Les,
Thanks so much, this helps a lot! I'll give the
AuthenticationListener configuration a try shortly.
However, I'm still having troubles with excluding paths. Adding
filterChainDefinitions does seem to avoid calling
CookieRememberMeManager.getRememberedPrincipals() multiple times for
hits to resources on the home page. My goal for excluding these paths
is to reduce the number of times my user object is updated with a new
accessed date:
@Override
public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) {
    PrincipalCollection principals = super.getRememberedPrincipals(subjectContext);
    if ( principals != null ) {
        Long id = (Long) principals.getPrimaryPrincipal();
        log.info("RememberMe Principals located for: " + id);
        memberService.updateAccessed(id);
    }
    return principals;
}
However, when I add filterChainDefinitions, it seems to override my
Wicket configuration for what URL should be used for login. When I
don't have any filterChainDefinitions defined, and a user goes to
/dashboard, Wicket redirects them to /login. However, when I define
filterChainDefinitions, they are sent to /login.jsp which doesn't
exist.
<property name="filterChainDefinitions">
    <value>
        /css = anon
        /img = anon
        /js = anon
        /signup = anon
        /login = anon
        /dashboard = authc
    </value>
</property>
Any suggestions?
Thanks again,
Tauren
On Fri, Jul 2, 2010 at 11:52 AM, Les Hazlewood <[email protected]> wrote:
> Hi Tauren,
>
> If you'll indulge me, I'll reference how to do it both in INI and in
> Spring config - I know you're not using INI, but this could help
> others who might. Also, you can see the parallel between the two
> config mechanisms, as they achieve almost the same thing.
>
> For registering AuthenticationListeners, you would have to set them by
> traversing the SecurityManager's object graph and setting the property
> that way - the same way you would do it in INI. For example, in INI:
>
> securityManager.authenticator.authenticationListeners =
> $authcListener1, $authcListener2, ..., $authcListenerN
>
> In Spring:
>
> <bean id="securityManager" class="...">
>     ...
>     <property name="authenticator.authenticationListeners">
>         <set>
>             <ref bean="authcListener1"/>
>             <ref bean="authcListener2"/>
>             ...
>             <ref bean="authcListenerN"/>
>         </set>
>     </property>
> </bean>
>
> As for excluding URLs, no coding necessary - you can do that via URL
> chain configuration. For example, in INI, you can do that by using
> [urls] section and defining a chain with the 'anon' filter (anonymous
> - allow requests to pass through without any security check):
>
> shiro.ini:
> ...
> [urls]
> /css = anon
> /js = anon
> /assets/images = anon
>
> Or, in Spring:
>
> <bean id="shiroFilter"
>       class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>     ...
>     <!-- the ShiroFilterFactoryBean's 'filterChainDefinitions' property is the
>          same exact thing as the INI's [urls] section: -->
>     <property name="filterChainDefinitions">
>         <value>
>             /css = anon
>             /js = anon
>             /assets/images = anon
>             ...
>         </value>
>     </property>
> </bean>
>
> So technically the ShiroFilter still handles all requests (in web.xml,
> you want the <url-pattern>/*</url-pattern> to be defined), but you can
> exclude urls this way. This is far more flexible than using web.xml
> since it doesn't have the notion of exclusionary policies.
>
> Also, don't forget that in Shiro's url chain definitions, the 'first
> match wins' for url pattern matching. Make sure you define chains in
> the order that they will be successfully matched against. For
> example, this is good:
>
> /user/signup = anon
> /user/** = authc
>
> and this wouldn't be nice:
>
> /user/** = authc
> /user/signup = anon
>
> Because in the 2nd example, '/user/**' matches any request targeted at
> '/user/signup' and the 'authc' filter would be invoked (thereby
> preventing guests from signing up - clearly not the desired behavior).
>
> HTH!
>
> Les
>
> On Fri, Jul 2, 2010 at 12:24 AM, Tauren Mills <[email protected]> wrote:
>> Where can I find some sample code that illustrates the best way to
>> register an AuthenticationListener? It seems that
>> AuthenticationListenerRegistrar no longer exists. I would prefer to
>> see how to do it using Spring for configuration instead of INI. Is
>> there a sample project that illustrates how to do this?
>>
>> Also, I'm unclear on how to best customize the filter. My web.xml
>> specifies a DelegatingFilterProxy, which I believe is then utilizing a
>> ShiroFilterFactoryBean. My intent is to write a custom doFilter method
>> that excludes certain paths, such as /css, /img, and /js. Should my
>> custom filter extend some class? And how do I wire up my custom
>> filter? Do I specify something as the targetBeanName init param?
>>
>> Alternatively, is there a different, simpler, or better way to EXCLUDE
>> certain paths from being handled by the ShiroFilter? For instance, is
>> there a way to do this purely with configuration inside of the web.xml
>> alone?
>>
>> Lastly, what does the targetFilterLifecycle init param do?
>>
>> Here's the pertinent part of my spring ShiroFilter config:
>>
>> <bean id="ShiroFilter"
>>       class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>>     <property name="securityManager" ref="securityManager"/>
>> </bean>
>>
>> Here are my current filter mappings:
>>
>> <filter>
>>     <filter-name>HibernateFilter</filter-name>
>>     <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
>> </filter>
>> <filter>
>>     <filter-name>ShiroFilter</filter-name>
>>     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>>     <!--
>>     <init-param>
>>         <param-name>targetFilterLifecycle</param-name>
>>         <param-value>true</param-value>
>>     </init-param>
>>     -->
>> </filter>
>> <filter>
>>     <filter-name>WicketFilter</filter-name>
>>     <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
>>     <init-param>
>>         <param-name>applicationFactoryClassName</param-name>
>>         <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
>>     </init-param>
>> </filter>
>>
>> <filter-mapping>
>>     <filter-name>HibernateFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>> <filter-mapping>
>>     <filter-name>ShiroFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>> <filter-mapping>
>>     <filter-name>WicketFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>>     <dispatcher>REQUEST</dispatcher>
>>     <dispatcher>ERROR</dispatcher>
>> </filter-mapping>
>>
>> Thanks,
>> Tauren
>>
>
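Added illustration (my own Python model, not Shiro code and not from anyone in this thread) of the two behaviours the thread turns on: first-match-wins resolution of Ant-style chain definitions, and the redirect an 'authc' filter issues for an unauthenticated subject, whose target is Shiro's AccessControlFilter default of /login.jsp unless the filter's loginUrl is overridden (ShiroFilterFactoryBean exposes a loginUrl property for that). The matcher below is a simplified Ant-style matcher assumed to agree with Shiro's AntPathMatcher for the patterns shown.

```python
import re

# Constructed model of Shiro's Ant-style pattern matching and first-match-wins
# chain resolution; simplified, not Shiro's own AntPathMatcher.
def ant_to_regex(pattern):
    """'**' spans path segments, '*' stays inside one segment, '?' is one char."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3     # zero or more trailing segments
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return "^" + out + "$"

def parse_chain_definitions(text):
    """Parse an [urls] / filterChainDefinitions block into (pattern, filter) pairs."""
    defs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, _, name = line.partition("=")
            defs.append((pattern.strip(), name.strip()))
    return defs

def resolve_chain(defs, path):
    """First matching pattern wins; None means no chain applies to the request."""
    for pattern, name in defs:
        if re.match(ant_to_regex(pattern), path):
            return name
    return None

DEFAULT_LOGIN_URL = "/login.jsp"  # AccessControlFilter's default login URL

def handle(defs, path, authenticated, login_url=DEFAULT_LOGIN_URL):
    """'pass' when no chain or 'anon' applies, or 'authc' sees a logged-in
    subject; otherwise the redirect an 'authc' filter would issue."""
    if resolve_chain(defs, path) == "authc" and not authenticated:
        return "redirect:" + login_url
    return "pass"
```

Note that a definition such as `/css = anon` matches only the path `/css` itself; files under it need `/css/**`.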