Posted to user@shiro.apache.org by H Wang <jw...@gmail.com> on 2010/11/24 10:30:03 UTC

redirect: 302 Found:

Hello there, 
We use Shiro for our security in a web app.  Our web UI uses Ajax ext-js. 
Redirect in Shiro.ini does not work with Ajax (302 Found:).

Has anyone encountered this same issue? Any solutions?

Here is the business requirement:
1) app assumes a guest user (so there is no login when a user browses the
site)
2) when user accesses certain functionality, security needs to be checked,
i.e., 
    a) app needs to offer the user a login page for the user to enter
username/password
    b) authentication needs to be conducted and then authorization 

thanks
-- 
View this message in context: http://shiro-user.582556.n2.nabble.com/redirect-302-Found-tp5769710p5769710.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: redirect: 302 Found:

Posted by Les Hazlewood <lh...@apache.org>.
Hello,

Shiro's default FormAuthenticationFilter ('authc') will attempt to
redirect the user to the login page if they access a page that
requires authentication.  That is why you're seeing the 302 (HTTP
redirect).

There are two ways to solve this problem that I can think of at the moment:

1) Have the ajax handler interpret the 302 and then have the UI
reflect that the user must log in (e.g. maybe tell the browser to go to
that login page), or show a login dialog.  This can almost always be
done in the ajax framework's result handler function.

2) Don't use the default FormAuthenticationFilter and use your own.
The BasicHttpAuthenticationFilter is one example of a filter that does
not issue 302 redirects because it handles the authentication
challenge/response protocol of the HTTP Basic authentication
specification.

#2 is probably a little better since you will be able to control
exactly the response that goes out if the user isn't authenticated.
For example, maybe it sends a specific ajax response that explicitly
tells the UI to do something special.

HTH,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Wed, Nov 24, 2010 at 1:30 AM, H Wang <jw...@gmail.com> wrote:
>
> Hello there,
> We use Shiro for our security in a web app.  Our web UI uses Ajax ext-js.
> Redirect in Shiro.ini does not work with Ajax (302 Found:).
>
> Has anyone encountered this same issue? Any solutions?
>
> Here is the business requirement:
> 1) app assumes a guest user (so there is no login when a user browses the
> site)
> 2) when user accesses certain functionality, security needs to be checked,
> i.e.,
>    a) app needs to offer the user a login page for the user to enter
> username/password
>    b) authentication needs to be conducted and then authorization
>
> thanks
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/redirect-302-Found-tp5769710p5769710.html
> Sent from the Shiro User mailing list archive at Nabble.com.
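
A sketch of option 2 from the reply above, added here as an illustration and not code from the thread or from the Shiro project: a FormAuthenticationFilter subclass that answers unauthenticated Ajax calls with a 401 and a small JSON body, while ordinary page requests keep the stock redirect. The class name, the JSON body, the `com.example` package in the wiring comment and the reliance on the `X-Requested-With: XMLHttpRequest` header are assumptions; the imports assume a `javax.servlet` based Shiro 1.x build.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical filter: same authentication rules as 'authc', different
 * response for Ajax callers. Assumed wiring in shiro.ini, [main] section:
 *   authc = com.example.AjaxAwareFormAuthenticationFilter
 *   authc.loginUrl = /login.jsp
 */
public class AjaxAwareFormAuthenticationFilter extends FormAuthenticationFilter {

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        HttpServletRequest httpRequest = WebUtils.toHttp(request);

        // The login page itself, the login form POST, and normal browser
        // navigation keep the default behaviour (including the 302).
        if (isLoginRequest(request, response) || !isAjax(httpRequest)) {
            return super.onAccessDenied(request, response);
        }

        // Unauthenticated Ajax call: no redirect. Send a status and body the
        // UI's failure handler can act on (for example, open a login dialog).
        HttpServletResponse httpResponse = WebUtils.toHttp(response);
        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        httpResponse.setContentType("application/json");
        httpResponse.setCharacterEncoding("UTF-8");
        httpResponse.getWriter().write("{\"error\":\"authentication_required\"}");
        return false; // stop the filter chain; the protected resource is not reached
    }

    /**
     * Assumption: the Ajax library sends X-Requested-With on its calls.
     * The header is client-controlled, so it only selects the response
     * format. Access is denied on both branches.
     */
    private static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"));
    }
}
```

The same class also covers session expiry in the middle of an Ajax-driven page: the next call gets the 401 body instead of the login page's HTML.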