I think for most apps, onPreHandle is probably the better of the two: postHandle is called only:

1) After the filter chain executes.
2) If the chain did not throw an exception.

#1 is important because if there are any Shiro cookies to be deleted as a result of calling logout() (rememberMe, principals, etc), this can only be done before HTTP response body content is committed. A postHandle logout() call would fail to remove any cookies where content was rendered. I know this doesn't matter for cookie-less REST apps, but having this logic in onPreHandle likely doesn't affect REST apps either.

#2 is important because if an end-user is visiting a URL explicitly to log out, you usually want to guarantee the logout occurs. postHandle does not make this guarantee.

HTH!

Cheers,

Les

On Fri, Apr 15, 2011 at 11:30 AM, Brian Demers <[email protected]> wrote:
> We use this one:
> https://github.com/sonatype/security/blob/master/security-web/src/main/java/org/sonatype/security/web/filter/authc/LogoutAuthenticationFilter.java
>
> We also do not do any redirecting on logout, so I realize this may not be useful for everyone, but it may help the discussion. I don't know why it uses postHandle vs onPreHandle (without digging deeper)
>
> On Fri, Apr 15, 2011 at 2:16 PM, Les Hazlewood <[email protected]> wrote:
>> Hi Dan,
>>
>> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <[email protected]> wrote:
>>> I have two probably basic questions.
>>> 1) I want to allow users to do either form OR basic authentication. I can only see how to allow one at a time or both. Is this possible?
>>
>> It would be possible if you wrote a custom AuthenticatingFilter to do this. You'd essentially need to merge the logic of BasicHttpAuthenticationFilter and FormAuthenticationFilter where you 'fallback' to a form if there are no authentication headers. Could you please create a Jira issue for this? Also, if you do any work on something like this, I'd love to see it!
>>
>>> 2) Does Shiro have a logout filter? Just wondering if there is an out of the box url I can hit to do a logout for a user.
>>
>> Now that I think about it, I'm surprised that we don't have this out of the box - it would be _incredibly_ easy to write. We'd just have to
>>
>> 1. Subclass PathMatchingFilter
>> 2. Call subject.logout in the onPreHandle method implementation
>> 3. Redirect to a configured 'redirectUrl' property.
>>
>> And that's it. Can you please add a Jira issue for this?
>>
>> Cheers,
>>
>> --
>> Les Hazlewood
>> Founder, Katasoft, Inc.
>> Application Security Products & Professional Apache Shiro Support and Training:
>> http://www.katasoft.com
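The three-step logout filter sketched in the quoted message, combined with the onPreHandle-before-commit point made at the top of the thread, as an added illustration that is neither Shiro's own LogoutFilter nor the Sonatype filter linked above; the package name, the default redirectUrl and the shiro.ini wiring in the comment are assumptions.

```java
package com.example.shiro; // hypothetical package for this example

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.PathMatchingFilter;
import org.apache.shiro.web.util.WebUtils;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.util.logging.Logger;

/**
 * Logs the current Subject out when the configured path is hit, then redirects.
 * Example shiro.ini wiring (values assumed):
 *   [main]
 *   logout = com.example.shiro.LogoutFilter
 *   logout.redirectUrl = /login.jsp
 *   [urls]
 *   /logout = logout
 */
public class LogoutFilter extends PathMatchingFilter {

    private static final Logger log = Logger.getLogger(LogoutFilter.class.getName());

    private String redirectUrl = "/"; // assumed default; set via config

    public String getRedirectUrl() { return redirectUrl; }
    public void setRedirectUrl(String redirectUrl) { this.redirectUrl = redirectUrl; }

    @Override
    protected boolean onPreHandle(ServletRequest request, ServletResponse response,
                                  Object mappedValue) throws Exception {
        Subject subject = SecurityUtils.getSubject();
        try {
            // Runs before the rest of the chain, so the response is not yet
            // committed and Shiro can still clear its cookies (rememberMe, session id).
            subject.logout();
        } catch (SessionException e) {
            // A stale or already-invalidated session must not block the logout.
            log.fine("Session already invalid during logout: " + e.getMessage());
        }
        if (response.isCommitted()) {
            // Once body content has been sent, neither cookies nor a redirect can be set.
            log.warning("Response committed before logout redirect; cookies may persist");
            return false;
        }
        WebUtils.issueRedirect(request, response, getRedirectUrl());
        return false; // stop the chain; the logout URL has no content of its own
    }
}
```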
