Posted to user@shiro.apache.org by Charles Syperski <cs...@dupage88.net> on 2012/08/28 17:46:16 UTC

Problem with Session Replication and ShiroFilter

Hello and thanks for an awesome project!

Here is my problem: I am attempting to do the poor man's SSO by using 
domain-level cookies (so multiple web apps/contexts can use the same 
session) with Terracotta.  I think I have everything working, with the 
exception that when I add ShiroFilter to my web.xml:

<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

I can no longer use sessionCookieDomain= and sessionCookiePath= in my 
application's context.xml to allow the cookie to be set at the domain 
level.  It seems that the Shiro filter is setting the JSESSIONID cookie 
and not obeying the settings in the context tag. Is this correct? Can I 
get the Shiro filter to not set the context path or the subdomain?

I am running:

Tomcat 7.0.27, shiro-core-1.2.0.jar, shiro-ehcache-1.2.0.jar and 
shiro-web-1.2.0.jar with OpenJDK 1.7 on Ubuntu 12.04

Any help would be greatly appreciated!

Thanks,
Chuck

Re: Problem with Session Replication and ShiroFilter

Posted by Les Hazlewood <lh...@apache.org>.
Hi Charles,

Yep, configuring the sessionIdCookie to be shared (via subdomains) is
the easiest way to share the session id across apps.  Thanks for
posting a clear/clean solution!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

Re: Problem with Session Replication and ShiroFilter

Posted by Charles Syperski <cs...@dupage88.net>.
I think I figured it out, with:

securityManager.sessionManager.sessionIdCookie.domain = yourdomain.tld
securityManager.sessionManager.sessionIdCookie.path = /
securityManager.sessionManager.sessionIdCookie.httpOnly = true

Thanks

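
The cookie settings from the reply above, placed in a fuller shiro.ini as an added example (not part of the original thread or the Shiro project's own configuration). It assumes Shiro's native session manager with an Ehcache-backed session store; yourdomain.tld is the placeholder from the post, and the ehcache.xml location and the secure flag are assumptions.

```ini
[main]
# sessionIdCookie is a property of Shiro's native web session manager.
# The default ServletContainerSessionManager leaves the session cookie
# to the servlet container, so the native manager is enabled explicitly.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Shared session store, so every app that receives the cookie can
# resolve the same session ID (assumed file: classpath:ehcache.xml,
# configured for Terracotta clustering).
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

# Cookie scope from the post: sent to yourdomain.tld and its subdomains,
# for every path.
securityManager.sessionManager.sessionIdCookie.domain = yourdomain.tld
securityManager.sessionManager.sessionIdCookie.path = /
securityManager.sessionManager.sessionIdCookie.httpOnly = true

# Assumption: every participating app is served over HTTPS, so the
# session ID is never sent over plain HTTP.
securityManager.sessionManager.sessionIdCookie.secure = true
```

A cookie scoped to the whole domain is delivered to every host under it, so each application on a subdomain receives the shared session ID and has to be trusted with it.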