Posted to user@shiro.apache.org by dbathily <di...@paraschool.com> on 2010/08/08 21:06:38 UTC

Login not persisted in session

Hello

I am trying to use Shiro to secure a GWT application. I have met a very strange
problem, probably a bug. For simple testing, I created a servlet with only
this code.

	public void service(ServletRequest request, ServletResponse response)
			throws ServletException, IOException {
		logger.debug(request.getParameter("username"));
		logger.debug(request.getParameter("password"));
		
		Subject currentUser = SecurityUtils.getSubject();
		
		logger.debug(currentUser.getSession().getId());
		if(!currentUser.isAuthenticated()) {
			logger.debug("User is not authenticated. Try to authenticate");
			UsernamePasswordToken token = new UsernamePasswordToken("admin", "admin");
			currentUser.login(token);
		}
		logger.debug("Is user authenticated ?" + currentUser.isAuthenticated());
		logger.debug(currentUser.getPrincipal());
		logger.debug(currentUser.getSession().getId());
	}

When I call the servlet directly, authentication succeeds but it is not
persisted. currentUser.isAuthenticated() is always false in other calls. Here
are 2 logs for this:

http://shiro-user.582556.n2.nabble.com/file/n5386790/direct-call-1-log.txt
http://shiro-user.582556.n2.nabble.com/file/n5386790/direct-call-2-log.txt

I notice that the session id changes for each request. On the other hand,
when I pass through a JSP which contains a form, authentication is
persisted. Here are the logs:

http://shiro-user.582556.n2.nabble.com/file/n5386790/form-call-1-log.txt
http://shiro-user.582556.n2.nabble.com/file/n5386790/direct-call-3-log.txt

Does anyone understand why this happens?
Thank you for your help

Didier Bathily
PS: Sorry for my English, I'm French ;)


Re: Login not persisted in session

Posted by dbathily <di...@paraschool.com>.
Thank you Les for your reply.

I'm using the default servlet container sessions.

I have an update. While creating the war you asked for, I found
that this problem occurs only in Safari. I've done some tests on 2 Macs with
Safari and I have this problem. No problem with other browsers (I've tested
Chrome and the Eclipse built-in browser) ^^

Here is the simple test http://dl.dropbox.com/u/8744634/shiro.zip

Thank you for your help

Didier

Re: Login not persisted in session

Posted by Les Hazlewood <lh...@apache.org>.
Hi Didier,

This is very strange indeed - I've never seen it before.

Are you using shiro's native sessions?  Or the default servlet
container sessions?

Can we see your shiro configuration (e.g. shiro.ini or other similar mechanism)?

Or, it would be easiest if you could create an extremely simple webapp
(.war file) and attach it to a Jira issue.  Then we could test it out
for ourselves and use a debugger.

I'm very happy to help - it's just that a test .war would help us get an
answer much faster.

Cheers,

Les
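
An added diagnostic example, not code from this thread or from the Shiro project, for the symptom reported here: a session id that changes on every request while using servlet container sessions. It reports whether the browser returned a session id at all and whether the container still recognises it. The class name SessionProbeServlet and the output format are hypothetical, and the javax.servlet API of that era is assumed.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical probe servlet (added example): map it to a URL in the same
// web application and request it twice from the affected browser.
public class SessionProbeServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Read what the client presented BEFORE a session is created.
        boolean presented = req.getRequestedSessionId() != null;
        boolean valid = req.isRequestedSessionIdValid();
        boolean fromCookie = req.isRequestedSessionIdFromCookie();
        boolean fromUrl = req.isRequestedSessionIdFromURL();

        HttpSession session = req.getSession(true);

        StringBuilder out = new StringBuilder();
        out.append("sessionIdPresented=").append(presented).append('\n');
        out.append("presentedIdValid=").append(valid).append('\n');
        out.append("idFromCookie=").append(fromCookie).append('\n');
        out.append("idFromURL=").append(fromUrl).append('\n');
        out.append("sessionIsNew=").append(session.isNew()).append('\n');

        // Cookie names only: the values are session identifiers and are
        // deliberately kept out of the response and the logs.
        out.append("cookieNames=");
        Cookie[] cookies = req.getCookies(); // null when the client sent none
        if (cookies != null) {
            for (Cookie c : cookies) {
                out.append(c.getName()).append(' ');
            }
        }
        out.append('\n').append("verdict=").append(verdict(presented, valid)).append('\n');

        resp.setContentType("text/plain");
        resp.getWriter().print(out);
    }

    // Interprets the two facts that separate a client-side cause from a server-side one.
    static String verdict(boolean presented, boolean valid) {
        if (!presented) return "client sent no session id; the session cookie was not stored or not returned";
        if (!valid) return "client sent an id the container no longer recognises";
        return "client returned a valid session id";
    }
}
```

If the second request from the affected browser still shows sessionIdPresented=false and sessionIsNew=true, the session cookie is not coming back from the client, which points at cookie handling (domain, path, browser policy) rather than at the login code.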
