Hello,
We're making our Spring -MVC based web app run over Https, and use
Shiro pretty much out of the box. We're using Spring 3.2.
We've got some teething troubles getting it https set up on our
server so I'd like to 'eliminate from our enquiries' our Shiro config
- there's excellent docs on the shiro.ini file but for Spring XML
based config it's a little more sparse.
Specifically,
1) Is the setup below the correct way to add the 'ssl.enabled'
property to the config files?
2) How do we ensure that the /login URL works over HTTPS? Do we just
add it to the list of filterChainDefinitions, or does it need some
special treatment, or does Shiro automatically used ssl if possible?
E.g.,
<bean id="shiroFilter"
class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!-- override these for application-specific URLs if you like:-->
<property name="loginUrl" value="/login"/>
<property name="successUrl" value="/notebook"/>
<property name="unauthorizedUrl" value="login?error=true"/>
<property name="ssl.enabled" value="false"/>
<!-- The 'filters' property is not necessary since any declared
javax.servlet.Filter bean -->
<!-- defined will be automatically acquired and available via its
beanName in chain -->
<!-- definitions, but you can perform instance overrides or name
aliases here if you like: -->
<!-- <property name="filters">
<util:map>
<entry key="anAlias" value-ref="someFilter"/>
</util:map>
</property> -->
<property name="filterChainDefinitions">
<value>
# some example chain definitions:
/images/**=anon
/videos/**=anon
/styles/**=anon
/scripts/**=anon
/admin/** = authc,ssl
/signup/** = anon
/** = authc,ssl
# more URL-to-FilterChain definitions here
</value>
</property>
</bean>
Many thanks
Richard
Richard Adams
[email protected]
