Posted to user@shiro.apache.org by dan <da...@bamlabs.com> on 2011/03/04 19:18:11 UTC

Secondary authentication without a form

Hi --

In my web application, I have the normal form-based login for users, which
is working fine -- I'm using authc.

I also have requests from a mobile device that arrive in a particular
directory, such as /api/getStatus.jsp and /api/getPosition.jsp.  These
requests might have parameters j_username and j_password.  From a particular
mobile device, I want authentication to occur using the j_ parameters the
first time they are seen and then have it use the JSESSIONID cookie after
that (ignoring any passed j_ parameters).  Also, if access is denied, I wish
to return a jsp page, AuthError.jsp.

If authentication succeeds, I then wish to return to the /api/xxx.jsp
routine to run.

I have tried a few things, but would be very interested if you could steer
me in the right direction!  I think I need a second AuthenticatingFilter, but
one problem I have is I don't know how the Shiro configuration should look
or exactly what it should do...  Also, I don't want a form to be displayed
but for the j_ parameters to be plucked from the passed-in request and
processed.

Thanks,
Dan



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Seconday-authentication-without-a-form-tp6089493p6089493.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Secondary authentication without a form

Posted by Les Hazlewood <lh...@apache.org>.
Glad to see it was helpful :)

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Mon, Mar 7, 2011 at 10:26 AM, dan <da...@bamlabs.com> wrote:
> Hi Les,
>
> It works great!  Thanks for your great suggestions -- it's really cool to
> see how Shiro was able to easily handle the various authentication points.
>
> Thanks again!
> Dan
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Seconday-authentication-without-a-form-tp6089493p6098416.html
> Sent from the Shiro User mailing list archive at Nabble.com.

Re: Secondary authentication without a form

Posted by dan <da...@bamlabs.com>.
Hi Les,

It works great!  Thanks for your great suggestions -- it's really cool to
see how Shiro was able to easily handle the various authentication points.

Thanks again!
Dan

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Seconday-authentication-without-a-form-tp6089493p6098416.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Secondary authentication without a form

Posted by Les Hazlewood <lh...@apache.org>.
On Fri, Mar 4, 2011 at 12:12 PM, dan <da...@bamlabs.com> wrote:
> I see, that's good to clarify.
>
> I don't quite see how I would add a second authenticator.  Would it be
> something like this?
>
> [main]
> # fully-qualified class name of the AuthenticatingFilter subclass
> mobileauthc = MobileAuthenticatingFilter
> mobileauthc.errorUrl = /api/stateful/api/authError.jsp
>
> [urls]
> /index.jsp = anon
> /api/stateful/* = mobileauthc
> /pages/logon.jsp = authc
> /pages/** = authc
>
> In this new authenticator would you recommend I subclass from
> AuthenticatingFilter? When it is called, how do I know if I already have an
> authenticated client?
>
> Thanks!
> Dan

Hi Dan,

This looks good to me - you'd have a second 'mobileAuthc' filter.
You'll probably need to subclass AuthenticatingFilter, but you could
use FormAuthenticationFilter's 'onAccessDenied' implementation as a
good template to use in your subclass.  In that implementation,
instead of calling 'saveRequestAndRedirectToLogin', you'd probably
just call a 'showError' method using your configured errorUrl.

As for detecting if a user is authenticated or not - the super-super
class (org.apache.shiro.web.filter.authc.AuthenticationFilter) will
determine that already.  If the current Subject.isAuthenticated(), it
will always let a request through.  If not authenticated, the
onAccessDenied method will be called (which is where you perform the
login or fail the request).

HTH,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
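A worked version of what Les describes in this reply (subclass AuthenticatingFilter, keep the shape of FormAuthenticationFilter's onAccessDenied, but forward to the configured errorUrl instead of calling saveRequestAndRedirectToLogin), and of his remark further down the page that Shiro's authentication filters only attempt a login when the Subject is not yet authenticated. This is an added example written for this page; it is not code from the thread or from the Shiro project. The class and package names, the default errorUrl, the setter names used for shiro.ini wiring, the POST-only rule for credentials and the 401 status on the error page are all this example's own choices. The inherited Shiro calls (createToken(String, String, ...), executeLogin, WebUtils.getCleanParam) are the real 1.x API.

```java
package com.example.shiro; // hypothetical package name

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Logs API clients in from j_username/j_password request parameters without
 * ever redirecting to a login form.
 *
 * Once the Subject is authenticated, the inherited
 * AuthenticationFilter.isAccessAllowed() returns true and onAccessDenied()
 * is never reached, so later requests are accepted on the session cookie
 * alone and any j_ parameters they carry are ignored (this is the behaviour
 * Les describes; nothing here has to be written for it).
 */
public class MobileAuthenticatingFilter extends AuthenticatingFilter {

    // All three are settable from shiro.ini, e.g. "mobileauthc.errorUrl = ..."
    private String errorUrl = "/api/AuthError.jsp";   // assumed default
    private String usernameParam = "j_username";
    private String passwordParam = "j_password";

    public void setErrorUrl(String errorUrl) { this.errorUrl = errorUrl; }
    public void setUsernameParam(String name) { this.usernameParam = name; }
    public void setPasswordParam(String name) { this.passwordParam = name; }

    /** Builds the UsernamePasswordToken that executeLogin() passes to Subject.login(). */
    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String username = WebUtils.getCleanParam(request, usernameParam);
        String password = WebUtils.getCleanParam(request, passwordParam);
        // Inherited helper: wraps the pair in a UsernamePasswordToken and records the client host.
        return createToken(username, password, request, response);
    }

    /** True when the request carries a credential pair this filter is willing to log in with. */
    private boolean isLoginAttempt(ServletRequest request) {
        if (!(request instanceof HttpServletRequest)) {
            return false;
        }
        // Example's choice: accept credentials on POST only. A GET puts the password
        // into the URL, which proxies, browser history and access logs all record.
        if (!"POST".equalsIgnoreCase(((HttpServletRequest) request).getMethod())) {
            return false;
        }
        return WebUtils.getCleanParam(request, usernameParam) != null
            && WebUtils.getCleanParam(request, passwordParam) != null;
    }

    /**
     * Reached only when isAccessAllowed() returned false, i.e. the Subject is not
     * authenticated. Same shape as FormAuthenticationFilter.onAccessDenied(), but the
     * fall-through case renders the error page instead of redirecting to a login form.
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginAttempt(request)) {
            // executeLogin() calls createToken(), Subject.login(), then onLoginSuccess()
            // or onLoginFailure(); its return value decides whether the chain continues
            // on to the requested /api/xxx.jsp.
            return executeLogin(request, response);
        }
        showError(request, response);
        return false;
    }

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response) {
        return true; // let the original /api request run
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        try {
            showError(request, response);
        } catch (Exception ex) {
            throw new IllegalStateException("could not render " + errorUrl, ex);
        }
        return false; // stop the chain; the error page is the whole response
    }

    /** Forward (not redirect) so the client gets the JSP body for the URL it asked for. */
    private void showError(ServletRequest request, ServletResponse response) throws Exception {
        if (response instanceof HttpServletResponse) {
            // Example's choice: a non-200 status lets a non-browser client tell
            // an auth failure apart from a successful API response.
            ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
        request.getRequestDispatcher(errorUrl).forward(request, response);
    }
}
```

To wire it up, declare the filter in the [main] section of shiro.ini under its fully-qualified class name (for this example, mobileauthc = com.example.shiro.MobileAuthenticatingFilter, followed by mobileauthc.errorUrl = ...) and map the API paths to it in [urls] as Dan sketches below. Shiro's INI setter injection calls setErrorUrl and friends by name, which is why they are plain public setters. Note that a login that fails does not invalidate an existing session, so a client that is already logged in and sends a wrong j_ pair on a later request is simply let through on its session cookie, exactly as the original question asks.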

Re: Secondary authentication without a form

Posted by dan <da...@bamlabs.com>.
I see, that's good to clarify.

I don't quite see how I would add a second authenticator.  Would it be
something like this?

[main]
# fully-qualified class name of the AuthenticatingFilter subclass
mobileauthc = MobileAuthenticatingFilter
mobileauthc.errorUrl = /api/stateful/api/authError.jsp

[urls]
/index.jsp = anon
/api/stateful/* = mobileauthc
/pages/logon.jsp = authc
/pages/** = authc

In this new authenticator would you recommend I subclass from
AuthenticatingFilter? When it is called, how do I know if I already have an
authenticated client?

Thanks!
Dan


--
View this message in context: http://shiro-user.582556.n2.nabble.com/Seconday-authentication-without-a-form-tp6089493p6089888.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Secondary authentication without a form

Posted by Les Hazlewood <lh...@apache.org>.
Hi Dan,

All of Shiro's authentication filters will only execute a login if the
Subject is not already authenticated.  If your mobile device logs in
once, it won't be required to log in again unless its session id
becomes invalid.

Are your j_* params sent via a POST request or a GET request?

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com


On Fri, Mar 4, 2011 at 10:18 AM, dan <da...@bamlabs.com> wrote:
> Hi --
>
> In my web application, I have the normal form-based login for users, which
> is working fine -- I'm using authc.
>
> I also have requests from a mobile device that arrive in a particular
> directory, such as /api/getStatus.jsp and /api/getPosition.jsp.  These
> requests might have parameters j_username and j_password.  From a particular
> mobile device, I want authentication to occur using the j_ parameters the
> first time they are seen and then have it use the JSESSIONID cookie after
> that (ignoring any passed j_ parameters).  Also, if access is denied, I wish
> to return a jsp page, AuthError.jsp.
>
> If authentication succeeds, I then wish to return to the /api/xxx.jsp
> routine to run.
>
> I have tried a few things, but would be very interested if you could steer
> me in the right direction!  I think I need a second AuthenticatingFilter, but
> one problem I have is I don't know how the Shiro configuration should look
> or exactly what it should do...  Also, I don't want a form to be displayed
> but for the j_ parameters to be plucked from the passed-in request and
> processed.
>
> Thanks,
> Dan
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Seconday-authentication-without-a-form-tp6089493p6089493.html
> Sent from the Shiro User mailing list archive at Nabble.com.