I would suggest that BasicHttpAuthenticationFilter have an option to enable the following workflow:
If user presents authentication info, attempt to validate it, if it fails return authorization challenge. If user does not present authentication info, pass the request through. If subsequent processing throws an UnauthenticatedException, then return the authorization challenge. I would suggest something similar with the FormAuthenticationFilter (although I am less familiar with it). Only block access if the user attempts to authenticate and fails, otherwise only challenge if an UnauthenticatedException is thrown. -Jared -----Original Message----- From: [email protected] on behalf of Les Hazlewood Sent: Sun 4/17/2011 1:08 PM To: [email protected] Cc: Dan Diephouse Subject: Re: Allowing form or basic auth, logouts For https://issues.apache.org/jira/browse/SHIRO-283, how do you propose that would work? In the BasicHttpAuthenticationFilter, if the Subject is not authenticated, the BASIC challenge is sent as a response and the Filter chain is not allowed to continue. How would the BasicHttpAuthenticationFilter (or a variant of it) know to let the request pass through to a form instead of send the challenge? Regards, Les On Sat, Apr 16, 2011 at 10:21 PM, Dan Diephouse <[email protected]> wrote: > Here are the JIRAs: > https://issues.apache.org/jira/browse/SHIRO-283 > https://issues.apache.org/jira/browse/SHIRO-284 > Thanks for the response, > Dan > > On Fri, Apr 15, 2011 at 11:16 AM, Les Hazlewood <[email protected]> > wrote: >> >> Hi Dan, >> >> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <[email protected]> wrote: >> > I have two probably basic questions. >> > 1) I want to allow users to do either form OR basic authentication. I >> > can >> > only see how to allow one at a time or both. Is this possible? >> >> It would be possible if you wrote a custom AuthenticatingFilter to do >> this. You'd essentially need to merge the logic of >> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you >> 'fallback' to a form if there are no authentication headers. Could >> you please create a Jira issue for this? Also, if you do any work on >> something like this, I'd love to see it! >> >> > 2) Does Shiro have a logout filter? Just wondering if there is an out of >> > the >> > box url I can hit to do a logout for a user. >> >> Now that I think about it, I'm surprised that we don't have this out >> of the box - it would be _incredibly_ easy to write. We'd just have >> to >> >> 1. Subclass PathMatchingFilter >> 2. Call subject.logout in the onPreHandle method implementation >> 3. Redirect to a configured 'redirectUrl' property. >> >> And that's it. Can you please add a Jira issue for this?
<<winmail.dat>>
