Alkahna Alkahna - 5 months ago 41
Java Question

Apache Shiro + Authentication issues

I'm using Apache Shiro for my Web Application and I have troubles getting it to work as intended.

What I need is the Authorization part of the Shiro Framework but I can not follow any of those guide as they are all different and I just cant get it to work in my application.

Here is what I want to use the Shiro Framework for:

  • define the existing login.jsp as my login-page

  • define a *.jsp page that is displayed when the login attempt was successfull

  • when the login was not successfull, the user stays at login.jsp but is shown an Error-Message about his failed login attempt

  • all other *.jsp pages exect login.jsp should not be accessible when the user is not logged in

Right now my application does it this way:

  • login form
    parameter calles (servlet)

  • on successfull login -> the page portal.jsp is displayed

  • the page .../portal.jsp can be called without logging in -> This should not be possible in the final version of my application

the following things I figured out so far:


# define login page
authc.loginUrl = /SSP/login.jsp

# name of request parameter with username;
authc.usernameParam = username

# name of request parameter with password;
authc.passwordParam = password

# redirect after successful login
authc.successUrl = /SSP/portal.jsp

# enable authc filter for all application pages

shiro part of my web.xml looks like this:


shiro part of my pom.xml:


The error I get:

java.lang.IllegalArgumentException: Configuration error.
Specified object [authc] with property [loginUrl] without first defining that object's class.
Please first specify the class property first, e.g. myObject = fully_qualified_class_name and then define additional properties.


It seems this line in shiro.ini did the trick:

authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter

But now I have the problem, that the application doesn't use my own login class

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String url = "/login.jsp";

// Get Login credentials from Login form
username = request.getParameter("username");
password = request.getParameter("password");

//SecurityManager securityManager = Startup.getSecurityManager();

//2. Get the current Subject:
Subject currentUser = SecurityUtils.getSubject();

//3. Login:
if (!currentUser.isAuthenticated()) {
// create UsernamePasswordToken
UsernamePasswordToken token = new UsernamePasswordToken("cn=" + username + ",ou=People,dc=maxcrc,dc=com", password);
try {

url = "/portal.jsp";

System.out.println("User [" + currentUser.getPrincipal() +"] logged succesfully");

//4. Create User Session
Session session = currentUser.getSession();

// get user_id
user_id = get_users_id(username);

// create new object of User class
User new_user = new User(user_id, username);

// Set HTTP Session Parameters
session.setAttribute("user", username);
session.setAttribute("user_id", user_id);
session.setAttribute("obj_user", new_user);
session.setAttribute("currentUser", currentUser);

} catch (UnknownAccountException uae) {
System.out.println("There is no user with username of " + token.getPrincipal());
} catch (IncorrectCredentialsException ice) {
System.out.println("Password for account " + token.getPrincipal() + " was incorrect!");
} catch (LockedAccountException lae) {
System.out.println("The account for username " + token.getPrincipal() + " is locked. " + "Please contact your administrator to unlock it.");
// ... catch more exceptions here (maybe custom ones specific to your application?
catch (AuthenticationException ae) {
System.out.println("ERROR: " + ae);
// Done, redirect User to applications main page
request.getRequestDispatcher(url).forward(request, response);

How can I use my own class (see snippet above) for authentication?


Can anyone provide an example on how to:

  • enable authorization

  • enable page redirection after successful login attempt

  • enable staying at login page but showing error message after failed login attempt

  • make all other pages of the application only accessible if a user is logged in


I ended up using the code of AuthenticatingFilter and created my own Filter so I can write authc = com.mycompany.ssp.my_own_authFilter dont know if that is how its supposed to be but it seems to work for now