Shiro FormAuthenticationFilter basics question

I can find plenty of examples that show how to configure a URL to use the authc filter, but I cannot find any examples of a simple login page that would be appropriate. I am using Spring integration to Shiro, but I don't think that has anything to do with my problem.

From reading the documentation, I set up my filter factory like this:

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="loginUrl" value="/login.jsp" />
        <property name="successUrl" value="/Reports.jsp" />
        <property name="securityManager" ref="securityManager" />
        <property name="filterChainDefinitionMap">
                <map>
                        <entry key="/ws/**" value="authc" />
               开发者_高级运维         <entry key="/Reports.jsp" value="authc" />
                        <entry key="/**" value="anon" />
                </map>
        </property>
</bean>

I'll spare you the entire xml file. I can tell that it's picking up the right filter, because when I do this:

> curl -v localhost:8080/factorlab-web/Reports.jsp

I get this response:

< HTTP/1.1 302 Found
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: JSESSIONID=19gdgnmukynb3;Path=/factorlab-web
< Location: http://localhost:8080/factorlab-web/login.jsp;jsessionid=19gdgnmukynb3
< Content-Length: 0
< Server: Jetty(6.1.21)
<

So far, so good, right? However, if I submit the username and password, I should get the content of Reports.jsp, right? I don't. If I do this: * curl -v -d "username=demo&password=demo&rememberMe=false" http://localhost:8080/factorlab-web/Reports.jsp

I get the same response as before:

< HTTP/1.1 302 Found
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: JSESSIONID=qnidg37bqo9f;Path=/factorlab-web
< Location: http://localhost:8080/factorlab-web/login.jsp;jsessionid=qnidg37bqo9f
< Content-Length: 0
< Server: Jetty(6.1.21)
<

Clearly I'm confused either about configuration or about how it's supposed to work. First, can anyone tell me just what I should expect from the second curl command, or why I don't see what I'm expecting?

Second, is there a small sample with a login.jsp (or similar) where I could see what happens when a user: * Goes explicitly to the login page * Is automatically directed to the login page (e.g. logging in takes you back to the original attempted page). * Submits bad username and password from the login page.

Here was my confusion: Don't submit your credentials to anything other than loginUrl. So, in my case, the form post in my login.jsp should not name a different endpoint. In the example above, rather than

curl -v -d "username=demo&password=demo&rememberMe=false" http://localhost:8080/factorlab-web/Reports.jsp

I should have tested

curl -v -d "username=demo&password=demo&rememberMe=false" http://localhost:8080/factorlab-web/login.jsp

which will return:

< HTTP/1.1 302 Found
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: JSESSIONID=1bug6rem2iecb;Path=/factorlab
< Set-Cookie: rememberMe=deleteMe; Path=/factorlab; Expires=Mon, 16-May-2011 00:32:27 GMT
< Location: http://localhost:8080/factorlab/Reports.jsp;jsessionid=1bug6rem2iecb
< Content-Length: 0
< Server: Jetty(6.1.21)
<