We use this one: https://github.com/sonatype/security/blob/master/security-web/src/main/java/org/sonatype/security/web/filter/authc/LogoutAuthenticationFilter.java
We also do not do any redirecting on logout, so I realize this may not be useful for everyone, but it may help the discussion. I don't know why it uses postHandle vs onPreHandle (without digging deeper) On Fri, Apr 15, 2011 at 2:16 PM, Les Hazlewood <[email protected]> wrote: > Hi Dan, > > On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <[email protected]> wrote: >> I have two probably basic questions. >> 1) I want to allow users to do either form OR basic authentication. I can >> only see how to allow one at a time or both. Is this possible? > > It would be possible if you wrote a custom AuthenticatingFilter to do > this. You'd essentially need to merge the logic of > BasicHttpAuthenticationFilter and FormAuthenticationFilter where you > 'fallback' to a form if there are no authentication headers. Could > you please create a Jira issue for this? Also, if you do any work on > something like this, I'd love to see it! > >> 2) Does Shiro have a logout filter? Just wondering if there is an out of the >> box url I can hit to do a logout for a user. > > Now that I think about it, I'm surprised that we don't have this out > of the box - it would be _incredibly_ easy to write. We'd just have > to > > 1. Subclass PathMatchingFilter > 2. Call subject.logout in the onPreHandle method implementation > 3. Redirect to a configured 'redirectUrl' property. > > And that's it. Can you please add a Jira issue for this? > > Cheers, > > -- > Les Hazlewood > Founder, Katasoft, Inc. > Application Security Products & Professional Apache Shiro Support and > Training: > http://www.katasoft.com >
