waffle-shiro negotiate issue after session timeout
I use the waffle-shiro negotiate source from https://github.com/Waffle/waffle/tree/master/Source/JNA/waffle-shiro/src/main/java/waffle/shiro/negotiate to use Windows authentication as the login token.
One thing I changed is replacing AuthenticatingRealm with AuthorizingRealm and overriding the getAuthorizationInfo method to get the token info and do the authorization accordingly.
It works like a charm, but a problem happens when the session times out. I got the following exception:
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager. This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again. Because an identity is currently not known due to any of these conditions, authorization is denied.
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:
javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
sdir.web.filters.SecurityFilter.doFilter(SecurityFilter.java:69)
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
Well, is there any way to let the NegotiateAuthenticationFilter.java filter be called again when the session is invalidated?
@aladdin55 Is it possible for you to ask this same question on the user group? I don't use the shiro part, and it was donated by the community. I know there were some edge-case issues in general and that it might not even have been completely implemented. The other option is to go back to the original committer on this and ping him to see if he has a similar issue and might know how to deal with it.