Posted to user@shiro.apache.org by Richard Wheeldon <ri...@voxsmart.com> on 2016/05/04 20:11:17 UTC

RE: Recording logouts using AuthenticationListener

I've done some more digging with this, I've implemented a SessionListener as
well and it appears that the sessions aren't being invalidated either. It
basically looks like the logout isn't working at all. Can someone please
check I'm not doing something stupid:

1. Am I correct in assuming that LogoutFilter, Subject.logout() or
similar actions should result in an invalidated session?

2. Should I expect to get an onLogout event in a web application or is
there some extra magic I'm missing?

Any help would be much appreciated as I'm still totally stumped on what I
expected to be a relatively simple exercise,

Thanks,

Richard


From: Richard Wheeldon [mailto:richard.wheeldon@voxsmart.com] 
Sent: Monday, April 4, 2016 4:29 PM
To: user@shiro.apache.org
Subject: Recording logouts using AuthenticationListener


Hi,

I'm building a Web app using Shiro as a basis for authentication and RBAC.
I'm using the ShiroFilter loading a shiro INI which sets up a JDBC realm, a
form authentication filter and a logout filter tied into the default
security manager. All this is working as expected. No probs.

/login.jsp = formAuth
/logout = logoutFilter
/** = formAuth

Now I'm trying to get a custom log of login / logout actions working using
AuthenticationListener and am running into some problems. I've added my
custom listener to securityManager.authenticator.authenticationListeners and
it all loads fine. Logins are successfully recorded, I can get the username
from the token's principal. Login failures work in the same way. So far so
good.

securityManager.authenticator.authenticationListeners = $auditLogAuthListener

But when I go to logout, the listener never gets called. AFAICT, this is
because onLogout only ever gets called if there is a non-empty list of
principals (see DefaultSecurityManager.logout) but the principals list never
seems to get set.

Has anyone got this to work who could give me a pointer or two to what I'm
doing wrong? It would be much appreciated,

Thanks,

Richard



RE: Recording logouts using AuthenticationListener

Posted by Richard Wheeldon <ri...@voxsmart.com>.
Thanks for the advice. After much further faffing about I eventually figured out the problem – the cookie wasn’t being sent to the logout page. A quick one-liner and it’s all good:

sessionManager.sessionIdCookie.path = /

If anyone else runs into the problem, check the cookie being sent to the logout URL – the redirect will still work and it’ll appear like it’s doing the right thing – until you examine the session state which never gets cleared because it doesn’t know which session to clear.

Regards,

Richard


From: Lenny Primak [mailto:lprimak@hope.nyc.ny.us] 
Sent: Wednesday, May 4, 2016 10:59 PM
To: user@shiro.apache.org
Subject: Re: Recording logouts using AuthenticationListener


Yes, logout does work correctly with Shiro native sessions, and you are correct that session timeout isn’t pertinent in this particular case.

I’ve never used logoutFilter directly, so I would start by looking at its source code and seeing if it does what you expect it to do.

On May 4, 2016, at 4:55 PM, Richard Wheeldon <richard.wheeldon@voxsmart.com> wrote:

Many thanks for the response.

I’ve tried debugging it – that’s how I discovered that the principals list was empty in the first instance but I’m not a Shiro expert and I’m rather hazy on what’s supposed to be setting it in the first place. Any ideas? Whilst it’s perfectly possible that I’ve found a bug I very much doubt it’s the primary cause of my current problems – it would be a huge security hole if something like logout didn’t work.

I’m trying to use the native Shiro sessions with a simple MemorySessionDAO. The plan is to put the session info into RDS eventually but I’m trying to keep things simple until I get the basic stuff (i.e. login and logout) working. I haven’t ruled out the possibility that the native session handling is getting in the way but AFAICT it’s not. The cookies passed back and forwards are all of the Shiroesque form: JSESSIONID=44256c7e-dd9e-4614-adf9-205f581fc695; _ga=GA1.1.775913481.1456225578

I’ve read the link you suggested but I’m not sure the section you refer to is entirely pertinent. If I manually logout, surely that should invalidate the current session immediately? Or have I misunderstood?

Thanks,

Richard

From: Lenny Primak [mailto:lprimak@hope.nyc.ny.us]
Sent: Wednesday, May 4, 2016 10:14 PM
To: user@shiro.apache.org
Subject: Re: Recording logouts using AuthenticationListener

Have you tried to debug it? Maybe you have found a bug.

Are you using native Shiro sessions or web session proxy?

If using native sessions, have you set things up according to this documentation?

http://shiro.apache.org/session-management.html

section “session validation & scheduling”



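A runnable model of the failure mode Richard describes above (logout silently doing nothing when the session-ID cookie's Path does not cover the logout URL), added here as an illustration; it is not Shiro's code. SessionStore, logout_flow and the user alice are constructed stand-ins for a native session DAO with an audit listener attached.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def cookie_path_matches(cookie_path: str, request_path: str) -> bool:
    # RFC 6265 section 5.1.4 path-match: a browser attaches the cookie only when
    # its Path is a prefix of the request path and the prefix ends at a "/".
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


@dataclass
class SessionStore:
    # Constructed stand-in for a native session DAO plus an audit listener.
    cookie_path: str                                        # sessionIdCookie.path
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> principal
    audit: List[str] = field(default_factory=list)          # what the listener saw

    def login(self, principal: str) -> str:
        sid = str(uuid.uuid4())
        self.sessions[sid] = principal
        self.audit.append(f"onSuccess {principal}")         # listener fires on login
        return sid

    def cookie_sent_to(self, path: str, sid: str) -> Optional[str]:
        # The session-ID cookie the browser would attach to a request for `path`.
        return sid if cookie_path_matches(self.cookie_path, path) else None

    def logout(self, sid_cookie: Optional[str]) -> bool:
        # No cookie means no session can be resolved, so the principal list is
        # empty: nothing is cleared and onLogout never fires. The redirect to
        # the login page happens regardless, which is what makes this silent.
        principal = self.sessions.pop(sid_cookie, None) if sid_cookie else None
        if principal is None:
            return False
        self.audit.append(f"onLogout {principal}")
        return True


def logout_flow(cookie_path: str, logout_url: str = "/logout"):
    # Log "alice" in, then hit the logout URL with whatever cookie the browser
    # would send. Returns (session cleared?, session still stored?, audit log).
    store = SessionStore(cookie_path)
    sid = store.login("alice")
    cleared = store.logout(store.cookie_sent_to(logout_url, sid))
    return cleared, sid in store.sessions, store.audit


if __name__ == "__main__":
    print("path=/app :", logout_flow("/app"))   # logout silently does nothing
    print("path=/    :", logout_flow("/"))      # session cleared, onLogout fired
```

The same check applies to any cookie-scoped session: compare the cookie's Path against the logout URL before trusting a redirect as proof that the session was invalidated.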
Re: Recording logouts using AuthenticationListener

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Yes, logout does work correctly with Shiro native sessions, and you are correct that session timeout isn’t pertinent in this particular case.
I’ve never used logoutFilter directly, so I would start by looking at its source code and seeing if it does what you expect it to do.



RE: Recording logouts using AuthenticationListener

Posted by Richard Wheeldon <ri...@voxsmart.com>.
Many thanks for the response.

I’ve tried debugging it – that’s how I discovered that the principals list was empty in the first instance but I’m not a Shiro expert and I’m rather hazy on what’s supposed to be setting it in the first place. Any ideas? Whilst it’s perfectly possible that I’ve found a bug I very much doubt it’s the primary cause of my current problems – it would be a huge security hole if something like logout didn’t work.

I’m trying to use the native Shiro sessions with a simple MemorySessionDAO. The plan is to put the session info into RDS eventually but I’m trying to keep things simple until I get the basic stuff (i.e. login and logout) working. I haven’t ruled out the possibility that the native session handling is getting in the way but AFAICT it’s not. The cookies passed back and forwards are all of the Shiroesque form: JSESSIONID=44256c7e-dd9e-4614-adf9-205f581fc695; _ga=GA1.1.775913481.1456225578

I’ve read the link you suggested but I’m not sure the section you refer to is entirely pertinent. If I manually logout, surely that should invalidate the current session immediately? Or have I misunderstood?

Thanks,

Richard



Re: Recording logouts using AuthenticationListener

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Have you tried to debug it?  Maybe you have found a bug.
Are you using native Shiro sessions or web session proxy?
If using native sessions, have you set things up according to this documentation?
http://shiro.apache.org/session-management.html
section “session validation & scheduling”
