Posted to user@shiro.apache.org by Paulo Pires <pj...@ubiwhere.com> on 2012/05/18 17:19:56 UTC

Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Hi all,

First of all, thanks to the project contributors for putting such an
effort in this project.

Now, I'm struggling to get a simple Web application (just JSP 'stolen'
from Shiro samples code) to authenticate against a JDBC realm backed by
MySQL. Every time I try to log in the page just reloads again and doesn't
throw any kind of error.

I've made the project source-code public, so that anyone can look at it,
and eventually it may become the basis for a tutorial on this. You can
check it at https://github.com/pires/simple-shiro-web-app

I've tried to debug it, but somehow, my log4j configuration is not
working properly. I can see a 'shiro.log' file being generated and with
some output from commons.beanutils, but nothing about Shiro. I only get
error messages in Glassfish 'server.log' when some property in
'shiro.ini' is wrongly configured.

Any help will be highly appreciated.

Thanks!

-- 
Paulo Pires


Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Paulo Pires <pj...@ubiwhere.com>.
One more note. I can see 6 new connections to the
simple_shiro_web_app database in my MySQL server. I can even see a
connection idle time being reset every time I try to log in. So, the
connection pool is working. And the login process is going to the database.

Thank you Jared, but I may have led you to a mistake, since I commented
org.apache for testing purposes. But still, you may have a point here.
I'll look further into it.

Thanks,
PP

On 18/05/12 18:02, Jared Bunting wrote:
>
> Since those are trace messages from beanutils, and you explicitly set
> org.apache to warn in log4j.properties, I'm still thinking that your
> logging configuration isn't getting picked up.  You might try Googling
> for logging in glassfish.
>
> On May 18, 2012 10:20 AM, "Paulo Pires" <pjpires@ubiwhere.com> wrote:
>
>     Hi all,
>
>     First of all, thanks to the project contributors for putting such an
>     effort in this project.
>
>     Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>     from Shiro samples code) to authenticate against a JDBC realm
>     backed by
>     MySQL. Every time I try to log in the page just reloads again and
>     doesn't
>     throw any kind of error.
>
>     I've made the project source-code public, so that anyone can look
>     at it,
>     and eventually it may become the basis for a tutorial on this. You can
>     check it at https://github.com/pires/simple-shiro-web-app
>
>     I've tried to debug it, but somehow, my log4j configuration is not
>     working properly. I can see a 'shiro.log' file being generated and
>     with
>     some output from commons.beanutils, but nothing about Shiro. I
>     only get
>     error messages in Glassfish 'server.log' when some property in
>     'shiro.ini' is wrongly configured.
>
>     Any help will be highly appreciated.
>
>     Thanks!
>
>     --
>     Paulo Pires
>

-- 
Paulo Pires


Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Les Hazlewood <lh...@apache.org>.
P.S. I just committed that fix in Shiro's 1.2.x branch and trunk.  You
can use 1.2.1-SNAPSHOT or 1.3.0-SNAPSHOT versions to pick up this fix
automatically.

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog

On Fri, May 18, 2012 at 10:52 AM, Les Hazlewood <lh...@apache.org> wrote:
> Hi Paulo,
>
> I made some adjustments to the project to use hashed passwords
> correctly in the database, but I discovered that there is a bug in the
> PasswordMatcher implementation.  I created an issue for this:
>
> https://issues.apache.org/jira/browse/SHIRO-363
>
> In the meantime, I've created a JdbcRealm subclass in your project to
> work around the issue.  I'll commit the fix to Shiro shortly.
>
> The project with my fixes applied:
> https://github.com/lhazlewood/simple-shiro-web-app
>
> I've issued a pull request to you so you can incorporate those changes
> in your project if you like:
> https://github.com/pires/simple-shiro-web-app/pull/1
>
> HTH!
>
> Best,
>
> --
> Les Hazlewood
> CTO, Stormpath | http://stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog
>
> On Fri, May 18, 2012 at 10:22 AM, Paulo Pires <pj...@ubiwhere.com> wrote:
>> Hi Les,
>>
>> Thank you for taking time into helping me.
>>
>> I'll drop the ALTER statements. I use them for redeployments
>> automatically but you're right, they're no good in this project.
>>
>> Now, regarding the hashing, I've done it before. I even cloned your
>> trunk and built the hasher-cli.jar myself. But authentication wasn't
>> working as well, so I got back to cleartext passwords. I got confused
>> with 'salt' and the number of iterations as something I may have to pass
>> in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it
>> the initial part of the value stored in the database?
>>
>> Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it
>> in my shiro.ini but it's commented.
>>
>> Cheers,
>> PP
>>
>> On 18/05/12 18:10, Les Hazlewood wrote:
>>> I just forked the project and tried to set up the DB - the pop_db.sql
>>> script was failing for me because of the alter statements at the top
>>> (there was nothing to alter since it was my first time creating the
>>> DB).
>>>
>>> Then I looked further down the script and noticed that you were
>>> populating the user table with raw (plaintext) password values for the
>>> password column.  This is probably why your logins always fail:
>>>
>>> Because you've configured a PasswordService and PasswordMatcher, Shiro
>>> expects the passwords returned from the database to be in a recognized
>>> hash format.  Because the column values are plaintext, the credentials
>>> comparison under the current configuration will always fail.
>>>
>>> You can use the Shiro command-line Hasher [1] to hash your test
>>> passwords.  Take the output from that command and use that as your
>>> password column value.
>>>
>>> I know this is just a test/sample web app, but in the interest of
>>> clarity for others that might read this in the future, I should
>>> stress, very strongly, to never ever ever store plaintext passwords in
>>> your data store.  Ever.  :)
>>>
>>> [1] http://shiro.apache.org/command-line-hasher.html
>>>
>>> HTH,
>>>
>>> --
>>> Les Hazlewood
>>> CTO, Stormpath | http://stormpath.com | 888.391.5282
>>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>>> blog: http://leshazlewood.com
>>> stormpath blog: http://www.stormpath.com/blog
>>>
>>> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
>>> <ja...@peachjean.com> wrote:
>>>> Since those are trace messages from beanutils, and you explicitly set
>>>> org.apache to warn in log4j.properties, I'm still thinking that your logging
>>>> configuration isn't getting picked up.  You might try Googling for logging
>>>> in glassfish.
>>>>
>>>> On May 18, 2012 10:20 AM, "Paulo Pires" <pj...@ubiwhere.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> First of all, thanks to the project contributors for putting such an
>>>>> effort in this project.
>>>>>
>>>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>>>> MySQL. Every time I try to log in the page just reloads again and doesn't
>>>>> throw any kind of error.
>>>>>
>>>>> I've made the project source-code public, so that anyone can look at it,
>>>>> and eventually it may become the basis for a tutorial on this. You can
>>>>> check it at https://github.com/pires/simple-shiro-web-app
>>>>>
>>>>> I've tried to debug it, but somehow, my log4j configuration is not
>>>>> working properly. I can see a 'shiro.log' file being generated and with
>>>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>>>> error messages in Glassfish 'server.log' when some property in
>>>>> 'shiro.ini' is wrongly configured.
>>>>>
>>>>> Any help will be highly appreciated.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> --
>>>>> Paulo Pires
>>>>>
>>
>> --
>> Paulo Pires
>>

Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Les Hazlewood <lh...@apache.org>.
Glad to help!

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog


On Fri, May 18, 2012 at 12:02 PM, Paulo Pires <pj...@ubiwhere.com> wrote:
> Les,
>
> You rock!! It works. I've already pulled and pushed your changes. Thank
> you so much.
>
> PP
>
> On 18/05/12 18:52, Les Hazlewood wrote:
>> Hi Paulo,
>>
>> I made some adjustments to the project to use hashed passwords
>> correctly in the database, but I discovered that there is a bug in the
>> PasswordMatcher implementation.  I created an issue for this:
>>
>> https://issues.apache.org/jira/browse/SHIRO-363
>>
>> In the meantime, I've created a JdbcRealm subclass in your project to
>> work around the issue.  I'll commit the fix to Shiro shortly.
>>
>> The project with my fixes applied:
>> https://github.com/lhazlewood/simple-shiro-web-app
>>
>> I've issued a pull request to you so you can incorporate those changes
>> in your project if you like:
>> https://github.com/pires/simple-shiro-web-app/pull/1
>>
>> HTH!
>>
>> Best,
>>
>> --
>> Les Hazlewood
>> CTO, Stormpath | http://stormpath.com | 888.391.5282
>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>> blog: http://leshazlewood.com
>> stormpath blog: http://www.stormpath.com/blog
>>
>> On Fri, May 18, 2012 at 10:22 AM, Paulo Pires <pj...@ubiwhere.com> wrote:
>>> Hi Les,
>>>
>>> Thank you for taking time into helping me.
>>>
>>> I'll drop the ALTER statements. I use them for redeployments
>>> automatically but you're right, they're no good in this project.
>>>
>>> Now, regarding the hashing, I've done it before. I even cloned your
>>> trunk and built the hasher-cli.jar myself. But authentication wasn't
>>> working as well, so I got back to cleartext passwords. I got confused
>>> with 'salt' and the number of iterations as something I may have to pass
>>> in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it
>>> the initial part of the value stored in the database?
>>>
>>> Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it
>>> in my shiro.ini but it's commented.
>>>
>>> Cheers,
>>> PP
>>>
>>> On 18/05/12 18:10, Les Hazlewood wrote:
>>>> I just forked the project and tried to set up the DB - the pop_db.sql
>>>> script was failing for me because of the alter statements at the top
>>>> (there was nothing to alter since it was my first time creating the
>>>> DB).
>>>>
>>>> Then I looked further down the script and noticed that you were
>>>> populating the user table with raw (plaintext) password values for the
>>>> password column.  This is probably why your logins always fail:
>>>>
>>>> Because you've configured a PasswordService and PasswordMatcher, Shiro
>>>> expects the passwords returned from the database to be in a recognized
>>>> hash format.  Because the column values are plaintext, the credentials
>>>> comparison under the current configuration will always fail.
>>>>
>>>> You can use the Shiro command-line Hasher [1] to hash your test
>>>> passwords.  Take the output from that command and use that as your
>>>> password column value.
>>>>
>>>> I know this is just a test/sample web app, but in the interest of
>>>> clarity for others that might read this in the future, I should
>>>> stress, very strongly, to never ever ever store plaintext passwords in
>>>> your data store.  Ever.  :)
>>>>
>>>> [1] http://shiro.apache.org/command-line-hasher.html
>>>>
>>>> HTH,
>>>>
>>>> --
>>>> Les Hazlewood
>>>> CTO, Stormpath | http://stormpath.com | 888.391.5282
>>>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>>>> blog: http://leshazlewood.com
>>>> stormpath blog: http://www.stormpath.com/blog
>>>>
>>>> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
>>>> <ja...@peachjean.com> wrote:
>>>>> Since those are trace messages from beanutils, and you explicitly set
>>>>> org.apache to warn in log4j.properties, I'm still thinking that your logging
>>>>> configuration isn't getting picked up.  You might try Googling for logging
>>>>> in glassfish.
>>>>>
>>>>> On May 18, 2012 10:20 AM, "Paulo Pires" <pj...@ubiwhere.com> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> First of all, thanks to the project contributors for putting such an
>>>>>> effort in this project.
>>>>>>
>>>>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>>>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>>>>> MySQL. Every time I try to log in the page just reloads again and doesn't
>>>>>> throw any kind of error.
>>>>>>
>>>>>> I've made the project source-code public, so that anyone can look at it,
>>>>>> and eventually it may become the basis for a tutorial on this. You can
>>>>>> check it at https://github.com/pires/simple-shiro-web-app
>>>>>>
>>>>>> I've tried to debug it, but somehow, my log4j configuration is not
>>>>>> working properly. I can see a 'shiro.log' file being generated and with
>>>>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>>>>> error messages in Glassfish 'server.log' when some property in
>>>>>> 'shiro.ini' is wrongly configured.
>>>>>>
>>>>>> Any help will be highly appreciated.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> --
>>>>>> Paulo Pires
>>>>>>
>>> --
>>> Paulo Pires
>>>
>
> --
> Paulo Pires
>

Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Paulo Pires <pj...@ubiwhere.com>.
Les,

You rock!! It works. I've already pulled and pushed your changes. Thank
you so much.

PP

On 18/05/12 18:52, Les Hazlewood wrote:
> Hi Paulo,
>
> I made some adjustments to the project to use hashed passwords
> correctly in the database, but I discovered that there is a bug in the
> PasswordMatcher implementation.  I created an issue for this:
>
> https://issues.apache.org/jira/browse/SHIRO-363
>
> In the meantime, I've created a JdbcRealm subclass in your project to
> work around the issue.  I'll commit the fix to Shiro shortly.
>
> The project with my fixes applied:
> https://github.com/lhazlewood/simple-shiro-web-app
>
> I've issued a pull request to you so you can incorporate those changes
> in your project if you like:
> https://github.com/pires/simple-shiro-web-app/pull/1
>
> HTH!
>
> Best,
>
> --
> Les Hazlewood
> CTO, Stormpath | http://stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog
>
> On Fri, May 18, 2012 at 10:22 AM, Paulo Pires <pj...@ubiwhere.com> wrote:
>> Hi Les,
>>
>> Thank you for taking time into helping me.
>>
>> I'll drop the ALTER statements. I use them for redeployments
>> automatically but you're right, they're no good in this project.
>>
>> Now, regarding the hashing, I've done it before. I even cloned your
>> trunk and built the hasher-cli.jar myself. But authentication wasn't
>> working as well, so I got back to cleartext passwords. I got confused
>> with 'salt' and the number of iterations as something I may have to pass
>> in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it
>> the initial part of the value stored in the database?
>>
>> Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it
>> in my shiro.ini but it's commented.
>>
>> Cheers,
>> PP
>>
>> On 18/05/12 18:10, Les Hazlewood wrote:
>>> I just forked the project and tried to set up the DB - the pop_db.sql
>>> script was failing for me because of the alter statements at the top
>>> (there was nothing to alter since it was my first time creating the
>>> DB).
>>>
>>> Then I looked further down the script and noticed that you were
>>> populating the user table with raw (plaintext) password values for the
>>> password column.  This is probably why your logins always fail:
>>>
>>> Because you've configured a PasswordService and PasswordMatcher, Shiro
>>> expects the passwords returned from the database to be in a recognized
>>> hash format.  Because the column values are plaintext, the credentials
>>> comparison under the current configuration will always fail.
>>>
>>> You can use the Shiro command-line Hasher [1] to hash your test
>>> passwords.  Take the output from that command and use that as your
>>> password column value.
>>>
>>> I know this is just a test/sample web app, but in the interest of
>>> clarity for others that might read this in the future, I should
>>> stress, very strongly, to never ever ever store plaintext passwords in
>>> your data store.  Ever.  :)
>>>
>>> [1] http://shiro.apache.org/command-line-hasher.html
>>>
>>> HTH,
>>>
>>> --
>>> Les Hazlewood
>>> CTO, Stormpath | http://stormpath.com | 888.391.5282
>>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>>> blog: http://leshazlewood.com
>>> stormpath blog: http://www.stormpath.com/blog
>>>
>>> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
>>> <ja...@peachjean.com> wrote:
>>>> Since those are trace messages from beanutils, and you explicitly set
>>>> org.apache to warn in log4j.properties, I'm still thinking that your logging
>>>> configuration isn't getting picked up.  You might try Googling for logging
>>>> in glassfish.
>>>>
>>>> On May 18, 2012 10:20 AM, "Paulo Pires" <pj...@ubiwhere.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> First of all, thanks to the project contributors for putting such an
>>>>> effort in this project.
>>>>>
>>>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>>>> MySQL. Every time I try to log in the page just reloads again and doesn't
>>>>> throw any kind of error.
>>>>>
>>>>> I've made the project source-code public, so that anyone can look at it,
>>>>> and eventually it may become the basis for a tutorial on this. You can
>>>>> check it at https://github.com/pires/simple-shiro-web-app
>>>>>
>>>>> I've tried to debug it, but somehow, my log4j configuration is not
>>>>> working properly. I can see a 'shiro.log' file being generated and with
>>>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>>>> error messages in Glassfish 'server.log' when some property in
>>>>> 'shiro.ini' is wrongly configured.
>>>>>
>>>>> Any help will be highly appreciated.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> --
>>>>> Paulo Pires
>>>>>
>> --
>> Paulo Pires
>>

-- 
Paulo Pires


Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Les Hazlewood <lh...@apache.org>.
Hi Paulo,

I made some adjustments to the project to use hashed passwords
correctly in the database, but I discovered that there is a bug in the
PasswordMatcher implementation.  I created an issue for this:

https://issues.apache.org/jira/browse/SHIRO-363

In the meantime, I've created a JdbcRealm subclass in your project to
work around the issue.  I'll commit the fix to Shiro shortly.

The project with my fixes applied:
https://github.com/lhazlewood/simple-shiro-web-app

I've issued a pull request to you so you can incorporate those changes
in your project if you like:
https://github.com/pires/simple-shiro-web-app/pull/1

HTH!

Best,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog

On Fri, May 18, 2012 at 10:22 AM, Paulo Pires <pj...@ubiwhere.com> wrote:
> Hi Les,
>
> Thank you for taking time into helping me.
>
> I'll drop the ALTER statements. I use them for redeployments
> automatically but you're right, they're no good in this project.
>
> Now, regarding the hashing, I've done it before. I even cloned your
> trunk and built the hasher-cli.jar myself. But authentication wasn't
> working as well, so I got back to cleartext passwords. I got confused
> with 'salt' and the number of iterations as something I may have to pass
> in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it
> the initial part of the value stored in the database?
>
> Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it
> in my shiro.ini but it's commented.
>
> Cheers,
> PP
>
> On 18/05/12 18:10, Les Hazlewood wrote:
>> I just forked the project and tried to set up the DB - the pop_db.sql
>> script was failing for me because of the alter statements at the top
>> (there was nothing to alter since it was my first time creating the
>> DB).
>>
>> Then I looked further down the script and noticed that you were
>> populating the user table with raw (plaintext) password values for the
>> password column.  This is probably why your logins always fail:
>>
>> Because you've configured a PasswordService and PasswordMatcher, Shiro
>> expects the passwords returned from the database to be in a recognized
>> hash format.  Because the column values are plaintext, the credentials
>> comparison under the current configuration will always fail.
>>
>> You can use the Shiro command-line Hasher [1] to hash your test
>> passwords.  Take the output from that command and use that as your
>> password column value.
>>
>> I know this is just a test/sample web app, but in the interest of
>> clarity for others that might read this in the future, I should
>> stress, very strongly, to never ever ever store plaintext passwords in
>> your data store.  Ever.  :)
>>
>> [1] http://shiro.apache.org/command-line-hasher.html
>>
>> HTH,
>>
>> --
>> Les Hazlewood
>> CTO, Stormpath | http://stormpath.com | 888.391.5282
>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>> blog: http://leshazlewood.com
>> stormpath blog: http://www.stormpath.com/blog
>>
>> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
>> <ja...@peachjean.com> wrote:
>>> Since those are trace messages from beanutils, and you explicitly set
>>> org.apache to warn in log4j.properties, I'm still thinking that your logging
>>> configuration isn't getting picked up.  You might try Googling for logging
>>> in glassfish.
>>>
>>> On May 18, 2012 10:20 AM, "Paulo Pires" <pj...@ubiwhere.com> wrote:
>>>> Hi all,
>>>>
>>>> First of all, thanks to the project contributors for putting such an
>>>> effort in this project.
>>>>
>>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>>> MySQL. Every time I try to log in the page just reloads again and doesn't
>>>> throw any kind of error.
>>>>
>>>> I've made the project source-code public, so that anyone can look at it,
>>>> and eventually it may become the basis for a tutorial on this. You can
>>>> check it at https://github.com/pires/simple-shiro-web-app
>>>>
>>>> I've tried to debug it, but somehow, my log4j configuration is not
>>>> working properly. I can see a 'shiro.log' file being generated and with
>>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>>> error messages in Glassfish 'server.log' when some property in
>>>> 'shiro.ini' is wrongly configured.
>>>>
>>>> Any help will be highly appreciated.
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> Paulo Pires
>>>>
>
> --
> Paulo Pires
>

Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Paulo Pires <pj...@ubiwhere.com>.
Hi Les,

Thank you for taking time into helping me.

I'll drop the ALTER statements. I use them for redeployments
automatically but you're right, they're no good in this project.

Now, regarding the hashing, I've done it before. I even cloned your
trunk and built the hasher-cli.jar myself. But authentication wasn't
working as well, so I got back to cleartext passwords. I got confused
with 'salt' and the number of iterations as something I may have to pass
in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it
the initial part of the value stored in the database?

Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it
in my shiro.ini but it's commented.

Cheers,
PP

On 18/05/12 18:10, Les Hazlewood wrote:
> I just forked the project and tried to set up the DB - the pop_db.sql
> script was failing for me because of the alter statements at the top
> (there was nothing to alter since it was my first time creating the
> DB).
>
> Then I looked further down the script and noticed that you were
> populating the user table with raw (plaintext) password values for the
> password column.  This is probably why your logins always fail:
>
> Because you've configured a PasswordService and PasswordMatcher, Shiro
> expects the passwords returned from the database to be in a recognized
> hash format.  Because the column values are plaintext, the credentials
> comparison under the current configuration will always fail.
>
> You can use the Shiro command-line Hasher [1] to hash your test
> passwords.  Take the output from that command and use that as your
> password column value.
>
> I know this is just a test/sample web app, but in the interest of
> clarity for others that might read this in the future, I should
> stress, very strongly, to never ever ever store plaintext passwords in
> your data store.  Ever.  :)
>
> [1] http://shiro.apache.org/command-line-hasher.html
>
> HTH,
>
> --
> Les Hazlewood
> CTO, Stormpath | http://stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog
>
> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
> <ja...@peachjean.com> wrote:
>> Since those are trace messages from beanutils, and you explicitly set
>> org.apache to warn in log4j.properties, I'm still thinking that your logging
>> configuration isn't getting picked up.  You might try Googling for logging
>> in glassfish.
>>
>> On May 18, 2012 10:20 AM, "Paulo Pires" <pj...@ubiwhere.com> wrote:
>>> Hi all,
>>>
>>> First of all, thanks to the project contributors for putting such an
>>> effort in this project.
>>>
>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>> MySQL. Every time I try to log in the page just reloads again and doesn't
>>> throw any kind of error.
>>>
>>> I've made the project source-code public, so that anyone can look at it,
>>> and eventually it may become the basis for a tutorial on this. You can
>>> check it at https://github.com/pires/simple-shiro-web-app
>>>
>>> I've tried to debug it, but somehow, my log4j configuration is not
>>> working properly. I can see a 'shiro.log' file being generated and with
>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>> error messages in Glassfish 'server.log' when some property in
>>> 'shiro.ini' is wrongly configured.
>>>
>>> Any help will be highly appreciated.
>>>
>>> Thanks!
>>>
>>> --
>>> Paulo Pires
>>>

-- 
Paulo Pires


Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Les Hazlewood <lh...@apache.org>.
I just forked the project and tried to set up the DB - the pop_db.sql
script was failing for me because of the alter statements at the top
(there was nothing to alter since it was my first time creating the
DB).

Then I looked further down the script and noticed that you were
populating the user table with raw (plaintext) password values for the
password column.  This is probably why your logins always fail:

Because you've configured a PasswordService and PasswordMatcher, Shiro
expects the passwords returned from the database to be in a recognized
hash format.  Because the column values are plaintext, the credentials
comparison under the current configuration will always fail.

You can use the Shiro command-line Hasher [1] to hash your test
passwords.  Take the output from that command and use that as your
password column value.

I know this is just a test/sample web app, but in the interest of
clarity for others that might read this in the future, I should
stress, very strongly, to never ever ever store plaintext passwords in
your data store.  Ever.  :)

[1] http://shiro.apache.org/command-line-hasher.html

HTH,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog

On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
<ja...@peachjean.com> wrote:
> Since those are trace messages from beanutils, and you explicitly set
> org.apache to warn in log4j.properties, I'm still thinking that your logging
> configuration isn't getting picked up.  You might try Googling for logging
> in glassfish.
>
> On May 18, 2012 10:20 AM, "Paulo Pires" <pj...@ubiwhere.com> wrote:
>>
>> Hi all,
>>
>> First of all, thanks to the project contributors for putting such an
>> effort in this project.
>>
>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>> from Shiro samples code) to authenticate against a JDBC realm backed by
>> MySQL. Every time I try to log in the page just reloads again and doesn't
>> throw any kind of error.
>>
>> I've made the project source-code public, so that anyone can look at it,
>> and eventually it may become the basis for a tutorial on this. You can
>> check it at https://github.com/pires/simple-shiro-web-app
>>
>> I've tried to debug it, but somehow, my log4j configuration is not
>> working properly. I can see a 'shiro.log' file being generated and with
>> some output from commons.beanutils, but nothing about Shiro. I only get
>> error messages in Glassfish 'server.log' when some property in
>> 'shiro.ini' is wrongly configured.
>>
>> Any help will be highly appreciated.
>>
>> Thanks!
>>
>> --
>> Paulo Pires
>>
>
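
Added example, not part of the thread and not Shiro's own code: a Python model of the `$shiro1$algorithm$iterations$salt$digest` stored-password layout, showing that the salt and iteration count travel inside the column value and why a plaintext column value can never match. The function names and sample rows are hypothetical, and the digest loop is assumed to mirror how Shiro applies salt and iterations.

```python
import base64
import hashlib
import hmac

PREFIX = "$shiro1$"
# Algorithm names as written in the stored string, mapped to hashlib names.
ALGORITHMS = {"SHA-256": "sha256", "SHA-512": "sha512"}


def iterated_digest(password, salt, iterations, algorithm):
    """H(salt || password), then the result re-hashed (iterations - 1) times.

    Assumption: this mirrors how Shiro's hashing applies salt and iterations.
    """
    h = hashlib.new(ALGORITHMS[algorithm])
    h.update(salt)
    h.update(password.encode("utf-8"))
    digest = h.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(ALGORITHMS[algorithm], digest).digest()
    return digest


def format_shiro1(password, salt, iterations=1000, algorithm="SHA-256"):
    """Build the self-describing string that goes into the password column."""
    digest = iterated_digest(password, salt, iterations, algorithm)
    return "%s%s$%d$%s$%s" % (
        PREFIX,
        algorithm,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_shiro1(stored):
    """Split a stored value into (algorithm, iterations, salt, digest).

    Raises ValueError for anything that is not a well-formed $shiro1$ value,
    which includes every plaintext password.
    """
    if not isinstance(stored, str) or not stored.startswith(PREFIX):
        raise ValueError("not a $shiro1$ value")
    parts = stored[len(PREFIX):].split("$")
    if len(parts) != 4:
        raise ValueError("expected algorithm$iterations$salt$digest")
    algorithm, iterations, salt_b64, digest_b64 = parts
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    count = int(iterations)  # ValueError if not a number
    if count < 1:
        raise ValueError("iterations must be >= 1")
    # binascii.Error is a ValueError subclass, so bad Base64 also raises ValueError.
    salt = base64.b64decode(salt_b64, validate=True)
    digest = base64.b64decode(digest_b64, validate=True)
    return algorithm, count, salt, digest


def passwords_match(submitted, stored):
    """Re-hash the submitted password with the parameters read from `stored`."""
    try:
        algorithm, iterations, salt, expected = parse_shiro1(stored)
    except ValueError:
        # A plaintext column value carries no salt or digest to compare against,
        # so the comparison fails no matter what the user typed.
        return False
    actual = iterated_digest(submitted, salt, iterations, algorithm)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def unhashed_accounts(rows):
    """Return usernames whose password column is not a parsable $shiro1$ value."""
    flagged = []
    for username, stored in rows:
        try:
            parse_shiro1(stored)
        except ValueError:
            flagged.append(username)
    return flagged


# Constructed sample rows (username, password column); not data from the thread.
SALT = b"constructed-salt"
ROWS = [
    ("alice", format_shiro1("correct horse", SALT)),  # hashed before insert
    ("bob", "hunter2"),                               # plaintext, as in pop_db.sql
]

if __name__ == "__main__":
    print(ROWS[0][1])
    print("alice logs in:", passwords_match("correct horse", ROWS[0][1]))
    print("bob logs in:  ", passwords_match("hunter2", ROWS[1][1]))
    print("rows to re-hash:", unhashed_accounts(ROWS))
```

Running `unhashed_accounts` over a dump of the user table is a quick check that no plaintext values remain after switching to hashed passwords.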

Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Jared Bunting <ja...@peachjean.com>.
Since those are trace messages from beanutils, and you explicitly set
org.apache to warn in log4j.properties, I'm still thinking that your
logging configuration isn't getting picked up.  You might try Googling for
logging in glassfish.
On May 18, 2012 10:20 AM, "Paulo Pires" <pj...@ubiwhere.com> wrote:

> Hi all,
>
> First of all, thanks to the project contributors for putting such an
> effort in this project.
>
> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
> from Shiro samples code) to authenticate against a JDBC realm backed by
> MySQL. Every time I try to log in the page just reloads again and doesn't
> throw any kind of error.
>
> I've made the project source-code public, so that anyone can look at it,
> and eventually it may become the basis for a tutorial on this. You can
> check it at https://github.com/pires/simple-shiro-web-app
>
> I've tried to debug it, but somehow, my log4j configuration is not
> working properly. I can see a 'shiro.log' file being generated and with
> some output from commons.beanutils, but nothing about Shiro. I only get
> error messages in Glassfish 'server.log' when some property in
> 'shiro.ini' is wrongly configured.
>
> Any help will be highly appreciated.
>
> Thanks!
>
> --
> Paulo Pires
>
>

Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Paulo Pires <pj...@ubiwhere.com>.
The only log I see in my shiro.log is just Shiro configuration stuff.
Check this snippet:

2012-05-18 16:59:57,277 TRACE [org.apache.commons.beanutils.BeanUtils]:     Target name = dataSource
2012-05-18 16:59:57,278 TRACE [org.apache.commons.beanutils.PropertyUtils]: setSimpleProperty: Invoking method public void org.apache.shiro.realm.jdbc.JdbcRealm.setDataSource(javax.sql.DataSource) with value JDBC URL = jdbc:mysql://localhost:3306/simple_shiro_web_app, Username = root, partitions = 1, max (per partition) = 0, min (per partition) = 0, helper threads = 3, idle max age = 60 min, idle test period = 240 min (class com.jolbox.bonecp.BoneCPDataSource)
2012-05-18 16:59:57,304 TRACE [org.apache.commons.beanutils.BeanUtils]:   setProperty(org.apache.shiro.web.mgt.DefaultWebSecurityManager@76e4000d, realms, [org.apache.shiro.realm.jdbc.JdbcRealm@7c7c86ed])
2012-05-18 16:59:57,305 TRACE [org.apache.commons.beanutils.BeanUtils]:     Target bean = org.apache.shiro.web.mgt.DefaultWebSecurityManager@76e4000d
2012-05-18 16:59:57,305 TRACE [org.apache.commons.beanutils.BeanUtils]:     Target name = realms
2012-05-18 16:59:57,305 TRACE [org.apache.commons.beanutils.PropertyUtils]: setSimpleProperty: Invoking method public void org.apache.shiro.mgt.RealmSecurityManager.setRealms(java.util.Collection) with value [org.apache.shiro.realm.jdbc.JdbcRealm@7c7c86ed] (class java.util.ArrayList)

After this and while using the applications, nothing shows up.

I've been googling about Shiro in application servers like Glassfish,
but so far, nothing interesting came up.

PP

On 18/05/12 17:05, Jared Bunting wrote:
> Still not seeing anything in the log?
>
> Are you running in Glassfish?  I'm not overly familiar with it, but I
> wouldn't be surprised if it sets logging configuration itself, and
> therefore ignores your local log4j.properties.  Maybe there is
> somewhere else that you need to configure logging in Glassfish?
>
> Nothing about your shiro configuration jumps out at me, but hooking a 
> debugger in and putting breakpoints in FormAuthenticationFilter and 
> JdbcRealm may be enlightening.
>
> -Jared
>
>
> On Fri 18 May 2012 10:51:00 AM CDT, Paulo Pires wrote:
>> I added to the POM properties the following:
>> <slf4j.version>1.6.4</slf4j.version>
>>
>> Then I added two more dependencies:
>> <dependency>
>>   <groupId>org.slf4j</groupId>
>>   <artifactId>slf4j-api</artifactId>
>>   <version>${slf4j.version}</version>
>> </dependency>
>> <dependency>
>>   <groupId>org.slf4j</groupId>
>>   <artifactId>slf4j-log4j12</artifactId>
>>   <version>${slf4j.version}</version>
>> </dependency>
>>
>> I rebuilt and redeployed the WAR but there were no changes.
>> I also haven't removed any other dependencies.
>>
>> Any hints?
>>
>> Cheers,
>> PP
>>
>> On 18/05/12 16:37, Jared Bunting wrote:
>>> My first thought after looking at your pom - shiro uses slf4j, which
>>> means you will probably want slf4j-log4j12 to bridge between slf4j and
>>> log4j.  (http://www.slf4j.org/manual.html#binding)
>>>
>>> On Fri 18 May 2012 10:19:56 AM CDT, Paulo Pires wrote:
>>>> Hi all,
>>>>
>>>> First of all, thanks to the project contributors for putting such an
>>>> effort in this project.
>>>>
>>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>>> MySQL. Every time I try to log in, the page just reloads again and doesn't
>>>> throw any kind of error.
>>>>
>>>> I've made the project source-code public, so that anyone can look at it,
>>>> and eventually it may become the basis for a tutorial on this. You can
>>>> check it at https://github.com/pires/simple-shiro-web-app
>>>>
>>>> I've tried to debug it, but somehow, my log4j configuration is not
>>>> working properly. I can see a 'shiro.log' file being generated and with
>>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>>> error messages in Glassfish 'server.log' when some property in
>>>> 'shiro.ini' is wrongly configured.
>>>>
>>>> Any help will be highly appreciated.
>>>>
>>>> Thanks!
>>>>
>

-- 
Paulo Pires


Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Jared Bunting <ja...@peachjean.com>.
Still not seeing anything in the log?

Are you running in Glassfish?  I'm not overly familiar with it, but I
wouldn't be surprised if it sets logging configuration itself, and
therefore ignores your local log4j.properties.  Maybe there is
somewhere else that you need to configure logging in Glassfish?

Nothing about your shiro configuration jumps out at me, but hooking a 
debugger in and putting breakpoints in FormAuthenticationFilter and 
JdbcRealm may be enlightening.

-Jared


On Fri 18 May 2012 10:51:00 AM CDT, Paulo Pires wrote:
> I added to the POM properties the following:
> <slf4j.version>1.6.4</slf4j.version>
>
> Then I added two more dependencies:
> <dependency>
>   <groupId>org.slf4j</groupId>
>   <artifactId>slf4j-api</artifactId>
>   <version>${slf4j.version}</version>
> </dependency>
> <dependency>
>   <groupId>org.slf4j</groupId>
>   <artifactId>slf4j-log4j12</artifactId>
>   <version>${slf4j.version}</version>
> </dependency>
>
> I rebuilt and redeployed the WAR but there were no changes.
> I also haven't removed any other dependencies.
>
> Any hints?
>
> Cheers,
> PP
>
> On 18/05/12 16:37, Jared Bunting wrote:
>> My first thought after looking at your pom - shiro uses slf4j, which
>> means you will probably want slf4j-log4j12 to bridge between slf4j and
>> log4j.  (http://www.slf4j.org/manual.html#binding)
>>
>> On Fri 18 May 2012 10:19:56 AM CDT, Paulo Pires wrote:
>>> Hi all,
>>>
>>> First of all, thanks to the project contributors for putting such an
>>> effort in this project.
>>>
>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>> MySQL. Every time I try to log in, the page just reloads again and doesn't
>>> throw any kind of error.
>>>
>>> I've made the project source-code public, so that anyone can look at it,
>>> and eventually it may become the basis for a tutorial on this. You can
>>> check it at https://github.com/pires/simple-shiro-web-app
>>>
>>> I've tried to debug it, but somehow, my log4j configuration is not
>>> working properly. I can see a 'shiro.log' file being generated and with
>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>> error messages in Glassfish 'server.log' when some property in
>>> 'shiro.ini' is wrongly configured.
>>>
>>> Any help will be highly appreciated.
>>>
>>> Thanks!
>>>
>>
>



Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Paulo Pires <pj...@ubiwhere.com>.
I added to the POM properties the following:
<slf4j.version>1.6.4</slf4j.version>

Then I added two more dependencies:
<dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-api</artifactId>
  <version>${slf4j.version}</version>
</dependency>
<dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-log4j12</artifactId>
  <version>${slf4j.version}</version>
</dependency>

I rebuilt and redeployed the WAR but there were no changes.
I also haven't removed any other dependencies.

Any hints?

Cheers,
PP

On 18/05/12 16:37, Jared Bunting wrote:
> My first thought after looking at your pom - shiro uses slf4j, which 
> means you will probably want slf4j-log4j12 to bridge between slf4j and 
> log4j.  (http://www.slf4j.org/manual.html#binding)
>
> On Fri 18 May 2012 10:19:56 AM CDT, Paulo Pires wrote:
>> Hi all,
>>
>> First of all, thanks to the project contributors for putting such an
>> effort in this project.
>>
>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>> from Shiro samples code) to authenticate against a JDBC realm backed by
>> MySQL. Every time I try to log in, the page just reloads again and doesn't
>> throw any kind of error.
>>
>> I've made the project source-code public, so that anyone can look at it,
>> and eventually it may become the basis for a tutorial on this. You can
>> check it at https://github.com/pires/simple-shiro-web-app
>>
>> I've tried to debug it, but somehow, my log4j configuration is not
>> working properly. I can see a 'shiro.log' file being generated and with
>> some output from commons.beanutils, but nothing about Shiro. I only get
>> error messages in Glassfish 'server.log' when some property in
>> 'shiro.ini' is wrongly configured.
>>
>> Any help will be highly appreciated.
>>
>> Thanks!
>>
>

-- 
Paulo Pires


Re: Can't get a simple Web app to authenticate with JDBC Realm (MySQL)

Posted by Jared Bunting <ja...@peachjean.com>.
My first thought after looking at your pom - shiro uses slf4j, which 
means you will probably want slf4j-log4j12 to bridge between slf4j and 
log4j.  (http://www.slf4j.org/manual.html#binding)

On Fri 18 May 2012 10:19:56 AM CDT, Paulo Pires wrote:
> Hi all,
>
> First of all, thanks to the project contributors for putting such an
> effort in this project.
>
> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
> from Shiro samples code) to authenticate against a JDBC realm backed by
> MySQL. Every time I try to log in, the page just reloads again and doesn't
> throw any kind of error.
>
> I've made the project source-code public, so that anyone can look at it,
> and eventually it may become the basis for a tutorial on this. You can
> check it at https://github.com/pires/simple-shiro-web-app
>
> I've tried to debug it, but somehow, my log4j configuration is not
> working properly. I can see a 'shiro.log' file being generated and with
> some output from commons.beanutils, but nothing about Shiro. I only get
> error messages in Glassfish 'server.log' when some property in
> 'shiro.ini' is wrongly configured.
>
> Any help will be highly appreciated.
>
> Thanks!
>