Hi Bryan,

> Hi everybody...I've spent the past few days trying to figure this out, and am
> now finally (!) willing to admit I cannot - without somebody else's help!

It's ok - I'm sure we'll work it out. :)

> I'm looking to protect specific paths of my servlet with a "token"
> string...this "token" is a sort of username/password combo that is passed as
> a URL parameter (over https, of course).
>
> I'm using shiro-all, v.1.1.0 (via maven).

Side note: If you're using Maven, please use the respective/needed shiro .jars and not shiro-all. shiro-all.jar does not maintain correct Maven metadata for dependency management and is only intended to be used in non-Ivy Ant environments. If you depend on shiro-web.jar, you should get the correct dependencies for your web app automatically.

> My trouble is that, no matter what URL parameters I pass (including the
> desired "?token=blahblahbla...."), my request ends up in the
> MyAuthenticatingFilter.onAccessDenied() method.

Ah, I'm pretty sure I know what is going on: The AuthenticationFilter (the parent of AuthenticatingFilter) will always call onAccessDenied and prevent the request from continuing if the Subject is not authenticated - even if the current request represents an authentication request.

The FormAuthenticationFilter for example uses this knowledge to override the onAccessDenied method where it then determines if it is a login request, go ahead and authenticate, otherwise redirect the user to the login page. That logic is here:

http://shiro.apache.org/static/1.1.0/xref/org/apache/shiro/web/filter/authc/FormAuthenticationFilter.html#148

So in short, your onAccessDenied method implementation is responsible for performing this additional logic at the moment.

However, I can see how this can be confusing - while both the FormAuthenticationFilter and BasicAuthenticationFilter implementations perform this logic themselves, the logic should really be consolidated in the AuthenticatingFilter so it can be leveraged by custom subclasses like yours. I've created a Jira issue to reflect this:

https://issues.apache.org/jira/browse/SHIRO-321

Please vote/watch it to indicate your interest.

> From what I can tell, the MyRealm.supports() method isn't getting called -
> despite explicitly setting the realms property in the SecurityManager.

It will be called once your AuthenticatingFilter subclass performs the login logic in the onAccessDenied method. The SecurityManager's nested Authenticator does this in the 'doSingleRealmAuthentication' method:

http://shiro.apache.org/static/1.1.0/xref/org/apache/shiro/authc/pam/ModularRealmAuthenticator.html#173

> Can anybody offer insight on what might be happening here? Should I be
> extending/implementing some other classes instead? (any and all suggestions
> are welcome...I'm at the end of my road here...I've been staring at the
> help docs for so long, they are quickly turning into visible mush).

Hopefully that will get you moving again - again, please vote/watch the Jira issue I created. Votes/watches are the only good way for the Shiro dev team to understand what our community wants the most.

HTH!

Best regards,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
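As an added example, not code from the thread above, this is the shape of an AuthenticatingFilter subclass that does the login work inside onAccessDenied as the reply describes, against the Shiro 1.1 API linked there. The class name TokenAuthenticatingFilter, the UrlToken type and the "token" parameter name are assumptions; the matching realm would return true from supports() for UrlToken instances.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical filter: logs the Subject in from a "token" URL parameter. */
public class TokenAuthenticatingFilter extends AuthenticatingFilter {
    // Parameter name taken from the question; an assumption for this example.
    public static final String TOKEN_PARAM = "token";

    /** Token type that MyRealm.supports() can recognise with instanceof. */
    public static final class UrlToken implements AuthenticationToken {
        private final String value;
        public UrlToken(String value) { this.value = value; }
        public Object getPrincipal()   { return value; }
        public Object getCredentials() { return value; }
    }

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        return new UrlToken(request.getParameter(TOKEN_PARAM));
    }

    // Reached for every unauthenticated request, including the one carrying
    // the credentials, so the login attempt itself has to happen here.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        String token = request.getParameter(TOKEN_PARAM);
        if (token != null && token.length() > 0) {
            // executeLogin(): createToken() -> subject.login(token) -> onLoginSuccess()/onLoginFailure().
            // Realm.supports() is consulted inside subject.login(); on success the
            // inherited onLoginSuccess() returns true and the request continues down the chain.
            return executeLogin(request, response);
        }
        reject(response);
        return false;
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        reject(response); // bad or unknown token: stop the chain with a 401, no login-page redirect
        return false;
    }

    private static void reject(ServletResponse response) {
        WebUtils.toHttp(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Because the credential travels in the query string, make sure access logs and proxies in front of the servlet do not record the full URL.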
