On 16/01/2013 21:28, Jared Bunting wrote:
> I don't believe that there is an existing filter that will parse your
> x509 headers. So you will need to write that yourself.
I use the following project for this:
https://github.com/eskatos/shiro-ext
and I may also propose some patches.
> As far as falling through to the authcBasic filter - so long as you
> don't reject requests w/o x509 headers in your custom filter,
> everything should be fine so long as you specify them in your url
> filter - x509, then authcBasic.
> The authcBasic filter should pass the request through unmolested if the
> subject is already authenticated.
Indeed, this is exactly what happens (I didn't know how auth
filters actually worked: tokens are checked only if the subject is not
already authenticated).
Thus I have added an [optional] configuration on the first filter
(ForwardedX509AuthenticationFilter) so that it does nothing if
no headers are present (instead of crashing).
Note that this kind of dual auth scheme also involves a check
on the local interface which received the request: headers
can be accepted only for requests coming from a firewalled
interface, accessible only by a trusted reverse proxy.
Thank you for your quick help!
M. Maison
> HTH,
> Jared
> On Wed 16 Jan 2013 12:28:50 PM CST, Mo Maison wrote:
>> Hello Shiro users,
>> I have a rather unusual authentication scheme, and don't
>> know how to handle that with Shiro for now.
>> Basically, I'd like to authenticate users with one of the two
>> following methods:
>> 1- by a client certificate
>> OR
>> 2- with basic HTTP
>> Case 1 is handled by an external reverse proxy, which puts the client
>> x509 certificate into HTTP request headers.
>> Thus I'd like the following logic:
>> - if the request contains x509 headers, use them to create a token
>> - else use the standard authcBasic Shiro filter.
>> If I specify two filters on the same URL in the ini config file,
>> I guess both filters will be executed?
>> How can I shortcut authcBasic if the first filter already returns
>> a token?
>> I'd be surprised if Shiro could not handle such a case (different
>> types of authentication) out of the box.
>> Do I have to implement a custom filter, which inherits from (or better,
>> composes) authcBasic?
>> Any advice would be appreciated.
>> Regards,
>> M. Maison
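The two-filter chain described in this thread, as an added example that is not code from the thread or from shiro-ext: a minimal Shiro AuthenticatingFilter that logs in from proxy-forwarded certificate headers, passes the request through untouched when they are absent, and ignores them unless the request arrived on the trusted proxy interface, leaving the rest to authcBasic. The header names, the trusted local address, the package name and the ForwardedX509Token class are assumptions, and a Realm that supports that token is assumed to exist.

```java
// shiro.ini fragment (assumed layout): x509 runs first, authcBasic second.
//   [main]
//   x509 = com.example.ForwardedX509AuthenticationFilter
//   x509.trustedLocalAddr = 10.0.0.2
//   [urls]
//   /** = x509, authcBasic
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;
public class ForwardedX509AuthenticationFilter extends AuthenticatingFilter {
    private static final String DN_HEADER = "X-Client-Cert-DN";   // assumed proxy header
    private static final String PEM_HEADER = "X-Client-Cert";     // assumed proxy header
    private String trustedLocalAddr = "10.0.0.2";                  // firewalled interface (assumed)

    public void setTrustedLocalAddr(String addr) { trustedLocalAddr = addr; }

    // Shiro calls this only when isAccessAllowed() is false, i.e. the subject is
    // not yet authenticated. Returning true lets the chain continue to authcBasic.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest http = WebUtils.toHttp(request);
        if (http.getHeader(DN_HEADER) == null) {
            return true;   // no forwarded certificate: do nothing, authcBasic runs next
        }
        if (!trustedLocalAddr.equals(request.getLocalAddr())) {
            return true;   // headers did not arrive on the trusted proxy interface: ignore them
        }
        // Log in from the headers; on failure Shiro's default onLoginFailure stops the chain.
        return executeLogin(request, response);
    }

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        HttpServletRequest http = WebUtils.toHttp(request);
        return new ForwardedX509Token(http.getHeader(DN_HEADER), http.getHeader(PEM_HEADER));
    }

    // Hypothetical token: subject DN as principal, forwarded PEM as credentials.
    public static final class ForwardedX509Token implements AuthenticationToken {
        private final String dn, pem;
        ForwardedX509Token(String dn, String pem) { this.dn = dn; this.pem = pem; }
        public Object getPrincipal()   { return dn; }
        public Object getCredentials() { return pem; }
    }
}
```

Once this filter has logged the subject in, authcBasic's own isAccessAllowed() sees an authenticated subject and passes the request through without challenging for credentials.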