4 Replies Latest reply on Aug 2, 2014 3:49 AM by emresimtay

    Problems with Apache Shiro Sessions after Migrating from 8.0 to 8.1 final (Wildfly)

    emresimtay Newbie

      I have migrated my application from Wildfly server 8.0 final to 8.1 final and Apache Shiro started having problems with creating user sessions.

      The exact same application runs without any problem on 8.0 final but when I deploy it to 8.1 users cannot establish sessions and every time they log in they are redirected to the login page even tho the user was authenticated previously. I cannot figure out what has changed since 8.0 that would cause this issue.

       

      Thanks so much

        • 1. Re: Problems with Apache Shiro Sessions after Migrating from 8.0 to 8.1 final (Wildfly)
          jaikiran pai Master

          Please provide more information like the relevant code, the web.xml configurations, the URL you use to access the application and any exception stacktraces.

          • 2. Re: Problems with Apache Shiro Sessions after Migrating from 8.0 to 8.1 final (Wildfly)
            emresimtay Newbie

            No error or exception stack-traces. User can log-in without any problem and shiro can create a session but then next time the user tries to login Shiro cannot bind to the session and authenticates the user again so creates another session where this (currentUser.isAuthenticated()) should return true. I can see the sessions are getting invalidated after an hour later.

             

            The exact same application with the same server configurations without any changes and the same database instance runs perfectly on 8.0 final. Here, I copy-pasted the relevant config and the code. Thanks so much for your help, looking forward to your reply. Cheers

             

            Shiro.ini

             

            [main]

            jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm

            jdbcRealm.authenticationQuery=SELECT password FROM Person WHERE username = ?

            jdbcRealm.userRolesQuery=select rolename from role r left join person p on p.USERNAME = ? left join person_roles pr on pr.Person_personid = p.ID where pr.Role_roleid = r.ID

             

            ds=com.mysql.jdbc.jdbc2.optional.MysqlDataSource

            ds.serverName=localhost

            ds.user=******

            ds.password=******

            ds.databaseName=******

            jdbcRealm.dataSource=$ds

             

            sha256Matcher=org.apache.shiro.authc.credential.Sha256CredentialsMatcher

            jdbcRealm.credentialsMatcher=$sha256Matcher

             

            sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager

            securityManager.sessionManager=$sessionManager

             

            authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter

            authc.loginUrl = /admin/login.html

             

            [urls]

            /rest/authentication/login/** = anon

            /admin/css/** = anon

            /admin/js/** = anon

            /** = authc

             

            Web.xml

             

                <listener>

                    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>

                </listener>

              

                <filter>

                    <filter-name>ShiroFilter</filter-name>

                    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>

                </filter>

             

                <filter-mapping>

                    <filter-name>ShiroFilter</filter-name>

                    <url-pattern>/*</url-pattern>

                    <dispatcher>REQUEST</dispatcher>

                    <dispatcher>FORWARD</dispatcher>

                    <dispatcher>INCLUDE</dispatcher>

                    <dispatcher>ERROR</dispatcher>

                </filter-mapping>

             

            login code

             

                    Subject currentUser = SecurityUtils.getSubject();

                    if (!currentUser.isAuthenticated()) {

                        UsernamePasswordToken token = new UsernamePasswordToken(username, password, true);

                        try {

                            currentUser.login(token);

                            currentUser.getSession(true);

                            log.info("User: " + username + " logged in succcessfuly.");

                            return "Successfuly Authenticated ";

                        } catch (UnknownAccountException e) {

                            log.info("Unknown Account Exception");

                            return "Authentication Failed";

                        } catch (IncorrectCredentialsException e) {

                            log.info("Incorrect Credentials Exception");

                            return "Authentication Failed";

                        } catch (LockedAccountException e) {

                            log.info("Locked Account Exception");

                            return "Authentication Failed";

                        } catch (AuthenticationException e) {

                            log.info("Authentication Exception");

                            return "Authentication Failed";

                        }

                    }

                    return "Already Authenticated";

            • 3. Re: Problems with Apache Shiro Sessions after Migrating from 8.0 to 8.1 final (Wildfly)
              Tomaz Cerar Master

              You might be hit by https://issues.jboss.org/browse/WFLY-3448

               

              can you try with nightly build that has this fixed?

              1 of 1 people found this helpful
              • 4. Re: Problems with Apache Shiro Sessions after Migrating from 8.0 to 8.1 final (Wildfly)
                emresimtay Newbie

                Hey Tomaz, thanks for your reply, I did have a look at the jira and it might be related to my issue but still couldn't get it working with the workarounds that worked for their applications.

                 

                I have noticed that when I run my web application on  8.0, after in the login page response header I can see this cookie


                1. Set-Cookie:JSESSIONID=4f65f700-151b-4852-9b47-cc2678343e17.pinchy; path=


                But 8.1 login page response header doesn't set this cookie so I don't really understand what happening here but changing name JSESSIONID to something else fixed the issue.

                 

                here what I have added to my shiro.ini

                 

                cookie = org.apache.shiro.web.servlet.SimpleCookie
                cookie.name = shiro.session.id
                sessionManager.sessionIdCookie = $cookie