Dropwizard中的Shiro一直将我重定向到登录页面

时间:2013-10-10 18:44:31

标签: authentication shiro dropwizard

我正在将Shiro整合到我的dropwizard webapp中。我已经达到了这一点

  • shiro识别需要身份验证的资源,并将我发送到登录页面(/ auth / login)
  • shiro警告我,如果由于密码错误导致登录失败(/ auth / login?loginFailed = true)
  • shiro仅在我尝试访问受保护资源(例如/ admin / **)时重定向
  • shiro在成功时重定向到定义的页面

但是,如果我尝试访问受保护的资源,无论我是否登录,shiro总是将我发送到登录页面。我相信登录工作正常;我也相信shiro并不尊重我是否已经登录。

my shiro.ini:

[main]
# some other stuff
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /auth/login

# NOTE: URLs are evaluated in order, and the first matching pattern is accepted.
[urls]
/static/** = noSessionCreation, anon
/auth/** = authc
/admin/** = authc
/** = anon

另外值得注意的是:我收到的错误是

0:0:0:0:0:0:0:1%0 - - [10/Oct/2013:18:23:54 +0000] "GET /auth/login;JSESSIONID=65e06b39-30e5-45dd-85f9-b2a1c29fc3af HTTP/1.1" 200 739 4 4
WARN  [2013-10-10 18:24:08,485] com.sun.jersey.spi.container.servlet.WebComponent:
A servlet request, to the URI http://blah:8080/auth/login, contains form
parameters in the request body but the request body has been consumed by the servlet
or a servlet filter accessing the request parameters. Only resource methods using
@FormParam will work as expected. Resource methods consuming the request body by other
means will not work as expected.

并且每次访问/ admin都会导致错误302.我不知道还有什么与回答此问题相关。我已经探索了其他几个“Shiro一直重定向我登录”的问题,但大多数直接引用Jetty与web.xmls,Dropwizard不使用,也不知道正在应用什么过滤器。我的同事用同样的方法让shiro与他的dropwizard项目合作。

在决定是否将用户发送到登录页面之前,shiro如何对用户进行身份验证?

1 个答案:

答案 0 :(得分:1)

我发现了问题。这里有更多的shiro.ini,特别是会话管理部分:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# NOTE: The session ID cookie seems to be required in order for authentication to work as intended.
# If the presence of cookies is a deal-breaker, further investigation will be required.
# Here we enable the Secure attribute (serve over SSL only) for this cookie;
# the HttpOnly attribute (not accessible by JavaScript) is enabled by default.
#sessionManager.sessionIdCookie.secure = true
# enabled Ehcache following advice from Shiro docs
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
# can optionally add session listeners here if actions need to be performed on session start/stop/expiration
# sessionManager.sessionListeners = $listener_1, $listener_2, ...
securityManager.sessionManager = $sessionManager

我已经评论了sessionIdCookie.secure(稍后会删除它。)事实证明,如果没有启用ssl,当该变量设置为true时,不会存储cookie。这解释了url栏中的JSESSIONID查询参数,以及为什么在进行身份验证后,它立即忘记了我,并决定我需要再次登录。

相关问题
最新问题