Well, you could look at FormAuthenticationFilter and mimic its
behavior. The AccessControlFilter (a superclass of
FormAuthenticationFilter) has some fairly straightforward
"saveRequestAndRedirect" and "redirectToLogin" methods. Also the
"issueSuccessRedirect" in AuthenticationFilter.

However, it sounds to me like what you want is a
FormAuthenticationFilter that only redirects you to the login page if an
UnauthenticatedException is thrown, rather than anytime you're not
logged in?

If that's the case, here's some code where I added the same sort of
behavior to the BasicHttpAuthenticationFilter. You should probably be
able to do something similar with FormAuthenticationFilter. Note that
the behavior here is attempting to retain the behavior of
BasicHttpAuthenticationFilter if permissive = false.
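
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;

    import org.apache.shiro.authz.UnauthenticatedException;
    import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;

    public class BasicHttpPermissiveAuthenticationFilter extends
            BasicHttpAuthenticationFilter
    {
        // When true, requests that carry no credentials are let through
        // and the challenge is only sent if something downstream throws
        // UnauthenticatedException.
        private boolean permissive = true;

        public void setPermissive(boolean permissive)
        {
            this.permissive = permissive;
        }

        @Override
        protected boolean isAccessAllowed(ServletRequest request,
                ServletResponse response, Object mappedValue)
        {
            // Authenticated subjects pass as usual; in permissive mode a
            // request that is not a login attempt passes as well.
            return super.isAccessAllowed(request, response, mappedValue) ||
                    (!isLoginAttempt(request, response) && permissive);
        }

        @Override
        protected boolean onAccessDenied(ServletRequest request,
                ServletResponse response) throws Exception
        {
            // Try the supplied credentials; if login fails, send the
            // challenge.
            return executeLogin(request, response) || sendChallenge(request,
                    response);
        }

        @Override
        protected void cleanup(ServletRequest request, ServletResponse
                response, Exception existing) throws ServletException, IOException
        {
            // An UnauthenticatedException (thrown directly or wrapped in a
            // ServletException) becomes a challenge instead of an error.
            if (existing instanceof UnauthenticatedException || (existing
                    instanceof ServletException && existing.getCause() instanceof
                    UnauthenticatedException))
            {
                sendChallenge(request, response);
                existing = null;
            }
            super.cleanup(request, response, existing);
        }
    }
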
-Jared

On 08/10/2011 03:21 PM, ryannelsonaz wrote:
> I need a little help understanding how to intercept Exceptions thrown when a
> @Requires* annotation fails on a given business method. Jared made the
> suggestion of adding a filter that catches the Exception and does the
> redirect. I implemented it like so (using Guice).
>
> In subclassed ServletModule:
>
>     @Override
>     protected void configureServlets() {
>         filter( "/*" ).through( AuthorizationFailureFilter.class );
>         filter( "/*" ).through( GuiceShiroFilter.class );
>         ...
>     }
>
> In new auth filter (AuthorizationFailureFilter):
>
>     @Override
>     public void doFilter( ServletRequest request, ServletResponse response,
>             FilterChain chain ) throws IOException, ServletException {
>         try {
>             chain.doFilter( request, response );
>         } catch ( ServletException e ) {
>             if ( e.getCause() instanceof UnauthenticatedException ) {
>                 // what to do here? redirect to login.jsp?
>             } else {
>                 throw e;
>             }
>         }
>     }
>
> The problem I'm running into here is I get none of the automatic redirection
> provided by the FormAuthenticationFilter. I'd like my program to function
> exactly as if I'd secured the URL with a path-based filter instead of an
> annotation. I.e., redirect to the login page, and after authentication,
> redirect back to the SavedRequest.
>
> Any suggestions on this?
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Handling-exceptions-thrown-by-Requires-annotations-tp6673997p6673997.html
> Sent from the Shiro User mailing list archive at Nabble.com.
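
Added example, not code from either poster or from the Shiro project: the same permissive pattern carried over to FormAuthenticationFilter, so that an UnauthenticatedException raised by a @Requires* annotation saves the request and redirects to the login page. The class name and the cause-chain helper are hypothetical; the overridden and inherited methods are Shiro's own.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

// Hypothetical class name; illustration only.
public class PermissiveFormAuthenticationFilter extends FormAuthenticationFilter {

    // The container may wrap the exception more than once, so walk the
    // cause chain (bounded) instead of checking a single level.
    private static boolean isUnauthenticated(Throwable t) {
        for (int depth = 0; t != null && depth < 10; t = t.getCause(), depth++) {
            if (t instanceof UnauthenticatedException) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
            ServletResponse response, Object mappedValue) {
        // Anonymous requests pass, except requests for the login URL: those
        // must reach onAccessDenied so the login form and its submission are
        // still handled by FormAuthenticationFilter.
        return super.isAccessAllowed(request, response, mappedValue)
                || !isLoginRequest(request, response);
    }

    @Override
    protected void cleanup(ServletRequest request, ServletResponse response,
            Exception existing) throws ServletException, IOException {
        // Only "not logged in" becomes a login redirect. UnauthorizedException
        // (logged in but lacking a role or permission) is left to propagate.
        if (isUnauthenticated(existing) && !response.isCommitted()) {
            // Stores the SavedRequest in the session, then redirects to
            // loginUrl; the inherited onLoginSuccess redirects back to it.
            saveRequestAndRedirectToLogin(request, response);
            existing = null;
        }
        super.cleanup(request, response, existing);
    }
}
```

With this filter on a path, the @Requires* annotations are the only access control for it: any handler without an annotation is reachable anonymously, so every business method behind that path needs to be reviewed for a missing annotation.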