Shiro always redirects me to login.jsp

Question

Here is the config from shiro.ini

shiro.loginUrl = /login.jsp

######### URL CONFIG ################### [urls] /login.jsp = anon /public/login/** = anon /public/app/** = authc

Stripes...

@UrlBinding("/public/app/")
public class CalculatorActionBean implements ActionBean {
.....

}

@UrlBinding("/public/login/")
public class UserAuthenticateBean implements ActionBean {

    private static final transient Logger log = LoggerFactory.getLogger(UserAuthenticateBean.class);
    private ActionBeanContext context;
    private String username;
    private String password;
    private String message;

    public ActionBeanContext getContext() {
        return context;
    }

    public void setContext(ActionBeanContext context) {
        this.context = context;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    @DefaultHandler
    @DontValidate
    public Resolution defaultHander() {
        return new ForwardResolution("/login.jsp");
    }

    public Resolution login() {

        Subject currentUser = SecurityUtils.getSubject();
        log.info("CU=" + currentUser.toString());


        if (!currentUser.isAuthenticated()) {
            TenantAuthenticationToken token = new TenantAuthenticationToken(username, password, "jdbcRealm");
            //UsernamePasswordToken token = new UsernamePasswordToken("akumar", "ash");
            token.setRememberMe(true);
            try {
                currentUser.login(token);
            } catch (UnknownAccountException uae) {
                log.info("There is no user with username of " + token.getPrincipal());
            } catch (IncorrectCredentialsException ice) {
                log.info("Password for account " + token.getPrincipal() + " was incorrect!");
            } catch (LockedAccountException lae) {
                log.info("The account for username " + token.getPrincipal() + " is locked.  "
                        + "Please contact your administrator to unlock it.");
            } // ... catch more exceptions here (maybe custom ones specific to your application?
            catch (AuthenticationException ae) {
                //unexpected condition?  error?
                ae.printStackTrace();
            }
        }

        if (currentUser.isAuthenticated()) {
            message = "Success";
        } else {
            message = "Fail";
        }

        System.out.println(message);


        message += getUsername() + getPassword();
        return new ForwardResolution("/logged_in.jsp");
    }
}

logged_in.jsp

<a href ="/oc/public/app">app</a>

Now if I remove the line /public/app/** = authc from shiro.ini, I can access /public/app for a logged in user and guest

If I keep the line, then noone can access the page and it goes back to login.jsp

Driving me nuts!

help!!

Answer 1

Change your urls config to have 'authc' filter the actual login url:

[main]
...
authc.loginUrl = /login.jsp

[urls]
/login.jsp = authc
/public/login/** = anon 
/public/app/** = authc

The authc filter is smart enough to know if a request is not authenticated to still let it go through to the underlying page so a user can log in.