I do something similar to this in my company's app:  after the app has
been started for the very first time, no one is allowed to interact
with any URLs except for the person setting up the system (their
system/admin account needs to exist before anyone else can use the
app).  Once the system has been set up with its required 'seed' data,
then all the other URLs work (login screen, our RIA app, etc).

I do this with a Shiro filter I created called InstallationFilter and
it subclasses AccessControlFilter.  This filter is defined in the
front of all filter chains in the [urls] section of the Shiro config.

Anyway, you don't need to use Shiro filters to accomplish this if you
don't want to.  I just found that the AccessControlFilter models my
needs exactly, so I chose to use that as my implementation strategy.
It worked out well.  You could do the same thing:

Your 'isAccessAllowed' implementation would return true if the user
agreed, false otherwise.  Your 'onAccessDenied' implementation would
redirect them to the agreement page.

HTH!

Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
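One way to implement the AccessControlFilter approach described above, as an added example that is not code from Les's app or from Shiro itself; the LicenseStore interface, the agreementUrl property and the session attribute name are assumptions:

```java
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

// Denies every protected URL to a logged-in user until the backend says the license was accepted.
public class LicenseAgreementFilter extends AccessControlFilter {
    // Hypothetical backend lookup; the real one would query wherever the user data lives.
    public interface LicenseStore { boolean hasAccepted(Object principal); }

    static final String ACCEPTED_KEY = "license.accepted"; // session cache of a positive answer
    private String agreementUrl = "/license.jsp";           // Ant-style path, e.g. "/license/**"
    private LicenseStore licenseStore;

    public void setAgreementUrl(String url) { this.agreementUrl = url; }
    public void setLicenseStore(LicenseStore store) { this.licenseStore = store; }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        // The agreement page itself (and the login page) must stay reachable or the redirect loops.
        if (pathsMatch(agreementUrl, request) || isLoginRequest(request, response)) {
            return true;
        }
        Subject subject = getSubject(request, response);
        if (!subject.isAuthenticated()) {
            return true; // not logged in yet: the authc filter in the chain handles that case
        }
        Session session = subject.getSession();
        if (Boolean.TRUE.equals(session.getAttribute(ACCEPTED_KEY))) {
            return true; // already verified once for this session, no second backend query
        }
        // The decision comes from the server-side record, never from a client-supplied parameter.
        boolean accepted = licenseStore != null && licenseStore.hasAccepted(subject.getPrincipal());
        if (accepted) {
            session.setAttribute(ACCEPTED_KEY, Boolean.TRUE); // cache only the positive result
        }
        return accepted;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
        WebUtils.issueRedirect(request, response, agreementUrl);
        return false; // stop the filter chain; the redirect is the response
    }
}
```

Register it under [main] in shiro.ini (e.g. `license = com.example.LicenseAgreementFilter`, a hypothetical package) and put it in the [urls] chains as `/** = authc, license`; the Accept handler persists the decision and can also set the session attribute so the next request passes without another query.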

On Wed, Mar 30, 2011 at 8:19 AM, Brian Demers <[email protected]> wrote:
> You could just create another servlet filter and check some field to
> see if your user has agreed or not.
> I don't think this is really in the scope of Shiro, but... I have a
> feeling this field is stored in the same place as your user info is.
> If that is the case then it grays the water a bit, as a second filter
> may require an extra query to your backend.
>
>
> On Wed, Mar 30, 2011 at 2:00 AM, dan <[email protected]> wrote:
>> Hi --
>>
>> In my app, after a user logs in, I want to display a license page and have
>> them click on Accept or Decline.  While this page is displayed, they
>> shouldn't be able to access any authc-protected pages.
>>
>> I thought I would extend my FormAuthenticationFilter-based class so that:
>>  1. on successful login, if the license hadn't been already accepted, it
>> would forward to the license page.
>>  2. until the user clicks on Accept, access to the site pages would be
>> denied.
>>
>> Do you think that this is a reasonable approach (to ask Shiro to do this) or
>> .. is it really outside the realm of a security system?  It's almost like I
>> need a "two-stage" logon process!
>>
>> Thanks,
>> Dan
>>
>> --
>> View this message in context: 
>> http://shiro-user.582556.n2.nabble.com/License-accept-decline-page-tp6221944p6221944.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
