Posted to user@shiro.apache.org by Brendan Le Ny <bl...@codelutin.com> on 2014/01/17 18:15:06 UTC

The actual meaning of authc.loginUrl parameter (aka how i lost 2 hours)

Hi everyone,

My shiro.ini contains (partial)

[main]
authc.loginUrl = /authentication/login!input.action

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

codeLutinRealm = com.codelutin.CodeLutinRealm

securityManager.realms = $codeLutinRealm

[urls]

/authentication/login* = anon
/authentication/forgotten-password-* = anon
/authentication/registration* = anon

/css/** = anon
/data/** = anon
/font/** = anon
/img/** = anon
/js/** = anon
/struts/js/** = anon
/struts/themes/** = anon
/struts/bootstrap/** = anon

/** = authc


When I try to access /administration/admin.action, I'm redirected to
/authentication/login!input.action. Fine, that's what I expected.

I fill in the login form (username and password fields), submit and ... get
redirected to /authentication/login!input.action for not being logged in.

It took me 2 hours to understand why :-(

I use Struts, and by convention, /authentication/login!input.action shows
a form and the form submits to /authentication/login.action (in fact
/authentication/login!execute.action)

The documentation says:

"""
By default, the FormAuthenticationFilter will look for request 
parameters named username, password and rememberMe.
"""

That's false (or partially true). FormAuthenticationFilter will look for
those request parameters ONLY IF the request is on the URL given in the
authc.loginUrl value.


I believed that the "authc.loginUrl" parameter defines the page where the
user is redirected when he lacks authentication and that
FormAuthenticationFilter looked for request parameters named username and
password in all requests by an unauthenticated user. I was wrong.

I was wrong because a single configuration parameter "authc.loginUrl"
actually defines TWO things:
* the page where the user is redirected when he lacks authentication
* the request URL where the login request (with username and password
parameters) must be sent if you want FormAuthenticationFilter to try to
log the user in.

In my opinion, there should be two different configuration parameters:
* authc.loginFormUrl
* authc.loginSubmitUrl

They can be different.

Anyway, there is a big hole in the documentation when it comes to explaining that.

-- 
Brendan Le Ny, Code Lutin
bleny@codelutin.com
(+33) 02 40 50 29 28

Re: The actual meaning of authc.loginUrl parameter (aka how i lost 2 hours)

Posted by Brendan Le Ny <bl...@codelutin.com>.
On 30/04/2014 03:58, rejimk wrote:
> First, I wanted to know if this is the correct approach; especially doing
> the authentication in My Action class.

That's what I do. Actually, I do the authentication in LoginAction ONLY
to catch the exception, call addActionError and return INPUT. But this
code is not called if ShiroFilter intercepted the request with good credentials.

The actual authentication is done by ShiroFilter, not the action.

-- 
Brendan Le Ny, Code Lutin
bleny@codelutin.com
(+33) 02 40 50 29 28

Re: The actual meaning of authc.loginUrl parameter (aka how i lost 2 hours)

Posted by rejimk <re...@gmail.com>.
Thanks Brendan... I wanted to make sure my understanding and approach are not
wrong.

Hi domfarr,
Requirement is more. But to start with, want to use struts2+shiro
Yes, you are correct that's the first requirement.

Now I have progressed more..
What I have done is:
1. Define ShiroFilter & StrutsPrepareAndExecuteFilter in web.xml
2. Define authc as PassThruAuthenticationFilter in shiro.ini
3. Define authc.loginUrl = jsp/login.jsp & authc.successUrl = jsp/Home.jsp
4. Map /mydomain/** = authc in [urls]
5. In struts.xml, map action name login to MyActionClass and method login
6. In login.jsp define action="login" & method="post"
7. In MyActionClass, do the login manually:
   token = new UsernamePasswordToken(username, password);
   SecurityUtils.getSubject().login(token);
8. If any errors, use addActionError() and redirect to login page

It's working with a few authorization issues. (which I will post later, after
analyzing further)
First, I wanted to know if this is the correct approach; especially doing
the authentication in My Action class.

Thanks in Advance.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/The-actual-meaning-of-authc-loginUrl-parameter-aka-how-i-lost-2-hours-tp7579530p7579906.html
Sent from the Shiro User mailing list archive at Nabble.com.
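A complete Struts 2 login action for the flow in the eight steps above (PassThruAuthenticationFilter in front, Subject.login() inside the action), added here as an example; it is not rejimk's or Brendan's code and not part of Shiro or Struts. The package, the class name and the /index.action fallback are assumptions; the Shiro and Struts 2 (2.3-era, xwork2 packages) API calls are the real ones. It shows the two things step 8 leaves open: returning the user to the page PassThruAuthenticationFilter saved before it redirected to the login page, and failing without telling the caller whether the account exists.

```java
package com.example.auth; // hypothetical package

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;
import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Login action used behind PassThruAuthenticationFilter: the filter only saves the
 * originally requested URL and redirects to authc.loginUrl; this action does the login.
 * Map it in struts.xml as action "login" (hypothetical name) with POST from the login form.
 */
public class LoginAction extends ActionSupport {

    private static final String FALLBACK_URL = "/index.action"; // assumed landing page

    private String username;
    private String password;
    private boolean rememberMe;

    /** GET: just show the form (login!input.action). */
    public String input() {
        return INPUT;
    }

    /** POST: authenticate against the configured realms via Shiro. */
    @Override
    public String execute() throws IOException {
        if (username == null || password == null) {
            return INPUT;
        }
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe);
        try {
            subject.login(token);
        } catch (DisabledAccountException e) {
            addActionError("Account disabled");
            return INPUT;
        } catch (AuthenticationException e) {
            // One message for unknown account and wrong password alike,
            // so the form cannot be used to enumerate valid usernames.
            addFieldError("username", "Invalid credentials");
            return INPUT;
        } finally {
            token.clear();   // zero the password chars held by the token
            password = null; // and drop the field so it never reaches a JSP
        }

        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();
        // Replays the URL PassThruAuthenticationFilter saved (only if it was a GET,
        // and always context-relative, so this is not an open redirect), otherwise
        // goes to the fallback. The saved request is cleared from the session.
        WebUtils.redirectToSavedRequest(request, response, FALLBACK_URL);
        return NONE; // redirect already issued; no Struts result to render
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public void setRememberMe(boolean rememberMe) {
        this.rememberMe = rememberMe;
    }
}
```

Because the filter is pass-through, this action owns credential handling, so it must itself be reachable by unauthenticated users: either keep it outside the paths mapped to authc (as in step 4, where only /mydomain/** is protected) or make it the authc.loginUrl, which PassThruAuthenticationFilter lets through without a session. With this in place authc.successUrl is not needed, since the action decides where to send the user.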

Re: The actual meaning of authc.loginUrl parameter (aka how i lost 2 hours)

Posted by Dominic Farr <do...@gmail.com>.
Am I correct in thinking you want a login page that calls a login
controller?  Redirect to success page when credentials are correct,
redirect back to the login page when credentials are not correct?





On 29 April 2014 09:23, Brendan Le Ny <bl...@codelutin.com> wrote:

> On 28/04/2014 20:47, rejimk wrote:
>
>> In the example you have provided, what page will be shown for successful
>> login?
>> Also, if you are returning INPUT, it'll go back to login page, right?
>>
>
> My answer was partial. Actually LoginAction has this annotation:
>
> @Results({
>     @Result(name="success", type="redirectAction", params = {
> "actionName", "index", "namespace", "/" })
> })
>
> (I use struts2-convention-plugin)
>
> And my execute() method is:
>
>     @Override
>     public String execute() {
>
>         if (email != null) {
>
>             if (log.isDebugEnabled()) {
>                 log.debug("try login user " + email);
>             }
>
>             try {
>
>                 service.authenticateUser(email, password);
>
>             } catch (DisabledExtranetUserException e) {
>
>                 addActionError("Account disabled");
>
>                 return ERROR;
>
>             } catch (InvalidLoginException e) {
>
>                 addFieldError("email", "Invalid credentials");
>                 addFieldError("password", "");
>
>                 return ERROR;
>
>             }
>
>             return SUCCESS;
>
>         } else {
>
>             return INPUT;
>
>         }
>
>     }
>
> But I use ShiroFilter so in most of the cases in my app the user will be
> redirected to the url he originally asked for (he was redirected to
> authc.loginUrl by the shiro filter for not being authenticated).
>
> When the user submits the login form (to "login.action", which is also
> authc.loginUrl) Shiro will look in the request for the authentication parameters and
> intercept the request to redirect it if the user asked for another URL (so
> execute() is not called). If not, the user passes into execute, SUCCESS is
> returned and the guy is redirected to index.action (according to the
> annotation).
>
> It's confusing but it works fine for me.
>
> --
> Brendan Le Ny, Code Lutin
> bleny@codelutin.com
> (+33) 02 40 50 29 28
>

Re: The actual meaning of authc.loginUrl parameter (aka how i lost 2 hours)

Posted by Brendan Le Ny <bl...@codelutin.com>.
On 28/04/2014 20:47, rejimk wrote:
> In the example you have provided, what page will be shown for successful
> login?
> Also, if you are returning INPUT, it'll go back to login page, right?

My answer was partial. Actually LoginAction has this annotation:

@Results({
     @Result(name="success", type="redirectAction", params = { 
"actionName", "index", "namespace", "/" })
})

(I use struts2-convention-plugin)

And my execute() method is:

     @Override
     public String execute() {

         if (email != null) {

             if (log.isDebugEnabled()) {
                 log.debug("try login user " + email);
             }

             try {

                 service.authenticateUser(email, password);

             } catch (DisabledExtranetUserException e) {

                 addActionError("Account disabled");

                 return ERROR;

             } catch (InvalidLoginException e) {

                 addFieldError("email", "Invalid credentials");
                 addFieldError("password", "");

                 return ERROR;

             }

             return SUCCESS;

         } else {

             return INPUT;

         }

     }

But I use ShiroFilter so in most of the cases in my app the user will be
redirected to the url he originally asked for (he was redirected to
authc.loginUrl by the shiro filter for not being authenticated).

When the user submits the login form (to "login.action", which is also
authc.loginUrl) Shiro will look in the request for the authentication parameters
and intercept the request to redirect it if the user asked for another URL
(so execute() is not called). If not, the user passes into execute, SUCCESS
is returned and the guy is redirected to index.action (according to the
annotation).

It's confusing but it works fine for me.

-- 
Brendan Le Ny, Code Lutin
bleny@codelutin.com
(+33) 02 40 50 29 28

Re: The actual meaning of authc.loginUrl parameter (aka how i lost 2 hours)

Posted by rejimk <re...@gmail.com>.
Thanks Brendan for your quick reply..

I was referring to the post below and other similar posts
http://shiro-user.582556.n2.nabble.com/Redirect-after-successful-login-td7478727.html

In addition the definition of PassThruAuthenticationFilter confused me more
http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.html

If it's a normal web application, we can authenticate with shiro using
authc.loginUrl and redirect to a page based on authc.successUrl. We can
extend FormAuthenticationFilter and override setFailureAttribute method to
show the error if authentication fails.

However, in a struts2+shiro environment, when I submit a page for
authentication, if shiro does the authentication and passes control to the struts
action, what should the execute method return? For this to happen, I have to use
PassThruAuthenticationFilter, which as per the definition asks for programmatic
authentication!

In the example you have provided, what page will be shown for successful
login? 
Also, if you are returning INPUT, it'll go back to login page, right?

I was expecting to find a working example of struts 2 + shiro, because the
basic requirement is same.

Regards,
Reji 






Re: The actual meaning of authc.loginUrl parameter (aka how i lost 2 hours)

Posted by Brendan Le Ny <bl...@codelutin.com>.
On 28/04/2014 03:46, rejimk wrote:
> Could you please post the excerpt of login jsp and action class?

Hi rejimk,

In my JSP, I have nothing special:

<s:form action="login" namespace="/authentication" method="post">
     <s:textfield name="email" label="E-mail"/>
     <s:password name="password" label="Password"/>
     <s:submit value="OK" />
</s:form>

In LoginAction:

     @Override
     public String input() {
         return INPUT;
     }

     @Override
     public String execute() {
         return INPUT;
     }

The trick is that the execute method returns INPUT (and not SUCCESS), so I send
the user to the url "/authentication/login" and NOT
"/authentication/login!input".

In shiro.ini, I have:

# login.action and NOT login!input.action as expected
authc.loginUrl = /authentication/login.action

# use email field as login
authc.usernameParam = email

Does it help?

-- 
Brendan Le Ny, Code Lutin
bleny@codelutin.com
(+33) 02 40 50 29 28
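The original post asks for two separate parameters, a form URL and a submit URL, and the reply above works around their absence by pointing authc.loginUrl at the submit URL. The filter below, added here as an example and not part of Shiro or of Brendan's application, implements that split on top of the stock FormAuthenticationFilter. The class and package names and the loginSubmitUrl property are assumptions; the overridden methods, pathsMatch(), getLoginUrl() and WebUtils.toHttp() are the real Shiro 1.2 API. The shiro.ini fragment in the Javadoc shows how it would be wired.

```java
package com.example.shiro; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * FormAuthenticationFilter with the two roles of loginUrl pulled apart:
 *
 *   loginUrl        where unauthenticated users are redirected; a GET shows the form
 *   loginSubmitUrl  the only URL on which a POST is treated as a login attempt
 *
 * shiro.ini (assumed wiring; both login URLs stay on the authc chain, the filter
 * lets them through by itself, so no anon entry is needed for them):
 *
 *   [main]
 *   authc = com.example.shiro.SplitUrlFormAuthenticationFilter
 *   authc.loginUrl = /authentication/login!input.action
 *   authc.loginSubmitUrl = /authentication/login.action
 *   authc.usernameParam = email
 *
 *   [urls]
 *   /css/** = anon
 *   /** = authc
 */
public class SplitUrlFormAuthenticationFilter extends FormAuthenticationFilter {

    private String loginSubmitUrl;

    public String getLoginSubmitUrl() {
        return loginSubmitUrl;
    }

    /** Injected from shiro.ini as authc.loginSubmitUrl (JavaBeans setter). */
    public void setLoginSubmitUrl(String loginSubmitUrl) {
        this.loginSubmitUrl = loginSubmitUrl;
    }

    /** Without a submit URL the filter degrades to stock behaviour (one URL for both). */
    private String submitUrl() {
        return loginSubmitUrl != null ? loginSubmitUrl : getLoginUrl();
    }

    /**
     * Stock version answers "is this request for loginUrl?". Here either login URL
     * counts, so onAccessDenied() neither saves the request nor redirects for the
     * form page or for the form submission.
     */
    @Override
    protected boolean isLoginRequest(ServletRequest request, ServletResponse response) {
        return pathsMatch(getLoginUrl(), request) || pathsMatch(submitUrl(), request);
    }

    /**
     * Stock version answers "is this a POST?" and is consulted only after
     * isLoginRequest() returned true. Here a POST is a login attempt only when it
     * targets loginSubmitUrl; a POST to the form URL falls through to the application
     * like a GET and its parameters are never handed to the realm.
     */
    @Override
    protected boolean isLoginSubmission(ServletRequest request, ServletResponse response) {
        if (!(request instanceof HttpServletRequest)) {
            return false;
        }
        HttpServletRequest http = WebUtils.toHttp(request);
        return "POST".equalsIgnoreCase(http.getMethod()) && pathsMatch(submitUrl(), request);
    }
}
```

One check worth making whichever variant is used: the filter only sees requests routed to its chain, and Shiro resolves [urls] first-match-wins. An entry such as /authentication/login* = anon listed before /** = authc sends the form POST down the anon chain, so the credentials are never examined and the user is bounced back to loginUrl on the next protected page, which is the same symptom as in the first post. That is why the fragment above maps neither login URL to anon.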

Re: The actual meaning of authc.loginUrl parameter (aka how i lost 2 hours)

Posted by rejimk <re...@gmail.com>.
Hi Brendan,

authc.successUrl need not be mentioned in shiro.ini?

Could you please post the excerpt of login jsp and action class?

I am doing the SecurityUtils.getSubject().login(token); inside the action
class.
I think this should not be the case as shiro should have done this.

Thanks in Advance.





