Posted to user@shiro.apache.org by theStunnerz <th...@gmail.com> on 2016/05/26 01:03:01 UTC

Shiro authentication cache does not work when security is enabled

Hi Team,

I am a newbie to the Java web application world.

We have implemented a web application using Spring + Shiro (for security).
The application uses HTML, JavaScript and jQuery for the front end, and Ajax to
call the REST services of the back end.
We have assigned the Ehcache and enabled it for both authentication and
authorization. During the development phase, we used the Chrome browser
in security-disabled mode. Authentication was happening only during
login, and subsequent calls were answered based on caching. All was a fairytale
till we removed the security-disabled mode of the Chrome browser.
Starting from this point, every Ajax/REST call is going for authentication
and hence failing. I am not sure if my design of the application is silly or
there is something that can be done right now to solve the problem.

Could you please help me with a possible solution?

Thanks,
Surendra Babu C



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-authentication-cache-does-not-work-when-security-is-enabled-tp7581053.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro authentication cache does not work when security is enabled

Posted by theStunnerz <th...@gmail.com>.
Hi,

I have resolved this with the changes below:
Add Access-Control-Allow-Credentials in cors.exposed.headers and
cors.allowed.origins set to * in web.xml.

Also, from the UI Ajax call:
xhr.withCredentials = true



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-authentication-cache-does-not-work-when-security-is-enabled-tp7581053p7581065.html
Sent from the Shiro User mailing list archive at Nabble.com.
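
Once an Ajax call is sent with xhr.withCredentials set, the browser applies a stricter CORS check to the response. The sketch below is an added example, not code from this thread or from Shiro: it models that check as the Fetch standard describes it, next to a server-side allow-list policy. The function names, origins and header values are hypothetical and constructed for illustration.

```javascript
// Added example: models the browser's CORS check for an Ajax response.
// All origins and header values are constructed for illustration.

// Browser side: may script read this cross-origin response?
function browserSharesResponse(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  // "*" is honoured only for requests sent without credentials.
  if (allowOrigin === '*') return !withCredentials;
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  // Credentialed requests also need this exact, case-sensitive value.
  return headers['access-control-allow-credentials'] === 'true';
}

// Server side: answer only origins on an explicit allow-list.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // keep caches from serving one origin's answer to another
  };
}

const UI = 'https://ui.example.test';       // hypothetical front-end origin
const OTHER = 'https://other.example.test'; // hypothetical unrelated origin
const ALLOWED = [UI];

function demo() {
  return {
    wildcardWithCookies: browserSharesResponse(UI, true, { 'access-control-allow-origin': '*' }),
    wildcardNoCookies: browserSharesResponse(UI, false, { 'access-control-allow-origin': '*' }),
    // Naming the header in Expose-Headers does not set it on the response.
    exposeHeaderOnly: browserSharesResponse(UI, true, {
      'access-control-allow-origin': UI,
      'access-control-expose-headers': 'Access-Control-Allow-Credentials',
    }),
    allowListedUi: browserSharesResponse(UI, true, corsHeadersFor(UI, ALLOWED)),
    unlistedOrigin: browserSharesResponse(OTHER, true, corsHeadersFor(OTHER, ALLOWED)),
  };
}

console.log(demo());
```

A server that echoes whatever Origin it receives together with Access-Control-Allow-Credentials: true would pass this check for every site, which is why the server-side function compares against an explicit list.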

Re: Shiro authentication cache does not work when security is enabled

Posted by Brian Demers <br...@gmail.com>.
Sounds like that could be the problem.  You probably just need to configure
your front end framework to deal with the cookie.

Let us know how it goes,
-Brian



On Tue, May 31, 2016 at 1:40 PM, theStunnerz <th...@gmail.com>
wrote:

> Hi Brian,
>
> We are not explicitly setting the session cookie. I have used Fiddler to
> see if cookies are set by the browser automatically, but they are not. And the
> content is served by the same server.
> On May 31, 2016 8:45 PM, "Brian Demers [via Shiro User]" <
> ml-node+s582556n7581058h52@n2.nabble.com> wrote:
>
> > Are your Ajax requests including the session cookie?  Is all your content
> > being served from the same server?
> >
> > -Brian
> >
> > On Tue, May 31, 2016 at 1:23 AM, theStunnerz <[hidden email]> wrote:
> >
> >> Googling further, I have come across the below web.xml settings.
> >> <session-config>
> >>     <cookie-config>
> >>         <http-only>true</http-only>
> >>         <secure>true</secure>
> >>     </cookie-config>
> >> </session-config>
> >>
> >> Even after this I am seeing the same issue. Should we do any client-side
> >> programming to resolve this? I see a few posts that have commented that
> >> the browser does automatic stripping of cookies. I have no clue if that is
> >> true, and if so, what could be the possible solutions.

Re: Shiro authentication cache does not work when security is enabled

Posted by theStunnerz <th...@gmail.com>.
Hi Brian,

We are not explicitly setting the session cookie. I have used Fiddler to
see if cookies are set by the browser automatically, but they are not. And the
content is served by the same server.
On May 31, 2016 8:45 PM, "Brian Demers [via Shiro User]" <
ml-node+s582556n7581058h52@n2.nabble.com> wrote:

> Are your Ajax requests including the session cookie?  Is all your content
> being served from the same server?
>
> -Brian
>
> On Tue, May 31, 2016 at 1:23 AM, theStunnerz <[hidden email]> wrote:
>
>> Googling further, I have come across the below web.xml settings.
>> <session-config>
>>     <cookie-config>
>>         <http-only>true</http-only>
>>         <secure>true</secure>
>>     </cookie-config>
>> </session-config>
>>
>> Even after this I am seeing the same issue. Should we do any client-side
>> programming to resolve this? I see a few posts that have commented that
>> the browser does automatic stripping of cookies. I have no clue if that is
>> true, and if so, what could be the possible solutions.




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-authentication-cache-does-not-work-when-security-is-enabled-tp7581053p7581059.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro authentication cache does not work when security is enabled

Posted by Brian Demers <br...@gmail.com>.
Are your Ajax requests including the session cookie?  Is all your content
being served from the same server?

-Brian

On Tue, May 31, 2016 at 1:23 AM, theStunnerz <th...@gmail.com>
wrote:

> Googling further, I have come across the below web.xml settings.
> <session-config>
>     <cookie-config>
>         <http-only>true</http-only>
>         <secure>true</secure>
>     </cookie-config>
> </session-config>
>
> Even after this I am seeing the same issue. Should we do any client-side
> programming to resolve this? I see a few posts that have commented that
> the browser does automatic stripping of cookies. I have no clue if that is
> true, and if so, what could be the possible solutions.

Re: Shiro authentication cache does not work when security is enabled

Posted by theStunnerz <th...@gmail.com>.
Googling further, I have come across the below web.xml settings.
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Even after this I am seeing the same issue. Should we do any client-side
programming to resolve this? I see a few posts that have commented that
the browser does automatic stripping of cookies. I have no clue if that is
true, and if so, what could be the possible solutions.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-authentication-cache-does-not-work-when-security-is-enabled-tp7581053p7581057.html
Sent from the Shiro User mailing list archive at Nabble.com.