Apache shiro 2.1 does not work properly in Tomcat 8 RC 5

StackOverflow https://stackoverflow.com/questions/19561304

  •  01-07-2022
  •  | 
  •  

Question

The application works fine in tomcat 7.x but not in tomcat 8 RC5

I have an Apache wicket application where I have configured Apache Shiro 2.1 with JDBC realm. After the application logs in, on the home page i access the the username from the Shiro API with this 

SecurityUtils.getSubject().getPrincipal().toString();

this gives an null pointer exception in Apache 8 RC5. Also it seems the application bypasses the apache shiro servlet all together and directly goes to the Homepage, whereas it should go to the login page.

The same works fine in Apache 7.x.

I have tried various configuration options in Shiro INI to fix this , but none of them worked.

my Web.xml looks like this

<?xml version="1.0" encoding="UTF-8"?>

http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> Customeric

<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
  <listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
    <filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    <init-param>
     <param-name>staticSecurityManagerEnabled</param-name>
     <param-value>true</param-value>
 </init-param>



</filter>


<filter>
    <filter-name>ExpiresFilter</filter-name>
    <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
    <init-param>
        <param-name>ExpiresByType image</param-name>
        <param-value>access plus 1 years</param-value>
    </init-param>
    <init-param>
        <param-name>ExpiresByType text/css</param-name>
        <param-value>access plus 1 years</param-value>
    </init-param>
    <init-param>
        <param-name>ExpiresByType application/javascript</param-name>
        <param-value>access plus 10 years</param-value>
    </init-param>
</filter>

<!--    <filter>
    <filter-name>CacheControl</filter-name>
    <filter-class>com.filter.cache.CacheControl</filter-class>
</filter>-->

<!--    <filter-mapping>
    <filter-name>CacheControl</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>-->
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/app/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>ExpiresFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<resource-ref>
    <description>DB Connection</description>
    <res-ref-name>jdbc/CUSTOMERIC_DS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
</resource-ref>
<servlet>
    <servlet-name>ServletAdaptor</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
        <param-name>javax.ws.rs.Application</param-name>
        <param-value>com.test.rest.MyApplication</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>ServletAdaptor</servlet-name>
    <url-pattern>/app/rest/*</url-pattern>
</servlet-mapping>




<servlet>
    <description>Atmospherefilter</description>
    <servlet-name>Atmospherefilter</servlet-name>
    <servlet-class>org.atmosphere.cpr.AtmosphereServlet</servlet-class>
    <init-param>
        <param-name>applicationClassName</param-name>
        <param-value>com.test.testWicketApplication</param-value>
    </init-param>
    <init-param>
        <param-name>configuration</param-name>
        <param-value>development</param-value>
    </init-param>
    <init-param>
        <param-name>org.atmosphere.useWebSocket</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>org.atmosphere.useNative</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>org.atmosphere.cpr.sessionSupport</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>filterMappingUrlPattern</param-name>
        <param-value>/app/w/*</param-value>
    </init-param>
    <init-param>
        <param-name>org.atmosphere.websocket.WebSocketProtocol</param-name>
        <param-value>org.atmosphere.websocket.protocol.EchoProtocol</param-value>
    </init-param>
    <init-param>
        <param-name>org.atmosphere.cpr.broadcastFilterClasses</param-name>
        <param-value>org.apache.wicket.atmosphere.TrackMessageSizeFilter</param-value>
    </init-param>

    <load-on-startup>0</load-on-startup>
    <async-supported>true</async-supported>
</servlet>
<servlet-mapping>
    <servlet-name>Atmospherefilter</servlet-name>
    <url-pattern>/app/w/*</url-pattern>
</servlet-mapping>

<session-config>
    <session-timeout>30</session-timeout>

</session-config>

and my apache shiro ini looks like this

             [main]

            jdbcRealm=com.test.JNDIAndSaltAwareJdbcRealm
            jdbcRealm.authenticationQuery = select password, salt from users where username = ?
            jdbcRealm.userRolesQuery = select rolename from roles left outer join users_roles on roles.id = users_roles.roles_id left outer join users on users.id = users_roles.users_id where users.username = ?
            jdbcRealm.permissionsQuery = select permission from permissions left outer join roles_permissions on permissions.id = roles_permissions.permissions_id left outer join roles on roles.id = roles_permissions.roles_id where roles.rolename = ?
            jdbcRealm.permissionsLookupEnabled=true
            #jdbcRealm.authorizationCache=true             



            securityManager.realms = $jdbcRealm

            authc.loginUrl = /app/login.jsp



            ds =  org.apache.tomcat.jdbc.pool.DataSource
            ds.driverClassName = org.apache.derby.jdbc.ClientDriver
            ds.username = test
            ds.password = test                
            ds.url = jdbc:derby://localhost:1527/testdb
            ds.maxActive = 20
            ds.minIdle = 10
            ds.minEvictableIdleTimeMillis = 1000 * 60 * 8
            ds.timeBetweenEvictionRunsMillis  = 1000 * 60 * 10
            ds.removeAbandoned = true
            ds.removeAbandonedTimeout = 600
            jdbcRealm.dataSource = $ds          

            # password hashing specification, put something big for hasIterations
            sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
            sha256Matcher.hashAlgorithmName=SHA-256
            sha256Matcher.hashIterations=1

            jdbcRealm.credentialsMatcher = $sha256Matcher

            # *** ENABLE IN PRODUCTION ****               
            #cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
            #securityManager.cacheManager = $cacheManager

            [urls]
            /app/rest/mobile/** = authcBasic
            /app/rest/web/** = authc
            /app/** = authc

            #/* = authc,ssl[8181]
Was it helpful?

Solution

Looks like it's been resolved with the latest Tomcat RC8

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top