Posted to user@shiro.apache.org by manitas <ma...@gmail.com> on 2012/06/08 02:15:03 UTC

change shiro behavior on access denied

Hi !

My project has one entrance url /xxx for several rpc commands, so
authentication is not on a per-url basis.
It means that:
 - I do not call the method "addFilterChain" in my configureShiroWeb() for
/xxx
 - security is on a per-method basis thanks to annotations

I'd like to be able to change the behavior of shiro and send a "HTTP Error
401" if the access is denied for one particular method.

I think there are 2 ways to do that:
- catch authentication or authorization exception to manage them
- change the behavior of the default filterchain by overriding the
corresponding method

Unfortunately I'm stuck on both:

For the first one, I have tried to execute the FilterChain in a try/catch
block but it did not catch anything. The original idea came from this post
on stackoverflow:
http://stackoverflow.com/questions/10342213/how-to-handle-unauthenticatedexception-with-shiro

For the second one, I do not know what the default filterchain class is, so I
can't override it.
The only information I have in the log is:
/TRACE o.a.s.w.s.AbstractShiroFilter - No FilterChain configured for the
current request.  Using the default./


Thanks in advance for your help


--
View this message in context: http://shiro-user.582556.n2.nabble.com/change-shiro-behavior-on-access-denied-tp7577478.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: change shiro behavior on access denied

Posted by Jared Bunting <ja...@peachjean.com>.
If you are using the authcBasic filter for authentication, then I think 
that configuring it as authcBasic[permissive] will achieve your desired 
behavior.

So, something like this:

/** = authcBasic[permissive]

This permissive feature should:

1. Check if request includes authentication info.  If so, attempt to 
authenticate.  If authentication fails, return the appropriate 
challenge (401).
2. If authentication succeeds, or request does not include 
authentication info, forward request on to the application.
3. If UnauthenticatedException is thrown (subclass of 
AuthorizationException, indicates that user, in addition to not being 
authorized, is not logged in), then return appropriate challenge (401).
4. If any other AuthorizationException is thrown, return an 
"Unauthorized" error (403).

Hope that helps,
Jared

On Thu 07 Jun 2012 07:15:03 PM CDT, manitas wrote:
> Hi !
>
> My project has one entrance url /xxx for several rpc commands, so
> authentication is not on a per-url basis.
> It means that:
>  - I do not call the method "addFilterChain" in my configureShiroWeb() for
> /xxx
>  - security is on a per-method basis thanks to annotations
>
> I'd like to be able to change the behavior of shiro and send a "HTTP Error
> 401" if the access is denied for one particular method.
>
> I think there are 2 ways to do that:
> - catch authentication or authorization exception to manage them
> - change the behavior of the default filterchain by overriding the
> corresponding method
>
> Unfortunately I'm stuck on both:
>
> For the first one, I have tried to execute the FilterChain in a try/catch
> block but it did not catch anything. The original idea came from this post
> on stackoverflow:
> http://stackoverflow.com/questions/10342213/how-to-handle-unauthenticatedexception-with-shiro
>
> For the second one, I do not know what the default filterchain class is, so I
> can't override it.
> The only information I have in the log is:
> /TRACE o.a.s.w.s.AbstractShiroFilter - No FilterChain configured for the
> current request.  Using the default./
>
>
> Thanks in advance for your help
>
>
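Steps 3 and 4 of Jared's reply describe how authcBasic[permissive] turns the two Shiro exception types into a 401 challenge and a 403. For the setup manitas describes, where /xxx has no filter chain and the checks come from method annotations, the same mapping can be done in a plain servlet filter wrapped around the RPC dispatch. The following is an added example, not code from the thread or from Shiro itself; the class name, the realm string "rpc" and the assumption that the filter is mapped in front of the /xxx servlet are illustrative.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;

public class AuthzErrorMappingFilter implements Filter {
    private static final String REALM = "rpc"; // assumed realm name, not from the thread
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res); // RPC dispatch; the annotated methods run in here
        } catch (Throwable t) {
            AuthorizationException authz = findAuthorizationException(t);
            if (authz == null) {
                rethrow(t); // not an authorization failure: leave it to the container
            } else if (response.isCommitted()) {
                throw authz; // status already sent; too late to turn it into 401/403
            } else if (authz instanceof UnauthenticatedException) {
                // Step 3 from the reply: no identity at all -> challenge the client
                response.reset();
                response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                // Step 4: authenticated but lacking the role/permission -> 403
                response.reset();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
        }
    }

    // Walks the cause chain so a ServletException wrapper does not hide the Shiro exception.
    static AuthorizationException findAuthorizationException(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof AuthorizationException) return (AuthorizationException) c;
        }
        return null;
    }
    private static void rethrow(Throwable t) throws IOException, ServletException {
        if (t instanceof IOException) throw (IOException) t;
        if (t instanceof ServletException) throw (ServletException) t;
        if (t instanceof RuntimeException) throw (RuntimeException) t;
        if (t instanceof Error) throw (Error) t;
        throw new ServletException(t);
    }
}
```

Map the filter to /xxx ahead of the RPC servlet. If the RPC servlet catches exceptions itself and writes its own error response, nothing reaches this filter and the mapping has to be done in that servlet's error handling instead.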