Posted to user@shiro.apache.org by "alina.frey" <af...@goscis.com> on 2021/05/19 14:53:35 UTC

Shiro - Session Loss

In my application I updated only the Shiro library, from shiro-all-1.2.3.jar
to shiro-all-1.7.0.jar. I did not change any other libraries, nor
configuration files, other than the build path to refer to the new Shiro
library.

Users that were able to login before, are now not able to. Digging in the
log files, it shows that the users do actually get logged in, and a session
is associated with them.

Watching the session cookie in the browser. When the user tries to log in,
the initial session cookie that is shown in the browser is the same as one
recorded in the logs. This initial session cookie gets replaced immediately
with a different one. Therefore the user cannot login into the application.
Printing out all the active sessions: three sessions are displayed, and only
the initial session is associated with the user. One of the other two
sessions is the one displayed in the browser.

Trying to figure what's happening and what causes this. Trying to figure out
what settings do I need to change, to make the application work as before.

Thanks a bunch!
-Alina.



--
Sent from: http://shiro-user.582556.n2.nabble.com/
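
The cookie behaviour described above (an initial session cookie that is immediately replaced by a different one) is easiest to confirm from the raw headers rather than the browser UI. The script below is an added example, not code from this thread or from the Shiro project: it walks a recorded sequence of request/response pairs, tracks the session cookie by name, and reports where the server issued it, replaced it, cleared it (Shiro's SimpleCookie writes the value "deleteMe" when removing a cookie), where the browser failed to echo it back, and where the cookie's Path attribute would stop the browser from sending it at all. The cookie name, the paths and the exchanges are constructed samples shaped like the symptom in the post.

```python
"""Session-cookie audit over a recorded request/response sequence.

Added example. It checks whether the session cookie the server issued is
echoed back on later requests and flags the symptom described in the post:
the server replacing the session cookie it has just issued.
"""
from typing import Dict, List, Optional, Tuple

# Assumption: the cookie name configured as cookie.name in shiro.ini.
SESSION_COOKIE = "app.session"
# Value Shiro's SimpleCookie writes when it removes a cookie from the browser.
DELETED_VALUE = "deleteMe"


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Parse a request 'Cookie:' header into {name: value}."""
    cookies: Dict[str, str] = {}
    if not header:
        return cookies
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a 'Set-Cookie:' header into (name, value, {attribute: value})."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, value = pieces[0].split("=", 1)
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: is a cookie scoped to cookie_path sent to request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def audit_session(exchanges: List[dict],
                  cookie_name: str = SESSION_COOKIE) -> List[Tuple[int, str, str]]:
    """Walk the exchanges in order and return (step, event, detail) findings.

    Each exchange is {"request": {"line": "METHOD /path", "cookie": str|None},
                      "response": {"status": int, "set_cookie": [str, ...]}}.
    Events: issued, replaced, cleared, not_sent_back, out_of_scope.
    """
    findings: List[Tuple[int, str, str]] = []
    current: Optional[str] = None   # session id the browser is expected to hold
    current_path = "/"              # Path attribute it was issued with
    for step, ex in enumerate(exchanges, start=1):
        request_path = ex["request"]["line"].split()[1]
        sent = parse_cookie_header(ex["request"].get("cookie")).get(cookie_name)
        if current is not None:
            if not path_matches(current_path, request_path):
                findings.append((step, "out_of_scope",
                                 f"cookie Path={current_path} does not cover {request_path}"))
            elif sent != current:
                findings.append((step, "not_sent_back",
                                 f"expected {current}, browser sent {sent}"))
        for raw in ex["response"].get("set_cookie", []):
            name, value, attrs = parse_set_cookie(raw)
            if name != cookie_name:
                continue
            if value == DELETED_VALUE or attrs.get("max-age") == "0":
                findings.append((step, "cleared", raw))
                current = None
            elif current is None:
                findings.append((step, "issued", value))
                current, current_path = value, attrs.get("path", "/")
            elif value != current:
                # The symptom from the post: a fresh id right after login.
                findings.append((step, "replaced", f"{current} -> {value}"))
                current, current_path = value, attrs.get("path", "/")
    return findings


# Constructed sample shaped like the symptom in the post: the login response
# issues one session id and the very next call comes back with another one.
REPLACED_SAMPLE = [
    {"request": {"line": "POST /app/login", "cookie": None},
     "response": {"status": 200,
                  "set_cookie": ["app.session=2f6a1c7e-aaaa; Path=/app; HttpOnly"]}},
    {"request": {"line": "POST /app/load_lists", "cookie": "app.session=2f6a1c7e-aaaa"},
     "response": {"status": 200,
                  "set_cookie": ["app.session=9b3d0e52-bbbb; Path=/app; HttpOnly"]}},
    {"request": {"line": "POST /app/data_view", "cookie": "app.session=9b3d0e52-bbbb"},
     "response": {"status": 200, "set_cookie": []}},
]

# Constructed sample where the cookie is scoped to a Path the application
# never lives under, so the browser never sends it back at all.
SCOPE_SAMPLE = [
    {"request": {"line": "POST /app/login", "cookie": None},
     "response": {"status": 200,
                  "set_cookie": ["app.session=1111; Path=/console; HttpOnly"]}},
    {"request": {"line": "POST /app/load_lists", "cookie": None},
     "response": {"status": 200,
                  "set_cookie": ["app.session=2222; Path=/console; HttpOnly"]}},
]

if __name__ == "__main__":
    for label, sample in (("replaced", REPLACED_SAMPLE), ("scope", SCOPE_SAMPLE)):
        for step, event, detail in audit_session(sample):
            print(f"{label}: step {step}: {event}: {detail}")
```

To use it against a real deployment, copy the request line, the request's Cookie header and the response's Set-Cookie headers for each call from the browser's Network tab into the exchange list in order; a "replaced" finding on the first call after login is exactly the behaviour described in the post, and a "not_sent_back" or "out_of_scope" finding points at the browser or at the cookie's Path attribute instead of at the server.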

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
1. Anything in your logs?
If you are referring to Shiro logs, I don't know where they are recorded.
If you are referring to logs capture by my application, I do not see any of
the errors that would be thrown by the supporting code below.

2. What happens when the user isn't able to login? Are they redirected back
to the login page?
Yes. A relevant message is displayed in a pop up, and then the same login
page is displayed.

3. Is your browser rejecting the cookie? (or is it sent back to the server
on the next request?)
Where do I need to look to see this? Where do I see the requests that are
being sent? In the Console or Network tabs of browser's Developer Tools?

Here is the supporting code for logging in with Shiro:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
// AlreadyAuthenticatedException, SessionNotAvailableException and the
// exceptions thrown below are not Shiro classes; they belong to the application.

public UserLoginBean tryLogin(String username, String password) throws Exception {
    // check for null username or password
    if (username == null || password == null) {
        return null;
    }

    // get the login bean based on the user id
    UserLoginBean loginBean = getUserRecord(username);

    if (loginBean == null) {
        // user does not exist
        return null;
    } else if (loginBean.getSalt() == null) {
        // password must have been reset to plain text
        ...
    } else {
        // password is encrypted so verify user login
        try {
            // get the currently executing user and create token
            Subject newUser = SecurityUtils.getSubject();

            if (newUser != null) {
                logger.debug("SessionID prior to logging in: " + newUser.getSession().getId());

                ...

                // The username and password authentication token. Set rememberMe to false
                UsernamePasswordToken token =
                        new UsernamePasswordToken(username, password.toCharArray(), false);

                newUser.login(token);

                ...

                logger.debug("SessionID after logging in: " + newUser.getSession().getId());
                logger.debug("Is user authenticated? " + newUser.isAuthenticated());
            }
            ...

            // successful login
            logger.info("!!!!!!! Successful login !!!!!!! ");
            return loginBean;

        } catch (UnknownAccountException e) {
            logger.error("LOGIN ERROR: No Such User Exists");
            throw new InvalidLoginException();
        } catch (IncorrectCredentialsException e) {
            logger.error("LOGIN ERROR: Invalid Password");
            throw new InvalidLoginException();
        } catch (LockedAccountException e) {
            logger.error("LOGIN ERROR: Locked Account");
            throw new AccountLockedException();
        } catch (AlreadyAuthenticatedException e) {
            logger.error("LOGIN ERROR: User Already Logged In");
            throw new AlreadyLoggedInException();
        } catch (SessionNotAvailableException e) {
            logger.error("LOGIN ERROR: Another user logged in using current browser");
            throw new BrowserSessionTakenException();
        } catch (Exception e) {
            logger.error(e.getMessage());
            logger.error("LOGIN ERROR: General Unspecific Login Failure");
            return null;
        }
    }
}


Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
A little update with my discoveries so far.

The code breaks when upgrading from shiro 1.2.6 to shiro 1.3.0.

I was able to access the server side as soon as I modified the URLs in
Shiro.ini to reflect path without the slash "/" at the beginning of the
path:

[urls]

<web_app>/FileUploadServlet = authc
<web_app>/FileDownloadServlet = authc
<web_app>/UserUnloadServlet = authc
<web_app>/soa_service = authc
<web_app>/data_update = authc
<web_app>/data_view = authc
<web_app>/load_lists = authc
<web_app>/error_services = authc
<web_app>/query_db = authc
<web_app>.html = authc

Also, another discovery is that currentUser.isAuthenticated() returns TRUE
with Shiro 1.2.6 and FALSE with Shiro 1.3.0. That's why my application was
not loading. This is the code used for that:

Subject currentUser = SecurityUtils.getSubject();
if (currentUser.isAuthenticated()) { 
  return true;
} else {
  return false;
}

So, I have to figure out if I need to call the current user in a different
way, or is there something that I need to change in my shiro.ini.

ANY suggestion would be very much appreciated. 


Re: Shiro - Session Loss

Posted by Brian Demers <br...@gmail.com>.
You have two SLF4J implementations on your class path, I’m guessing you need to remove SLF4J-simple.

-Brian

> On May 31, 2021, at 9:59 AM, alina.frey <af...@goscis.com> wrote:
> 
> I have slf4j-log4j12-1.7.9.jar alongside log4j-1.2.17.jar.
> Please see attached an image of all the libraries that are included in the
> class path.
> 
> <http://shiro-user.582556.n2.nabble.com/file/t396689/Libraries.jpg> 
> 
> 
> 
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Shiro - Session Loss

Posted by Brian Demers <br...@gmail.com>.
Were you able to get the log output?

On Fri, Jun 18, 2021 at 3:50 PM alina.frey <af...@goscis.com> wrote:

> A little update with my discoveries so far.
>
> The code breaks when upgrading from shiro 1.2.6 to shiro 1.3.0.
>
> I was able to access the server side as soon as I modified the URLs in
> Shiro.ini to reflect path without the slash "/" at the beginning of the
> path:
>
> [urls]
>
> <web_app>/FileUploadServlet = authc
> <web_app>/FileDownloadServlet = authc
> <web_app>/UserUnloadServlet = authc
> <web_app>/soa_service = authc
> <web_app>/data_update = authc
> <web_app>/data_view = authc
> <web_app>/load_lists = authc
> <web_app>/error_services = authc
> <web_app>/query_db = authc
> <web_app>.html = authc
>
> Also, another discovery is that currentUser.isAuthenticated() returns TRUE
> with Shiro 1.2.6 and FALSE with Shiro 1.3.0. That's why my application was
> not loading. This is the code used for that:
>
> Subject currentUser = SecurityUtils.getSubject();
> if (currentUser.isAuthenticated()) {
>   return true;
> } else {
>   return false;
> }
>
> Also, currentUser.getPrincipal() returns null with shiro 1.3.0, while it
> returns the logged in user with shiro 1.2.6.
>
> So, I have to figure out if I need to call the current user in a different
> way, or is there something that I need to change in my shiro.ini.
>
> ANY suggestion would be very much appreciated.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
A little update with my discoveries so far.

The code breaks when upgrading from shiro 1.2.6 to shiro 1.3.0.

I was able to access the server side as soon as I modified the URLs in
Shiro.ini to reflect path without the slash "/" at the beginning of the
path:

[urls]

<web_app>/FileUploadServlet = authc
<web_app>/FileDownloadServlet = authc
<web_app>/UserUnloadServlet = authc
<web_app>/soa_service = authc
<web_app>/data_update = authc
<web_app>/data_view = authc
<web_app>/load_lists = authc
<web_app>/error_services = authc
<web_app>/query_db = authc
<web_app>.html = authc

Also, another discovery is that currentUser.isAuthenticated() returns TRUE
with Shiro 1.2.6 and FALSE with Shiro 1.3.0. That's why my application was
not loading. This is the code used for that:

Subject currentUser = SecurityUtils.getSubject();
if (currentUser.isAuthenticated()) {
  return true;
} else {
  return false;
}

Also, currentUser.getPrincipal() returns null with shiro 1.3.0, while it
returns the logged in user with shiro 1.2.6.

So, I have to figure out if I need to call the current user in a different
way, or is there something that I need to change in my shiro.ini.

ANY suggestion would be very much appreciated.

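
For reference on the [urls] change above: Shiro matches the patterns in [urls] against the request path relative to the web application's context root (the context path itself is not part of the pattern), the first matching line wins, and a request that matches no line is passed through with no Shiro filter at all, so an unmatched servlet path is neither protected nor attached to the Shiro session handling. The fragment below is an added illustration of a filter-driven login configuration in the style of the Shiro web sample; it is not the configuration from this thread, and the login page, success page, cookie name and paths are placeholders.

```ini
[main]
# Form login handled by the built-in "authc" filter: a GET on the login URL
# shows the page, a POST with "username" and "password" parameters is
# authenticated by the ShiroFilter before any servlet code runs, and the
# Subject is already logged in by the time the success page is rendered.
shiro.loginUrl = /login.jsp
shiro.successUrl = /index.jsp

# Session cookie; the name is a placeholder. Path=/ scopes it to the whole
# application so every servlet path gets it back.
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = example.session
cookie.path = /
cookie.httpOnly = true
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdCookie = $cookie
sessionManager.globalSessionTimeout = 900000
securityManager.sessionManager = $sessionManager

[urls]
# Patterns are context-relative: with the app deployed under /myapp, a
# request for /myapp/data_view is matched against "/data_view".
# First matching line wins; a request matching no line gets no filter.
/login.jsp = authc
/logout = logout
/static/** = anon
/** = authc
```

The catch-all `/** = authc` line is the practical safeguard here: with it, a servlet path that is mistyped or omitted above still requires an authenticated Subject instead of silently bypassing Shiro.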

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
I have slf4j-log4j12-1.7.9.jar alongside log4j-1.2.17.jar.
Please see attached an image of all the libraries that are included in the
class path.

<http://shiro-user.582556.n2.nabble.com/file/t396689/Libraries.jpg> 


Re: Shiro - Session Loss

Posted by Brian Demers <br...@gmail.com>.
Do you have the SLF4J log4j implementation on your class path?

http://logging.apache.org/log4j/2.x/log4j-slf4j-impl/

-Brian

> On May 28, 2021, at 3:28 PM, alina.frey <af...@goscis.com> wrote:
> 
> I set up Shiro to the last working version: shiro-all-1.2.6.jar
> Set logging to DEBUG, in log4j.properties:
> 
> # Default Shiro logging
> log4j.logger.org.apache.shiro=DEBUG
> log4j.logger.org.apache.shiro.realm.text.PropertiesRealm=DEBUG
> log4j.logger.org.apache.shiro.cache.ehcache.EhCache=DEBUG
> log4j.logger.org.apache.shiro.io=DEBUG
> log4j.logger.org.apache.shiro.web.servlet=DEBUG
> log4j.logger.org.apache.shiro.util.ThreadContext=DEBUG
> 
> Logging in successfully, but Shiro logs are NOT printed out.
> 
> What am I supposed to see?
> Are there any examples of shiro logs anywhere? Just so I can get an idea
> what I'm looking for.
> I assume the logs would be printed out in the log file mentioned in the
> log4j.properties, correct?
> 
> 
> 
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
I set up Shiro to the last working version: shiro-all-1.2.6.jar
Set logging to DEBUG, in log4j.properties:

# Default Shiro logging
log4j.logger.org.apache.shiro=DEBUG
log4j.logger.org.apache.shiro.realm.text.PropertiesRealm=DEBUG
log4j.logger.org.apache.shiro.cache.ehcache.EhCache=DEBUG
log4j.logger.org.apache.shiro.io=DEBUG
log4j.logger.org.apache.shiro.web.servlet=DEBUG
log4j.logger.org.apache.shiro.util.ThreadContext=DEBUG

Logging in successfully, but Shiro logs are NOT printed out.

What am I supposed to see?
Are there any examples of shiro logs anywhere? Just so I can get an idea
what I'm looking for.
I assume the logs would be printed out in the log file mentioned in the
log4j.properties, correct?


Re: Shiro - Session Loss

Posted by Brian Demers <br...@gmail.com>.
With that log configuration, you should see Shiro log events on every request. I’d suggest turning up that last one “ThreadContext” to at least debug as well.

You can try to turn them up to “trace” as well. 

I’d suggest taking a step back and changing one thing at a time (this is still my go to strategy when debugging a problem).  Go back to your working version and increase the logging (make sure you see log output from Shiro).

Once you have that going, increase the Shiro version and repeat the process, compare the logs and look for differences.

If that doesn’t help I’d recommend creating a simple standalone app that will reproduce the problem, put on GitHub (or similar) and we can take a look.

-Brian

> On May 27, 2021, at 3:17 PM, alina.frey <af...@goscis.com> wrote:
> 
> ThreadContext

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
I am printing logs on both sides Client and Server sides, but I cannot see
any error that would help me find out why after Shiro login, the Server side
is not reachable anymore. Please see below the error caught in the Client
side after Shiro login and the Server is not reachable anymore. It's the
content of <app_name>_main.html mentioned in shiro.ini > shiro.loginUrl

For logging, I'm using the following Loggers:
- For the client side: com.allen_sauer.gwt.log.client.Log 
- For the server side: org.apache.log4j.Logger


A few questions:
1. Would shiro print OTHER messages, aside from the ones that my application
is already printing?
2. If so, do I need to add anything else to the log4j.properties (see
below)?
3. Do I need to add anything else to shiro.ini to make logs visible?



================================
log4j.properties
================================
# Do not inherit appenders from the root logger.
log4j.additivity.default=false

# Set root logger level and attach zero or more appenders.
log4j.rootLogger=DEBUG, file

# Set up the file appender.
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.Name=<application_name>Logger
log4j.appender.file.File=<path-to-log-file>.log
log4j.appender.file.MaxFileSize=2MB
log4j.appender.file.MaxBackupIndex=25
log4j.appender.file.ImmediateFlush=true
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%-6p%d{DATE} - %C{1}.%M:%L -
%m%n

# Default Shiro logging
log4j.logger.org.apache.shiro=DEBUG
#log4j.logger.org.apache.shiro.realm.text.PropertiesRealm=INFO
#log4j.logger.org.apache.shiro.cache.ehcache.EhCache=INFO
#log4j.logger.org.apache.shiro.io=INFO
#log4j.logger.org.apache.shiro.web.servlet=INFO
log4j.logger.org.apache.shiro.util.ThreadContext=INFO




================================
shiro.ini
================================

[main]

# authorization paths
shiro.loginUrl = /<app_name>_main.html

#Sha256 encryption
credentialsMatcher =
org.apache.shiro.authc.credential.Sha256CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024

# Oracle DataSource JNDI Remote Connection (Production)
ds = org.apache.shiro.jndi.JndiObjectFactory  
ds.requiredType = javax.sql.DataSource  
ds.resourceName = jdbc/dbConnectionDS

# JDBC Realm Setup
jdbcRealm = <path_to_app>.server.auth.CustomJdbcRealm

jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource = $ds
jdbcRealm.credentialsMatcher = $credentialsMatcher

### SQL Queries, Modified and System Default
# User Query
jdbcRealm.authenticationQuery = SELECT password, salt FROM <users_table>
WHERE user_id = ?

# User Roles
jdbcRealm.userRolesQuery = SELECT lab_id FROM <users_table> WHERE user_id =
?

# User Permissions
jdbcRealm.permissionsLookupEnabled = false

# Set Security Manager Properties
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = <session_name>.session
cookie.path = /;
#sessionValidationScheduler =
org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
#sessionValidationScheduler.interval = 180000
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
sessionManager.sessionIdCookie = $cookie
# Session timeout in msec...currently 15 mins
sessionManager.globalSessionTimeout = 900000
#sessionManager.sessionValidationScheduler = $sessionValidationScheduler
securityManager = <path_to_app>.server.auth.UniquePrincipalSecurityManager
securityManager.sessionManager = $sessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $jdbcRealm

[users]


[roles]


[urls]

/<app_name>_main.html = authc
/logout = logout
/<app_name>/FileUploadServlet = authc
/<app_name>/FileDownloadServlet = authc
/<app_name>/UserUnloadServlet = authc
/<app_name>/soa_service = authc
/<app_name>/data_update = authc
/<app_name>/data_view = authc
/<app_name>/load_lists = authc
/<app_name>/error_services = authc
/<app_name>/query_db = authc




================================
Error caught on Client side after 
Shiro login and 
Server not being reachable anymore.
It's the content of <app_name>_main.html mentioned in shiro.ini >
shiro.loginUrl
================================


caught: <html>
  <head>
  	<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
  	<meta http-equiv="content-type" content="text/html; charset=UTF-8">

    <link type="text/css" rel="stylesheet" href="<app_name>_main.css">
    <title>application_name</title>
    <script type="text/javascript" src="<app_name>/<app_name>.nocache.js"></script>
    <script type="text/javascript" src="<app_name>/UnloadUser.js"></script>
  </head>
  
  <body>
  	
  	<div id="main_container"></div>
  

    
    <iframe src="javascript:''" id="__gwt_historyFrame" tabIndex='-1'
style="position:absolute;width:0;height:0;border:0"></iframe>
    
    
    <noscript>
      <div>
        Your web browser must have JavaScript enabled
        in order for this application to display correctly.
      </div>
    </noscript>
    


  </body>
  
</html>
 from StaticListsService_Proxy.getLabs
cause: null
StackTrace:
Unknown.Sc(<app_name>-0.js),Unknown.Kd(<app_name>-0.js),Unknown.new
TZ(<app_name>-0.js),Unknown.b3(<app_name>-0.js),Unknown.vj(<app_name>-0.js),Unknown.Jj(<app_name>-0.js),Unknown.eval(<app_name>-0.js),Unknown.ie(<app_name>-0.js),Unknown.le(<app_name>-0.js),Unknown.eval(<app_name>-0.js)



Re: Shiro - Session Loss

Posted by Brian Demers <br...@gmail.com>.
Oh, a GWT app.

My suggestion would be to turn up logging on both sides.  I'm assuming that
InvocationException has a cause.  You set `org.apache.shiro` log level to
DEBUG or TRACE, and you should be able to get more info.

On Tue, May 25, 2021 at 3:04 PM alina.frey <af...@goscis.com> wrote:

> I tried to pinpoint at what version of Shiro my application starts to lose
> session.
> So, nothing is changed in my application other than the shiro library.
>         Discovered that the session loss happens starting with Shiro 1.3.2.
>                 o       shiro-all.1.2.3.jar: No session loss. Login works.
> - Current version
>                 o       shiro-all.1.2.6.jar: No session loss. Login works.
>                 o       shiro-all.1.3.2.jar: Session loss!!
>         Need to figure out what changed between version 1.2.6. and 1.3.2,
> and
> change settings.
>         Maybe shiro.ini needs to change, but I don't know what to change.
>
> Narrowing down to where the application actually crashes:
>         o       In UserLoginWindow.loginAttempt - Client side
>                         > MainEntryPoint.loginService.tryLogin(username,
> password, callBack) -
> Client side
>                                 > LoginServiceImpl.tryLogin(username,
> password) - Server side
>                                         > The user is authenticated (Log
> messages from server side are
> visible).
>                         > the callBack is onSuccess - Client side
>         o       Inside onSuccess:
>                         > The callBack returns the UserLoginBean, which is
> not null and all
> properties (username, password, etc.) have assigned value, with the
> exception of sToken
>                         > there are three cases:
>                                 1.      userLoginBean = null - this is the
> case where Access is denied, and
> it prompts the user to login again
>                                 2.      userLoginBean.getSalt == null -
> this is the case where the user needs
> to change password
>                                 3.      All other cases
>                         > In our case we are passing the first two steps,
> landing in the third
> case.
>                         > In the third case, it calls a few functions,
> from the Client side to
> the Server side, but it looks like the application never reaches the server
> side.
>                         > The very first function that is called from the
> Client side to the
> Server side returns onFailure in its callBack!! - This is where the
> sessionID that is displayed in the web browser changes.
>                         > Every other function that is called after this,
> from the Client side to
> the Server side, returns onFailure.
>
> So, in conclusion, it looks like the application crashes right after the
> user is logged in with Shiro 1.3.2, and ANY call is made from the Client
> side to the Server side.
>
> To answer the follow-ups:
>
> 1. What is the error message that displays on your login page?
> The message that is displayed is a general message for the cases when the
> exception caught is an instance of
> com.google.gwt.user.client.rpc.InvocationException. The actual text
> displayed is "The session has expired. The user needs to relogin." But it's
> not relevant, as it doesn't explain why it's an InvocationException :).
>
> 2. What else changed in your application?
> Nothing other than changing Shiro from 1.2.3 to 1.2.6 to 1.3.2. Shiro 1.3.2
> breaks the application.
>
> 3. Do you have a minimal repro example you can share on GitHub (or
> similar)?
> I do not have one, and I don't think I can share much :).
>
> 4. Were you able to look at the cookies in your browser?
> Yes, I can see the sessionID in the browser. For Shiro 1.2.3 and 1.2.6, the
> sessionID stays the same and the application is able to load after
> successful login.
> When Shiro is changed to 1.3.2, the sessionID changes, right after the user
> is authenticated on the server side. On the Client side under callBack
> onSuccess, the very first function that is called is a call to Server side.
> That function returns onFailure, like every other function after that,
> which
> are calls to the Server side.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
I tried to pinpoint at what version of Shiro my application starts to lose
session.
So, nothing is changed in my application other than the shiro library.
	Discovered that the session loss happens starting with Shiro 1.3.2.
		o	shiro-all.1.2.3.jar: No session loss. Login works. - Current version
		o	shiro-all.1.2.6.jar: No session loss. Login works.
		o	shiro-all.1.3.2.jar: Session loss!!
	Need to figure out what changed between version 1.2.6. and 1.3.2, and
change settings. 
	Maybe shiro.ini needs to change, but I don't know what to change.

Narrowing down to where the application actually crashes:
	o	In UserLoginWindow.loginAttempt - Client side
			> MainEntryPoint.loginService.tryLogin(username, password, callBack) -
Client side
				> LoginServiceImpl.tryLogin(username, password) - Server side
					> The user is authenticated (Log messages from server side are
visible).
			> the callBack is onSuccess - Client side
	o	Inside onSuccess:
			> The callBack returns the UserLoginBean, which is not null and all
properties (username, password, etc.) have assigned value, with the
exception of sToken
			> there are three cases:
				1.	userLoginBean = null - this is the case where Access is denied, and
it prompts the user to login again
				2.	userLoginBean.getSalt == null - this is the case where the user needs
to change password
				3.	All other cases
			> In our case we are passing the first two steps, landing in the third
case.
			> In the third case, it calls a few functions, from the Client side to
the Server side, but it looks like the application never reaches the server
side.
			> The very first function that is called from the Client side to the
Server side returns onFailure in its callBack!! - This is where the
sessionID that is displayed in the web browser changes. 
			> Every other function that is called after this, from the Client side to
the Server side, returns onFailure.
			
So, in conclusion, it looks like the application crashes right after the
user is logged in with Shiro 1.3.2, and ANY call is made from the Client
side to the Server side.

To answer the follow-ups:

1. What is the error message that displays on your login page?
The message that is displayed is a general message for the cases when the
exception caught is an instance of
com.google.gwt.user.client.rpc.InvocationException. The actual text
displayed is "The session has expired. The user needs to relogin." But it's
not relevant, as it doesn't explain why it's an InvocationException :).

2. What else changed in your application?
Nothing other than changing Shiro from 1.2.3 to 1.2.6 to 1.3.2. Shiro 1.3.2
breaks the application.

3. Do you have a minimal repro example you can share on GitHub (or similar)?
I do not have one, and I don't think I can share much :).

4. Were you able to look at the cookies in your browser?
Yes, I can see the sessionID in the browser. For Shiro 1.2.3 and 1.2.6, the
sessionID stays the same and the application is able to load after
successful login.
When Shiro is changed to 1.3.2, the sessionID changes, right after the user
is authenticated on the server side. On the Client side under callBack
onSuccess, the very first function that is called is a call to Server side.
That function returns onFailure, like every other function after that, which
are calls to the Server side.


Re: Shiro - Session Loss

Posted by fp...@apache.org.
Hi,

You also have an overview of the jira tickets on the release notes:

https://github.com/apache/shiro/blob/1.7.x/RELEASE-NOTES

regards,

François
fpapon@apache.org

Le 24/05/2021 à 17:23, Brian Demers a écrit :
> Release notes: https://shiro.apache.org/news.html
> <https://shiro.apache.org/news.html> (includes links to release notes)
> Diffs: https://github.com/apache/shiro/compare/shiro-root-1.2.6..shiro-root-1.3.2
> <https://github.com/apache/shiro/compare/shiro-root-1.2.6..shiro-root-1.3.2>
>
> Follow-ups:
> What is the error message that displays on your login page?
> What else changed in your application?
> Do you have a minimal repro example you can share on GitHub (or similar)?
> Were you able to look at the cookies in your browser?
>
>
> On Sun, May 23, 2021 at 5:54 PM alina.frey <afrey@goscis.com
> <ma...@goscis.com>> wrote:
>
>     Does anybody know where I can find info regarding what changed
>     from one
>     version of Shiro to another? Specifically I'm interested what
>     changed from
>     version 1.2.6 to version 1.3.2.
>
>     shiro-all-1.2.3.jar: No session loss. Login works. - Current Shiro.
>     shiro-all-1.2.6.jar: No session loss. Login works.
>     shiro-all-1.3.2.jar: Session loss!!!
>
>
>
>     --
>     Sent from: http://shiro-user.582556.n2.nabble.com/
>     <http://shiro-user.582556.n2.nabble.com/>
>

Re: Shiro - Session Loss

Posted by Brian Demers <br...@gmail.com>.
Release notes: https://shiro.apache.org/news.html (includes links to
release notes)
Diffs:
https://github.com/apache/shiro/compare/shiro-root-1.2.6..shiro-root-1.3.2

Follow-ups:
What is the error message that displays on your login page?
What else changed in your application?
Do you have a minimal repro example you can share on GitHub (or similar)?
Were you able to look at the cookies in your browser?


On Sun, May 23, 2021 at 5:54 PM alina.frey <af...@goscis.com> wrote:

> Does anybody know where I can find info regarding what changed from one
> version of Shiro to another? Specifically I'm interested what changed from
> version 1.2.6 to version 1.3.2.
>
> shiro-all-1.2.3.jar: No session loss. Login works. - Current Shiro.
> shiro-all-1.2.6.jar: No session loss. Login works.
> shiro-all-1.3.2.jar: Session loss!!!
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
Does anybody know where I can find info regarding what changed from one
version of Shiro to another? Specifically I'm interested what changed from
version 1.2.6 to version 1.3.2.

shiro-all-1.2.3.jar: No session loss. Login works. - Current Shiro.
shiro-all-1.2.6.jar: No session loss. Login works.
shiro-all-1.3.2.jar: Session loss!!!


Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
Replying to Benjamin's question related to Shiro versions where we start
seeing the session loss behavior:

shiro-all-1.2.3.jar: No session loss. Login works. - Current Shiro.
shiro-all-1.2.6.jar: No session loss. Login works.
shiro-all-1.3.2.jar: Session loss!!!

So what I need to find out is what changed between 1.2.6 and 1.3.2, to
narrow down what I should look for.


Re: Shiro - Session Loss

Posted by Brian Demers <br...@gmail.com>.
Responses inline:

On Wed, May 19, 2021 at 5:31 PM alina.frey <af...@goscis.com> wrote:

> 1. Anything in your logs?
> If you are referring to Shiro logs, I don't know where they are recorded.
> If you are referring to logs capture by my application, I do not see any of
> the errors that would be thrown by the supporting code below.
>

Your application logs, Shiro uses slf4j (de facto standard logging api),
but where the logs go is up to your application.


>
> 2. What happens when the user isn't able to login? Are they redirected back
> to the login page?
> Yes. A relevant message is displayed in a pop up, and then the same login
> page is displayed.
>

What is the "relevant" message (that part sounds important)?


>
> 3. Is your browser rejecting the cookie? (or is it sent back to the server
> on the next request?)
> Where do I need to look to see this? Where do I see the requests that are
> being sent? In the Console or Network tabs of browser's Developer Tools?
>

Personally I used the networking tab of my browsers developer
console/tools.  You should be able to see the `Set-Cookie` header in the
response from your server, and the browser should set a `Cookie` header
when making requests back to your server.

Your following code might actually be the problem, you _shouldn't_ need to
do any of that, The `ShiroFilter` will do all of this for you.
For example in this example just adds a login page that will post the
user/pass to the login.jsp:
https://github.com/apache/shiro/blob/shiro-root-1.7.1/samples/web/src/main/webapp/WEB-INF/shiro.ini#L59
(this is intercepted by the ShiroFilter)

That said, that isn't a one-size-fits-all solution, but in those cases you
still need to make sure the `ShiroFilter` gets executed early enough in
your request that the `Subject` is created before you execute your code.

For example this  (in your code below) _shouldn't_ happen, as the subject
would have been created automatically for you (even if it's anonymous user)

```
Subject newUser = SecurityUtils.getSubject();
if (newUser != null) {
    logger.debug("SessionID prior to logging in: " + newUser.getSession().getId());
}
```


> Here is the supporting code for logging in with Shiro:
>
>         public UserLoginBean tryLogin(String username, String password)
> throws
> Exception {
>         //check for null username or password
>                 if(){//return null;}
>
>         // get the login bean based on the user id
>         UserLoginBean loginBean = getUserRecord(username);
>
>         // user does not exist
>         if(){//return null;}
>
>         // password must have been reset to plain text
>         else if (loginBean.getSalt() == null) {...}
>
>         // password is encrypted so verify user login
>         else {
>                         try {
>                 // get the currently executing user and create token
>                 Subject newUser = SecurityUtils.getSubject();
>
>                 if (newUser != null) {
>
>                                         logger.debug("SessionID prior to
> logging in: " +
> newUser.getSession().getId());
>
>                     ...
>
>                     // The username and password authentication token. Set
> rememberMe to false
>                     UsernamePasswordToken token = new
> UsernamePasswordToken(username, password.toCharArray(), false);
>                                         newUser.login(token);
>
>                     ...
>
>
>                     logger.debug("SessionID after to logging in: " +
> newUser.getSession().getId());
>                     logger.debug("Is user authenticated? " +
> newUser.isAuthenticated());
>
>                 }
>                                 ...
>
>                 // successful login
>                                 logger.info("!!!!!!! Successful login
> !!!!!!! ");
>                 return loginBean;
>
>             } catch (UnknownAccountException e) {
>                 logger.error("LOGIN ERROR: No Such User Exists");
>                 throw new InvalidLoginException();
>             } catch (IncorrectCredentialsException e) {
>                 logger.error("LOGIN ERROR: Invalid Password");
>                 throw new InvalidLoginException();
>             } catch (LockedAccountException e) {
>                 logger.error("LOGIN ERROR: Locked Account");
>                 throw new AccountLockedException();
>             } catch (AlreadyAuthenticatedException e) {
>                 logger.error("LOGIN ERROR: User Already Logged In");
>                 throw new AlreadyLoggedInException();
>             } catch (SessionNotAvailableException e) {
>                 logger.error("LOGIN ERROR: Another user logged in using
> current browser");
>                 throw new BrowserSessionTakenException();
>             } catch (Exception e) {
>                 logger.error(e.getMessage());
>                 logger.error("LOGIN ERROR: General Unspecific Login
> Failure");
>                 return null;
>             }
>         }
>     }
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>
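
As an added example (not code from this thread or from Apache Shiro), here is a small checker for the `Set-Cookie`/`Cookie` exchange described above: it replays a constructed trace of request and response headers and flags the symptom from the original report (a fresh session id issued even though the browser presented one), a `Secure` cookie on a plain-http origin (Ben's reply later in the thread notes cookies are secure by default in 1.7), and a `Path` that does not cover the request. The cookie name `myapp.session`, the paths and the session ids are constructed stand-ins for the `<session_name>.session` cookie and app URLs in the shiro.ini posted below.

```python
# Added example, not from the thread or from Apache Shiro: replay a captured
# request/response trace and explain why a session cookie stops coming back.
# COOKIE_NAME, the paths and the session ids are constructed stand-ins for
# the <session_name>.session cookie and app URLs in the thread's shiro.ini.

COOKIE_NAME = "myapp.session"

def parse_set_cookie(header):
    """Return (value, attrs) if a Set-Cookie header carries COOKIE_NAME, else None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    if name.strip() != COOKIE_NAME:
        return None
    attrs = {"secure": False, "httponly": False, "path": "/"}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "path":
            attrs["path"] = val.strip() or "/"
        elif key in attrs:
            attrs[key] = True            # Secure / HttpOnly are value-less flags
    return value.strip(), attrs

def cookie_from_request(header):
    """Return the COOKIE_NAME value the browser sent in a Cookie header, else None."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None

def analyze(trace, scheme="https"):
    """Walk (request path, Cookie header, Set-Cookie header) steps; return findings."""
    findings = []
    issued = None                        # session id the server most recently issued
    for i, (path, cookie, set_cookie) in enumerate(trace, 1):
        sent = cookie_from_request(cookie or "")
        if issued and sent != issued:    # browser dropped or never stored the cookie
            findings.append(f"step {i}: browser did not return session {issued}")
        parsed = parse_set_cookie(set_cookie or "")
        if parsed is None:
            continue
        new_id, attrs = parsed
        if sent and new_id != sent:      # the symptom from the thread
            findings.append(f"step {i}: server replaced session {sent} with {new_id}")
        if attrs["secure"] and scheme == "http":
            findings.append(f"step {i}: Secure cookie issued over http, browser will drop it")
        if not path.startswith(attrs["path"]):
            findings.append(f"step {i}: Path {attrs['path']!r} does not cover {path!r}")
        issued = new_id
    return findings

# Constructed traces: HEALTHY keeps one id; REPLACED shows the thread's symptom.
SC = "; Path=/; HttpOnly; Secure"        # Secure is the 1.7 default the thread mentions
HEALTHY = [("/myapp_main.html", None, "myapp.session=a1b2" + SC),
           ("/myapp/data_view", "myapp.session=a1b2", None)]
REPLACED = [("/myapp_main.html", None, "myapp.session=a1b2" + SC),
            ("/myapp_main.html", "myapp.session=a1b2", "myapp.session=c3d4" + SC),
            ("/myapp/data_view", "myapp.session=c3d4", None)]
```

Running `analyze(HEALTHY, scheme="http")` shows the Secure-over-http case: the very first cookie is flagged even though the exchange itself looks fine.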

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
1. Anything in your logs?
If you are referring to Shiro logs, I don't know where they are recorded.
If you are referring to logs captured by my application, I do not see any of
the errors that would be thrown by the supporting code below.

2. What happens when the user isn't able to login? Are they redirected back
to the login page?
Yes. A relevant message is displayed in a pop up, and then the same login
page is displayed.

3. Is your browser rejecting the cookie? (or is it sent back to the server
on the next request?)
Where do I need to look to see this? Where do I see the requests that are
being sent? In the Console or Network tabs of browser's Developer Tools?

Here is the supporting code for logging in with Shiro:

    public UserLoginBean tryLogin(String username, String password) throws Exception {
        // check for null username or password
        if (username == null || password == null) { return null; }

        // get the login bean based on the user id
        UserLoginBean loginBean = getUserRecord(username);

        // user does not exist
        if (loginBean == null) { return null; }

        // password must have been reset to plain text
        else if (loginBean.getSalt() == null) { ... }

        // password is encrypted so verify user login
        else {
            try {
                // get the currently executing user and create token
                Subject newUser = SecurityUtils.getSubject();

                if (newUser != null) {
                    logger.debug("SessionID prior to logging in: " + newUser.getSession().getId());

                    ...

                    // The username and password authentication token. Set rememberMe to false
                    UsernamePasswordToken token = new UsernamePasswordToken(username, password.toCharArray(), false);
                    newUser.login(token);

                    ...

                    logger.debug("SessionID after logging in: " + newUser.getSession().getId());
                    logger.debug("Is user authenticated? " + newUser.isAuthenticated());
                }
                ...

                // successful login
                logger.info("!!!!!!! Successful login !!!!!!! ");
                return loginBean;

            } catch (UnknownAccountException e) {
                logger.error("LOGIN ERROR: No Such User Exists");
                throw new InvalidLoginException();
            } catch (IncorrectCredentialsException e) {
                logger.error("LOGIN ERROR: Invalid Password");
                throw new InvalidLoginException();
            } catch (LockedAccountException e) {
                logger.error("LOGIN ERROR: Locked Account");
                throw new AccountLockedException();
            } catch (AlreadyAuthenticatedException e) {
                logger.error("LOGIN ERROR: User Already Logged In");
                throw new AlreadyLoggedInException();
            } catch (SessionNotAvailableException e) {
                logger.error("LOGIN ERROR: Another user logged in using current browser");
                throw new BrowserSessionTakenException();
            } catch (Exception e) {
                logger.error(e.getMessage());
                logger.error("LOGIN ERROR: General Unspecific Login Failure");
                return null;
            }
        }
    }



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
I'm new to Shiro. How do I check if sessionDAO may be over-spilling?



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Shiro - Session Loss

Posted by Tamás Cservenák <ta...@cservenak.net>.
sessionDAO is the enterprise cache DAO...

We were losing sessions when our cache was misconfigured (like LRU was set
with some low size). Check your sessionDAO, it may be overspilling?

Hth
T


On Wed, May 19, 2021, 19:36 Brian Demers <br...@gmail.com> wrote:

> Anything in your logs?
>
> What happens when the user isn't able to login? Are they redirected back
> to the login page?
>
> Is your browser rejecting the cookie? (or is it sent back to the server
> on the next request?)
>
> On Wed, May 19, 2021 at 12:04 PM alina.frey <af...@goscis.com> wrote:
>
>> I will try to replace Shiro with intermediary versions between 1.2.3 and ,
>> and will get back to you with results.
>>
>> Meanwhile, here is what I have in the shiro.ini file.
>>
>>
>>
>>
>> # =======================
>> # Shiro INI configuration
>> # =======================
>>
>> [main]
>>
>> # authorization paths
>> shiro.loginUrl = /<app_name>_main.html
>>
>> #Sha256 encryption
>> credentialsMatcher =
>> org.apache.shiro.authc.credential.Sha256CredentialsMatcher
>> credentialsMatcher.storedCredentialsHexEncoded = false
>> credentialsMatcher.hashIterations = 1024
>>
>> # Oracle DataSource JNDI Remote Connection (Production)
>> ds = org.apache.shiro.jndi.JndiObjectFactory
>> ds.requiredType = javax.sql.DataSource
>> ds.resourceName = jdbc/dbConnectionDS
>>
>> # JDBC Realm Setup
>> jdbcRealm = <path_to_app>.server.auth.CustomJdbcRealm
>>
>> jdbcRealm.permissionsLookupEnabled = true
>> jdbcRealm.dataSource = $ds
>> jdbcRealm.credentialsMatcher = $credentialsMatcher
>>
>> ### SQL Queries, Modified and System Default
>> # User Query
>> jdbcRealm.authenticationQuery = SELECT password, salt FROM <users_table>
>> WHERE user_id = ?
>>
>> # User Roles
>> jdbcRealm.userRolesQuery = SELECT lab_id FROM <users_table> WHERE user_id
>> =
>> ?
>>
>> # User Permissions
>> jdbcRealm.permissionsLookupEnabled = false
>>
>> # Set Security Manager Properties
>> cookie = org.apache.shiro.web.servlet.SimpleCookie
>> cookie.name = <session_name>.session
>> cookie.path = /;
>> #sessionValidationScheduler =
>> org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
>> #sessionValidationScheduler.interval = 180000
>> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
>> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> sessionManager.sessionDAO = $sessionDAO
>> sessionManager.sessionIdCookie = $cookie
>> # Session timeout in msec...currently 15 mins
>> sessionManager.globalSessionTimeout = 900000
>> #sessionManager.sessionValidationScheduler = $sessionValidationScheduler
>> securityManager = <path_to_app>.server.auth.UniquePrincipalSecurityManager
>> securityManager.sessionManager = $sessionManager
>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> securityManager.cacheManager = $cacheManager
>> securityManager.realms = $jdbcRealm
>>
>> [users]
>>
>>
>> [roles]
>>
>>
>> [urls]
>>
>> /<app_name>_main.html = authc
>> /logout = logout
>> /<app_name>/FileUploadServlet = authc
>> /<app_name>/FileDownloadServlet = authc
>> /<app_name>/UserUnloadServlet = authc
>> /<app_name>/soa_service = authc
>> /<app_name>/data_update = authc
>> /<app_name>/data_view = authc
>> /<app_name>/load_lists = authc
>> /<app_name>/error_services = authc
>> /<app_name>/query_db = authc
>>
>>
>>
>>
>> --
>> Sent from: http://shiro-user.582556.n2.nabble.com/
>>
>

Re: Shiro - Session Loss

Posted by Brian Demers <br...@gmail.com>.
Anything in your logs?

What happens when the user isn't able to login? Are they redirected back to
the login page?

Is your browser rejecting the cookie? (or is it sent back to the server on
the next request?)

On Wed, May 19, 2021 at 12:04 PM alina.frey <af...@goscis.com> wrote:

> I will try to replace Shiro with intermediary versions between 1.2.3 and ,
> and will get back to you with results.
>
> Meanwhile, here is what I have in the shiro.ini file.
>
>
>
>
> # =======================
> # Shiro INI configuration
> # =======================
>
> [main]
>
> # authorization paths
> shiro.loginUrl = /<app_name>_main.html
>
> #Sha256 encryption
> credentialsMatcher =
> org.apache.shiro.authc.credential.Sha256CredentialsMatcher
> credentialsMatcher.storedCredentialsHexEncoded = false
> credentialsMatcher.hashIterations = 1024
>
> # Oracle DataSource JNDI Remote Connection (Production)
> ds = org.apache.shiro.jndi.JndiObjectFactory
> ds.requiredType = javax.sql.DataSource
> ds.resourceName = jdbc/dbConnectionDS
>
> # JDBC Realm Setup
> jdbcRealm = <path_to_app>.server.auth.CustomJdbcRealm
>
> jdbcRealm.permissionsLookupEnabled = true
> jdbcRealm.dataSource = $ds
> jdbcRealm.credentialsMatcher = $credentialsMatcher
>
> ### SQL Queries, Modified and System Default
> # User Query
> jdbcRealm.authenticationQuery = SELECT password, salt FROM <users_table>
> WHERE user_id = ?
>
> # User Roles
> jdbcRealm.userRolesQuery = SELECT lab_id FROM <users_table> WHERE user_id =
> ?
>
> # User Permissions
> jdbcRealm.permissionsLookupEnabled = false
>
> # Set Security Manager Properties
> cookie = org.apache.shiro.web.servlet.SimpleCookie
> cookie.name = <session_name>.session
> cookie.path = /;
> #sessionValidationScheduler =
> org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
> #sessionValidationScheduler.interval = 180000
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> sessionManager.sessionDAO = $sessionDAO
> sessionManager.sessionIdCookie = $cookie
> # Session timeout in msec...currently 15 mins
> sessionManager.globalSessionTimeout = 900000
> #sessionManager.sessionValidationScheduler = $sessionValidationScheduler
> securityManager = <path_to_app>.server.auth.UniquePrincipalSecurityManager
> securityManager.sessionManager = $sessionManager
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> securityManager.realms = $jdbcRealm
>
> [users]
>
>
> [roles]
>
>
> [urls]
>
> /<app_name>_main.html = authc
> /logout = logout
> /<app_name>/FileUploadServlet = authc
> /<app_name>/FileDownloadServlet = authc
> /<app_name>/UserUnloadServlet = authc
> /<app_name>/soa_service = authc
> /<app_name>/data_update = authc
> /<app_name>/data_view = authc
> /<app_name>/load_lists = authc
> /<app_name>/error_services = authc
> /<app_name>/query_db = authc
>
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>

Re: Shiro - Session Loss

Posted by "alina.frey" <af...@goscis.com>.
I will try to replace Shiro with intermediary versions between 1.2.3 and ,
and will get back to you with results.

Meanwhile, here is what I have in the shiro.ini file.




# =======================
# Shiro INI configuration
# =======================

[main]

# authorization paths
shiro.loginUrl = /<app_name>_main.html

#Sha256 encryption
credentialsMatcher =
org.apache.shiro.authc.credential.Sha256CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024

# Oracle DataSource JNDI Remote Connection (Production)
ds = org.apache.shiro.jndi.JndiObjectFactory  
ds.requiredType = javax.sql.DataSource   
ds.resourceName = jdbc/dbConnectionDS

# JDBC Realm Setup
jdbcRealm = <path_to_app>.server.auth.CustomJdbcRealm

jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource = $ds
jdbcRealm.credentialsMatcher = $credentialsMatcher

### SQL Queries, Modified and System Default
# User Query
jdbcRealm.authenticationQuery = SELECT password, salt FROM <users_table>
WHERE user_id = ?

# User Roles
jdbcRealm.userRolesQuery = SELECT lab_id FROM <users_table> WHERE user_id =
?

# User Permissions
jdbcRealm.permissionsLookupEnabled = false

# Set Security Manager Properties 
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = <session_name>.session
cookie.path = /;
#sessionValidationScheduler =
org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
#sessionValidationScheduler.interval = 180000
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
sessionManager.sessionIdCookie = $cookie
# Session timeout in msec...currently 15 mins
sessionManager.globalSessionTimeout = 900000
#sessionManager.sessionValidationScheduler = $sessionValidationScheduler
securityManager = <path_to_app>.server.auth.UniquePrincipalSecurityManager
securityManager.sessionManager = $sessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $jdbcRealm

[users]


[roles]


[urls]

/<app_name>_main.html = authc
/logout = logout
/<app_name>/FileUploadServlet = authc
/<app_name>/FileDownloadServlet = authc
/<app_name>/UserUnloadServlet = authc
/<app_name>/soa_service = authc
/<app_name>/data_update = authc
/<app_name>/data_view = authc
/<app_name>/load_lists = authc
/<app_name>/error_services = authc
/<app_name>/query_db = authc




--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Shiro - Session Loss

Posted by Benjamin Marwell <bm...@apache.org>.
Hi Alina,

thanks for your report. Can you modify your test environment in such a
way that you can find the exact version where it happens for the first
time?
1.2.3 to 1.7.0 is quite a big leap.

Some random things which we modified and categorize as a breaking change:
Default ciphers were changed from an alias to their non-aliased names.
Cookies are secure by default.

Also helpful would be your shiro.ini or at least the realms you are using.

Thanks,
Ben


Am Mi., 19. Mai 2021 um 16:53 Uhr schrieb alina.frey <af...@goscis.com>:
>
> In my application I updated only the Shiro library, from shiro-all-1.2.3.jar
> to shiro-all-1.7.0.jar. I did not change any other libraries, nor
> configuration files, other than the build path to refer to the new Shiro
> library.
>
> Users that were able to login before, are now not able to. Digging in the
> log files, it shows that the users do actually get logged in, and a session
> is associated with them.
>
> Watching the session cookie in the browser. When the user tries to log in,
> the initial session cookie that is shown in the browser is the same as one
> recorded in the logs. This initial session cookie gets replaced immediately
> with a different one. Therefore the user cannot login into the application.
> Printing out all the active sessions: three sessions are displayed, and only
> the initial session is associated with the user. One of the other two
> sessions is the one displayed in the browser.
>
> Trying to figure what's happening and what causes this. Trying to figure out
> what settings do I need to change, to make the application work as before.
>
> Thanks a bunch!
> -Alina.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/