On Fri, Mar 4, 2011 at 12:12 PM, dan <[email protected]> wrote:
> I see, that's good to clarify.
>
> I don't quite see how I would add a second authenticator. Would it be
> something like this?
>
> mobileauthc = MobileAutenticatingFilter
> mobileauthc.errorUrl = /api/stateful/api/authError.jsp
>
> [urls]
> /index.jsp = anon
> /api/stateful/* = mobileauthc
> /pages/logon.jsp = authc
> /pages/** = authc
>
> In this new authenticator would you recommend I subclass from
> AuthenticatingFilter? When it is called, how do I know if I already have an
> authenticated client?
>
> Thanks!
> Dan

Hi Dan,

This looks good to me - you'd have a second 'mobileAuthc' filter.

You'll probably need to subclass AuthenticatingFilter, but you could use FormAuthenticationFilter's 'onAccessDenied' implementation as a good template to use in your subclass. In that implementation, instead of calling 'saveRequestAndRedirectToLogin', you'd probably just call a 'showError' method using your configured errorUrl.

As for detecting if a user is authenticated or not - the super super class (org.apache.shiro.web.filter.authc.AuthenticationFilter) will determine that already. If the current Subject.isAuthenticated() it will always let a request through. If not authenticated, the onAccessDenied method will be called (which is where you perform the login or fail the request).

HTH,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
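
The subclass described in the reply above could look like the following sketch. It is an added example, not code from this thread or from the Shiro project; the class name, the `username`/`password` parameter names, and the use of the inherited `loginUrl` as the mobile login endpoint are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical class name; reference it by fully qualified name in shiro.ini.
public class MobileAuthenticatingFilter extends AuthenticatingFilter {

    // Set from shiro.ini (mobileauthc.errorUrl = ...). The URL must be reachable
    // without authentication, or the redirect re-enters this filter and loops.
    private String errorUrl;

    public String getErrorUrl() { return errorUrl; }
    public void setErrorUrl(String errorUrl) { this.errorUrl = errorUrl; }

    // Assumption: the mobile client sends "username" and "password" parameters.
    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String username = WebUtils.getCleanParam(request, "username");
        String password = WebUtils.getCleanParam(request, "password");
        return createToken(username, password, request, response);
    }

    // Reached only when Subject.isAuthenticated() is false; AuthenticationFilter
    // lets already-authenticated subjects through before this is called.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        // isLoginRequest() matches the inherited loginUrl property (assumed to be
        // set to the mobile login endpoint). executeLogin() returns false when
        // Subject.login() throws, because the default onLoginFailure() returns false.
        if (isLoginRequest(request, response) && executeLogin(request, response)) {
            return true; // logged in, continue down the filter chain
        }
        showError(request, response);
        return false; // response already handled, stop the chain
    }

    // Takes the place of FormAuthenticationFilter's saveRequestAndRedirectToLogin().
    protected void showError(ServletRequest request, ServletResponse response) throws IOException {
        WebUtils.issueRedirect(request, response, getErrorUrl());
    }
}
```

Because `[urls]` patterns are matched in order and the first match wins, an `anon` mapping for the error page has to appear before any broader pattern that assigns this filter.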
