[main]
// is there a line missing which would look something like 'shiro = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter' ?
shiro.loginUrl = /login.jsp // this line tells Shiro what to do when an unauthenticated user tries to access a secured page: redirect the user to /login.jsp
[urls]
/login.jsp = authc // defines a servlet filter of type AuthenticationFilter https://shiro.apache.org/static/1.2.3/apidocs/; this page is open to let unauthenticated users access it (shiro.loginUrl tells Shiro to exempt this page from restrictions)
/logout = logout // this line maps the pseudo URL '/logout' to the Shiro logout functionality
/account/** = authc // every page beneath /account is restricted to authenticated users (who can pass the authc filter)
/remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"] // every page beneath /remoting is restricted to authenticated users (authc) who have the role 'b2bClient' and the permission "remote:invoke:lan,wan"; the filters in a chain are applied in order and a request must pass every one of them, so this is 'and', not 'or'

There is no failed login page and no 'authc.successUrl = /welcome.xhtml', so on failed or successful logins you will stay on the login page unless that page does an explicit redirect. Note also that a URL which matches none of the [urls] patterns is not passed through any Shiro filter, so it is not restricted at all.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Explanation-of-this-shiro-ini-tp7580693p7580699.html
Sent from the Shiro User mailing list archive at Nabble.com.
