Posted to dev@shiro.apache.org by Steinar Bang <sb...@dod.no> on 2019/01/16 19:39:18 UTC

How to change or set the path of the jsessionid cookie?

I'm working on creating a shiro based login service for use with the
nginx auth module (to provide forms based login for the entire nginx
site).

And I'm getting closer.  Right now the problem is that the cookie is
stored under the webcontext path (in my case "/authservice").

Is there a simple way for me, using the shiro API, to change the path to
be the root path of the web site?  I.e. "" or "/" or whatever is
appropriate? (something that would cover the entire web server).

Thanks!


- Steinar

Re: How to change or set the path of the jsessionid cookie?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@public.gmane.org>:
>>>>> Brian Demers <br...@public.gmane.org>:

>> Take a look at `ServletContainerSessionManager` if you just want to
>> use the container's session management

> Thanks for the tip!

> However, I wasn't able to figure out how to use this to adjust the
> storage path for the jsessionid (and the rememberme) cookie?

> I'm perfectly fine with having shiro store the cookies in the response,
> but I wish to change the cookie path.

Hm... I guess I could use this to replace the WebSessionContext[1] which is
where shiro retrieves the HttpServletRequest[2] it uses to get the
context path[3] that it uses to set the cookie path...?

Looks like the HttpServletRequestWrapper[4] can be used to manipulate
the context path and for all other things let the regular request through...?

References:
[1] <https://shiro.apache.org/static/1.3.0/apidocs/org/apache/shiro/web/session/mgt/WebSessionContext.html>
[2] <https://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpServletRequest.html>
[3] <https://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpServletRequest.html#getContextPath()>
[4] <https://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpServletRequestWrapper.html>

Re: How to change or set the path of the jsessionid cookie?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Brian Demers <br...@public.gmane.org>:

> Take a look at `ServletContainerSessionManager` if you just want to use the
> container's session management

Thanks for the tip!

However, I wasn't able to figure out how to use this to adjust the
storage path for the jsessionid (and the rememberme) cookie?

I'm perfectly fine with having shiro store the cookies in the response,
but I wish to change the cookie path.

Re: How to change or set the path of the jsessionid cookie?

Posted by Brian Demers <br...@gmail.com>.
Take a look at `ServletContainerSessionManager` if you just want to use the
container's session management

On Wed, Jan 16, 2019 at 4:32 PM Steinar Bang <sb...@dod.no> wrote:

> >>>>> Jean-Baptiste Onofré <jb...@public.gmane.org>:
>
> > AFAIK, it's not yet possible, but it makes sense to have something
> > configurable there.
>
> Ok, that means I'll have to resort to plan B, and it isn't pretty...:-)
>
>  1. Add another jersey endpoint
>  2. in that endpoint inject the jsessionid cookie
>  3. 302 to the jersey endpoint after a successful auth
>  4. in the jersey endpoint set the jsessionid cookie under a new path
>     and then redirect to the original URL
>
> (It's a hack and I was hoping there was a simple way to avoid it...)
>

Re: How to change or set the path of the jsessionid cookie?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@public.gmane.org>:

>>>>> Jean-Baptiste Onofré <jb...@public.gmane.org>:
>> AFAIK, it's not yet possible, but it makes sense to have something
>> configurable there.

> Ok, that means I'll have to resort to plan B, and it isn't pretty...:-) 

I also tried a plan C: having nginx rewrite the cookie path in the
reverse proxy config from nginx to karaf.
 https://www.jeroenreijn.com/2015/06/migrating_from_apache_to_nginx_proxy_cookie_paths.html
 http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path

However, the path didn't seem to work... until today, suddenly it did.
I guess some cookies timed out...?  :-)

Note to self: always test shiro auth in chrome incognito (or equivalent
in a different browser).
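
The "plan C" setup described in the message above, sketched as an added example that is not part of the original post or the poster's actual configuration: nginx proxies the Shiro webapp under "/authservice" and rewrites the cookie path to "/" with proxy_cookie_path. The upstream address, host name, document root and the check/login endpoint paths are assumptions made for illustration.

```nginx
# Constructed example: host, port, root and endpoint paths are assumptions.
upstream karaf {
    server 127.0.0.1:8181;            # assumed address of the karaf HTTP service
}

server {
    listen 80;
    server_name example.test;         # placeholder host name

    # The shiro login webapp, deployed under the /authservice web context.
    location /authservice/ {
        proxy_pass http://karaf;
        proxy_set_header Host $host;

        # Rewrite the Path attribute of every Set-Cookie header returned by
        # the webapp: a cookie issued with Path=/authservice reaches the
        # browser with Path=/, so it is sent back for the whole site.
        # This also exposes the session cookie to every other location
        # served under this host name.
        proxy_cookie_path /authservice /;
    }

    # Subrequest target for auth_request (hypothetical endpoint). The
    # browser's Cookie header is forwarded, so the webapp can look up the
    # session and answer 2xx (allow) or 401 (deny).
    location = /authservice/check {
        internal;
        proxy_pass http://karaf;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Everything else on the site is gated by the login service.
    location / {
        auth_request /authservice/check;
        error_page 401 = @login;
        root /var/www/html;           # placeholder document root
    }

    # Unauthenticated requests are sent to the login form (hypothetical path).
    location @login {
        return 302 /authservice/login;
    }
}
```

A browser that already holds a cookie scoped to "/authservice" keeps sending that one until it expires, so check the rewritten Path in the Set-Cookie response header from a fresh or incognito profile.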

Re: How to change or set the path of the jsessionid cookie?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Jean-Baptiste Onofré <jb...@public.gmane.org>:

> AFAIK, it's not yet possible, but it makes sense to have something
> configurable there.

Ok, that means I'll have to resort to plan B, and it isn't pretty...:-) 

 1. Add another jersey endpoint
 2. in that endpoint inject the jsessionid cookie
 3. 302 to the jersey endpoint after a successful auth
 4. in the jersey endpoint set the jsessionid cookie under a new path
    and then redirect to the original URL

(It's a hack and I was hoping there was a simple way to avoid it...)

Re: How to change or set the path of the jsessionid cookie?

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Steinar,

AFAIK, it's not yet possible, but it makes sense to have something
configurable there.

Regards
JB

On 16/01/2019 20:39, Steinar Bang wrote:
> I'm working on creating a shiro based login service for use with the
> nginx auth module (to provide forms based login for the entire nginx
> site).
> 
> And I'm getting closer.  Right now the problem is that the cookie is
> stored under the webcontext path (in my case "/authservice").
> 
> Is there a simple way for me, using the shiro API, to change the path to
> be the root path of the web site?  I.e. "" or "/" or whatever is
> appropriate? (something that would cover the entire web server).
> 
> Thanks!
> 
> 
> - Steinar
> 

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com