Posted to user@shiro.apache.org by malbinola <ma...@sonicle.com> on 2017/11/02 10:16:40 UTC

Sessions and Tomcat versioning

Hi all,
we are experiencing a strange behaviour using Shiro in conjunction with
the Tomcat versioning/naming feature
(https://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Naming).
Let's suppose that we have a deployed app named app##01.war on which we have
several logged-in users.
If we release a new version of our webapp (app##02.war), after the webapp
is started up by Tomcat, users on the instance ##01 start receiving 401
Unauthorized from the server and they are automatically redirected to the login
page.

It seems that sessions of both webapp instances are treated in the same
pool.
How can we separate the session handling in order to avoid any interference
between the instances?

Any help would be appreciated.
Thanks.

Matteo A.

I leave here our shiro.ini configuration:

[main]
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = wtSessionId
cookie.path = /
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionListener = com.sonicle.webtop.core.app.ShiroSessionListener
sessionManager.sessionIdCookie = $cookie

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionIdCookieEnabled = true
securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
securityManager.sessionManager.globalSessionTimeout = 900000
securityManager.sessionManager.sessionListeners = $sessionListener

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

realm = com.sonicle.webtop.core.shiro.WTRealm
securityManager.realms = $realm

authc = com.sonicle.webtop.core.shiro.WTFormAuthFilter
authc.loginUrl = /login
authc.successUrl = /
authc.usernameParam = wtusername
authc.passwordParam = wtpassword
authc.rememberMeParam = wtrememberme
authc.failureKeyAttribute = loginFailure



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Sessions and Tomcat versioning

Posted by Brian Demers <br...@gmail.com>.
Gabriele, this might be best for a separate thread.

My take on this is you don't need a hybrid session manager, you would still
use one or the other (it sounds like in your case you would want to use
your container's sessions).
Depending on what async lib you are using, you may just need to configure
how those threads are executed, typically you just need to associate the
thread with the current Subject.
https://shiro.apache.org/subject.html#thread-association

Put together a sample app of what you are trying to do and we should be
able to point you in the right direction!

-Brian



On Mon, Jan 15, 2018 at 8:32 AM, gbulfon <ga...@sonicle.com>
wrote:

> Hello,
>
> the versioning feature of Tomcat (parallel deployment) is too important for
> our live deployments.
> This was something usual for us while deploying WebTop4, using native
> container session manager.
>
> With WebTop5 we need the best of both worlds, and to achieve this I bet we
> need some kind of hybrid session manager implementing both the native
> container session manager and the default native shiro session manager:
> this
> would allow us to both have classic JSESSIONID management on Tomcat (making
> it work on parallel deployments) together with a native shiro session to
> work with our websockets management and rest APIs.
>
> We may invest in the development of such a hybrid manager, but we need
> some
> help on how to achieve this. We would contribute the final result,
> obviously.
>
> Can anyone help?
>
> Gabriele
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>
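
The thread association Brian points to, as an added example (not WebTop/Sonicle code and not part of the Shiro project): a caller on the request thread hands a task to a pool, and the Subject is attached to the task so that the permission check inside it sees the logged-in user. The class name SubjectAwareAsync, the four-thread pool and the "mailbox:read:<name>" permission string are assumptions for this example; Subject.associateWith and SecurityUtils.getSubject are Shiro's own API.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

/**
 * Added example, not WebTop or Shiro project code: hands work to a pool
 * thread while keeping the caller's Subject attached to it, so that
 * authorization checks made in the worker see the logged-in user instead
 * of a fresh anonymous Subject.
 */
public final class SubjectAwareAsync {

    private final ExecutorService pool = Executors.newFixedThreadPool(4);

    /** Submits the task with the current request thread's Subject bound to it. */
    public <T> Future<T> submit(Callable<T> task) {
        // Resolve the Subject on the calling (request) thread, where the
        // Shiro filter has already bound it to the ThreadContext.
        Subject caller = SecurityUtils.getSubject();
        // associateWith wraps the task so that, on the worker thread,
        // SecurityUtils.getSubject() returns this Subject for the duration of
        // the call, and the ThreadContext is cleared again afterwards.
        Callable<T> bound = caller.associateWith(task);
        return pool.submit(bound);
    }

    /** Worker-side task: the permission check runs on the pool thread. */
    public static Callable<Boolean> mayReadMailbox(String mailbox) {
        // "mailbox:read:<name>" is a hypothetical permission string for this example.
        return () -> SecurityUtils.getSubject().isPermitted("mailbox:read:" + mailbox);
    }

    public void shutdown() {
        pool.shutdown();
    }
}
```

Without the associateWith step, SecurityUtils.getSubject() on the worker thread builds a new, unauthenticated Subject, so the check above fails closed: nothing leaks, but the user's work silently fails. Shiro also ships org.apache.shiro.concurrent.SubjectAwareExecutorService, which applies the same wrapping to every submitted task, and Subject.execute(Runnable) runs a task synchronously under the Subject. Because the bound Subject still refers to the request's session, work that can outlive the request should not assume that session is still valid.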

Re: Sessions and Tomcat versioning

Posted by gbulfon <ga...@sonicle.com>.
Hello,

the versioning feature of Tomcat (parallel deployment) is too important for
our live deployments.
This was something usual for us while deploying WebTop4, using native
container session manager.

With WebTop5 we need the best of both worlds, and to achieve this I bet we
need some kind of hybrid session manager implementing both the native
container session manager and the default native shiro session manager: this
would allow us to both have classic JSESSIONID management on Tomcat (making
it work on parallel deployments) together with a native shiro session to
work with our websockets management and rest APIs.

We may invest in the development of such a hybrid manager, but we need some
help on how to achieve this. We would contribute the final result,
obviously.

Can anyone help?

Gabriele




Re: Sessions and Tomcat versioning

Posted by Brian Demers <br...@gmail.com>.
Hey Matteo!

You basically have two main options:

1.) Use the native container sessions. This allows you to use any of the
container's clustering techniques you want (it's just standard servlet
sessions).
2.) Use the DefaultWebSessionManager. You can configure your session
management (and clustering) outside of your container (in your
shiro config). Out of the box you could use EhCache, Hazelcast, etc.


On Fri, Dec 1, 2017 at 4:16 AM, malbinola <ma...@sonicle.com> wrote:

> Brian Demers wrote
> > If you want to use Tomcat (or other servlet container’s sessions) use
> > ‘ServletContainerSessionManager’ instead:
> >
> > https://shiro.apache.org/static/current/apidocs/org/
> apache/shiro/web/session/mgt/ServletContainerSessionManager.html
>
> You are right Brian but from one side we don't want to compromise future
> benefits related to generic (I mean not container specific) clustering or
> enterprise-caching configurations.
> On the other side we appreciate the single configuration point of the
> shiro.ini file; using container's sessions means using tomcat specific
> configuration options in context.xml.
> We would have the cake and also eat it.
>
> Anyway, the purpose of my questions is only to understand if there is a
> chance to use Tomcat's parallel deployment in conjunction with Shiro's
> native sessions, or/and maybe to obtain some advice in order to achieve
> our
> goal. Any thoughts?
>
> In our webapp, we make use of websockets and current implementation is able
> to associate multiple websocket channels (eg. in case of two browser tabs)
> to the same session of the logged user.
> If eventually we decide to go back to ServletContainerSessionManager,
> could
> we have some problems or something to keep in mind with this kind of
> situation?
>
> Thank you,
> Matteo
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>
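
Option 1 applied to the shiro.ini from the first post, as an added illustration (not Matteo's or Brian's configuration and not Shiro project code): the [main] section switched to ServletContainerSessionManager, with the settings that only exist on DefaultWebSessionManager removed. It assumes the class names from the original post (WTRealm, WTFormAuthFilter, ShiroSessionListener) and that the cookie name and timeout move to Tomcat's context.xml and the webapp's web.xml.

```ini
[main]
# Container-managed sessions: Tomcat issues JSESSIONID, and its parallel
# deployment uses that cookie to keep a request on the app version that
# created the session, so users on app##01 are not bounced to app##02.
# (This is also the default session manager of DefaultWebSecurityManager,
# so the two lines below are explicit rather than required.)
sessionManager = org.apache.shiro.web.session.mgt.ServletContainerSessionManager
securityManager.sessionManager = $sessionManager

# Removed from the original [main]: cookie/sessionIdCookie, sessionIdCookieEnabled,
# sessionIdUrlRewritingEnabled, globalSessionTimeout and sessionListeners.
# Those are DefaultWebSessionManager properties. With container sessions the
# cookie name comes from context.xml (sessionCookieName), the 15-minute timeout
# from web.xml (<session-config><session-timeout>15</session-timeout>), and
# "no id in URLs" from <tracking-mode>COOKIE</tracking-mode> in the same block.
# The ShiroSessionListener logic has to move to a javax.servlet.http.HttpSessionListener
# declared in web.xml, because this manager does not notify Shiro SessionListeners.

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

realm = com.sonicle.webtop.core.shiro.WTRealm
securityManager.realms = $realm

authc = com.sonicle.webtop.core.shiro.WTFormAuthFilter
authc.loginUrl = /login
authc.successUrl = /
authc.usernameParam = wtusername
authc.passwordParam = wtpassword
authc.rememberMeParam = wtrememberme
authc.failureKeyAttribute = loginFailure
```

The trade-off Matteo describes is real: the session settings leave shiro.ini and land in container files, and session clustering becomes Tomcat's job. What the change buys is that Tomcat can see the sessions again (the Manager counters stop reading 0) and route by them during a parallel deployment. Keep the tracking mode at COOKIE so the session id never ends up in URLs, referrers or access logs, and re-check the WebSocket handshake code: with this manager the Shiro session is a wrapper over the HttpSession, so any code that relied on a Shiro-specific session id in the wtSessionId cookie must read JSESSIONID instead.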

Re: Sessions and Tomcat versioning

Posted by malbinola <ma...@sonicle.com>.
Brian Demers wrote
> If you want to use Tomcat (or other servlet container’s sessions) use
> ‘ServletContainerSessionManager’ instead:
> 
> https://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/session/mgt/ServletContainerSessionManager.html

You are right Brian but from one side we don't want to compromise future
benefits related to generic (I mean not container specific) clustering or
enterprise-caching configurations.
On the other side we appreciate the single configuration point of the
shiro.ini file; using container's sessions means using tomcat specific
configuration options in context.xml.
We would have the cake and also eat it.

Anyway, the purpose of my questions is only to understand if there is a
chance to use Tomcat's parallel deployment in conjunction with Shiro's
native sessions, or/and maybe to obtain some advice in order to achieve our
goal. Any thoughts?

In our webapp, we make use of websockets and current implementation is able
to associate multiple websocket channels (eg. in case of two browser tabs)
to the same session of the logged user.
If eventually we decide to go back to ServletContainerSessionManager, could
we have some problems or something to keep in mind with this kind of
situation?

Thank you,
Matteo




Re: Sessions and Tomcat versioning

Posted by Brian Demers <br...@gmail.com>.
> Is there any way (maybe extending the DefaultWebSessionManager) to inform
> Tomcat about shiro session management?
> 

If you want to use Tomcat (or other servlet container’s sessions) use ‘ServletContainerSessionManager’ instead:

https://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/session/mgt/ServletContainerSessionManager.html


> 
> 
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Sessions and Tomcat versioning

Posted by malbinola <ma...@sonicle.com>.
Thanks Felipe...
After checking the relevant parts of your shiro.ini, I think that our
issue is related to the use of Shiro's native sessions.
It seems that using DefaultWebSessionManager blinds Tomcat completely,
preventing it from understanding the real session distribution over the webapp's
instances.
In fact, if I look into the Tomcat Manager application, all session counters
remain at 0.

Is there any way (maybe extending the DefaultWebSessionManager) to inform
Tomcat about shiro session management?




Re: Sessions and Tomcat versioning

Posted by Felipe Jaekel <fk...@gmail.com>.
Hi,

I've been using Shiro + Tomcat parallel deployment without issues for some
years. Currently I'm using Tomcat 8.5.20 and Shiro 1.4.0.

Here is my shiro.ini file:

[main]
shiro.loginUrl = /login.jsf
authc.loginUrl = /login.jsf

user = br.com.tecnico.login.UserFilter
user.loginUrl = /login.jsf

logout = br.com.tecnico.login.LogoutFilter
logout.redirectUrl = http://www.company-name.com.br

roles = br.com.tecnico.login.RolesAuthorizationFilter
roles.loginUrl = /login.jsf
roles.unauthorizedUrl = /authorizationError.jsf

# DataSource config
ds                = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType   = javax.sql.DataSource
ds.resourceName   = openejb:Resource/MySql

# JDBC realm config
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.authorizationCachingEnabled = true
jdbcRealm.permissionsLookupEnabled = false
jdbcRealm.authenticationQuery = SELECT senha FROM TBTecnico WHERE usuario = ?
jdbcRealm.userRolesQuery = SELECT role FROM RoleUsuario WHERE usuario = ?
jdbcRealm.dataSource = $ds

securityManager.realms = $jdbcRealm

# Cache
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager

securityManager.cacheManager = $cacheManager

[urls]
/logout = logout

# Internal chat
/page/chatInterno/mensagens.jsf = user

# Training
/page/capacitacao/inscricao.jsf = user
/page/capacitacao/certificado.jsf = user
/page/capacitacao/participacao.jsf = user
/page/capacitacao/prova.jsf = user
/page/capacitacao/video/visualizarVideos.jsf = user
/page/capacitacao/consultaInscricao.jsf = roles[gerente, consulta_inscricao_capacitacao]
/page/capacitacao/etiquetas.jsf = user
/page/capacitacao/** = roles[admin_capacitacao, coordenador_projeto]

# Sales
/page/comercial/bonificacaoImplantacao.jsf = roles[admin_comercial]
/page/comercial/tipoContato.jsf = roles[admin_comercial, gerente, contato_cliente]
/page/comercial/contatos.jsf = roles[admin_comercial, gerente, contato_cliente]
/page/comercial/gestaoClientes.jsf = roles[gerente, admin_comercial, comercial]
/page/comercial/gerarProposta.jsf = roles[admin_comercial, comercial, comercial_proposta]
/page/comercial/gestaoProposta.jsf = roles[admin_comercial, comercial, comercial_proposta]
/page/comercial/captacaoClientes.jsf = roles[admin_comercial, comercial]
/page/comercial/licenca.jsf = roles[admin]
/page/comercial/assinaturaHmac.jsf = roles[assinatura_hmac]
/page/comercial/tabelaReajusteSolucao.jsf = roles[admin_comercial]


# Employees
/page/colaboradores/portal.jsf = user
/page/agenda/calendario.jsf = roles[admin_agenda, agenda, tecnico, comercial, coordenador_projeto]
/page/rdv/protocoloRecebimento.jsf = roles[admin_rdv]
/page/rdv/valorKm.jsf = roles[admin_rdv]
/page/rdv/** = roles[admin_rdv, tecnico, comercial, coordenador_projeto, viajante, rdv]
/page/agenda/evento/agenda.jsf = roles[evento]
/page/colaboradores/gestaoComunicacao.jsf = user
/page/colaboradores/habilidades.jsf = roles[admin_escritorioProjeto]
/page/colaboradores/nivelConhecimento.jsf = roles[admin_escritorioProjeto]
/page/colaboradores/assinaturaEmail.jsf = user

# Management
/page/agenda/painelGestao/painelGestao.jsf = roles[admin_agenda, gerente]
/page/agenda/gestaoAutorizacao/autorizacaoVisita.jsf = roles[admin_agenda, gerente]
/page/agenda/rat/atendimentoEmAdamento.jsf = roles[admin_agenda, gerente]
/page/gerencia/atores.jsf = roles[admin_projeto]
/page/gerencia/controlePassagemAerea/** = roles[gerente]
/page/gerencia/pesquisa/acompanhamento.jsf = roles[gerente]
/page/gerencia/pesquisa/pesquisasRecusadas.jsf = roles[gerente]
/page/gerencia/pesquisa/** = roles[admin_pesquisa]
/page/gerencia/atendimentoTecnicoDialog.jsf = roles[gerente]
/page/gerencia/painel/painelGerencia.jsf = roles[gerente]
/page/gerencia/gestaoProjeto.jsf = roles[gerente, admin_projeto]
/page/gerencia/projetos/timeLine.jsf = roles[gerente, admin_projeto]
/page/gerencia/projetos/gestaoRecursos.jsf = roles[gerente, admin_projeto]
/page/gerencia/apartamentos.jsf = roles[admin_agenda, gerente]
/page/solicitacaoVisita/visitaDiagnostico.jsf = roles[gerente]
/page/gerencia/rdv/consultaRdv.jsf = roles[admin_rdv, coordenador_projeto]
/page/gerencia/elicitacao/** = roles[diagnostico_situacional, coordenador_projeto]
/page/gerencia/relatorio/** = roles[gerente, diretor]
/page/gerencia/escritorios.jsf = roles[gerente, diretor]
/page/plano/kanban.jsf = roles[gerente, coordenador_projeto, kanban]
/page/plano/acompanhamentoProjetosKanban.jsf = roles[gerente, coordenador_projeto, kanban]
/page/gerencia/monitorProjeto/monitorProjeto.jsf = roles[gerente, coordenador_projeto, monitor_projeto]
/page/gerencia/hotel.jsf = roles[admin_agenda, gerente]
/page/gerencia/reservaHotel.jsf = roles[admin_agenda, gerente]
/page/rpc/relatorioRPC.jsf = roles[gerente]
/page/agenda/rat/atendidosRat.jsf = roles[admin_agenda, gerente]

# Finance
/page/financeiro/** = roles[admin_financeiro]
/page/mensagemBoleto.jsf = roles[mensagem_boleto]

# HR
/page/rh/** = roles[rh]

# Services
/page/comunicados.jsf = user
/page/calendarioOficial.jsf = user
/page/comprovanteRendimentos.jsf = user
/page/consultaGastoUnimed.jsf = user
/page/demonstrativoPagamento.jsf = user
/page/sistema/leituraEmailBounce.jsf = roles[admin_sac]
/page/recadastramentoSenha.jsf = user
/page/envioEmail/envioEmail.jsf = roles[envio_email, admin_comercial, comercial]
/page/rh/aniversariantesMes.jsf = user

# Site
/page/site/suporte.jsf = user
/page/site/gestaoSuporte.jsf = roles[moderador_suporte]
/page/permissao/permissaoUsuario.jsf = roles[admin_permissao]
/page/site/emailPendente.jsf = roles[admin_agenda, admin_sac, admin_capacitacao, admin_comercial, admin_rdv]
/page/site/dbs.jsf = roles[site]
/page/site/imagemPopUp.jsf = roles[site]
/page/site/cadastroComunicado.jsf = roles[site]
/page/site/cadastroCliente.jsf = roles[cadastro_cliente]
/page/site/cadastroColaborador.jsf = roles[cadastro_colaborador]
/page/startTestServer.jsf = user
/page/site/cadastroComunicadoSgh.jsf = roles[comunicado_sgh]

###########
# Support #
###########
# RAT lookup
/page/agenda/rat/consultaRat.jsf = roles[atendente, gerente, tecnico, coordenador_projeto]

# Phone support
/page/servico/classificacaoAtendimento.jsf = roles[admin_sac]
/page/servico/produto.jsf = roles[admin_produto, admin_comercial, comercial]
/page/teleSuporte/bancoInformacoes/** = roles[supervisor]
/page/teleSuporte/informacaoProvisoriaCliente/informacaoProvisoriaCliente.jsf = roles[supervisor, informacoes_provisorias_cliente]
/page/teleSuporte/relatoriosSacweb.jsf = roles[supervisor]
/page/teleSuporte/finalizarAtendimento.jsf = roles[supervisor]
/page/teleSuporte/indicadores.jsf = roles[supervisor]
/page/teleSuporte/historicoSacweb.jsf = user
/page/teleSuporte/sacwebEmailGerente.jsf = roles[gerente]
/page/teleSuporte/geracaoPacoteDialog.jsf = user
/page/teleSuporte/** = user
/page/sistema/** = roles[admin_sac]

/page/upload/fileUploadDialogCliente.jsf = roles[atendente]
/template/fileUploadDialog.jsf = user

# Você on-line
/page/atendimento/atendimento.jsf = user
/page/atendimento/cadastroAtendente.jsf = roles[admin_sac]
/page/atendimento/monitoria.jsf = roles[admin_sac]
/page/atendimento/** = roles[atendente, admin_sac]

# Home Office
/page/teleTrabalho/cadastroImpressaoDigital.jsf = roles[admin_biometria]
/page/teleTrabalho/marcacaoPonto.jsf = roles[biometria]
/page/teleTrabalho/relatorioPonto.jsf = roles[admin_biometria]
/page/solicitacaoVisita/solicitacaoVisita.jsf = user
/page/solicitacaoVisita/acompanhamentoSolicitacaoVisita.jsf = roles[gerente]

###############
# Technicians #
###############
# Schedule
/page/agenda/atendimentoEscritorio.jsf = roles[atendimento_escritorio, gerente]
/page/agenda/cadastroReservaVeiculo.jsf = roles[reserva_veiculo, gerente]
/page/agenda/painelVeiculos/painelVeiculos.jsf = roles[reserva_veiculo, gerente]
/page/agenda/pesquisa.jsf = roles[admin_agenda]
/page/agenda/localizacao.jsf = roles[admin_agenda, agenda, tecnico]
/page/agenda/** = roles[admin_agenda, tecnico, coordenador_projeto]

## Vehicles ##
/page/servico/modeloVeiculo.jsf = roles[admin_veiculo]
/page/servico/veiculo.jsf = roles[admin_veiculo]

# Updates
/page/download/download.jsf = roles[atualizacoes, tecnico, coordenador_projeto]
/page/atualizacaoSus/gerenciamento.jsf = roles[atualizacao_sus]
/page/atualizacaoSus/gerenciamentoAtualizacaoSus.jsf = roles[atualizacao_sus]
/page/atualizacaoSus/download.jsf = roles[atualizacoes, tecnico]
/page/atualizacaoSus/downloadAtualizacaoSus.jsf = roles[atualizacoes, tecnico, coordenador_projeto]
/page/senhaCliente.jsf = roles[atualizacoes, tecnico, coordenador_projeto]

# Action plan
/page/plano/plano.jsf = roles[tecnico, admin_plano, gerente, coordenador_projeto]
/page/plano/** = roles[admin_plano, gerente, coordenador_projeto]

# Reports
/page/perfilCliente.jsf = roles[tecnico, perfil_cliente]

# Requests
/page/solicitacaoServico/** = roles[tecnico, solicitacao_servico, coordenador_projeto]

# Internal task
/page/tarefaInterna/visualizacaoTarefaInterna.jsf = user

# Report generator
/page/cadastroRelatorio.jsf = roles[tecnico, gerente, gerador_relatorio]

# Dialogs
/dialogs/** = user
###############################################################################

# Prevents pages without an explicit mapping from being accessed
/page/** = roles[admin]

2017-11-02 8:16 GMT-02:00 malbinola <ma...@sonicle.com>:

> Hi all,
> we are experiencing a strange behaviour using Shiro in conjunction with
> Tomcat versioning/naming feature
> (https://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Naming).
> Let's suppose that we have a deployed app named app##01.war on which we
> have
> several logged users.
> If we release a new version of our webapp (app##02.war), after the webapp
> is started up by Tomcat, users on the instance ##01 start receiving 401
> Unauthorized from the server and they are automatically redirected to login
> page.
>
> It seems that sessions of both webapp instances are treated in the same
> pool.
> How can we separate the session handling in order to avoid any interference
> between the instances?
>
> Any help would be appreciated.
> Thanks.
>
> Matteo A.
>
> I leave here our shiro.ini configuration:
>
> [main]
> cookie = org.apache.shiro.web.servlet.SimpleCookie
> cookie.name = wtSessionId
> cookie.path = /
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> sessionListener = com.sonicle.webtop.core.app.ShiroSessionListener
> sessionManager.sessionIdCookie = $cookie
>
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.sessionIdCookieEnabled = true
> securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
> securityManager.sessionManager.globalSessionTimeout = 900000
> securityManager.sessionManager.sessionListeners = $sessionListener
>
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
>
> realm = com.sonicle.webtop.core.shiro.WTRealm
> securityManager.realms = $realm
>
> authc = com.sonicle.webtop.core.shiro.WTFormAuthFilter
> authc.loginUrl = /login
> authc.successUrl = /
> authc.usernameParam = wtusername
> authc.passwordParam = wtpassword
> authc.rememberMeParam = wtrememberme
> authc.failureKeyAttribute = loginFailure
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>