Hi Peter,

You could do that with authcBasic, but Kalle was pointing you to the
HttpMethodPermissionFilter because it is much better suited for
handling REST-based scenarios.

Remember 'authcBasic' is for handling authentication.  Once
authenticated, the HttpMethodPermissionFilter performs authorization.
You can use both in a single filter chain definition, for example:

/rest/user/** = authcBasic, rest[user]

where the 'rest' filter was defined in the ini [main] section, e.g.

[main]
...
rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter

[urls]
...
/rest/user/** = authcBasic, rest[user]

(note that the 'rest' filter will be enabled by default in Shiro 1.1
and you won't need to define it in [main].  But you have to define it
manually until 1.1 is released).

This chain states that a POST requesting user must 1) first be
authenticated via the HTTP Basic protocol and if they are 2) must have
the 'user:create' permission.  That is, the 'rest' filter will execute
this automatically:

if ( subject.isPermitted("user:create") ) {
    //allow the request to continue
} else {
    //show the unauthorized page
}

That filter will automatically construct the string permission based
on the HTTP Method being used, i.e. PUT =
subject.isPermitted("user:update"), GET =
subject.isPermitted("user:read"), etc.

And the 'user' part of the string ("user:update", "user:delete", etc)
is the value specified in the brackets:  rest[user].   As another
example:

/foo/** = authcBasic, rest[customer]

will translate into PUT = subject.isPermitted("customer:update"), etc.

HTH,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Thu, Oct 14, 2010 at 10:10 AM, Peter Ledbrook <[email protected]> wrote:
>> See org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
>
> Just to double-check, all I have to do is treat the 'mappedValue'
> argument of isAccessAllowed() as the configuration options? In other
> words, with
>
>   [urls]
>   /plugin/** = authcBasic[POST,PUT,DELETE]
>
> I can add
>
>    public boolean isAccessAllowed(ServletRequest request, ServletResponse
> response, Object mappedValue) throws IOException {
>        String[] httpMethods = (String[]) mappedValue;
>        ...
>
> Correct?
>
> Thanks,
>
> Peter
>
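The chain described above ('authcBasic' for authentication, then 'rest[user]' mapping the HTTP method to a 'user:<action>' permission check), as an added stand-alone simulation that is not Shiro code and not from the original thread. The user table, passwords and granted permissions are constructed sample data; the method-to-action table covers only the methods the message names.

```python
import base64
import hmac

# Constructed sample realm: user -> (password, granted permissions).
# Permissions use Shiro's "resource:action" form; "resource:*" grants every action.
USERS = {
    "alice": ("alice-pw", {"user:read", "user:create"}),
    "bob": ("bob-pw", {"user:*"}),
}

# HTTP method -> action, as the 'rest' filter derives it (only the methods
# the message lists; the real filter maps a few more, e.g. HEAD).
METHOD_ACTIONS = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}


def basic_header(name, password):
    """Build the Authorization header a client would send for HTTP Basic."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authc_basic(headers):
    """The 'authcBasic' step: return the authenticated user name, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    name, sep, password = decoded.partition(":")
    entry = USERS.get(name)
    if sep and entry and hmac.compare_digest(password.encode(), entry[0].encode()):
        return name
    return None


def is_permitted(user, permission):
    """subject.isPermitted("resource:action") with simple wildcard support."""
    resource, _ = permission.split(":", 1)
    return any(p in (permission, resource + ":*") for p in USERS[user][1])


def rest_filter(resource, method, user):
    """The rest[<resource>] step: unknown methods are denied outright."""
    action = METHOD_ACTIONS.get(method)
    return action is not None and is_permitted(user, f"{resource}:{action}")


def handle(method, headers, resource="user"):
    """Run '/rest/<resource>/** = authcBasic, rest[<resource>]'; return an HTTP status."""
    user = authc_basic(headers)
    if user is None:
        return 401  # authentication failed: challenge the client
    if not rest_filter(resource, method, user):
        return 403  # authenticated but lacks '<resource>:<action>'
    return 200
```

Note that a 401 is returned before any permission is consulted, which is why the order 'authcBasic, rest[user]' in the chain matters.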
