Posted to user@shiro.apache.org by Peter Ledbrook <pe...@cacoethes.co.uk> on 2009/09/23 10:22:50 UTC

Fwd: [grails-user] I want my cookie back (shiro)

Forwarded from the Grails mailing list. As far as I'm aware, the
session is managed by the servlet container. I have no idea how you
could restore the servlet session. You may have to use Shiro's session
instead, which is enabled with this configuration option:

  security.shiro.session.mode = "shiro"

The default value is "http". You probably have to do some other stuff
to get your upload working, but I don't know what. Hopefully one of
the real Shiro experts can help.

Cheers,

Peter


---------- Forwarded message ----------
From: Finn Herpich <fi...@marfinn-software.de>
Date: 2009/9/22
Subject: [grails-user] I want my cookie back (shiro)
To: user@grails.codehaus.org


Hi *,

I'm currently playing around with swfUpload (http://swfupload.org) in
an application secured via the shiroPlugin.

So swfUpload has this nice plugin which enables it to send the cookies
(needed for Shiro's session handling afaik) in addition to the uploaded
file.
But, in the swfUpload it says:
"Note that this plugin sends the cookies name/values in the POST or
GET. On the server side they will not be accessible as cookies. Some
frameworks that automatically check cookies for session or
authentication values still will not be able to find the values."

My question here is: where can I place some code to restore the cookie
with the session-id from the POST/GET parameter?

Cheers


Marfinn Software GmbH
Registered office: Endenicher Straße 262, 53121 Bonn
Commercial register: Amtsgericht Bonn, HRB 16233
Managing directors: Martin Hensel, Finn Herpich



Re: [grails-user] I want my cookie back (shiro)

Posted by Les Hazlewood <lh...@apache.org>.
The servlet spec mandates that if cookies are disabled, "URL rewriting
may be used by the server as the basis for session tracking".  The
'server' here is the servlet container or the swfUpload plugin acting
as one.

If using this technique, the "session ID must be encoded as a path
parameter in the URL string."

For example:

http://www.somedomain.com/anyPage.htm;JSESSIONID=<session ID here>

So, if the swfUpload plugin sees a JSESSIONID cookie, and appends that
as a query parameter, this _should_ work out of the box with any
servlet container.  If it does not, the swfUpload plugin might not be
compliant with the servlet specification and I recommend that an issue
be raised with that plugin to fix it.

That being said, Shiro will automatically check for a query parameter
named JSESSIONID if it can't find a cookie.  So, if you use the Shiro
'native' session mode, as Peter pointed out, and the swfUpload plugin
translates the JSESSIONID cookie to a query parameter, it should work.

But if it doesn't work with the normal servlet container, it may not
work with Shiro since Shiro adheres to the spec.  You'd have to try
and find out, but it smells like something might be weird with the
swfUpload plugin...

HTH,

Les

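The lookup described in the reply above (cookie first, then a session ID carried in the URL), as an added example that is not part of the original thread and is not Shiro's or any servlet container's code. The class name, the sample requests and the choice to check the path parameter before the query parameter are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Optional;

// Added illustration of the lookup order described in the thread;
// this is not Shiro's or any servlet container's code.
public class SessionIdLookup {
    static final String NAME = "JSESSIONID";

    record Resolved(String source, String id) {}

    // Finds NAME=value in a delimited list (";" for cookies and path parameters, "&" for queries).
    static Optional<String> find(String list, String delimiter) {
        if (list == null) return Optional.empty();
        for (String pair : list.split(delimiter)) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(NAME) && !kv[1].isEmpty()) {
                return Optional.of(kv[1]);
            }
        }
        return Optional.empty();
    }

    // Path parameter form: /anyPage.htm;JSESSIONID=<id> (parameters of the last segment only).
    static Optional<String> fromPath(String rawPath) {
        if (rawPath == null) return Optional.empty();
        String last = rawPath.substring(rawPath.lastIndexOf('/') + 1);
        int semi = last.indexOf(';');
        return semi < 0 ? Optional.empty() : find(last.substring(semi + 1), ";");
    }

    // Assumed order: cookie, then path parameter, then query parameter.
    static Optional<Resolved> resolve(String cookieHeader, URI uri) {
        Optional<String> id = find(cookieHeader, ";");
        if (id.isPresent()) return id.map(v -> new Resolved("cookie", v));
        id = fromPath(uri.getRawPath());
        if (id.isPresent()) return id.map(v -> new Resolved("path parameter", v));
        return find(uri.getRawQuery(), "&").map(v -> new Resolved("query parameter", v));
    }

    public static void main(String[] args) {
        // Constructed sample requests: {Cookie header or null, request URL}.
        String[][] requests = {
            {"lang=en; JSESSIONID=abc123", "http://www.somedomain.com/upload"},
            {null, "http://www.somedomain.com/upload;JSESSIONID=abc123"},
            {null, "http://www.somedomain.com/upload?JSESSIONID=abc123&file=a.png"},
            {null, "http://www.somedomain.com/upload"},
        };
        for (String[] r : requests) {
            System.out.println(r[1] + " -> "
                + resolve(r[0], URI.create(r[1])).map(Resolved::toString).orElse("no session ID"));
        }
    }
}
```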