See below and experiment. But I think that by moving the localhostFilter up before all URLs you get your desired behavior.

The default shiro.ini file looks something like this:

# Licensed under the terms of http://www.apache.org/licenses/LICENSE-2.0

[main]
# Development
ssl.enabled = false

plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm=org.apache.shiro.realm.text.IniRealm
iniRealm.credentialsMatcher = $plainMatcher

localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter

[users]
# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
admin=pw

[roles]

[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon

## and the rest are restricted to localhost.
/$/** = localhostFilter

## If you want simple, basic authentication user/password
## on the operations,
## 1 - set a better password in [users] above.
## 2 - comment out the "/$/** = localhost" line and use:
## "/$/** = authcBasic,user[admin]"

## or to allow any access.
##/$/** = anon

# Everything else
/**=anon

I believe the key is the local filter statement. My sense is something like this should work:

# Licensed under the terms of http://www.apache.org/licenses/LICENSE-2.0

[main]
# Development
ssl.enabled = false

plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm=org.apache.shiro.realm.text.IniRealm
iniRealm.credentialsMatcher = $plainMatcher

localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter

[users]
# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
admin=pw

[roles]

[urls]
##restricted to localhost.
/** = localhostFilter

## Control functions open to anyone
/$/status = anon
/$/ping = anon

## If you want simple, basic authentication user/password
## on the operations,
## 1 - set a better password in [users] above.
## 2 - comment out the "/$/** = localhost" line and use:
## "/$/** = authcBasic,user[admin]"

## or to allow any access.
##/$/** = anon

# Everything else
/**=anon

On Mon, Apr 25, 2016 at 11:21 AM, Bangalore Akhilesh <[email protected]> wrote:

> Hi,
>
> We have deployed Fuseki 2 on Tomcat and would like to limit the requests to
> localhost (for security reasons).
>
> I am not well versed with Apache Shiro. So, can you please let me know how
> to go about it?
>
> I would also like to know how to extend Apache Shiro to include custom
> authorization schemes.
>
> Thanks,
> Akhilesh
>

--
73,
AB1PH
Don Rolph
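Added example, not part of the original message and not Fuseki or Shiro code: a simplified Python model of Shiro's documented first-match-wins evaluation of the [urls] section, run over the two [urls] sections from the reply above. The function names and request paths are constructed for illustration, and only the Ant-style "*" and "**" wildcards are modelled.

```python
# Simplified model of how Shiro selects a filter chain from [urls]:
# rules are tried top to bottom and the first matching pattern wins.
# Assumption: only the "*" and "**" wildcards are modelled.
import re

# [urls] sections taken from the two shiro.ini variants in the thread
DEFAULT_URLS = """[urls]
/$/status = anon
/$/ping = anon
/$/** = localhostFilter
/**=anon"""
REORDERED_URLS = """[urls]
/** = localhostFilter
/$/status = anon
/$/ping = anon
/**=anon"""

def ant_to_regex(pattern):
    """Ant-style pattern -> anchored regex ('**' crosses '/', '*' does not)."""
    tail = pattern.endswith("/**")          # trailing /** also matches the parent path
    body = re.escape(pattern[:-3] if tail else pattern)
    body = body.replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + body + ("(/.*)?" if tail else "") + "$")

def parse_urls(ini_text):
    """Return the ordered (pattern, chain) rules from the [urls] section."""
    rules, in_urls = [], False
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_urls = (line == "[urls]")
        elif in_urls and line and not line.startswith("#"):
            pattern, chain = (part.strip() for part in line.split("=", 1))
            rules.append((pattern, chain))
    return rules

def chain_for(rules, path):
    """First matching rule wins; later rules are never consulted."""
    return next((c for p, c in rules if ant_to_regex(p).match(path)), None)

def unreachable(rules):
    """Rules listed after a catch-all /** can never be selected."""
    patterns = [p for p, _ in rules]
    return rules[patterns.index("/**") + 1:] if "/**" in patterns else []

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_URLS), ("reordered", REORDERED_URLS)):
        rules = parse_urls(text)
        for path in ("/$/status", "/$/datasets", "/ds/query"):  # constructed paths
            print(name, path, "->", chain_for(rules, path))
        print(name, "unreachable:", unreachable(rules))
```

With the catch-all line first, every path resolves to localhostFilter and the lines after it are reported as unreachable, which is a quick way to check rule order before deploying a modified shiro.ini.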
