Posted to dev@shiro.apache.org by Steinar Bang <sb...@dod.no> on 2019/01/19 19:53:42 UTC

Is the cookie path important for Shiro

I'm working on a solution where a webapp[1] running in apache karaf
provides forms based authentication for nginx.  The webapp uses Shiro to
handle the login and login check.

It now sort of works: authentication for the rest of the website works
but authentication fails for the webapp itself.

Is the path of the cookie(s) important for shiro authentication?

What happens, is as follows:
 1. I open an nginx URL in a browser eg. http://lorenzo.hjemme.lan/testauth.html
 2. The nginx auth module [2] makes a call to /authservice/check to
    check the logged in state
 3. The /authservice/check URL is reverse-proxied to http://localhost:8181/authservice/check
 4. http://localhost:8181/authservice is a webapp with shiro, running in
    apache karaf
 5. The http://localhost:8181/authservice/check URL returns 401 (Needs
    Authentication)
 6. The 401 causes nginx to open http://lorenzo.hjemme.lan/authservice/login
 7. http://lorenzo.hjemme.lan/authservice/login is reverse-proxied to http://localhost:8181/authservice/login
 8. A successful login results in cookies with path=/authservice set on
    the response and a 302 redirect to the original URL (http://lorenzo.hjemme.lan/testauth.html)
 9. The reverse proxy config rewrites path=/authservice to path=/ on the cookies
10. The browser again tries to open http://lorenzo.hjemme.lan/testauth.html
    this time with a shiro cookie with path=/
11. The nginx auth module makes a check call to /authservice/check with
    the cookie, and the check URL returns 200
12. Nginx serves http://lorenzo.hjemme.lan/testauth.html Success! So
    far, so good!
13. Then I try opening http://lorenzo.hjemme.lan/authservice and then
    shiro auth fails and redirects to the login page (this all happens
    inside the shiro webapp, nginx isn't involved)
15. The http://localhost:8181/authservice/check is set up with anon
    access in shiro, so by itself isn't redirected by shiro, and this
    code returns true:

Is it the changed path of the cookie that causes the shiro failure?  What
can I do to create a cookie that works both inside /authservice and
outside?

Thanks!

References:
[1] <https://github.com/steinarb/authservice>
[2] <http://nginx.org/en/docs/http/ngx_http_auth_request_module.html>
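An added illustration (not part of the original post or of the authservice project) of the cookie-path mechanics in steps 8 to 10 above. It models three things: a Set-Cookie header with Path=/authservice as the webapp would emit it, the nginx proxy_cookie_path-style prefix rewrite to Path=/ that the reverse proxy applies (emulated here as a plain prefix replacement; nginx's real directive also accepts regular expressions), and the browser-side path-match rule from RFC 6265 section 5.1.4 that decides which later requests carry the cookie. The cookie name and value are constructed sample data.

```python
"""Model of the cookie-path behaviour described in the thread:
a Set-Cookie with Path=/authservice, the reverse-proxy rewrite of that
path to /, and the browser's RFC 6265 path-match rule that decides
whether the cookie is attached to a request (constructed example)."""

from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    path: str


def parse_set_cookie(header: str) -> Cookie:
    """Parse a minimal Set-Cookie header value into name, value and Path.
    Per RFC 6265 a missing or malformed Path defaults to "/" here for
    simplicity (the real default is derived from the request URI)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path = "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path" and val.startswith("/"):
            path = val.strip()
    return Cookie(name.strip(), value.strip(), path)


def rewrite_cookie_path(header: str, src: str, dst: str) -> str:
    """Emulate an nginx 'proxy_cookie_path src dst' string rewrite on one
    Set-Cookie header: if the Path attribute starts with src, that prefix
    is replaced by dst. Only the Path attribute is touched; the cookie
    name and value reach the browser unchanged."""
    out = []
    for attr in (p.strip() for p in header.split(";")):
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path" and val.startswith(src):
            attr = f"Path={dst}{val[len(src):]}"
        out.append(attr)
    return "; ".join(out)


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the cookie is sent when the
    request path equals the cookie path, or extends it at a '/' boundary
    (so Path=/authservice covers /authservice/check but not /authserviceX)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def paths_cookie_is_sent_to(header: str, request_paths: list) -> list:
    """Return the subset of request_paths to which the browser would attach
    the cookie set by this Set-Cookie header."""
    cookie = parse_set_cookie(header)
    return [p for p in request_paths if path_matches(cookie.path, p)]


# Constructed sample: the session cookie as the webapp on port 8181 sets it.
SET_COOKIE_FROM_WEBAPP = "JSESSIONID=abc123; Path=/authservice; HttpOnly"
# The same header after the reverse proxy rewrites Path=/authservice to Path=/.
SET_COOKIE_AFTER_PROXY = rewrite_cookie_path(SET_COOKIE_FROM_WEBAPP, "/authservice", "/")

# Request paths from the thread plus one near-miss to show the boundary rule.
REQUEST_PATHS = [
    "/testauth.html",
    "/authservice",
    "/authservice/check",
    "/authservice/login",
    "/authserviceX",
]

if __name__ == "__main__":
    print("before rewrite:", paths_cookie_is_sent_to(SET_COOKIE_FROM_WEBAPP, REQUEST_PATHS))
    print("after rewrite: ", paths_cookie_is_sent_to(SET_COOKIE_AFTER_PROXY, REQUEST_PATHS))
```

Two points the model makes visible. First, the Path attribute is consumed only by the browser: the Cookie header it sends back carries name=value pairs and no path, so the server-side session lookup sees the same cookie value whether the path was /authservice or /. Second, widening the path to / is what makes the cookie reach /testauth.html at all, at the cost of the session cookie now being attached to every request on the host, so anything else served under that host name should be treated as receiving it.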

Re: Is the cookie path important for Shiro

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Brian Demers <br...@public.gmane.org>:

> What does the request shiro receives look like?

Hm... I was going to do some wireshark captures to illustrate the
problem.  

But what happened now was that everything worked as expected... ie the
auth problem when entering the webapp after a cookie path rewrite no
longer occurs...:-)

Nevertheless the captures may be of interest.

The captures are on port 8181, ie. the captures are the way shiro sees
them, and the nginx cookie path rewrites aren't shown.

 1. A capture of an nginx auth check before doing a login
     https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-initial-auth-check
 2. A capture of opening the login page (redirected there by nginx when
    the auth failed)
     https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-open-login-page
 3. A capture of the login POST (redirecting to the original page)
     https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-successful-login-post
 4. A capture of a successful auth check
     https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-successful-auth-check-from-nginx
 5. A capture of what happens when entering the webapp's path from the
    nginx frontend (ie. http://lorenzo.hjemme.lan/authservice/).  This
    is the one that was failing for me, but now is working
     https://gist.github.com/steinarb/7bb695f350592c63111bac9d30782d89#file-opening-the-top-level-authservice-path

> Is the rewrite also changing the request path?

No.  The base path as seen from nginx is http://lorenzo.hjemme.lan/authservice
and the base path as seen from karaf is http://localhost:8181/authservice

> Does that affect the path filtering rules you have set up?

I don't think so.  It seemed to work as expected "inside" the
http://lorenzo.hjemme.lan/authservice URL before I introduced the cookie
path rewrite.

But when I introduced the rewrite http://lorenzo.hjemme.lan/ worked
while http://lorenzo.hjemme.lan/authservice failed.

However now both work.  I have no idea what made it start working.  Some
kind of cookie expiry, perhaps...?

Thanks!


- Steinar



Re: Is the cookie path important for Shiro

Posted by Brian Demers <br...@gmail.com>.
What does the request shiro receives look like?  Is the rewrite also
changing the request path? Does that affect the path filtering rules you
have set up?

On Sat, Jan 19, 2019 at 2:53 PM Steinar Bang <sb...@dod.no> wrote:

> I'm working on a solution where a webapp[1] running in apache karaf
> provides forms based authentication for nginx.  The webapp uses Shiro to
> handle the login and login check.
>
> It now sort of works: authentication for the rest of the website works
> but authentication fails for the webapp itself.
>
> Is the path of the cookie(s) important for shiro authentication?
>
> What happens, is as follows:
>  1. I open an nginx URL in a browser eg.
> http://lorenzo.hjemme.lan/testauth.html
>  2. The nginx auth module [2] makes a call to /authservice/check to
>     check the logged in state
>  3. The /authservice/check URL is reverse-proxied to
> http://localhost:8181/authservice/check
>  4. http://localhost:8181/authservice is a webapp with shiro, running in
>     apache karaf
>  5. The http://localhost:8181/authservice/check URL returns 401 (Needs
>     Authentication)
>  6. The 401 causes nginx to open
> http://lorenzo.hjemme.lan/authservice/login
>  7. http://lorenzo.hjemme.lan/authservice/login is reverse-proxied to
> http://localhost:8181/authservice/login
>  8. A successful login results in cookies with path=/authservice set on
>     the response and a 302 redirect to the original URL (
> http://lorenzo.hjemme.lan/testauth.html)
>  9. The reverse proxy config rewrites path=/authservice to path=/ on the
> cookies
> 10. The browser again tries to open
> http://lorenzo.hjemme.lan/testauth.html
>     this time with a shiro cookie with path=/
> 11. The nginx auth module makes a check call to /authservice/check with
>     the cookie, and the check URL returns 200
> 12. Nginx serves http://lorenzo.hjemme.lan/testauth.html Success! So
>     far, so good!
> 13. Then I try opening http://lorenzo.hjemme.lan/authservice and then
>     shiro auth fails and redirects to the login page (this all happens
>     inside the shiro webapp, nginx isn't involved)
> 15. The http://localhost:8181/authservice/check is set up with anon
>     access in shiro, so by itself isn't redirected by shiro, and this
>     code returns true:
>
> Is it the changed path of the cookie that causes the shiro failure?  What
> can I do to create a cookie that works both inside /authservice and
> outside?
>
> Thanks!
>
> References:
> [1] <https://github.com/steinarb/authservice>
> [2] <http://nginx.org/en/docs/http/ngx_http_auth_request_module.html>
>