Authentication Dropwizard中的Shiro不断将我重定向到登录页面
我正在将Shiro集成到我的dropwizard webapp中。我已经说到点子上了Authentication Dropwizard中的Shiro不断将我重定向到登录页面,authentication,shiro,dropwizard,Authentication,Shiro,Dropwizard,我正在将Shiro集成到我的dropwizard webapp中。我已经说到点子上了 shiro识别需要身份验证的资源,并将我发送到登录页面(/auth/login) 如果由于密码错误导致登录失败,shiro会提醒我(/auth/login?loginFailed=true) shiro仅在尝试访问受保护的资源时重定向(如/admin/**) shiro成功后重定向到已定义的页面 但是,如果我试图访问受保护的资源,shiro总是将我发送到登录页面,而不管我是否登录。我相信登录是有效的;我也相
- shiro识别需要身份验证的资源,并将我发送到登录页面(/auth/login)
- 如果由于密码错误导致登录失败,shiro会提醒我(/auth/login?loginFailed=true)
- shiro仅在尝试访问受保护的资源时重定向(如/admin/**)
- shiro成功后重定向到已定义的页面
[main]
# some other stuff
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /auth/login
# NOTE: URLs are evaluated in order, and the first matching pattern is accepted.
[urls]
/static/** = noSessionCreation, anon
/auth/** = authc
/admin/** = authc
/** = anon
0:0:0:0:0:0:0:1%0 - - [10/Oct/2013:18:23:54 +0000] "GET /auth/login;JSESSIONID=65e06b39-30e5-45dd-85f9-b2a1c29fc3af HTTP/1.1" 200 739 4 4
WARN [2013-10-10 18:24:08,485] com.sun.jersey.spi.container.servlet.WebComponent:
A servlet request, to the URI http://blah:8080/auth/login, contains form
parameters in the request body but the request body has been consumed by the servlet
or a servlet filter accessing the request parameters. Only resource methods using
@FormParam will work as expected. Resource methods consuming the request body by other
means will not work as expected.
shiro如何在决定是否将用户发送到登录页面之前对其进行身份验证?我发现了这个问题。下面是shiro.ini的更多内容,特别是会话管理部分:
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# NOTE: The session ID cookie seems to be required in order for authentication to work as intended.
# If the presence of cookies is a deal-breaker, further investigation will be required.
# Here we enable the Secure attribute (serve over SSL only) for this cookie;
# the HttpOnly attribute (not accessible by JavaScript) is enabled by default.
#sessionManager.sessionIdCookie.secure = true
# enabled Ehcache following advice from Shiro docs
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
# can optionally add session listeners here if actions need to be performed on session start/stop/expiration
# sessionManager.sessionListeners = $listener_1, $listener_2, ...
securityManager.sessionManager = $sessionManager
我已经对sessionIdCookie.secure(稍后将删除它)进行了注释。结果表明,如果未启用ssl,当该变量设置为true时,将不会存储cookie。这解释了url栏中的JSESSIONID查询参数,也解释了为什么在验证后,它立即忘记了我,并决定我需要再次登录。我发现了问题。下面是shiro.ini的更多内容,特别是会话管理部分:
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# NOTE: The session ID cookie seems to be required in order for authentication to work as intended.
# If the presence of cookies is a deal-breaker, further investigation will be required.
# Here we enable the Secure attribute (serve over SSL only) for this cookie;
# the HttpOnly attribute (not accessible by JavaScript) is enabled by default.
#sessionManager.sessionIdCookie.secure = true
# enabled Ehcache following advice from Shiro docs
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
# can optionally add session listeners here if actions need to be performed on session start/stop/expiration
# sessionManager.sessionListeners = $listener_1, $listener_2, ...
securityManager.sessionManager = $sessionManager