Posted to user@shiro.apache.org by David Stutzman <sh...@dstutz.com> on 2021/04/08 14:38:41 UTC

Re: Strange issue on logout

I went back and took another look at this and turned on trace logging 
and figured out the InvalidRequestFilter is tripping, specifically on a 
semicolon in the URL.  That filter was added in 1.6.0 hence that's the 
first version we see the issue.

So now the part I'm not sure about is how/why the URL is being modified 
after logout.  If I click the login button the URL in the browser is:
https://localhost:8443/app/login.xhtml;jsessionid=<snip> and, as 
advertised by the IRF, I get a 400 response code.

The logout process is done through a servlet with the following 
implementation:
     protected void processRequest(HttpServletRequest request,
                                   HttpServletResponse response)
             throws ServletException, IOException {
         SecurityUtils.getSubject().logout();
         request.getSession().invalidate();
         response.sendRedirect(request.getServletContext().getContextPath());
     }

And it is on the index page that things start to break.  There's a 
single image that doesn't load due to the request url having the 
jsessionid appended and that gets a 400 response and if I click the 
"Log In" button and it goes to that url (with the appended jsessionid), 
I get the main error that results in a blank page with just "Invalid 
request".

So am I doing something wrong in my logout logic or is this a Shiro issue?

Thanks!

On 12/17/2020 9:55 AM, Francois Papon wrote:
> Ok thanks, we will take a look.
>
> regards,
>
> François
> fpapon@apache.org
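A logout servlet that does not mint a fresh container session on the way out, as an added example (not David's servlet and not Shiro project code). It assumes Shiro's default servlet-container-backed sessions and a /logout mapping; the package and class name are made up. The point it adds over the snippet above is the `getSession(false)` check: the no-argument `request.getSession()` creates a session when none exists, and a session the container has not yet seen the browser return by cookie is exactly the state in which a container falls back to `;jsessionid=` URL rewriting. This only removes the session the logout request itself would create; the `<tracking-mode>COOKIE</tracking-mode>` setting David posts later in the thread is what stops the container rewriting URLs at all.

```java
package com.example.web; // hypothetical package for the example

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

/**
 * Added example, not the poster's servlet. Assumes Shiro's default
 * ServletContainerSessionManager (Shiro sessions backed by HttpSession)
 * and that the servlet is reached at /logout.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Shiro first: logout() clears the principals and authentication
        // state and stops the Shiro session, which with container-backed
        // sessions invalidates the underlying HttpSession.
        Subject subject = SecurityUtils.getSubject();
        subject.logout();

        // getSession(false) returns null instead of creating a session. The
        // no-argument getSession() used in the thread would create a fresh,
        // not-yet-cookie-confirmed session here.
        HttpSession leftover = request.getSession(false);
        if (leftover != null) {
            try {
                leftover.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // Shiro's logout already invalidated it; nothing left to do.
            }
        }

        // Redirect to the context root without response.encodeRedirectURL(),
        // so no session id is ever appended to the Location header.
        response.sendRedirect(request.getContextPath() + "/");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // A logout reachable by a plain GET link can be triggered cross-site
        // (logout CSRF). Keeping it POST-only is a deliberate choice in this
        // example; a JSF h:commandButton/h:commandLink posts, a bare <a href>
        // does not.
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

The try/catch around `invalidate()` is there because, with container-backed Shiro sessions, `Subject.logout()` has usually invalidated the HttpSession already; some containers then still hand back the stale object from `getSession(false)`, and invalidating it twice throws `IllegalStateException`.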

Re: Strange issue on logout

Posted by Brian Demers <br...@gmail.com>.
Thanks for following up David!

On Mon, Apr 12, 2021 at 9:54 AM David Stutzman <sh...@dstutz.com> wrote:

> Actually that created another error:
> 09:44:53,127 WARNING
> [javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-7)
> #{login.login()}: java.lang.IllegalStateException: UT010033: No session:
> javax.faces.FacesException: #{login.login()}:
> java.lang.IllegalStateException: UT010033: No session
>
> What appears to have fixed it for us is adding to the web.xml:
>      <session-config>
>          <tracking-mode>COOKIE</tracking-mode>
>      </session-config>
>
> Which appears to accomplish the same thing of getting the container to
> NOT write the jsessionid into the url and then have Shiro block it due
> to the semicolon.  It's quite possible we have other settings/setup that
> are getting in the way of turning off the url rewriting from within
> Shiro.  Either way...we are back to a fully working setup as far as I
> can tell.
>
> Thanks,
> Dave
>
> On 4/8/2021 1:41 PM, Brian Demers wrote:
> > Hi David!
> >
> > Can you try making sure session rewriting is disabled:
> >
> > securityManager.sessionManager.sessionIdUrlRewritingEnabled
> >
> >
> > https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29
> >
> > This could also be happening from your servlet container (but my guess
> > is the above will fix your issue).
> >
> > Let us know!
>

Re: Strange issue on logout

Posted by David Stutzman <sh...@dstutz.com>.
Actually that created another error:
09:44:53,127 WARNING 
[javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-7) 
#{login.login()}: java.lang.IllegalStateException: UT010033: No session: 
javax.faces.FacesException: #{login.login()}: 
java.lang.IllegalStateException: UT010033: No session

What appears to have fixed it for us is adding to the web.xml:
     <session-config>
         <tracking-mode>COOKIE</tracking-mode>
     </session-config>

Which appears to accomplish the same thing of getting the container to 
NOT write the jsessionid into the url and then have Shiro block it due 
to the semicolon.  It's quite possible we have other settings/setup that 
are getting in the way of turning off the url rewriting from within 
Shiro.  Either way...we are back to a fully working setup as far as I 
can tell.

Thanks,
Dave

On 4/8/2021 1:41 PM, Brian Demers wrote:
> Hi David!
>
> Can you try making sure session rewriting is disabled:
>
> securityManager.sessionManager.sessionIdUrlRewritingEnabled
>
> https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29
>
> This could also be happening from your servlet container (but my guess 
> is the above will fix your issue).
>
> Let us know!
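The web.xml fix David describes, as an added example that is not his actual web.xml: the `<session-config>` with COOKIE-only tracking, together with the cookie flags a practitioner would set in the same block. The HTTPS assumption behind `<secure>true</secure>` comes from the https://localhost:8443 URL earlier in the thread; the timeout value is an arbitrary choice. One caveat on why this worked where the Shiro property did not: `sessionIdUrlRewritingEnabled` is a property of Shiro's own DefaultWebSessionManager (native Shiro sessions). When Shiro runs on the container's sessions, which is its default and what a JSF application normally uses, it is the container that decides whether to append `;jsessionid=`, and `<tracking-mode>` is the switch for that. Shiro's filter can also be told to allow semicolons (`invalidRequest.blockSemicolon = false` in `[main]`), but that lets path parameters back through to Shiro's path matching, which is the bypass the filter was added to close; keeping the session id out of the URL is the better fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the poster's web.xml. Assumes a Servlet 3.0+ container
     and an application served only over HTTPS. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <session-config>
        <!-- idle timeout in minutes; an arbitrary value for the example -->
        <session-timeout>30</session-timeout>
        <cookie-config>
            <!-- keep the id out of document.cookie and off plain HTTP -->
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <!-- COOKIE only: the container never rewrites ;jsessionid=... into
             URLs, so there is nothing for Shiro's InvalidRequestFilter to
             reject and no session id in access logs, Referer headers or
             browser history -->
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

</web-app>
```

The element order inside `<session-config>` (timeout, cookie-config, tracking-mode) is the order the web-app schema requires; containers that validate the descriptor reject other orderings.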

Re: Strange issue on logout

Posted by Brian Demers <br...@gmail.com>.
Hi David!

Can you try making sure session rewriting is disabled:

securityManager.sessionManager.sessionIdUrlRewritingEnabled

https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29

This could also be happening from your servlet container (but my guess is the
above will fix your issue).

Let us know!

On Thu, Apr 8, 2021 at 10:39 AM David Stutzman <sh...@dstutz.com> wrote:

> I went back and took another look at this and turned on trace logging
> and figured out the InvalidRequestFilter is tripping, specifically on a
> semicolon in the URL.  That filter was added in 1.6.0 hence that's the
> first version we see the issue.
>
> So now the part I'm not sure about is how/why the URL is being modified
> after logout.  If I click the login button the URL in the browser is:
> https://localhost:8443/app/login.xhtml;jsessionid=<snip> and, as
> advertised by the IRF, I get a 400 response code.
>
> The logout process is done through a servlet with the following
> implementation:
>      protected void processRequest(HttpServletRequest request,
>                                    HttpServletResponse response)
>              throws ServletException, IOException {
>          SecurityUtils.getSubject().logout();
>          request.getSession().invalidate();
>          response.sendRedirect(request.getServletContext().getContextPath());
>      }
>
> And it is on the index page that things start to break.  There's a
> single image that doesn't load due to the request url having the
> jsessionid appended and that gets a 400 response and if I click the
> "Log In" button and it goes to that url (with the appended jsessionid),
> I get the main error that results in a blank page with just "Invalid
> request".
>
> So am I doing something wrong in my logout logic or is this a Shiro issue?
>
> Thanks!
>
> On 12/17/2020 9:55 AM, Francois Papon wrote:
> > Ok thanks, we will take a look.
> >
> > regards,
> >
> > François
> > fpapon@apache.org
>