam <mo...@gmail.com> on 2013/07/13 18:31:51 UTC

Login successful, but isAuthenticated is false upon the next request

The docs at http://shiro.apache.org/spring.html state:
For simplest integration, so that all SecurityUtils.* methods work in all
cases,
make the securityManager bean a static singleton.
DO NOT do this in web applications - see the 'Web Applications' section
below instead.
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
    <property name="arguments" ref="securityManager"/>
</bean>

And from
http://mail-archives.apache.org/mod_mbox/shiro-user/201211.mbox/%3CCAAtvD4WLA_Gu_1qOFJBLoo7UbYOLmSSA2yRxCH-5Tq-yZut0ZA@mail.gmail.com%3E,
it says:

SecurityUtils.getSubject() is mainly a convenience - Shiro can - and does -
work quite well in any environment.  If there isn't a thread-per-request
model, the Shiro end-user (or framework developer) just has to do some
extra work to allow an app developer to use something other than
SecurityUtils.

So, if I don't understand wrongly,
- Setting the securityManager in the xml is actually just fine
- Using SecurityUtils.getSubject() in web environment + native session is
  also just fine?

I am trying to understand these because I cannot seem to get a successful
login to persist between requests.
My case is as follows:
- I am using both the xml snippet above + SecurityUtils.getSubject() +
  spring + the latest Apache Shiro
- My first access to the server will activate the creation of the session
  (without doing any logins).
  I can see it inside my db since I am using a custom sessionDAO for this,
  and it returns the main page
- At the main page, I try to log in, where the token is authenticated
  successfully,
  as the output is true for the subject.isAuthenticated().
  And then it's redirected to the main page again
- Now when the main page opens, it still says unauthenticated (from the
  output of SecurityUtils.getSubject().isAuthenticated()),
  even when the session has been created,
  and even though in the previous request the subject's authentication was
  successful (meaning the realm is correct)

What did I do wrong here?
-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)

Re: Login successful, but isAuthenticated is false upon the next request

Posted by you_are_awesome <yo...@rocketmail.com>.
Hi,
I have the same issue. But I am not using Spring. It's the simple Servlet
Container's default session manager.
My shiro.ini looks like this:
[main] 
# realm to be used
jdbcRealm=com.myAuthenticationJdbcRealm
jdbcRealm.jndiDataSourceName=java:comp/env/jdbc/dbpool
#jdbcRealm.dataSource = $ds
jdbcRealm.permissionsLookupEnabled=true 
# password hashing specification
credentialMatcher = com.MYCredentialsMatcher
jdbcRealm.credentialsMatcher = $credentialMatcher
# replace form authentication filter with verbose filter 
authc = com.MyFormAuthenticationFilter
# request parameter with login error information; if not present filter assumes 'shiroLoginFailure'
authc.failureKeyAttribute=simpleShiroApplicationLoginFailure
# specify login page
authc.loginUrl = /jsp/admin/Login.jsp
# name of request parameter with username; if not present filter assumes 'username'
authc.usernameParam = username
# name of request parameter with password; if not present filter assumes 'password'
authc.passwordParam = password
# redirect after successful login
authc.successUrl  = /admin/home/HomePage.do
# roles filter: redirect to error page if user does not have access rights
roles.unauthorizedUrl = /common/loginFailed.do
logout= com.MyLogoutFilter
logout.redirectUrl = /jsp/admin/Login.jsp
[urls]
# force ssl for login page 
/common/Logout.do=noSessionCreation,logout
/jsp/admin/Login.jsp=authc
/jsp/loymartjsp/**=authc
/jsp/**=authc
/admin/**=authc
/platform/**=authc
/program/**=authc

Please help me with this.





Re: Login successful, but isAuthenticated is false upon the next request

Posted by Albert Kam <mo...@gmail.com>.
So the problem was not in using the SecurityUtils.* methods.
It's my custom DAO native session implementation that was faulty, causing
the authenticated flag to go unpersisted by my custom DAO.
That's why its successful authentication didn't last after the request ended
and kept returning to the login page.

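
The resolution in this thread is that a custom native-session DAO did not persist the authenticated flag. The following is an added example, not code from the thread or from the Shiro project: a minimal SessionDAO whose update() rewrites the whole session, so the attributes Shiro sets at login survive to the next request. The class name SerializingSessionDAO and the in-memory map standing in for a database table are assumptions.

```java
import java.io.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.subject.support.DefaultSubjectContext;

// Hypothetical DAO; the map of serialized rows stands in for a database table.
public class SerializingSessionDAO extends AbstractSessionDAO {
    private final Map<Serializable, byte[]> table = new ConcurrentHashMap<>();
    @Override protected Serializable doCreate(Session session) {
        Serializable id = generateSessionId(session);
        assignSessionId(session, id);
        table.put(id, toBytes(session));
        return id;
    }
    @Override protected Session doReadSession(Serializable id) {
        byte[] row = table.get(id);
        return row == null ? null : fromBytes(row);   // null makes readSession() throw UnknownSessionException
    }
    // Login stores the principals and the authenticated flag as session attributes,
    // so update() must rewrite the whole session, attributes included.
    @Override public void update(Session session) { table.put(session.getId(), toBytes(session)); }
    @Override public void delete(Session session) { table.remove(session.getId()); }
    @Override public Collection<Session> getActiveSessions() {
        return table.values().stream().map(r -> fromBytes(r)).collect(java.util.stream.Collectors.toList());
    }
    private static byte[] toBytes(Session s) {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(s);
        } catch (IOException e) { throw new IllegalStateException(e); }
        return buf.toByteArray();   // the stream was closed, and so flushed, above
    }
    private static Session fromBytes(byte[] row) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(row))) {
            return (Session) in.readObject();
        } catch (IOException | ClassNotFoundException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) {   // constructed round trip over two "requests"
        SerializingSessionDAO dao = new SerializingSessionDAO();
        SimpleSession s = new SimpleSession();
        Serializable id = dao.create(s);        // first, anonymous request creates the session
        s.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);  // attribute set at login
        dao.update(s);
        System.out.println(dao.readSession(id).getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY));
    }
}
```

Running it needs shiro-core on the classpath. A DAO that writes only selected columns in update(), or does nothing there, returns a session without that attribute on the next read.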