Hi Dan,

On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <[email protected]> wrote:
> I have two probably basic questions.
> 1) I want to allow users to do either form OR basic authentication. I can
> only see how to allow one at a time or both. Is this possible?

It would be possible if you wrote a custom AuthenticatingFilter to do this. You'd essentially need to merge the logic of BasicHttpAuthenticationFilter and FormAuthenticationFilter where you 'fallback' to a form if there are no authentication headers. Could you please create a Jira issue for this? Also, if you do any work on something like this, I'd love to see it!

> 2) Does Shiro have a logout filter? Just wondering if there is an out of the
> box url I can hit to do a logout for a user.

Now that I think about it, I'm surprised that we don't have this out of the box - it would be _incredibly_ easy to write. We'd just have to

1. Subclass PathMatchingFilter
2. Call subject.logout in the onPreHandle method implementation
3. Redirect to a configured 'redirectUrl' property.

And that's it. Can you please add a Jira issue for this?

Cheers,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
