Posted to user@shiro.apache.org by Sreyan Chakravarty <sr...@gmail.com> on 2015/09/08 22:20:48 UTC

Explanation of this shiro.ini

Can someone explain the components of this shiro.ini to me:
https://svn.apache.org/repos/asf/shiro/tags/shiro-root-1.2.0/samples/web/src/main/webapp/WEB-INF/shiro.ini

First of all, why use something like shiro.loginUrl?

Also, where is the success URL, that is, the default landing page? For
example, if the user logs in at the first go, where does he land up?

Where is the failed login page?

And if I were to use a JDBC Realm here, how would I do it?

Re: Explanation of this shiro.ini

Posted by Sreyan Chakravarty <sr...@gmail.com>.
I beg to differ, there is an authc.successUrl

Look at the following shiro.ini:

[main]
authc.loginUrl = /login.jsp
authc.successUrl = /home.jsp

This was found in one of Les Hazlewood's authored posts from

https://github.com/pires/simple-shiro-web-app


On Wed, Sep 9, 2015 at 12:44 PM, scSynergy <ro...@scsynergy.de>
wrote:

> [main]
> // is there a line missing which would look something like 'shiro =
> org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter' ?
> shiro.loginUrl = /login.jsp // this line tells Shiro what to do when an
> unauthenticated user tries to access a secured page: redirect the user to
> /login.jsp
>
> [urls]
> /login.jsp = authc // defines a servlet filter of type AuthenticationFilter
> https://shiro.apache.org/static/1.2.3/apidocs/; this page is open to let
> unauthenticated users access it (shiro.loginUrl tells Shiro to exempt this
> page from restrictions)
> /logout = logout // this line maps the pseudo URL '/logout' to the Shiro
> logout functionality
> /account/** = authc // every page beneath /account is restricted to
> authenticated users (which may pass the authc filter)
> /remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"] //
> every page beneath /remoting is restricted to authenticated users (authc)
> which have the role 'b2bClient' and / or (not sure which) the permission
> "remote:invoke:lan,wan"
>
> There is no failed login page and no 'authc.successUrl = /welcome.xhtml' ,
> so on failed or successful logins you will stay on the login page unless
> that page does an explicit redirect.
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Explanation-of-this-shiro-ini-tp7580693p7580699.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: Explanation of this shiro.ini

Posted by Sreyan Chakravarty <sr...@gmail.com>.
Correct me if I am wrong.

If I were to use the *Shiro FormAuthenticator* then all the things that I
want to do in my servlet will be automatically done for me. Now what
boggles my mind is how the FormAuthenticator handles the "Remember
Me" option.

See, if I am writing my own servlet then I can programmatically check if the
user selected the "Remember Me" option. But how is that handled in the
FormAuthenticator?

Do I need to have a specific field in my form with a specific name that
denotes the "Remember Me" option? If so, what should it be named?

On Wed, Sep 9, 2015 at 7:50 PM, scSynergy <ro...@scsynergy.de>
wrote:

> Yes - concerning the servlet
> Yes - concerning question 1.
> Yes - concerning question 2.
> No, instead you should use authc.loginUrl = /login.xhtml which tells Shiro
> to exempt '/login.xhtml' from permission checks.
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Explanation-of-this-shiro-ini-tp7580693p7580705.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: Explanation of this shiro.ini

Posted by scSynergy <ro...@scsynergy.de>.
Yes - concerning the servlet
Yes - concerning question 1.
Yes - concerning question 2.
No, instead you should use authc.loginUrl = /login.xhtml which tells Shiro
to exempt '/login.xhtml' from permission checks.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Explanation-of-this-shiro-ini-tp7580693p7580705.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Explanation of this shiro.ini

Posted by Sreyan Chakravarty <sr...@gmail.com>.
Can I implement my own Servlet to handle authentication through Shiro?

For example

<form action="/login" method="POST">
<input type = "text" name = "username" />
<br />
 <input type = "password" name = "password" />
<br />
<input type = "Submit" name = "submit" value="Login" />
</form>

And in the servlet can I do something like:

protected void doPost(HttpServletRequest req, HttpServletResponse res) {
    String userid = req.getParameter("username");
    String password = req.getParameter("password");

    Subject currentUser = SecurityUtils.getSubject();

    UsernamePasswordToken token = new UsernamePasswordToken(userid, password);
    // this is all you have to do to support 'remember me' (no config - built in!):
    token.setRememberMe(true);
    currentUser.login(token);
}

Now for this I have two questions:


   1. Will this use the Realm defined in the shiro.ini ?
   2. Will this use the appropriate password matcher defined in shiro.ini ?


Also, does the login servlet need to have a user role of anon, i.e.
anonymous user? Since when the user reaches it for the first time he/she
will be unauthenticated.

On Wed, Sep 9, 2015 at 12:44 PM, scSynergy <ro...@scsynergy.de>
wrote:

> [main]
> // is there a line missing which would look something like 'shiro =
> org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter' ?
> shiro.loginUrl = /login.jsp // this line tells Shiro what to do when an
> unauthenticated user tries to access a secured page: redirect the user to
> /login.jsp
>
> [urls]
> /login.jsp = authc // defines a servlet filter of type AuthenticationFilter
> https://shiro.apache.org/static/1.2.3/apidocs/; this page is open to let
> unauthenticated users access it (shiro.loginUrl tells Shiro to exempt this
> page from restrictions)
> /logout = logout // this line maps the pseudo URL '/logout' to the Shiro
> logout functionality
> /account/** = authc // every page beneath /account is restricted to
> authenticated users (which may pass the authc filter)
> /remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"] //
> every page beneath /remoting is restricted to authenticated users (authc)
> which have the role 'b2bClient' and / or (not sure which) the permission
> "remote:invoke:lan,wan"
>
> There is no failed login page and no 'authc.successUrl = /welcome.xhtml' ,
> so on failed or successful logins you will stay on the login page unless
> that page does an explicit redirect.
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Explanation-of-this-shiro-ini-tp7580693p7580699.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: Explanation of this shiro.ini

Posted by scSynergy <ro...@scsynergy.de>.
[main]
// is there a line missing which would look something like 'shiro =
org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter' ?
shiro.loginUrl = /login.jsp // this line tells Shiro what to do when an
unauthenticated user tries to access a secured page: redirect the user to
/login.jsp

[urls]
/login.jsp = authc // defines a servlet filter of type AuthenticationFilter
https://shiro.apache.org/static/1.2.3/apidocs/; this page is open to let
unauthenticated users access it (shiro.loginUrl tells Shiro to exempt this
page from restrictions)
/logout = logout // this line maps the pseudo URL '/logout' to the Shiro
logout functionality
/account/** = authc // every page beneath /account is restricted to
authenticated users (which may pass the authc filter)
/remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"] //
every page beneath /remoting is restricted to authenticated users (authc)
which have the role 'b2bClient' and / or (not sure which) the permission
"remote:invoke:lan,wan"

There is no failed login page and no 'authc.successUrl = /welcome.xhtml' ,
so on failed or successful logins you will stay on the login page unless
that page does an explicit redirect.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Explanation-of-this-shiro-ini-tp7580693p7580699.html
Sent from the Shiro User mailing list archive at Nabble.com.
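
The questions raised in this thread (success URL, failed login, the "Remember Me" field name, a JDBC realm with a password matcher) can be seen together in one shiro.ini. This is an added example, not part of the thread or of the Shiro sample; the bean names (ds, passwordMatcher, jdbcRealm), the Commons DBCP data source, the JDBC URL and credentials, and /home.jsp are assumptions.

```ini
[main]
# Assumed data source: any javax.sql.DataSource implementation can be used here.
# Use a database account limited to SELECT on the three tables queried below.
ds = org.apache.commons.dbcp.BasicDataSource
ds.driverClassName = org.postgresql.Driver
ds.url = jdbc:postgresql://localhost:5432/appdb
ds.username = shiro_ro
ds.password = CHANGE_ME

# Compares the submitted password against a salted hash stored in the database.
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $ds
jdbcRealm.credentialsMatcher = $passwordMatcher
# Off by default; without it perms[...] in [urls] can never be satisfied.
jdbcRealm.permissionsLookupEnabled = true
# These are JdbcRealm's default queries, written out to show the expected schema.
jdbcRealm.authenticationQuery = select password from users where username = ?
jdbcRealm.userRolesQuery = select role_name from user_roles where username = ?
jdbcRealm.permissionsQuery = select permission from roles_permissions where role_name = ?
securityManager.realms = $jdbcRealm

# 'authc' is the built-in FormAuthenticationFilter.
authc.loginUrl = /login.jsp
# Used after a successful login when there is no saved request to return to.
authc.successUrl = /home.jsp
# Form field names the filter reads (the values shown are the defaults).
authc.usernameParam = username
authc.passwordParam = password
authc.rememberMeParam = rememberMe
# On failure the filter does not redirect: it sets this request attribute to the
# exception class name and lets the request continue to the login page.
authc.failureKeyAttribute = shiroLoginFailure

[urls]
# The login form must POST to loginUrl, and loginUrl must be mapped to authc.
/login.jsp = authc
/logout = logout
# authc requires a real login in this session; a remembered-only user is sent to loginUrl.
/account/** = authc
# Every filter in a chain must pass: authenticated, has the role, and has the permission.
/remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"]
```

A servlet that calls SecurityUtils.getSubject().login(token) goes through the same securityManager, so it authenticates against the realm and credentials matcher configured in [main].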