[Authentication failed] Authentication fails but login succeeds
Search before asking
- [x] I have searched the issues and found no similar issues.
Environment
If an exception occurs inside the method queryBeanByPhone, the login still succeeds. It should at least report a login failure error.
Shiro version
1.8.0
What was the actual outcome?
login successful
What was the expected outcome?
login failed
How to reproduce
As in my code.
Debug logs
No response
Hi,
There are many tests in Shiro for use cases such as this. If you feel that your use case is not tested and/or supported, we would need the following:
- A true reproducer: Short, Self Contained, Correct (Compilable) https://www.sscce.org
- The same reproducer should work with Shiro 2.0.4, as 1.8 is very old and no longer supported.
Thank you
Also, your code above makes no sense to me. Here is an example code for a working realm:
https://github.com/lprimak/apps/blob/736a30ed4a9517ef667959031024634c86a7e983/emailmanager/src/main/java/com/flowlogix/website/security/UnixRealm.java#L66
OK, this is my reproducer, using Shiro 2.0.4 and JDK 17.
ShiroConfig:
CustomRealm:
UserService:
User:
Controller:
Finally, the result of POSTing to the URL is "login success". This shouldn't happen.
The details are in the comments.
Thank you
Or do you need the java file instead of a screenshot?
```java
package com.cw.shiro;

import jakarta.annotation.PostConstruct;
import jakarta.annotation.Resource;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.util.ThreadContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ApplicationContext;

/**
 * @author thisdcw
 */
@SpringBootApplication
public class CwShiroApplication {

    @Resource
    private ApplicationContext applicationContext;

    public static void main(String[] args) {
        SpringApplication.run(CwShiroApplication.class, args);
    }

    // Bind the Spring-managed SecurityManager so SecurityUtils.getSubject() works
    // on threads that did not pass through the Shiro filter
    @PostConstruct
    public void setSecurityManager() {
        SecurityManager securityManager = ThreadContext.getSecurityManager();
        if (securityManager == null) {
            SecurityUtils.setSecurityManager(applicationContext.getBean(SecurityManager.class));
        }
    }
}
```
```java
package com.cw.shiro.config;

import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * @author thisdcw
 */
@Configuration
public class ShiroConfig {

    @Bean
    public Realm realm() {
        return new CustomRealm();
    }

    // Single-realm SecurityManager backed by CustomRealm
    @Bean
    public SecurityManager securityManager(Realm realm) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setRealm(realm);
        return securityManager;
    }

    // /login is anonymous; everything else requires an authenticated subject
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        chain.addPathDefinition("/login", "anon");
        chain.addPathDefinition("/**", "authc");
        return chain;
    }
}
```
```java
package com.cw.shiro.config;

import com.cw.shiro.service.UserService;
import jakarta.annotation.Resource;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * @author thisdcw
 */
public class CustomRealm extends AuthorizingRealm {

    @Resource
    private UserService userService;

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // mock get user from database
        // has exception but doesn't have throw
        userService.mockException();
        // fixed principal/credentials; the submitted password is compared against "123456"
        return new SimpleAuthenticationInfo("admin", "123456", getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo();
    }
}
```
```java
package com.cw.shiro.service;

import com.cw.shiro.User;
import org.springframework.beans.BeanUtils;
import org.springframework.stereotype.Service;

/**
 * @author thisdcw
 */
@Service
public class UserService {

    public void mockException() {
        User user = new User();
        User user1 = new User();
        // has exception: Source must not be null
        BeanUtils.copyProperties(user, user1);
    }
}
```
```java
package com.cw.shiro;

import lombok.Data;

/**
 * @author thisdcw
 */
@Data
public class User {
    private String name;
    private String password;
}
```
```java
package com.cw.shiro.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/**
 * @author thisdcw
 */
@RestController
public class LoginController {

    @PostMapping("/login")
    public String login(@RequestParam String username, @RequestParam String password) {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken(username, password);
            subject.login(token);
        }
        // Because there is an exception in the authenticator, success should not be returned here, but it is returned
        return "login success";
    }
}
```
Hi,
I am once again going to point you to https://www.sscce.org/ It's not realistic to ask us to put together a project from screenshots or code snippets.
Something with a failing unit test or some simple instructions to run.
The code above is a minimal runnable example; please ignore the screenshot.
Do you need me to upload the code file directly?
Best would be a project on GitHub that includes everything needed to run. I would guess that the work that's needed to provide that example will be enough to solve your issue.
Ok, thanks, now we are getting somewhere. Can you please post the detailed instructions how to reproduce? Perhaps in the README file?
OK I just uploaded the README.md file with the steps to reproduce the issue. If you need anything else, please let me know.
Can you double-check that doGetAuthenticationInfo() is actually getting called, and exception is actually being thrown?
My guess is it's not.
You can add a log statement in the doGetAuthenticationInfo method, which is called, and userService.mockException() is used to simulate the exception. It stands to reason that an exception occurs here and authentication should not succeed.
Please forgive me if I am mistaken (or harsh), but...
What you are implying here is that Shiro doesn't work at all, since this is basic functionality that's used in thousands of other applications. Can you do some more digging / investigation into why your particular application is not working? Can you come back with some more details on why you think basic functionality is not working?
I feel like you want the Shiro team to debug your code for you... If I am totally off-base please forgive me... but I really feel like much more work needs to be done on your side instead of "throwing this issue" for the Shiro team to work on.
I guess what you mean is that I should catch the exception in the business code instead of handing it over to Shiro... But I think this is mishandling, because it will swallow the exception and cause trouble for developers. I think it should at least throw the exception.
No, that's not what I mean. I believe that what's actually happening in your code is not what you think is happening. You are suggesting an issue that is "so basic" to how Shiro works, which makes it an extraordinary claim. Extraordinary claim deserves an extraordinary proof. This means that you have to find the bug, and if it's in Shiro code, show exactly where it is.
I will point you to https://www.sscce.org/ for the third time. The example project that you supplied is nowhere compatible with https://www.sscce.org/
- It requires Spring Boot, which adds a huge layer of complexity. Unless the issue is with the Spring Boot integration, which I don't believe you are claiming, your use of Spring Boot is incompatible with https://www.sscce.org/
- You mention "just use Postman", which is also incompatible with https://www.sscce.org/ A simple curl command is what you need; figure out exactly what that is and put it in the README. Or better yet, no REST API at all, just a unit test.
Your fundamental expectation that everybody understands your infrastructure is flawed.
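The kind of Spring-free check the maintainer is asking for, as an added example that is not part of the issue thread or of the Shiro project's own code. It assumes only shiro-core 2.0.x on the classpath and uses a plain main() instead of a test framework. The realm name ThrowingRealm, the failLookup flag and the IllegalStateException standing in for a failing database lookup are all this example's own choices. It exercises the exact path the issue is about: a single-realm DefaultSecurityManager whose realm throws an unchecked exception from doGetAuthenticationInfo(), and checks that subject.login() rejects the attempt, alongside a wrong-password attempt and a valid one for comparison.

```java
package example;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Added example (not from the issue author or the Shiro project): an SSCCE for
// "what does Shiro do when the realm's lookup throws?"
public class ThrowingRealmCheck {

    // Realm that fails the way the issue describes: an unchecked exception is thrown
    // before any credentials are compared. The flag and exception type are assumptions
    // of this example, standing in for a failing database call.
    static final class ThrowingRealm extends AuthenticatingRealm {
        private final boolean failLookup;

        ThrowingRealm(boolean failLookup) {
            this.failLookup = failLookup;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            if (failLookup) {
                throw new IllegalStateException("simulated user lookup failure");
            }
            // same fixed account as the issue's CustomRealm
            return new SimpleAuthenticationInfo("admin", "123456", getName());
        }
    }

    // Returns true only if Shiro accepted the login; false if subject.login() threw.
    static boolean tryLogin(boolean failLookup, String password) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new ThrowingRealm(failLookup));
        ThreadContext.bind(securityManager);
        try {
            Subject subject = new Subject.Builder(securityManager).buildSubject();
            try {
                subject.login(new UsernamePasswordToken("admin", password));
                return subject.isAuthenticated();
            } catch (AuthenticationException e) {
                // A non-AuthenticationException thrown by the realm arrives here wrapped,
                // with the original exception as the cause.
                System.out.println("login rejected: " + e.getMessage()
                        + " | cause: " + e.getCause());
                return false;
            } finally {
                subject.logout();
            }
        } finally {
            ThreadContext.unbindSecurityManager();
        }
    }

    public static void main(String[] args) {
        if (tryLogin(true, "123456")) {
            throw new AssertionError("a realm that throws must not produce a logged-in subject");
        }
        if (tryLogin(false, "wrong-password")) {
            throw new AssertionError("wrong password must be rejected");
        }
        if (!tryLogin(false, "123456")) {
            throw new AssertionError("correct password with a working realm must succeed");
        }
        System.out.println("OK: realm exception and wrong password fail, valid login succeeds");
    }
}
```

Run it with javac/java and shiro-core (plus slf4j-api) on the classpath. If this main() exits normally, Shiro is converting the realm's RuntimeException into an AuthenticationException at subject.login(), and the place to look in the Spring Boot reproducer is whether doGetAuthenticationInfo() is actually reached and whether mockException() actually throws (note that BeanUtils.copyProperties only complains about a null source, and both User objects in the issue's code are non-null). If it fails on the first check, that would be the Shiro-side evidence the maintainer asked for.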
Sorry, I didn't express it clearly. This is indeed a Spring Boot project. You need to use an API request tool to access the endpoint to reproduce the problem, so I mentioned Postman.
And again, for the fourth time, I will refer you to https://www.sscce.org/ Your communication is quite clear. It's the effort you are expecting from the Shiro team that is unreasonable. You need to simplify the problem, and debug your code until you figure out what the problem is. If it's in Shiro (doubtful), you need to find it and point it out. If it's in your code (likely), you need to debug and figure it out, and not expect the Shiro team to do it for you.