
Apache Shiro session invalid when accessing application through nginx proxy_pass


I have an application secured with Apache Shiro. When I access my application through localhost:8080/MyApp, I'm successfully redirected to localhost:8080/MyApp/login. I authenticate with credentials and all is good - I'm redirected to the home page, which requires authentication.

I've configured an nginx proxy to access the application with a 'nicely' looking URL, like so:

server {
    server_name www.example.com example.com;
    listen 80;

    location / {
        proxy_pass http://localhost:8080/MyApp/;
    }
}

When I access my application through www.example.com, I'm again successfully redirected to www.example.com/login. I fill in the credentials, but then instead of going to my home page I'm redirected to the login page again, as if I wasn't authenticated.

I've tried a few things. First, I checked whether my request reaches the URL responsible for authentication and whether I'm actually authenticated. I have two mappings in my controllers:

  • /login - which redirects to shiro login page
  • /login.do - which actually does the authentication

When either is invoked, I display in the console whether I'm authenticated, through:

System.out.println("is auth:" + SecurityUtils.getSubject().isAuthenticated());

When I go to www.example.com this is what happens:

  1. I'm not authenticated, hence Shiro redirects to the login URL, /login is invoked, and I see in the console that indeed I'm not authenticated
  2. I fill in my username and password and post the data to /login.do; in the console I see that I'm successfully authenticated. The login.do tries to redirect to the home page, but instead I end up on the login screen, hence /login is invoked, and in the console I see that I'm not authenticated anymore

I wasn't sure whether it was Shiro's fault or maybe a wrong nginx configuration, so I changed the nginx config to the following:

server {
    server_name www.example.com example.com;
    listen 80;

    location /MyApp {
        proxy_pass http://localhost:8080;
    }
}

With the above nginx config and accessing the application through www.example.com/MyApp, everything works like a charm, I'm being redirected to login page, I authenticate successfully and I'm being redirected to the home page.

Can anyone explain that behavior? Is that nginx or shiro's issue, or am I missing something else?

//EDIT: I think I know what the problem is; however, I don't know how to solve it yet:

I think Shiro uses the application name to save cookies. www.example.com and www.example.com/MyApp saved the cookies under the same path - /MyApp, hence www.example.com can't find the correct cookie - again, this is just a suspicion at this point

//EDIT: I'm starting to think that this is due to the Spring MVC redirect (I think it's not accounting for the servlet context)
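
The cookie-path suspicion from the first edit can be checked against the path-match rule browsers apply (RFC 6265, section 5.1.4). This is an added example, not code from the original post; it assumes the session cookie is named JSESSIONID and is issued with Path=/MyApp, and `rewriteCookiePath` is a hypothetical helper mimicking a proxy-side prefix rewrite such as nginx's `proxy_cookie_path`.

```javascript
// RFC 6265 section 5.1.4: is a cookie with this Path sent for requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a path-segment boundary.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Extract name, value and Path from a Set-Cookie header value.
// Cookies without a Path attribute get a default-path derived from the
// request URL; that case is not modelled here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'path' && v && v.startsWith('/')) cookie.path = v;
  }
  if (!cookie.path) throw new Error('no Path attribute in sample header');
  return cookie;
}

// Hypothetical helper: prefix rewrite of the Path attribute at the proxy.
function rewriteCookiePath(header, from, to) {
  return header.replace(/(;\s*path=)([^;]*)/i, (m, pre, p) =>
    p.startsWith(from) ? pre + to + p.slice(from.length) : m);
}

// Would the browser send the session cookie on the next request?
function sessionSurvives(setCookieHeader, nextRequestPath) {
  return pathMatches(nextRequestPath, parseSetCookie(setCookieHeader).path);
}

// Constructed sample header (assumed shape, not captured from the application).
const SAMPLE = 'JSESSIONID=constructed-session-id; Path=/MyApp; HttpOnly';

const results = {
  // location /MyApp: browser asks for /MyApp/login, cookie is sent
  proxiedUnderMyApp: sessionSurvives(SAMPLE, '/MyApp/login'),
  // location /: browser asks for /login, cookie scoped to /MyApp is withheld
  proxiedAtRoot: sessionSurvives(SAMPLE, '/login'),
  // location / with the cookie Path rewritten from /MyApp to /
  proxiedAtRootRewritten:
    sessionSurvives(rewriteCookiePath(SAMPLE, '/MyApp', '/'), '/login'),
};
console.log(results);
```

In the browser's developer tools, the same check is a matter of comparing the `Path` on the `Set-Cookie` response header with the path of the next request.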


Solution

  • Yep, indeed it was a Spring redirection problem. Instead of returning:

    return "redirect:/some/path";
    

    I'm returning the following:

    return new RedirectView("/some/path", true);