Yeah, that's probably a good idea. In the interest of full disclosure, I actually do very little URL filtering. Most of what I write are HTTP APIs, so I typically use AOP to restrict access to high level service methods and write an "optional authcBasic" filter that I apply to everything. If a service method is unrestricted, the user can get to it w/o authenticating no matter what the URL is, otherwise the user can use basic auth to get in. I don't have a strong opinion on if this is "right" but it works well for me - the functionality is protected no matter what URL is used to get to it.

-Jared

On Fri, May 24, 2013 at 12:23 PM, Onur Gunduru <[email protected]> wrote:

> Thanks for the tip! The PathMatchingFilterChainResolver constructors just
> create an AntPathMatcher (this could actually be injected) anyway it is
> still possible to set the matcher. I've no idea how to do this in
> shiro.ini, but I'll check it out.
>
> However this still feels like coupling SEO (the whole point of pretty urls)
> and security. I think I need to find a way to reset the ".FILTERED"
> parameter without interfering with shiro internals?
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Using-urlrewritefilter-forward-with-Shiro-tp7578765p7578774.html
> Sent from the Shiro User mailing list archive at Nabble.com.
