Posted to user@shiro.apache.org by ak <ak...@ureach.com> on 2012/07/22 06:27:03 UTC

login into application without dedicated login page using shiro API

Hi All,

I have a requirement wherein I don't want to use a separate or dedicated
login/logout page. Instead, I want to have two fields, login and
password, on top of all the generic pages, from where a user can log in
as and when he/she wants; otherwise the user can navigate through the generic
pages without being logged in. After passing through the shiro authentication
filter, the user can enter his restricted page, which he is allowed to,
based on his role.

Please suggest how I can implement it using the shiro API.

Many thanks.

  



--
View this message in context: http://shiro-user.582556.n2.nabble.com/login-into-application-without-dedicated-login-page-using-shiro-API-tp7577620.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: login into application without dedicated login page using shiro API

Posted by jleleu <le...@gmail.com>.
Hi,

For the "authc.loginUrl", you have to set up something because it's the url
that will be called when a user tries to access a protected area and it's
still possible for a user to directly call a protected url. You can, for
example, choose a default page with the embedded login form or create a
specific login page.

The "roles.unauthorizedUrl" configuration is dedicated to the use case where
users are authenticated but don't have the right roles. It depends on your
realm: are you sure this use case won't happen (users always granted a
default role which is checked in the roles filter)? If so, drop it; if not, you
will need to configure a specific page for this use case.

Best regards,
Jérôme





Re: login into application without dedicated login page using shiro API

Posted by ak <ak...@ureach.com>.
Hi Jerome,

Thank you very much for suggesting this approach. I have another doubt: if
I go with this approach, in the shiro.ini file:

Can I remove the "authc.loginUrl" entry then, as I will not have any dedicated
login page now?

And one other understanding:
I use successUrl, so I can customize this success page for that particular
user based on role. I mean, this success page would be a common page for all
types (roles) of users, but a user would be able to see only those items which he
is authorised for, based on the role returned by the shiro jdbc realm, fetched
from the database.

Do I really need now "roles.unauthorizedUrl" mapping in the ini file?

Please correct my above understanding if I am wrong somewhere in my
approach.

Thanks again.

Regards.  




Re: login into application without dedicated login page using shiro API

Posted by jleleu <le...@gmail.com>.
Hi,

I would try to add a JSP fragment with a login form on every generic (not
protected) page, form whose name is loginform, method is POST and *action
points to a protected url where your authc filter is defined*.
Your authc filter configuration should match the name of the input fields
defined in the login form (username, password, rememberMe) and have a
successUrl which is the default target protected page.
Best regards,
Jérôme



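A shiro.ini configuration for the setup discussed in the replies above, added here as an example and not posted by anyone in the thread. The paths (/index.jsp, /account/**, /unauthorized.jsp) and the role name admin are assumptions, and the realm section is left out. Shiro's form filter only attempts a login on a POST to loginUrl, so the embedded form posts there.

```ini
# Added example (not from the thread). All paths and the "admin" role
# are assumed names; the realm definition is omitted.

[main]
# authc is Shiro's built-in FormAuthenticationFilter. It attempts a login
# only when the request is a POST to loginUrl. A GET to loginUrl is let
# through, so a generic page can double as the login page.
authc.loginUrl = /index.jsp

# These must match the name attributes of the inputs in the embedded form.
# The values shown are also the filter's defaults.
authc.usernameParam = username
authc.passwordParam = password
authc.rememberMeParam = rememberMe

# Target after a successful login when no earlier request was saved.
authc.successUrl = /account/home.jsp

# Shown to users who are authenticated but lack the required role.
roles.unauthorizedUrl = /unauthorized.jsp

[urls]
# First match wins, so the most specific patterns come first.
/index.jsp = authc
/account/admin/** = authc, roles[admin]
/account/** = authc
/** = anon

# Login fragment to include on every generic page (JSP/HTML, shown as
# comments so that this file stays valid INI):
#
#   <form name="loginform" method="post"
#         action="${pageContext.request.contextPath}/index.jsp">
#     <input type="text" name="username">
#     <input type="password" name="password">
#     <input type="checkbox" name="rememberMe" value="true">
#     <input type="submit" value="Log in">
#   </form>
#
# On a failed login the filter lets the request continue to /index.jsp
# with the request attribute "shiroLoginFailure" set (the default
# failureKeyAttribute), which the page can use to show an error message.
```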