Platform:
 debian 9.7 "stretch", amd64
 openjdk8 8u181-b13-2~deb9u1
 nginx-extras 1.10.3-1+deb9u2
 karaf 4.1.7
 shiro 1.3.1

I'm trying to use a web whiteboard webapp based on shiro running in karaf as the authentication check mechanism for the nginx auth module:
 https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
 http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

My setup is failing right now, because the check login URL returns 302 with a redirect to a URL including jsessionid, and the nginx auth module only accepts the status codes 200 (for a successful authentication), 401 or 403 from the auth stat checker. Receiving a 302 status code causes the auth module to return a 500 internal server error.

I have tried to disable this redirect by setting sessionIdUrlRewritingEnabled to false, but the shiro filter still keeps returning 302 redirects:

    @Activate
    public void activate() {
        // Build the security manager from the INI file
        WebIniSecurityManagerFactory securityManagerFactory = new WebIniSecurityManagerFactory(INI_FILE);
        DefaultWebSecurityManager securityManager = (DefaultWebSecurityManager) securityManagerFactory.createInstance();

        // Session manager with URL rewriting (";jsessionid=...") switched off
        DefaultWebSessionManager sessionmanager = new DefaultWebSessionManager();
        sessionmanager.setSessionDAO(session);
        sessionmanager.setSessionIdUrlRewritingEnabled(false);
        securityManager.setSessionManager(sessionmanager);
        setSecurityManager(securityManager);
        securityManager.setRealm(realm);

        // Filter chains come from the same INI file
        IniFilterChainResolverFactory filterChainResolverFactory = new IniFilterChainResolverFactory(INI_FILE, securityManagerFactory.getBeans());
        FilterChainResolver resolver = filterChainResolverFactory.createInstance();
        setFilterChainResolver(resolver);
    }

Is there a way to *completely* disable adding JSESSIONID to the URL?

Thanks!

- Steinar
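
An added example, not part of the original post and not Shiro's own code: a Shiro filter for the URL that nginx calls as the auth_request subrequest, answering with a bare 401 instead of a redirect. It assumes the 302 comes from the authentication filter redirecting an unauthenticated request to the login page; the package, the class name, the filter name `statusOnly` and the path `/check` are hypothetical.

```java
package example.authcheck; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.AuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical filter for the URL used as the nginx auth_request target.
 *
 * AuthenticationFilter.isAccessAllowed() lets an authenticated subject
 * continue down the chain, so the endpoint behind it can answer 200.
 * This class only changes what happens when the subject is NOT authenticated.
 *
 * Assumed wiring in the Shiro INI file (names are placeholders):
 *
 *   [main]
 *   statusOnly = example.authcheck.StatusOnlyAuthenticationFilter
 *
 *   [urls]
 *   /check = statusOnly
 */
public class StatusOnlyAuthenticationFilter extends AuthenticationFilter {

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletResponse http = WebUtils.toHttp(response);

        // No redirect to the login URL here: the auth_request module treats
        // any status other than 2xx, 401 or 403 as an error and answers 500.
        // A 401 makes nginx deny the original request with 401 instead.
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        // The check result must not be reused for another client.
        http.setHeader("Cache-Control", "no-store");
        http.setContentLength(0);

        // false = request handled here, do not continue the filter chain.
        return false;
    }
}
```

With a filter like this on the check URL, sending the browser to the login page becomes nginx's job, for instance through an `error_page 401` rule on the protected location.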