For https://issues.apache.org/jira/browse/SHIRO-283, how do you propose that would work?
In the BasicHttpAuthenticationFilter, if the Subject is not authenticated, the BASIC challenge is sent as a response and the Filter chain is not allowed to continue. How would the BasicHttpAuthenticationFilter (or a variant of it) know to let the request pass through to a form instead of sending the challenge?

Regards,

Les

On Sat, Apr 16, 2011 at 10:21 PM, Dan Diephouse <[email protected]> wrote:
> Here are the JIRAs:
> https://issues.apache.org/jira/browse/SHIRO-283
> https://issues.apache.org/jira/browse/SHIRO-284
> Thanks for the response,
> Dan
>
> On Fri, Apr 15, 2011 at 11:16 AM, Les Hazlewood <[email protected]> wrote:
>>
>> Hi Dan,
>>
>> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <[email protected]> wrote:
>> > I have two probably basic questions.
>> > 1) I want to allow users to do either form OR basic authentication. I can
>> > only see how to allow one at a time or both. Is this possible?
>>
>> It would be possible if you wrote a custom AuthenticatingFilter to do
>> this. You'd essentially need to merge the logic of
>> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
>> 'fall back' to a form if there are no authentication headers. Could
>> you please create a Jira issue for this? Also, if you do any work on
>> something like this, I'd love to see it!
>>
>> > 2) Does Shiro have a logout filter? Just wondering if there is an out of the
>> > box url I can hit to do a logout for a user.
>>
>> Now that I think about it, I'm surprised that we don't have this out
>> of the box - it would be _incredibly_ easy to write. We'd just have to
>>
>> 1. Subclass PathMatchingFilter
>> 2. Call subject.logout in the onPreHandle method implementation
>> 3. Redirect to a configured 'redirectUrl' property.
>>
>> And that's it. Can you please add a Jira issue for this?
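
The three logout-filter steps listed in the quoted reply, written out as an added example that is not part of the original e-mail or of Shiro's own code. The class name `SimpleLogoutFilter` and the `postOnly` switch are assumptions of this example, and the POST-only check goes beyond the three steps.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.web.filter.PathMatchingFilter;
import org.apache.shiro.web.util.WebUtils;

/** Added example (hypothetical class): logs the current Subject out, then redirects. */
public class SimpleLogoutFilter extends PathMatchingFilter {

    // Application-relative target set in configuration, never read from the
    // request, so the redirect cannot be steered to another site.
    private String redirectUrl = "/";

    // Assumption of this example: accept POST only, so a cross-site GET
    // (an embedded image, a followed link) cannot end the user's session.
    private boolean postOnly = true;

    public void setRedirectUrl(String redirectUrl) { this.redirectUrl = redirectUrl; }
    public void setPostOnly(boolean postOnly) { this.postOnly = postOnly; }

    // Step 1: subclass PathMatchingFilter and override onPreHandle.
    @Override
    protected boolean onPreHandle(ServletRequest request, ServletResponse response,
                                  Object mappedValue) throws Exception {
        if (postOnly && !"POST".equalsIgnoreCase(WebUtils.toHttp(request).getMethod())) {
            HttpServletResponse http = WebUtils.toHttp(response);
            http.setHeader("Allow", "POST");
            http.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return false;
        }
        try {
            // Step 2: clears the Subject's identity and invalidates its session.
            SecurityUtils.getSubject().logout();
        } catch (SessionException e) {
            // Session already expired or stopped: the user is effectively logged out.
        }
        // Step 3: context-relative redirect to the configured URL.
        WebUtils.issueRedirect(request, response, redirectUrl);
        // The redirect has been sent; do not continue the filter chain.
        return false;
    }
}
```

PathMatchingFilter only calls `onPreHandle` for requests matching a path the filter has been mapped to, so the filter has to be assigned to a logout path in the `[urls]` configuration before it does anything.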
