spring-security-shiro org.apache.shiro.authc.AccountException: Not logged in or anonymous

JJHolloway
1#
JJHolloway Published in 2018-01-05 18:25:32Z
I am in the process of migrating my app from grails 2.4.4 to grails 3.2.9. I am trying to migrate to compile 'org.grails.plugins:spring-security-shiro:3.0.1'

When I try to sign in with a user I get the following error:

org.apache.shiro.authc.AccountException: Not logged in or anonymous
    at grails.plugin.springsecurity.shiro.SpringSecurityRealm.getCurrentUser(SpringSecurityRealm.groovy:76)
    at grails.plugin.springsecurity.shiro.SpringSecurityRealm.doGetAuthenticationInfo(SpringSecurityRealm.groovy:95)
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    at org.apache.shiro.subject.Subject$login.call(Unknown Source)

In my application rules I have:

[pattern: '/login/auth/**', access: ['permitAll']],

In grails 2.4.4 I would be able to debug the dbRealm.groovy file but I cannot do that with the new plugin. I know the user is not logged in as that is what I am trying to do, but why might it think my user is anonymous?
Michal_Szulc
2#
Based on https://grails-plugins.github.io/grails-spring-security-shiro/v3/index.html#permissions

> This will transitively install the Spring Security Core plugin, so you’ll need to configure that by running the s2-quickstart script.

so looking at https://grails-plugins.github.io/grails-spring-security-core/ and at https://grails-plugins.github.io/grails-spring-security-core/3.1.x/index.html (because you're using Grails 3.2.x)

> 3.5. Anonymous authentication
>
> In standard Spring Security and older versions of the plugin, there is support for an “anonymous” authentication. This is implemented by a filter that registers a simple Authentication in the SecurityContext to remove the need for null checks, since there will always be an Authentication available. This approach is still problematic though because the Principal of the anonymous authentication is a String, whereas it is a UserDetails instance when there is a non-anonymous authentication.
>
> Since you still have to be careful to differentiate between anonymous and non-anonymous authentications, the plugin now creates an anonymous Authentication which will be an instance of grails.plugin.springsecurity.authentication.GrailsAnonymousAuthenticationToken with a standard org.springframework.security.core.userdetails.User instance as its Principal. The authentication will have a single granted role, ROLE_ANONYMOUS.

and

> 5.2. URLs and Authorities
>
> In each approach you configure a mapping for a URL pattern to the role(s) that are required to access those URLs, for example, /admin/user/** requires ROLE_ADMIN. In addition, you can combine the role(s) with SpEL expressions and/or tokens such as IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_REMEMBERED, and IS_AUTHENTICATED_FULLY. One or more voters (Voters) will process any tokens and enforce a rule based on them:
>
> IS_AUTHENTICATED_ANONYMOUSLY signifies that anyone can access this URL. By default the AnonymousAuthenticationFilter ensures an “anonymous” Authentication with no roles so that every user has an authentication. The token accepts any authentication, even anonymous.
>
> The SpEL expression permitAll is equivalent to IS_AUTHENTICATED_ANONYMOUSLY and is typically more intuitive to use.
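
The distinction the quoted documentation describes, as an added example that is not part of either post or of the plugin's own code: a visitor on a permitAll URL still carries an Authentication, and callers have to test for the anonymous token rather than for null. It assumes spring-security-core is on the classpath; `classify` and all sample values are hypothetical, and Spring's AnonymousAuthenticationToken stands in for the plugin's GrailsAnonymousAuthenticationToken.

```groovy
import org.springframework.security.authentication.AnonymousAuthenticationToken
import org.springframework.security.authentication.AuthenticationTrustResolverImpl
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.AuthorityUtils
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.core.userdetails.User

// Hypothetical helper: label an Authentication the way Spring Security's trust resolver sees it.
String classify(Authentication auth) {
    def resolver = new AuthenticationTrustResolverImpl()
    if (auth == null) return 'none'
    if (resolver.isAnonymous(auth)) return 'anonymous'
    if (resolver.isRememberMe(auth)) return 'remembered'
    return auth.authenticated ? 'authenticated' : 'unauthenticated'
}

// Constructed sample values, not taken from the page.
def anonRoles = AuthorityUtils.createAuthorityList('ROLE_ANONYMOUS')
def userRoles = AuthorityUtils.createAuthorityList('ROLE_USER')

// What the anonymous filter leaves in the context for a visitor on a permitAll URL:
// a real Authentication whose principal is a User holding only ROLE_ANONYMOUS.
Authentication anonymous = new AnonymousAuthenticationToken(
        'constructed-key', new User('anonymousUser', '', anonRoles), anonRoles)

// A submitted login before any provider has verified it (two-argument constructor).
Authentication submitted = new UsernamePasswordAuthenticationToken('alice', 'constructed-password')

// The same user after successful authentication (three-argument constructor).
Authentication loggedIn = new UsernamePasswordAuthenticationToken(
        new User('alice', '', userRoles), null, userRoles)

assert classify(null) == 'none'
assert classify(anonymous) == 'anonymous'
assert anonymous.authenticated            // the flag alone does not mean "logged in"
assert anonymous.principal instanceof User
assert classify(submitted) == 'unauthenticated'
assert classify(loggedIn) == 'authenticated'

// Once the filter has run the holder is never empty, so a null check
// cannot separate an anonymous visitor from a logged-in user.
SecurityContextHolder.context.authentication = anonymous
println classify(SecurityContextHolder.context.authentication)
SecurityContextHolder.clearContext()
```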