Posted to user@shiro.apache.org by David Stutzman <sh...@dstutz.com> on 2021/04/08 14:38:41 UTC
Re: Strange issue on logout
I went back and took another look at this and turned on trace logging
and figured out the InvalidRequestFilter is tripping, specifically on a
semicolon in the URL. That filter was added in 1.6.0 hence that's the
first version we see the issue.
So now the part I'm not sure about is how/why the URL is being modified
after logout. If I click the login button the URL in the browser is:
https://localhost:8443/app/login.xhtml;jsessionid=<snip> and, as
advertised by the IRF, I get a 400 response code.
The logout process is done through a servlet with the following
implementation:
protected void processRequest(HttpServletRequest request,
        HttpServletResponse response) throws ServletException, IOException {
    // Log the Subject out of Shiro (this also stops Shiro's session).
    SecurityUtils.getSubject().logout();
    // Invalidate the container session only if one still exists;
    // getSession() with no argument would create a fresh session here.
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    response.sendRedirect(request.getServletContext().getContextPath());
}
And it is on the index page that things start to break. There's a
single image that doesn't load due to the request url having the
jsessionid appended and that gets a 400 response, and if I click the
"Log In" button and it goes to that url (with the appended jsessionid),
I get the main error that results in a blank page with just "Invalid
request".
So am I doing something wrong in my logout logic or is this a Shiro issue?
Thanks!
On 12/17/2020 9:55 AM, Francois Papon wrote:
> Ok thanks, we will take a look.
>
> regards,
>
> François
> fpapon@apache.org
Re: Strange issue on logout
Posted by Brian Demers <br...@gmail.com>.
Thanks for following up David!
On Mon, Apr 12, 2021 at 9:54 AM David Stutzman <sh...@dstutz.com> wrote:
> Actually that created another error:
> 09:44:53,127 WARNING
> [javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-7)
> #{login.login()}: java.lang.IllegalStateException: UT010033: No session:
> javax.faces.FacesException: #{login.login()}:
> java.lang.IllegalStateException: UT010033: No session
>
> What appears to have fixed it for us is adding to the web.xml:
> <session-config>
>     <tracking-mode>COOKIE</tracking-mode>
> </session-config>
>
> Which appears to accomplish the same thing of getting the container to
> NOT write the jsessionid into the url and then have Shiro block it due
> to the semicolon. It's quite possible we have other settings/setup that
> are getting in the way of turning off the url rewriting from within
> Shiro. Either way...we are back to a fully working setup as far as I
> can tell.
>
> Thanks,
> Dave
>
> On 4/8/2021 1:41 PM, Brian Demers wrote:
> > Hi David!
> >
> > Can you try making sure session rewriting is disabled:
> >
> > securityManager.sessionManager.sessionIdUrlRewritingEnabled
> >
> > https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29
> >
> >
> > This could also be happening from your servlet container (but my guess
> > is the above will fix your issue).
> >
> > Let us know!
>
Re: Strange issue on logout
Posted by David Stutzman <sh...@dstutz.com>.
Actually that created another error:
09:44:53,127 WARNING
[javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-7)
#{login.login()}: java.lang.IllegalStateException: UT010033: No session:
javax.faces.FacesException: #{login.login()}:
java.lang.IllegalStateException: UT010033: No session
What appears to have fixed it for us is adding to the web.xml:
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Which appears to accomplish the same thing of getting the container to
NOT write the jsessionid into the url and then have Shiro block it due
to the semicolon. It's quite possible we have other settings/setup that
are getting in the way of turning off the url rewriting from within
Shiro. Either way...we are back to a fully working setup as far as I
can tell.
Thanks,
Dave
On 4/8/2021 1:41 PM, Brian Demers wrote:
> Hi David!
>
> Can you try making sure session rewriting is disabled:
>
> securityManager.sessionManager.sessionIdUrlRewritingEnabled
>
> https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29
>
> This could also be happening from your servlet container (but my guess
> is the above will fix your issue).
>
> Let us know!
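The web.xml fix above can also be applied programmatically. This is an added example, not code from the thread or from Shiro: a Servlet 3.0+ context listener (the class name CookieOnlySessionListener is hypothetical) that restricts session tracking to cookies so the container never appends ";jsessionid=..." to URLs, and hardens the session cookie while it is at it.

```java
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Programmatic equivalent of
 *   <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
 * in web.xml. With URL tracking disabled, no ";jsessionid=..." is ever
 * written into a URL, so Shiro's InvalidRequestFilter (1.6.0+) has no
 * semicolon to reject with a 400. Hypothetical class name.
 */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Must run before the first request is served; the container throws
        // IllegalStateException if called after context initialization.
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Harden the session cookie itself while configuring it.
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from page script
        cookie.setSecure(true);   // only sent over TLS (the app in the thread runs on https://localhost:8443)
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

If web.xml also declares a session-config, the container applies both; keep them consistent so the effective tracking mode is COOKIE only.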
Re: Strange issue on logout
Posted by Brian Demers <br...@gmail.com>.
Hi David!
Can you try making sure session rewriting is disabled:
securityManager.sessionManager.sessionIdUrlRewritingEnabled
https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29
This could also be happening from your servlet container (but my guess is the
above will fix your issue).
Let us know!
On Thu, Apr 8, 2021 at 10:39 AM David Stutzman <sh...@dstutz.com> wrote:
> I went back and took another look at this and turned on trace logging
> and figured out the InvalidRequestFilter is tripping, specifically on a
> semicolon in the URL. That filter was added in 1.6.0 hence that's the
> first version we see the issue.
>
> So now the part I'm not sure about is how/why the URL is being modified
> after logout. If I click the login button the URL in the browser is:
> https://localhost:8443/app/login.xhtml;jsessionid=<snip> and, as
> advertised by the IRF, I get a 400 response code.
>
> The logout process is done through a servlet with the following
> implementation:
> protected void processRequest(HttpServletRequest request,
>         HttpServletResponse response) throws ServletException, IOException {
>     SecurityUtils.getSubject().logout();
>     request.getSession().invalidate();
>     response.sendRedirect(request.getServletContext().getContextPath());
> }
>
> And it is on the index page that things start to break. There's a
> single image that doesn't load due to the request url having the
> jsessionid appended and that gets a 400 response, and if I click the
> "Log In" button and it goes to that url (with the appended jsessionid),
> I get the main error that results in a blank page with just "Invalid
> request".
>
> So am I doing something wrong in my logout logic or is this a Shiro issue?
>
> Thanks!
>
> On 12/17/2020 9:55 AM, Francois Papon wrote:
> > Ok thanks, we will take a look.
> >
> > regards,
> >
> > François
> > fpapon@apache.org
>