From 6142e86c1aea434fdb1ad0d32eadc2de6b293880 Mon Sep 17 00:00:00 2001
From: mck <mick@thelastpickle.com>
Date: Mon, 21 Jan 2019 06:44:19 +1100
Subject: [PATCH] Full Shiro protection.  - Authentication is now enabled by
 default. Default is the dummy admin/admin credentials, see shiro.ini  -
 shiro.ini now embedded in app. can still be configured/overridden  - REST
 endpoints are protected, requiring JWT specified in a request header
 ('Authorization: Bearer <jwt>')  - The JWT for a user can be gained at the
 /jwt URL  - add 'remember me' to login page

 ref: https://github.com/thelastpickle/cassandra-reaper/pull/604
---
 .../cassandra-reaper-cassandra-ssl.yaml       | 13 ++--
 .../resource/cassandra-reaper-cassandra.yaml  | 13 ++--
 .../resource/cassandra-reaper-h2.yaml         | 13 ++--
 .../resource/cassandra-reaper-memory.yaml     | 13 ++--
 .../resource/cassandra-reaper-postgres.yaml   | 13 ++--
 src/packaging/resource/cassandra-reaper.yaml  | 13 ++--
 src/server/pom.xml                            |  7 +-
 .../io/cassandrareaper/ReaperApplication.java |  6 +-
 .../resources/auth/LoginResource.java         | 32 ++-------
 .../resources/auth/ShiroJwtProvider.java      | 65 +++++++++++++++++++
 .../auth/ShiroJwtVerifyingFilter.java         | 52 +++++++++++++++
 .../storage/CassandraStorage.java             |  4 ++
 .../src/main/resources}/shiro.ini             | 21 ++++--
 .../acceptance/BasicSteps.java                |  3 +-
 .../resources/auth/LoginResourceTest.java     | 50 ++++++++++++++
 src/server/src/test/resources/shiro.ini       | 31 ---------
 src/ui/app/jsx/login-form.jsx                 | 14 +++-
 17 files changed, 250 insertions(+), 113 deletions(-)
 create mode 100644 src/server/src/main/java/io/cassandrareaper/resources/auth/ShiroJwtProvider.java
 create mode 100644 src/server/src/main/java/io/cassandrareaper/resources/auth/ShiroJwtVerifyingFilter.java
 rename src/{packaging/resource => server/src/main/resources}/shiro.ini (62%)
 create mode 100644 src/server/src/test/java/io/cassandrareaper/resources/auth/LoginResourceTest.java
 delete mode 100644 src/server/src/test/resources/shiro.ini

diff --git a/src/packaging/resource/cassandra-reaper-cassandra-ssl.yaml b/src/packaging/resource/cassandra-reaper-cassandra-ssl.yaml
index 09896d422..71c04a6fb 100644
--- a/src/packaging/resource/cassandra-reaper-cassandra-ssl.yaml
+++ b/src/packaging/resource/cassandra-reaper-cassandra-ssl.yaml
@@ -1,5 +1,5 @@
 # Copyright 2015-2017 Spotify AB
-# Copyright 2016-2018 The Last Pickle Ltd
+# Copyright 2016-2019 The Last Pickle Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -134,9 +134,8 @@ autoScheduling:
 #    - type: log
 #      logger: metrics
 
-# Uncomment the following block to enable authentication
-
-#accessControl:
-#  sessionTimeout: PT10M
-#  shiro:
-#    iniConfigs: ["file:/path/to/shiro.ini"]
+# Authentication is enabled by default
+accessControl:
+  sessionTimeout: PT10M
+  shiro:
+    iniConfigs: ["classpath:shiro.ini"]
diff --git a/src/packaging/resource/cassandra-reaper-cassandra.yaml b/src/packaging/resource/cassandra-reaper-cassandra.yaml
index f39b76307..365d83082 100644
--- a/src/packaging/resource/cassandra-reaper-cassandra.yaml
+++ b/src/packaging/resource/cassandra-reaper-cassandra.yaml
@@ -1,5 +1,5 @@
 # Copyright 2015-2017 Spotify AB
-# Copyright 2016-2018 The Last Pickle Ltd
+# Copyright 2016-2019 The Last Pickle Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -128,9 +128,8 @@ autoScheduling:
 #    - type: log
 #      logger: metrics
 
-# Uncomment the following block to enable authentication
-
-#accessControl:
-#  sessionTimeout: PT10M
-#  shiro:
-#    iniConfigs: ["file:/path/to/shiro.ini"]
+# Authentication is enabled by default
+accessControl:
+  sessionTimeout: PT10M
+  shiro:
+    iniConfigs: ["classpath:shiro.ini"]
diff --git a/src/packaging/resource/cassandra-reaper-h2.yaml b/src/packaging/resource/cassandra-reaper-h2.yaml
index aea1c8ce4..bc0dfd514 100644
--- a/src/packaging/resource/cassandra-reaper-h2.yaml
+++ b/src/packaging/resource/cassandra-reaper-h2.yaml
@@ -1,5 +1,5 @@
 # Copyright 2015-2017 Spotify AB
-# Copyright 2016-2018 The Last Pickle Ltd
+# Copyright 2016-2019 The Last Pickle Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -112,9 +112,8 @@ autoScheduling:
 #    - type: log
 #      logger: metrics
 
-# Uncomment the following block to enable authentication
-
-#accessControl:
-#  sessionTimeout: PT10M
-#  shiro:
-#    iniConfigs: ["file:/path/to/shiro.ini"]
+# Authentication is enabled by default
+accessControl:
+  sessionTimeout: PT10M
+  shiro:
+    iniConfigs: ["classpath:shiro.ini"]
diff --git a/src/packaging/resource/cassandra-reaper-memory.yaml b/src/packaging/resource/cassandra-reaper-memory.yaml
index b2f0d8497..addc78633 100644
--- a/src/packaging/resource/cassandra-reaper-memory.yaml
+++ b/src/packaging/resource/cassandra-reaper-memory.yaml
@@ -1,5 +1,5 @@
 # Copyright 2015-2017 Spotify AB
-# Copyright 2016-2018 The Last Pickle Ltd
+# Copyright 2016-2019 The Last Pickle Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -107,9 +107,8 @@ autoScheduling:
 #    - type: log
 #      logger: metrics
 
-# Uncomment the following block to enable authentication
-
-#accessControl:
-#  sessionTimeout: PT10M
-#  shiro:
-#    iniConfigs: ["file:/path/to/shiro.ini"]
+# Authentication is enabled by default
+accessControl:
+  sessionTimeout: PT10M
+  shiro:
+    iniConfigs: ["classpath:shiro.ini"]
diff --git a/src/packaging/resource/cassandra-reaper-postgres.yaml b/src/packaging/resource/cassandra-reaper-postgres.yaml
index 907210e95..5638f29fa 100644
--- a/src/packaging/resource/cassandra-reaper-postgres.yaml
+++ b/src/packaging/resource/cassandra-reaper-postgres.yaml
@@ -1,5 +1,5 @@
 # Copyright 2015-2017 Spotify AB
-# Copyright 2016-2018 The Last Pickle Ltd
+# Copyright 2016-2019 The Last Pickle Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -112,9 +112,8 @@ autoScheduling:
 #    - type: log
 #      logger: metrics
 
-# Uncomment the following block to enable authentication
-
-#accessControl:
-#  sessionTimeout: PT10M
-#  shiro:
-#    iniConfigs: ["file:/path/to/shiro.ini"]
+# Authentication is enabled by default
+accessControl:
+  sessionTimeout: PT10M
+  shiro:
+    iniConfigs: ["classpath:shiro.ini"]
diff --git a/src/packaging/resource/cassandra-reaper.yaml b/src/packaging/resource/cassandra-reaper.yaml
index afaf35efd..c8d715f92 100644
--- a/src/packaging/resource/cassandra-reaper.yaml
+++ b/src/packaging/resource/cassandra-reaper.yaml
@@ -1,5 +1,5 @@
 # Copyright 2015-2017 Spotify AB
-# Copyright 2016-2018 The Last Pickle Ltd
+# Copyright 2016-2019 The Last Pickle Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -107,9 +107,8 @@ autoScheduling:
 #    - type: log
 #      logger: metrics
 
-# Uncomment the following block to enable authentication
-
-#accessControl:
-#  sessionTimeout: PT10M
-#  shiro:
-#    iniConfigs: ["file:/path/to/shiro.ini"]
+# Authentication is enabled by default
+accessControl:
+  sessionTimeout: PT10M
+  shiro:
+    iniConfigs: ["classpath:shiro.ini"]
diff --git a/src/server/pom.xml b/src/server/pom.xml
index 4bd902472..6efb5c72e 100755
--- a/src/server/pom.xml
+++ b/src/server/pom.xml
@@ -29,7 +29,7 @@
     <packaging>jar</packaging>
 
     <properties>
-        <dropwizard.version>1.1.8</dropwizard.version>
+        <dropwizard.version>1.3.8</dropwizard.version>
         <docker.directory>src/main/docker</docker.directory>
         <timestamp>${maven.build.timestamp}</timestamp>
         <maven.build.timestamp.format>yyyy-MM-dd HH:mm:ss</maven.build.timestamp.format>
@@ -181,6 +181,11 @@
             <artifactId>dropwizard-shiro</artifactId>
             <version>0.2.0</version>
         </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+            <version>0.9.1</version>
+        </dependency>
         <dependency>
             <!-- fixes bug around duplicate requests
               - https://stackoverflow.com/questions/37956741/jersey-resource-receiving-duplicate-requests-from-jersey-client#39377403
diff --git a/src/server/src/main/java/io/cassandrareaper/ReaperApplication.java b/src/server/src/main/java/io/cassandrareaper/ReaperApplication.java
index 4b2b95623..ebb1d3750 100644
--- a/src/server/src/main/java/io/cassandrareaper/ReaperApplication.java
+++ b/src/server/src/main/java/io/cassandrareaper/ReaperApplication.java
@@ -1,6 +1,6 @@
 /*
  * Copyright 2014-2017 Spotify AB
- * Copyright 2016-2018 The Last Pickle Ltd
+ * Copyright 2016-2019 The Last Pickle Ltd
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
 import io.cassandrareaper.resources.SnapshotResource;
 import io.cassandrareaper.resources.auth.LoginResource;
 import io.cassandrareaper.resources.auth.ShiroExceptionMapper;
+import io.cassandrareaper.resources.auth.ShiroJwtProvider;
 import io.cassandrareaper.service.AutoSchedulingManager;
 import io.cassandrareaper.service.PurgeService;
 import io.cassandrareaper.service.RepairManager;
@@ -243,7 +244,8 @@ public void run(ReaperApplicationConfiguration config, Environment environment)
       environment.getApplicationContext().setSessionHandler(sessionHandler);
       environment.servlets().setSessionHandler(sessionHandler);
       environment.jersey().register(new ShiroExceptionMapper());
-      environment.jersey().register(new LoginResource(context));
+      environment.jersey().register(new LoginResource());
+      environment.jersey().register(new ShiroJwtProvider(context));
     }
 
     Thread.sleep(1000);
diff --git a/src/server/src/main/java/io/cassandrareaper/resources/auth/LoginResource.java b/src/server/src/main/java/io/cassandrareaper/resources/auth/LoginResource.java
index 30fd67dab..62de358fe 100644
--- a/src/server/src/main/java/io/cassandrareaper/resources/auth/LoginResource.java
+++ b/src/server/src/main/java/io/cassandrareaper/resources/auth/LoginResource.java
@@ -17,20 +17,13 @@
 
 package io.cassandrareaper.resources.auth;
 
-import io.cassandrareaper.AppContext;
 
 import java.io.IOException;
-import java.util.Map;
 
 import javax.ws.rs.FormParam;
-import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 
-import com.google.common.collect.Maps;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.IncorrectCredentialsException;
@@ -40,27 +33,22 @@
 
 @Path("/")
 public class LoginResource {
-  private final AppContext context;
-
-  public LoginResource(AppContext context) {
-    this.context = context;
-  }
 
   @Path("/login")
   @POST
   public void login(
       @FormParam("username") String username,
       @FormParam("password") String password,
-      @Auth Subject subject)
-      throws IOException {
+      @FormParam("rememberMe") boolean rememberMe,
+      @Auth Subject subject) throws IOException {
+
     ensurePresent(username, "Invalid credentials: missing username.");
     ensurePresent(password, "Invalid credentials: missing password.");
 
     try {
-      subject.login(new UsernamePasswordToken(username, password));
+      subject.login(new UsernamePasswordToken(username, password, rememberMe));
     } catch (AuthenticationException e) {
-      throw new IncorrectCredentialsException(
-          "Invalid credentials combination for user: " + username);
+      throw new IncorrectCredentialsException("Invalid credentials combination for user: " + username);
     }
   }
 
@@ -75,14 +63,4 @@ private void ensurePresent(String value, String message) {
       throw new IncorrectCredentialsException(message);
     }
   }
-
-  @Produces(MediaType.APPLICATION_JSON)
-  @Path("/loginRequired")
-  @GET
-  public Response loginRequired() {
-    Map<String, Boolean> authRequired = Maps.newHashMap();
-    authRequired.put("auth", context.config.isAccessControlEnabled());
-
-    return Response.ok().entity(authRequired).build();
-  }
 }
diff --git a/src/server/src/main/java/io/cassandrareaper/resources/auth/ShiroJwtProvider.java b/src/server/src/main/java/io/cassandrareaper/resources/auth/ShiroJwtProvider.java
new file mode 100644
index 000000000..7071d9c87
--- /dev/null
+++ b/src/server/src/main/java/io/cassandrareaper/resources/auth/ShiroJwtProvider.java
@@ -0,0 +1,65 @@
+/*
+ *
+ * Copyright 2019-2019 The Last Pickle Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.cassandrareaper.resources.auth;
+
+import io.cassandrareaper.AppContext;
+import io.cassandrareaper.storage.IDistributedStorage;
+
+import java.io.IOException;
+import java.security.Key;
+
+import javax.crypto.spec.SecretKeySpec;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.xml.bind.DatatypeConverter;
+
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+
+@Path("/jwt")
+public final class ShiroJwtProvider {
+
+  static volatile Key SIGNING_KEY;
+  private static final SignatureAlgorithm SIG_ALG = SignatureAlgorithm.HS256;
+
+  public ShiroJwtProvider(AppContext cxt) {
+    SIGNING_KEY = getSigningKey(cxt);
+  }
+
+  @GET
+  public Response get(@Context HttpServletRequest request) throws IOException {
+    return Response
+        .ok()
+        .entity(
+            Jwts.builder().setSubject(request.getUserPrincipal().getName()).signWith(SIG_ALG, SIGNING_KEY).compact())
+        .build();
+  }
+
+  private static Key getSigningKey(AppContext cxt) {
+    String txt = System.getenv("JWT_SECRET");
+    if (null == txt) {
+      txt = cxt.storage instanceof IDistributedStorage
+          ? cxt.config.getCassandraFactory().getClusterName()
+          : AppContext.REAPER_INSTANCE_ADDRESS;
+    }
+    return new SecretKeySpec(DatatypeConverter.parseBase64Binary(txt), SIG_ALG.getJcaName());
+  }
+}
diff --git a/src/server/src/main/java/io/cassandrareaper/resources/auth/ShiroJwtVerifyingFilter.java b/src/server/src/main/java/io/cassandrareaper/resources/auth/ShiroJwtVerifyingFilter.java
new file mode 100644
index 000000000..4b24c66bc
--- /dev/null
+++ b/src/server/src/main/java/io/cassandrareaper/resources/auth/ShiroJwtVerifyingFilter.java
@@ -0,0 +1,52 @@
+/*
+ *
+ * Copyright 2019-2019 The Last Pickle Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.cassandrareaper.resources.auth;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import io.jsonwebtoken.Jwts;
+import org.apache.shiro.web.filter.AccessControlFilter;
+
+public final class ShiroJwtVerifyingFilter extends AccessControlFilter {
+
+  public ShiroJwtVerifyingFilter() {}
+
+  @Override
+  protected boolean isAccessAllowed(ServletRequest req, ServletResponse res, Object mappedValue) throws Exception {
+    if (getSubject(req, res).isRemembered() || getSubject(req, res).isAuthenticated()) {
+      return true;
+    }
+    HttpServletRequest httpRequest = (HttpServletRequest) req;
+    String jwt = httpRequest.getHeader("Authorization");
+    if (null == jwt || !jwt.startsWith("Bearer ")) {
+      return false;
+    }
+    jwt = jwt.substring(jwt.indexOf(' ') + 1);
+    return Jwts.parser().setSigningKey(ShiroJwtProvider.SIGNING_KEY).isSigned(jwt);
+  }
+
+  @Override
+  protected boolean onAccessDenied(ServletRequest req, ServletResponse res) throws Exception {
+    HttpServletResponse response = (HttpServletResponse) res;
+    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+    return false;
+  }
+}
diff --git a/src/server/src/main/java/io/cassandrareaper/storage/CassandraStorage.java b/src/server/src/main/java/io/cassandrareaper/storage/CassandraStorage.java
index fa9d1f8fd..fbfe9640d 100644
--- a/src/server/src/main/java/io/cassandrareaper/storage/CassandraStorage.java
+++ b/src/server/src/main/java/io/cassandrareaper/storage/CassandraStorage.java
@@ -176,6 +176,10 @@ public CassandraStorage(ReaperApplicationConfiguration config, Environment envir
     overrideQueryOptions(cassandraFactory);
     overrideRetryPolicy(cassandraFactory);
     overridePoolingOptions(cassandraFactory);
+
+    // https://docs.datastax.com/en/developer/java-driver/3.5/manual/metrics/#metrics-4-compatibility
+    cassandraFactory.setJmxEnabled(false);
+
     cassandra = cassandraFactory.build(environment);
     if (config.getActivateQueryLogger()) {
       cassandra.register(QueryLogger.builder().build());
diff --git a/src/packaging/resource/shiro.ini b/src/server/src/main/resources/shiro.ini
similarity index 62%
rename from src/packaging/resource/shiro.ini
rename to src/server/src/main/resources/shiro.ini
index b054c9575..cb590bdff 100644
--- a/src/packaging/resource/shiro.ini
+++ b/src/server/src/main/resources/shiro.ini
@@ -1,4 +1,4 @@
-# Copyright 2018-2018 The Last Pickle Ltd
+# Copyright 2019-2019 The Last Pickle Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,16 +16,25 @@
 authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
 authc.loginUrl = /webui/login.html
 
+# Java Web Token authentication for REST endpoints
+jwtv = io.cassandrareaper.resources.auth.ShiroJwtVerifyingFilter
+
+# default authentication is the following hardcoded admin user
 [users]
-myuser = mypassword
+admin = admin
 
 [urls]
-# Allow anonynous access to login page (and dependencies), but no other pages
+# Web UI requires manual authentication and session cookie
 /webui/ = authc
 /webui = authc
-/webui/login.html = anon
+/jwt = authc
 /webui/*.html* = authc
-/webui/*.js* = anon
+
+# login page and all js and css resources do not require authentication
+/webui/login.html = anon
+/webui/** = anon
 /ping = anon
 /login = anon
-/** = anon
+
+# REST endpoints require a Java Web Token
+/** = noSessionCreation,jwtv
\ No newline at end of file
diff --git a/src/server/src/test/java/io/cassandrareaper/acceptance/BasicSteps.java b/src/server/src/test/java/io/cassandrareaper/acceptance/BasicSteps.java
index 9b3b4794e..649cb01a4 100644
--- a/src/server/src/test/java/io/cassandrareaper/acceptance/BasicSteps.java
+++ b/src/server/src/test/java/io/cassandrareaper/acceptance/BasicSteps.java
@@ -1,6 +1,6 @@
 /*
  * Copyright 2015-2017 Spotify AB
- * Copyright 2016-2018 The Last Pickle Ltd
+ * Copyright 2016-2019 The Last Pickle Ltd
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -70,6 +70,7 @@
 /**
  * Basic acceptance test (Cucumber) steps.
  */
+@SuppressWarnings("ResultOfMethodCallIgnored")
 public final class BasicSteps {
 
   private static final Logger LOG = LoggerFactory.getLogger(BasicSteps.class);
diff --git a/src/server/src/test/java/io/cassandrareaper/resources/auth/LoginResourceTest.java b/src/server/src/test/java/io/cassandrareaper/resources/auth/LoginResourceTest.java
new file mode 100644
index 000000000..f542c07b8
--- /dev/null
+++ b/src/server/src/test/java/io/cassandrareaper/resources/auth/LoginResourceTest.java
@@ -0,0 +1,50 @@
+/*
+ *
+ * Copyright 2019-2019 The Last Pickle Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.cassandrareaper.resources.auth;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.config.Ini;
+import org.apache.shiro.io.ResourceUtils;
+import org.apache.shiro.web.config.WebIniSecurityManagerFactory;
+import org.junit.Test;
+
+
+public final class LoginResourceTest {
+
+  @Test
+  public void testShiroConfig() throws IOException {
+    try (InputStream is = ResourceUtils.getInputStreamForPath("classpath:shiro.ini")) {
+      Ini ini = new Ini();
+      ini.load(is);
+      new WebIniSecurityManagerFactory(ini).getInstance();
+    }
+  }
+
+  @Test
+  public void testLogin() throws IOException {
+    try (InputStream is = ResourceUtils.getInputStreamForPath("classpath:shiro.ini")) {
+      Ini ini = new Ini();
+      ini.load(is);
+      new WebIniSecurityManagerFactory(ini).getInstance().authenticate(new UsernamePasswordToken("admin", "admin"));
+    }
+  }
+
+}
diff --git a/src/server/src/test/resources/shiro.ini b/src/server/src/test/resources/shiro.ini
deleted file mode 100644
index b054c9575..000000000
--- a/src/server/src/test/resources/shiro.ini
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2018-2018 The Last Pickle Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-[main]
-authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
-authc.loginUrl = /webui/login.html
-
-[users]
-myuser = mypassword
-
-[urls]
-# Allow anonynous access to login page (and dependencies), but no other pages
-/webui/ = authc
-/webui = authc
-/webui/login.html = anon
-/webui/*.html* = authc
-/webui/*.js* = anon
-/ping = anon
-/login = anon
-/** = anon
diff --git a/src/ui/app/jsx/login-form.jsx b/src/ui/app/jsx/login-form.jsx
index c6deacc34..b4f4a9487 100644
--- a/src/ui/app/jsx/login-form.jsx
+++ b/src/ui/app/jsx/login-form.jsx
@@ -1,5 +1,5 @@
 //
-//  Copyright 2018-2018 The Last Pickle Ltd
+//  Copyright 2018-2019 The Last Pickle Ltd
 //
 //  Licensed under the Apache License, Version 2.0 (the "License");
 //  you may not use this file except in compliance with the License.
@@ -49,7 +49,8 @@ const loginForm = React.createClass({
   _onLogin: function (e) {
     const login = {
       username: ReactDOM.findDOMNode(this.refs.in_username).value,
-      password: ReactDOM.findDOMNode(this.refs.in_password).value
+      password: ReactDOM.findDOMNode(this.refs.in_password).value,
+      rememberMe: ReactDOM.findDOMNode(this.refs.in_rememberMe).value
     };
     this.props.loginSubject.onNext(login);
   },
@@ -76,10 +77,17 @@ const loginForm = React.createClass({
                     placeholder="Username"></input>
             </div>
             <div className="form-group">
-              <label htmlFor="in_username">Password:</label>
+              <label htmlFor="in_password">Password:</label>
               <input type="password" className="form-control" ref="in_password" id="in_password"
                     placeholder="Password"></input>
             </div>
+            <br/>
+            <div className="form-group">
+              <label htmlFor="in_rememberMe">Remember Me</label>
+              <input type="checkbox" className="form-control" ref="in_rememberMe" value="true"
+                    placeholder="RememberMe"/>
+            </div>
+            <br/>
             <button type="button" className="btn btn-success" onClick={this._onLogin}>Login</button>
           </div>
         </div>