I have created a simple JSF login page and am using Apache Shiro to provide the authentication and authorisation mechanism, however the URL filters specified in the shiro.ini do not appear to be working.
In the root WebContent directory I have two files named "test.xhtml" and "login.xhtml" which would be accessible by anyone without the need to login. I also have a subdirectory called "protected" containing a file called "success.xhtml" which should only be accessible after the user has logged in.
When the [urls] section of the shiro.ini file contains /protected/** = myFilter the user is able to access the protected/success.xhtml page without logging in. When the [urls] section of the shiro.ini file contains /** = myFilter the xhtml page is not rendered by JSF and instead the user is prompted to download the xhtml file.
Is anyone able to suggest how I can configure Shiro to allow anyone access to the pages in the WebContent root directory but only allow users who have logged in access to pages in the protected subdirectory?
I am using Apache MyFaces 2.1.5 and Shiro 1.2.1.
The full contents of the shiro.ini file is as follows:
[main]
myFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
myFilter.loginUrl = /login.xhtml
myFilter.successUrl = /protected/success.xhtml
[users]
user01 = user01, Users
user02 = user02, Users
[roles]
Users = *
[urls]
/protected/** = myFilter
The contents of the web.xml file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>FooBarWeb</display-name>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>resources.application</param-value>
</context-param>
<context-param>
<description>
State saving method: 'client' or 'server' (=default). See JSF Specification 2.5.2</description>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<description>
This parameter tells MyFaces if javascript code should be allowed in
the rendered HTML output.
If javascript is allowed, command_link anchors will have javascript code
that submits the corresponding form.
If javascript is not allowed, the state saving info and nested parameters
will be added as url parameters.
Default is 'true'</description>
<param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<description>
If true, rendered HTML code will be formatted, so that it is 'human-readable'
i.e. additional line separators and whitespace will be written, that do not
influence the HTML code.
Default is 'true'</description>
<param-name>org.apache.myfaces.PRETTY_HTML</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>
If true, a javascript function will be rendered that is able to restore the
former vertical scroll on every request. Convenient feature if you have pages
with long lists and you do not want the browser page to always jump to the top
if you trigger a link or button action that stays on the same page.
Default is 'false'
</description>
<param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
<param-value>true</param-value>
</context-param>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<listener>
<listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<enabled>true</enabled>
<async-supported>false</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
</web-app>
After some further investigation it appears that the URLs need to be prefixed with "/faces". The shiro.ini file should look like this....
[main]
myFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
myFilter.loginUrl = /faces/login.xhtml
myFilter.successUrl = /faces/protected/success.xhtml
[users]
user01 = user01, Users
user02 = user02, Users
[roles]
Users = *
[urls]
/faces/protected/** = myFilter
With the addition of the /faces to the URLs, Shiro is now preventing unauthenticated users from accessing pages within the protected subdirectory.