Hi Jared,

Any reason why this logic can't/shouldn't be in the 'afterCompletion'
method - the safeguards in place for cleanup should also take care of
afterCompletion calls.

In other words, afterCompletion was meant to be overridden by
subclasses whereas cleanup really wasn't.

Thoughts?

Les

On Sat, Aug 13, 2011 at 6:34 AM,  <[email protected]> wrote:
> Author: jbunting
> Date: Sat Aug 13 13:34:44 2011
> New Revision: 1157377
>
> URL: http://svn.apache.org/viewvc?rev=1157377&view=rev
> Log:
> SHIRO-283: adding ability to specify "permissive" for authc and authcBasic 
> filters.  This will cause unauthenticated users to not be blocked, but will 
> perform appropriate login request (redirect or challenge response) when an 
> UnauthenticatedException is thrown.
>
> Modified:
>    
> shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java
>    
> shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.java
>
> Modified: 
> shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java
> URL: 
> http://svn.apache.org/viewvc/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java?rev=1157377&r1=1157376&r2=1157377&view=diff
> ==============================================================================
> --- 
> shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java
>  (original)
> +++ 
> shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java
>  Sat Aug 13 13:34:44 2011
> @@ -21,10 +21,14 @@ package org.apache.shiro.web.filter.auth
>  import org.apache.shiro.authc.AuthenticationException;
>  import org.apache.shiro.authc.AuthenticationToken;
>  import org.apache.shiro.authc.UsernamePasswordToken;
> +import org.apache.shiro.authz.UnauthenticatedException;
>  import org.apache.shiro.subject.Subject;
>
> +import javax.servlet.ServletException;
>  import javax.servlet.ServletRequest;
>  import javax.servlet.ServletResponse;
> +import java.io.IOException;
> +import java.util.Arrays;
>
>  /**
>  * An <code>AuthenticationFilter</code> that is capable of automatically 
> performing an authentication attempt
> @@ -33,6 +37,7 @@ import javax.servlet.ServletResponse;
>  * @since 0.9
>  */
>  public abstract class AuthenticatingFilter extends AuthenticationFilter {
> +    public static final String PERMISSIVE = "permissive";
>
>     //TODO - complete JavaDoc
>
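Review bot: The new public constant `PERMISSIVE` has no Javadoc, although it names an option that changes the filter from blocking unauthenticated requests to letting them through. A short comment would help, e.g. `/** Path-config qualifier; when present, unauthenticated requests are not blocked and login is only triggered if an UnauthenticatedException is thrown downstream. */`. Anyone enabling the option should be able to see from the code that protection then depends on the downstream authorization checks actually being present.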
> @@ -104,4 +109,50 @@ public abstract class AuthenticatingFilt
>     protected boolean isRememberMe(ServletRequest request) {
>         return false;
>     }
> +
> +    /**
> +     * Determines whether the current subject should be allowed to make the 
> current request.
> +     * <p/>
> +     * The default implementation returns <code>true</code> if the user is 
> authenticated.  Will also return
> +     * <code>true</code> if the {@link #isLoginRequest} returns false and 
> the &quot;permissive&quot; flag is set.
> +     *
> +     * @return <code>true</code> if request should be allowed access
> +     */
> +    @Override
> +    protected boolean isAccessAllowed(ServletRequest request, 
> ServletResponse response, Object mappedValue) {
> +        return super.isAccessAllowed(request, response, mappedValue) ||
> +                (!isLoginRequest(request, response) && 
> isPermissive(mappedValue));
> +    }
> +
> +    /**
> +     * Returns <code>true</code> if the mappedValue contains the {@link 
> #PERMISSIVE} qualifier.
> +     *
> +     * @return <code>true</code> if this filter should be permissive
> +     */
> +    protected boolean isPermissive(Object mappedValue) {
> +        if(mappedValue != null) {
> +            String[] values = (String[]) mappedValue;
> +            return Arrays.binarySearch(values, PERMISSIVE) >= 0;
> +        }
> +        return false;
> +    }
> +
> +    /**
> +     * Overrides the default behavior to call {@link #onAccessDenied} and 
> swallow the exception if the exception is
> +     * {@link UnauthenticatedException}.
> +     */
> +    @Override
> +    protected void cleanup(ServletRequest request, ServletResponse response, 
> Exception existing) throws ServletException, IOException {
> +        if (existing instanceof UnauthenticatedException || (existing 
> instanceof ServletException && existing.getCause() instanceof 
> UnauthenticatedException))
> +        {
> +            try {
> +                onAccessDenied(request, response);
> +                existing = null;
> +            } catch (Exception e) {
> +                existing = e;
> +            }
> +        }
> +        super.cleanup(request, response, existing);
> +
> +    }
>  }
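Review bot: `isPermissive` uses `Arrays.binarySearch(values, PERMISSIVE)`, which is only defined for a sorted array, and nothing visible in this hunk sorts the mapped values. When the filter is configured with several qualifiers in arbitrary order, the search can miss an existing "permissive" entry, so the flag would be silently ignored depending on what else is in the list. A linear check such as `return Arrays.asList(values).contains(PERMISSIVE);` removes the ordering requirement. Separately, the `cleanup` override calls `onAccessDenied` after the chain has run and does so for every `AuthenticatingFilter`, not only permissive ones. If the response is already committed at that point, the redirect or challenge presumably cannot be sent, so a `response.isCommitted()` guard and a log line for the swallowed exception would be worth adding.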
>
> Modified: 
> shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.java
> URL: 
> http://svn.apache.org/viewvc/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.java?rev=1157377&r1=1157376&r2=1157377&view=diff
> ==============================================================================
> --- 
> shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.java
>  (original)
> +++ 
> shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.java
>  Sat Aug 13 13:34:44 2011
> @@ -212,6 +212,14 @@ public class BasicHttpAuthenticationFilt
>     }
>
>     /**
> +     * Delegates to {@link #isLoginAttempt(javax.servlet.ServletRequest, 
> javax.servlet.ServletResponse) isLoginAttempt}.
> +     */
> +    @Override
> +    protected final boolean isLoginRequest(ServletRequest request, 
> ServletResponse response) {
> +        return this.isLoginAttempt(request, response);
> +    }
> +
> +    /**
>      * Returns the {@link #AUTHORIZATION_HEADER AUTHORIZATION_HEADER} from 
> the specified ServletRequest.
>      * <p/>
>      * This implementation merely casts the request to an 
> <code>HttpServletRequest</code> and returns the header:
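Review bot: The Javadoc on the new `isLoginRequest` override only says that it delegates, but together with the new `isAccessAllowed` in `AuthenticatingFilter` this method now decides when a permissive Basic filter lets a request through unauthenticated. The comment should say so, e.g. `In permissive mode only requests that are not a login attempt bypass authentication; override isLoginAttempt to change what counts as one.` It should also state why the method is `final`, since that removes an extension point that subclasses may have been relying on.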
