I looked at the patch for SHIRO-200 and created my own subclass
of BasicHttpAuthenticationFilter as follows:

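import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

// Basic-auth filter that lets CORS preflight (OPTIONS) requests through unauthenticated.
public class CorsBasicHttpAuthenticationFilter extends BasicHttpAuthenticationFilter {
  @Override
  protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    HttpServletRequest httpRequest = WebUtils.toHttp(request);
    String httpMethod = httpRequest.getMethod();
    if ("OPTIONS".equalsIgnoreCase(httpMethod)) {
      // Any OPTIONS request is allowed without authentication.
      return true;
    } else {
      // All other methods go through the normal basic-authentication check.
      return super.isAccessAllowed(request, response, mappedValue);
    }
  }
}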

It lets the OPTIONS method through. I then changed my shiro.ini to
use the CorsBasicHttpAuthenticationFilter instead of
BasicHttpAuthenticationFilter.

It works.

/Bengt


2013/4/11 Bengt Rodehav <[email protected]>

> I posted a question a few days ago but got no response. I suspect that it
> was because I wasn't detailed enough. Anyway, here is a new attempt.
>
> I'm using Shiro 1.2.1 in combination with Jersey running in Weblogic. I
> have developed a REST API that I need to access cross domain (using CORS)
> with basic authentication. The web browser sometimes needs to send a
> preflight request using the HTTP method OPTIONS. Firefox requires that this
> request does not require authentication (see
> https://bugzilla.mozilla.org/show_bug.cgi?id=778548).
>
> So, using Shiro I need to require basic authentication for a certain URL
> unless the HTTP method is OPTIONS. How do I do that? I found the following
> discussion:
>
> http://www.mail-archive.com/[email protected]/msg00051.html
>
> I'm not sure what is actually implemented in Shiro 1.2.1. There seem to be
> two JIRAs regarding this:
>
> https://issues.apache.org/jira/browse/SHIRO-107
> https://issues.apache.org/jira/browse/SHIRO-200
>
> The first one is fixed in Shiro 1.0.0 but it looks like the result was the
> HttpMethodPermissionFilter. That won't help me since I want to exclude
> authentication altogether if the HTTP method is OPTIONS. The second one
> seems more in line with my needs but it's not resolved yet.
>
> Can anyone clarify the status of this issue and perhaps suggest a
> workaround while the issue is being resolved? I think that this is really
> important. I imagine a lot of developers are using Shiro for their REST
> APIs and also together with CORS which is now supported in all major
> (modern) browsers.
>
> /Bengt
>
>
>
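
A narrower variant of the filter posted above, added here as an example and not part of the original message or of Shiro itself: it skips basic authentication only when the OPTIONS request carries the two headers a browser sends on a CORS preflight (Origin and Access-Control-Request-Method). The class name and helper methods are hypothetical; the Shiro and servlet calls are the same ones used in the original filter.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Added example (hypothetical class name): skips basic authentication only for
 * requests that look like a CORS preflight, not for every OPTIONS request.
 */
public class CorsPreflightBasicHttpAuthenticationFilter extends BasicHttpAuthenticationFilter {

  @Override
  protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    if (isCorsPreflight(WebUtils.toHttp(request))) {
      // Preflight carries no credentials by design, so let it reach the CORS handler.
      return true;
    }
    // Everything else, including a plain OPTIONS request, must authenticate.
    return super.isAccessAllowed(request, response, mappedValue);
  }

  /** A preflight is an OPTIONS request carrying both Origin and Access-Control-Request-Method. */
  static boolean isCorsPreflight(HttpServletRequest request) {
    return "OPTIONS".equalsIgnoreCase(request.getMethod())
        && hasText(request.getHeader("Origin"))
        && hasText(request.getHeader("Access-Control-Request-Method"));
  }

  private static boolean hasText(String value) {
    return value != null && !value.trim().isEmpty();
  }
}
```

Any client can set these two headers, so the check only narrows the unauthenticated path; whatever answers OPTIONS on the protected URL should return CORS headers only and no protected data.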
