Posted to user@shiro.apache.org by Julien Muller <ju...@ezako.com> on 2011/11/01 00:59:27 UTC

Re: Shiro and GWT

Thank you Jared for the answer.

When I try to comment /login.html = anon, I get a browser error 310 (
net::ERR_TOO_MANY_REDIRECTS) for all my calls.
Not sure why shiro seems to try to redirect me to the login page in an
infinite loop.

As a test, I tried to comment out authc.loginUrl = login.html and rename
login.html to login.jsp. I know this is weird, but this made it work.

I am using shiro 1.1.0, it now really looks like a bug to me. Not sure if
this is linked to GWT at all. Something like "authc special handling" for
login page only works with default name or jsp extension.
Anyone encountered the same issue?

-- 

Best Regards,

Julien

2011/10/31 Julien Muller <ju...@ezako.com>

> Hello,
> Thanks for the replies, for some reason I did not receive any mail from
> the list, but I can see answers in the web based archive. I guess this is
> due to my (very) recent subscription.
>
> Here is my web.xml:
> <filter>
>  <filter-name>ShiroFilter</filter-name>
>  <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
> </filter>
> <filter-mapping>
>  <filter-name>ShiroFilter</filter-name>
>  <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> shiro.ini:
> [main]
> securityManager.sessionMode = native
> authc.loginUrl = login.html
>
> [users]
> julien = password, role1, role2
>
> [urls]
> /login.html = anon
> /* = authc
>
> Here is my login.html form:
> <form action="" id="loginForm" method="post">
>   Username: <input type="text" name="username"/> <br/>
>   Password: <input type="password" name="password"/><br/>
>   <input type="checkbox" name="rememberMe" value="false"/>Remember Me?
> <br/>
>   <input type="submit" name="submit" value="Login" />
> </form>
>
> This is only an early test, in the future I plan to move login.html to GWT
> code and to manage RPC.
> By now, I'd like to get this working the following way:
> 1) User queries the application url
> 2) User gets redirected to the login page and provides credentials
> 3) User is logged in and gets redirected back to the application.
> By now, I get stuck on the login page.
>
> Not sure why this does not work. At some point, I thought this might be
> due to the embedded jetty server, but I get the same result once deployed
> on tomcat.
>
> --
>
> Best Regards,
> Julien
>
>
> 2011/10/31 Julien Muller <ju...@ezako.com>
> >
> > Hello,
> > I am evaluating security solutions for a GWT application.
> > I like the shiro approach since it seems simple and easy to plug to
> > ldap, but I am afraid I did not really find working examples or tutorial
> > about this context.
> > I acknowledge you cannot use shiro classes from client side
> > (javascript), but do not think this should be a problem.
> > My understanding about what I should do (simple version with local users
> > defined in shiro.ini):
> > - Add IniShiroFilter to my web.xml
> > - add shiro.ini with authc.loginUrl = login.html, users and urls.
> > - Add a login.html page
> > - I will handle rpc security afterwards passing credentials in my
> > payload and perform server side validation for each call.
> > Up to now, I can tell my shiro.ini is taken into account, the
> > application can forward to login.html, but then nothing else is done.
> > I have seen in this tutorial:
> > http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
> > that a custom servlet is implemented for login. It seems to me it should
> > be handled automatically by shiro (or not?).
> > Furthermore, shiro documentation led me to believe that after login, the
> > user will be automatically redirected to his original request page, which
> > is definitely not the case during my tests.
> > Any help or guidance would be appreciated.
> > --
> >
> > Best Regards,
> > Julien
> >
>
>

Re: Shiro and GWT

Posted by Kalle Korhonen <ka...@gmail.com>.
It's not a bug but a common gotcha. The url you are posting your login
request to and the login landing page differ, so you need an anon
configuration, otherwise you just get redirected indefinitely between
the login landing page and authentication filter. Check the resulting
html of your login.html and see what's the action url you are posting
to. Put that url as your authc.loginUrl configuration and it should
work assuming the rest of your configuration is ok.

Kalle


On Mon, Oct 31, 2011 at 4:59 PM, Julien Muller <ju...@ezako.com> wrote:
> Thank you Jared for the answer.
> When I try to comment /login.html = anon, I get a browser error 310
> (net::ERR_TOO_MANY_REDIRECTS) for all my calls.
> Not sure why shiro seems to try to redirect me to the login page in an
> infinite loop.
> As a test, I tried to comment out authc.loginUrl = login.html and rename
> login.html to login.jsp. I know this is weird, but this made it work.
> I am using shiro 1.1.0, it now really looks like a bug to me. Not sure if
> this is linked to GWT at all. Something like "authc special handling" for
> login page only works with default name or jsp extension.
> Anyone encountered the same issue?
> --
>
> Best Regards,
> Julien
>
> 2011/10/31 Julien Muller <ju...@ezako.com>
>>
>> Hello,
>> Thanks for the replies, for some reason I did not receive any mail from
>> the list, but I can see answers in the web based archive. I guess this is
>> due to my (very) recent subscription.
>>
>> Here is my web.xml:
>> <filter>
>>  <filter-name>ShiroFilter</filter-name>
>>  <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
>> </filter>
>> <filter-mapping>
>>  <filter-name>ShiroFilter</filter-name>
>>  <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> shiro.ini:
>> [main]
>> securityManager.sessionMode = native
>> authc.loginUrl = login.html
>>
>> [users]
>> julien = password, role1, role2
>>
>> [urls]
>> /login.html = anon
>> /* = authc
>>
>> Here is my login.html form:
>> <form action="" id="loginForm" method="post">
>>   Username: <input type="text" name="username"/> <br/>
>>   Password: <input type="password" name="password"/><br/>
>>   <input type="checkbox" name="rememberMe" value="false"/>Remember Me?
>> <br/>
>>   <input type="submit" name="submit" value="Login" />
>> </form>
>>
>> This is only an early test, in the future I plan to move login.html to GWT
>> code and to manage RPC.
>> By now, I'd like to get this working the following way:
>> 1) User queries the application url
>> 2) User gets redirected to the login page and provides credentials
>> 3) User is logged in and gets redirected back to the application.
>> By now, I get stuck on the login page.
>>
>> Not sure why this does not work. At some point, I thought this might be
>> due to the embedded jetty server, but I get the same result once deployed on
>> tomcat.
>>
>> --
>>
>> Best Regards,
>> Julien
>>
>> 2011/10/31 Julien Muller <ju...@ezako.com>
>> >
>> > Hello,
>> > I am evaluating security solutions for a GWT application.
>> > I like the shiro approach since it seems simple and easy to plug to
>> > ldap, but I am afraid I did not really find working examples or tutorial
>> > about this context.
>> > I acknowledge you cannot use shiro classes from client side
>> > (javascript), but do not think this should be a problem.
>> > My understanding about what I should do (simple version with local users
>> > defined in shiro.ini):
>> > - Add IniShiroFilter to my web.xml
>> > - add shiro.ini with authc.loginUrl = login.html, users and urls.
>> > - Add a login.html page
>> > - I will handle rpc security afterwards passing credentials in my
>> > payload and perform server side validation for each call.
>> > Up to now, I can tell my shiro.ini is taken into account, the
>> > application can forward to login.html, but then nothing else is done.
>> > I have seen in this
>> > tutorial: http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
>> > that a custom servlet is implemented for login. It seems to me it should
>> > be handled automatically by shiro (or not?).
>> > Furthermore, shiro documentation led me to believe that after login, the
>> > user will be automatically redirected to his original request page, which is
>> > definitely not the case during my tests.
>> > Any help or guidance would be appreciated.
>> > --
>> >
>> > Best Regards,
>> > Julien
>> >
>>
>
>
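
An added example, not part of the original thread and not Shiro's code: a simplified Python model of the anon/authc decision discussed in the reply above, run against the two shiro.ini variants from the thread and one assumed corrected variant (`MATCHING`). The function names, the exact-string path comparison and the always-valid credentials are assumptions of the model.

```python
from urllib.parse import urljoin

# Constructed configs: the first two mirror the thread's shiro.ini variants,
# MATCHING is an assumed corrected variant that is not posted in the thread.
ORIGINAL = {"loginUrl": "login.html", "urls": {"/login.html": "anon", "/*": "authc"}}
NO_ANON = {"loginUrl": "login.html", "urls": {"/*": "authc"}}
MATCHING = {"loginUrl": "/login.html", "urls": {"/login.html": "authc", "/*": "authc"}}
MAX_REDIRECTS = 20  # the model's stand-in for the browser's redirect limit


def filter_request(cfg, session, method, path):
    """One pass through the modelled filter chain: ('serve'|'redirect', path)."""
    chain = cfg["urls"].get(path, cfg["urls"]["/*"])
    if chain == "anon" or session.get("user"):
        return ("serve", path)           # anon never looks at the posted form
    if path == cfg["loginUrl"]:          # assumption: exact string comparison
        if method == "POST":             # login submission handled by authc
            session["user"] = "julien"   # constructed: credentials assumed valid
            return ("redirect", session.pop("saved", "/"))
        return ("serve", path)           # GET: let the login page render
    session["saved"] = path              # remember the original request
    return ("redirect", urljoin(path, cfg["loginUrl"]))


def browse(cfg, session, method, path):
    """Follow redirects like a browser; return the final path or 'LOOP'."""
    for _ in range(MAX_REDIRECTS):
        action, path = filter_request(cfg, session, method, path)
        if action == "serve":
            return path
        method = "GET"                   # redirects are followed with GET
    return "LOOP"


def login_flow(cfg, start="/index.html"):
    """Request a protected page, then submit the form (action="") where we land."""
    session = {}
    landing = browse(cfg, session, "GET", start)
    if landing == "LOOP":
        return ("LOOP", False)
    final = browse(cfg, session, "POST", landing)
    return (final, bool(session.get("user")))


if __name__ == "__main__":
    for name, cfg in (("ORIGINAL", ORIGINAL), ("NO_ANON", NO_ANON), ("MATCHING", MATCHING)):
        print(name, login_flow(cfg))
```

In the model, the page's original config ends on the login page without a login, removing the anon line produces the redirect loop, and only the variant whose loginUrl equals the posted path authenticates and returns to the original request.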