Hi Mike,

Thanks for sharing!

But this seems a little dangerous to me - I mean, this will allow all requests through, even if they're not authenticated, which sort of defeats the purpose of an AuthenticationFilter. Yes, I know you said that this assumes that authentication happens downstream, but people have to be very careful about guaranteeing that - it could be easy for someone to modify something downstream without realizing it breaks the assumptions of this implementation. Only good test cases would guarantee this works correctly. Of course everyone's environment is different...

For my own curiosity, have people solved this in another way that still allows the filter to enforce an authenticated state? My assumption is that they would log in via another URL first and get a session ID. Then they would send the session ID with all subsequent requests to the Basic-protected URLs. Because the session will be associated with the request before the AuthenticationFilters execute, they will see the authenticated Subject and the onAccessDenied method won't even be called.

Just thinking out loud...

Cheers,

Les

On Mon, Oct 11, 2010 at 10:24 AM, Mike K <[email protected]> wrote:
>
> Just wanted to share a simple modification I have made by inheriting
> BasicHttpAuthenticationFilter.
> It is really a trivial change but can be useful to others that support a
> rich client and want to make the API available via curl and other simple
> clients for testing, etc..
>
> By overriding onAccessDenied:
>
>     protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
>         // Log in if the request carries Basic credentials, but let the
>         // request continue either way (authentication is checked downstream).
>         if (isLoginAttempt(request, response)) {
>             executeLogin(request, response);
>         }
>         return true;
>     }
>
> allows the web client to perform login using forms (or whatever method you
> prefer) without having the browser interpret the HTTP simple auth challenge
> and present its own login entry, while allowing simple script access in the
> form of curl -u username:password ... .
> Of course this assumes that authorization/authentication happens downstream.
>
> Mike.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/simple-auth-hack-tp5623918p5623918.html
> Sent from the Shiro User mailing list archive at Nabble.com.
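An added example (not code from either poster or from the Shiro project) of a fail-closed variant of the same override: it still serves curl -u clients and still keeps the browser's native Basic-auth dialog out of the picture, but an unauthenticated request is never passed down the chain, so the filter does not depend on a downstream check. It uses Shiro's `executeLogin`, `sendChallenge`, `saveRequestAndRedirectToLogin` and `WebUtils.toHttp`; the class name and the Accept-header heuristic for telling browsers from scripts are assumptions for illustration.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Fail-closed alternative to returning true unconditionally from onAccessDenied.
 * Only a request whose Basic credentials were actually accepted continues the
 * filter chain; everything else is rejected, and only the *shape* of the
 * rejection differs between browsers and scripted clients.
 */
public class ScriptFriendlyBasicAuthFilter extends BasicHttpAuthenticationFilter {

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        // curl -u user:pass sends "Authorization: Basic ..."; executeLogin returns
        // true only when the realm accepted the credentials.
        if (isLoginAttempt(request, response) && executeLogin(request, response)) {
            return true;
        }
        if (isBrowser(request)) {
            // Interactive clients are sent to the form login page instead of
            // receiving a WWW-Authenticate challenge (no native browser dialog),
            // but the protected resource is still not served.
            saveRequestAndRedirectToLogin(request, response);
            return false;
        }
        // Scripted clients without (valid) credentials get the normal 401 challenge.
        return sendChallenge(request, response);
    }

    /**
     * Heuristic (assumption): a client that prefers HTML is treated as a browser.
     * Deployments with a rich client may instead key off a header that client sets.
     */
    private boolean isBrowser(ServletRequest request) {
        HttpServletRequest http = WebUtils.toHttp(request);
        String accept = http.getHeader("Accept");
        return accept != null && accept.contains("text/html");
    }
}
```

With this in place, the session-based flow Les describes still works unchanged: a request that already carries an authenticated session passes `isAccessAllowed` and never reaches `onAccessDenied`.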
