Posted to user@shiro.apache.org by Dan Diephouse <da...@netzooid.com> on 2011/04/15 01:30:18 UTC

Allowing form or basic auth, logouts

I have two probably basic questions.

1) I want to allow users to do either form OR basic authentication. I can
only see how to allow one at a time or both. Is this possible?

2) Does Shiro have a logout filter? Just wondering if there is an out of the
box url I can hit to do a logout for a user.

Dan

-- 
Dan Diephouse
http://netzooid.com/blog

Re: Allowing form or basic auth, logouts

Posted by Les Hazlewood <lh...@apache.org>.
I think for most apps, onPreHandle is probably the better of the two:

postHandle is called only:

1) After the filter chain executes.
2) If the chain did not throw an exception.

#1 is important because if there are any Shiro cookies to be deleted
as a result of calling logout() (rememberMe, principals, etc), this
can only be done before HTTP response body content is committed.  A
postHandle logout() call would fail to remove any cookies where
content was rendered.  I know this doesn't matter for cookie-less REST
apps, but having this logic in onPreHandle likely doesn't affect REST
apps either.

#2 is important because if an end-user is visiting a URL explicitly to
log out, you usually want to guarantee the logout occurs.  postHandle
does not make this guarantee.

HTH!

Cheers,

Les

On Fri, Apr 15, 2011 at 11:30 AM, Brian Demers <br...@gmail.com> wrote:
> We use this one:
> https://github.com/sonatype/security/blob/master/security-web/src/main/java/org/sonatype/security/web/filter/authc/LogoutAuthenticationFilter.java
>
> We also do not do any redirecting on logout, so I realize this may not
> be useful for everyone, but it may help the discussion.  I don't know
> why it uses postHandle vs onPreHandle (without digging deeper)
>
>
>
> On Fri, Apr 15, 2011 at 2:16 PM, Les Hazlewood <lh...@apache.org> wrote:
>> Hi Dan,
>>
>> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com> wrote:
>>> I have two probably basic questions.
>>> 1) I want to allow users to do either form OR basic authentication. I can
>>> only see how to allow one at a time or both. Is this possible?
>>
>> It would be possible if you wrote a custom AuthenticatingFilter to do
>> this.  You'd essentially need to merge the logic of
>> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
>> 'fallback' to a form if there are no authentication headers.  Could
>> you please create a Jira issue for this?  Also, if you do any work on
>> something like this, I'd love to see it!
>>
>>> 2) Does Shiro have a logout filter? Just wondering if there is an out of the
>>> box url I can hit to do a logout for a user.
>>
>> Now that I think about it, I'm surprised that we don't have this out
>> of the box - it would be _incredibly_ easy to write.  We'd just have
>> to
>>
>> 1. Subclass PathMatchingFilter
>> 2. Call subject.logout in the onPreHandle method implementation
>> 3. Redirect to a configured 'redirectUrl' property.
>>
>> And that's it.  Can you please add a Jira issue for this?
>>
>> Cheers,
>>
>> --
>> Les Hazlewood
>> Founder, Katasoft, Inc.
>> Application Security Products & Professional Apache Shiro Support and Training:
>> http://www.katasoft.com

Re: Allowing form or basic auth, logouts

Posted by Brian Demers <br...@gmail.com>.
We use this one:
https://github.com/sonatype/security/blob/master/security-web/src/main/java/org/sonatype/security/web/filter/authc/LogoutAuthenticationFilter.java

We also do not do any redirecting on logout, so I realize this may not
be useful for everyone, but it may help the discussion.  I don't know
why it uses postHandle vs onPreHandle (without digging deeper)



On Fri, Apr 15, 2011 at 2:16 PM, Les Hazlewood <lh...@apache.org> wrote:
> Hi Dan,
>
> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com> wrote:
>> I have two probably basic questions.
>> 1) I want to allow users to do either form OR basic authentication. I can
>> only see how to allow one at a time or both. Is this possible?
>
> It would be possible if you wrote a custom AuthenticatingFilter to do
> this.  You'd essentially need to merge the logic of
> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
> 'fallback' to a form if there are no authentication headers.  Could
> you please create a Jira issue for this?  Also, if you do any work on
> something like this, I'd love to see it!
>
>> 2) Does Shiro have a logout filter? Just wondering if there is an out of the
>> box url I can hit to do a logout for a user.
>
> Now that I think about it, I'm surprised that we don't have this out
> of the box - it would be _incredibly_ easy to write.  We'd just have
> to
>
> 1. Subclass PathMatchingFilter
> 2. Call subject.logout in the onPreHandle method implementation
> 3. Redirect to a configured 'redirectUrl' property.
>
> And that's it.  Can you please add a Jira issue for this?
>
> Cheers,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and Training:
> http://www.katasoft.com
>

Re: Allowing form or basic auth, logouts

Posted by Les Hazlewood <lh...@apache.org>.
My recommendation would be to add some feature/property that triggered
allowing the request through the chain, even though the authentication
conditions haven't been met.  That way, one filter doesn't need to
know about another.

But that trigger should only ever work if we know that they're
visiting a login page - not just any request should fall through.
Maybe something like what the PassthruAuthenticationFilter and/or
FormAuthenticationFilter does with their calls to the superclass
'isLoginRequest' method.

As always, patches are appreciated :)

Les

On Wed, Apr 20, 2011 at 5:21 PM, Dan Diephouse <da...@netzooid.com> wrote:
> Any suggestions? I was just looking through the code. While it's clean and
> all, I'm trying to figure out a way to do this without ripping everything
> apart :-)
> Dan
>
> On Wed, Apr 20, 2011 at 2:39 PM, Les Hazlewood <lh...@apache.org>
> wrote:
>>
>> The trick would be to make this flow cleanly.  BASIC and Form
>> authentication are different concerns, and if you'd want to make them
>> work together, a pluggable approach would be ideal (instead of either
>> 'knowing' about the other and writing convoluted code to support
>> that).  For example, it should work just as well if you'd want to
>> enforce HTTP digest authentication + Form authentication as a
>> backup...
>>
>> On Wed, Apr 20, 2011 at 1:43 PM, Dan Diephouse <da...@netzooid.com> wrote:
>> > Yeah, this is pretty much what I'm thinking as well.
>> >
>> > On Sun, Apr 17, 2011 at 10:46 AM, Jared Bunting
>> > <ja...@digitalreasoning.com> wrote:
>> >>
>> >> I would suggest that BasicHttpAuthenticationFilter have an option to
>> >> enable the following workflow:
>> >>
>> >> If user presents authentication info, attempt to validate it, if it
>> >> fails
>> >> return authorization challenge.
>> >> If user does not present authentication info, pass the request through.
>> >> If subsequent processing throws an UnauthenticatedException, then
>> >> return
>> >> the authorization challenge.
>> >>
>> >> I would suggest something similar with the FormAuthenticationFilter
>> >> (although I am less familiar with it).  Only block access if the user
>> >> attempts to authenticate and fails, otherwise only challenge if an
>> >> UnauthenticatedException is thrown.
>> >>
>> >>
>> >> -Jared
>> >>
>> >> -----Original Message-----
>> >> From: les.hazlewood@anjinllc.com on behalf of Les Hazlewood
>> >> Sent: Sun 4/17/2011 1:08 PM
>> >> To: user@shiro.apache.org
>> >> Cc: Dan Diephouse
>> >> Subject: Re: Allowing form or basic auth, logouts
>> >>
>> >> For https://issues.apache.org/jira/browse/SHIRO-283, how do you
>> >> propose that would work?
>> >>
>> >> In the BasicHttpAuthenticationFilter, if the Subject is not
>> >> authenticated, the BASIC challenge is sent as a response and the
>> >> Filter chain is not allowed to continue.
>> >>
>> >> How would the BasicHttpAuthenticationFilter (or a variant of it) know
>> >> to let the request pass through to a form instead of send the
>> >> challenge?
>> >>
>> >> Regards,
>> >>
>> >> Les
>> >>
>> >> On Sat, Apr 16, 2011 at 10:21 PM, Dan Diephouse <da...@netzooid.com>
>> >> wrote:
>> >> > Here are the JIRAs:
>> >> > https://issues.apache.org/jira/browse/SHIRO-283
>> >> > https://issues.apache.org/jira/browse/SHIRO-284
>> >> > Thanks for the response,
>> >> > Dan
>> >> >
>> >> > On Fri, Apr 15, 2011 at 11:16 AM, Les Hazlewood
>> >> > <lh...@apache.org>
>> >> > wrote:
>> >> >>
>> >> >> Hi Dan,
>> >> >>
>> >> >> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com>
>> >> >> wrote:
>> >> >> > I have two probably basic questions.
>> >> >> > 1) I want to allow users to do either form OR basic
>> >> >> > authentication. I
>> >> >> > can
>> >> >> > only see how to allow one at a time or both. Is this possible?
>> >> >>
>> >> >> It would be possible if you wrote a custom AuthenticatingFilter to
>> >> >> do
>> >> >> this.  You'd essentially need to merge the logic of
>> >> >> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
>> >> >> 'fallback' to a form if there are no authentication headers.  Could
>> >> >> you please create a Jira issue for this?  Also, if you do any work
>> >> >> on
>> >> >> something like this, I'd love to see it!
>> >> >>
>> >> >> > 2) Does Shiro have a logout filter? Just wondering if there is an
>> >> >> > out
>> >> >> > of
>> >> >> > the
>> >> >> > box url I can hit to do a logout for a user.
>> >> >>
>> >> >> Now that I think about it, I'm surprised that we don't have this out
>> >> >> of the box - it would be _incredibly_ easy to write.  We'd just have
>> >> >> to
>> >> >>
>> >> >> 1. Subclass PathMatchingFilter
>> >> >> 2. Call subject.logout in the onPreHandle method implementation
>> >> >> 3. Redirect to a configured 'redirectUrl' property.
>> >> >>
>> >> >> And that's it.  Can you please add a Jira issue for this?

Re: Allowing form or basic auth, logouts

Posted by Dan Diephouse <da...@netzooid.com>.
Any suggestions? I was just looking through the code. While it's clean and
all, I'm trying to figure out a way to do this without ripping everything
apart :-)

Dan

On Wed, Apr 20, 2011 at 2:39 PM, Les Hazlewood <lh...@apache.org> wrote:

> The trick would be to make this flow cleanly.  BASIC and Form
> authentication are different concerns, and if you'd want to make them
> work together, a pluggable approach would be ideal (instead of either
> 'knowing' about the other and writing convoluted code to support
> that).  For example, it should work just as well if you'd want to
> enforce HTTP digest authentication + Form authentication as a
> backup...
>
> On Wed, Apr 20, 2011 at 1:43 PM, Dan Diephouse <da...@netzooid.com> wrote:
> > Yeah, this is pretty much what I'm thinking as well.
> >
> > On Sun, Apr 17, 2011 at 10:46 AM, Jared Bunting
> > <ja...@digitalreasoning.com> wrote:
> >>
> >> I would suggest that BasicHttpAuthenticationFilter have an option to
> >> enable the following workflow:
> >>
> >> If user presents authentication info, attempt to validate it, if it
> fails
> >> return authorization challenge.
> >> If user does not present authentication info, pass the request through.
> >> If subsequent processing throws an UnauthenticatedException, then return
> >> the authorization challenge.
> >>
> >> I would suggest something similar with the FormAuthenticationFilter
> >> (although I am less familiar with it).  Only block access if the user
> >> attempts to authenticate and fails, otherwise only challenge if an
> >> UnauthenticatedException is thrown.
> >>
> >>
> >> -Jared
> >>
> >> -----Original Message-----
> >> From: les.hazlewood@anjinllc.com on behalf of Les Hazlewood
> >> Sent: Sun 4/17/2011 1:08 PM
> >> To: user@shiro.apache.org
> >> Cc: Dan Diephouse
> >> Subject: Re: Allowing form or basic auth, logouts
> >>
> >> For https://issues.apache.org/jira/browse/SHIRO-283, how do you
> >> propose that would work?
> >>
> >> In the BasicHttpAuthenticationFilter, if the Subject is not
> >> authenticated, the BASIC challenge is sent as a response and the
> >> Filter chain is not allowed to continue.
> >>
> >> How would the BasicHttpAuthenticationFilter (or a variant of it) know
> >> to let the request pass through to a form instead of send the
> >> challenge?
> >>
> >> Regards,
> >>
> >> Les
> >>
> >> On Sat, Apr 16, 2011 at 10:21 PM, Dan Diephouse <da...@netzooid.com>
> wrote:
> >> > Here are the JIRAs:
> >> > https://issues.apache.org/jira/browse/SHIRO-283
> >> > https://issues.apache.org/jira/browse/SHIRO-284
> >> > Thanks for the response,
> >> > Dan
> >> >
> >> > On Fri, Apr 15, 2011 at 11:16 AM, Les Hazlewood <
> lhazlewood@apache.org>
> >> > wrote:
> >> >>
> >> >> Hi Dan,
> >> >>
> >> >> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com>
> >> >> wrote:
> >> >> > I have two probably basic questions.
> >> >> > 1) I want to allow users to do either form OR basic authentication.
> I
> >> >> > can
> >> >> > only see how to allow one at a time or both. Is this possible?
> >> >>
> >> >> It would be possible if you wrote a custom AuthenticatingFilter to do
> >> >> this.  You'd essentially need to merge the logic of
> >> >> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
> >> >> 'fallback' to a form if there are no authentication headers.  Could
> >> >> you please create a Jira issue for this?  Also, if you do any work on
> >> >> something like this, I'd love to see it!
> >> >>
> >> >> > 2) Does Shiro have a logout filter? Just wondering if there is an
> out
> >> >> > of
> >> >> > the
> >> >> > box url I can hit to do a logout for a user.
> >> >>
> >> >> Now that I think about it, I'm surprised that we don't have this out
> >> >> of the box - it would be _incredibly_ easy to write.  We'd just have
> >> >> to
> >> >>
> >> >> 1. Subclass PathMatchingFilter
> >> >> 2. Call subject.logout in the onPreHandle method implementation
> >> >> 3. Redirect to a configured 'redirectUrl' property.
> >> >>
> >> >> And that's it.  Can you please add a Jira issue for this?
> >>
> >
> >
> >
> > --
> > Dan Diephouse
> > http://netzooid.com/blog
>



-- 
Dan Diephouse
http://netzooid.com/blog

Re: Allowing form or basic auth, logouts

Posted by Les Hazlewood <lh...@apache.org>.
The trick would be to make this flow cleanly.  BASIC and Form
authentication are different concerns, and if you'd want to make them
work together, a pluggable approach would be ideal (instead of either
'knowing' about the other and writing convoluted code to support
that).  For example, it should work just as well if you'd want to
enforce HTTP digest authentication + Form authentication as a
backup...

On Wed, Apr 20, 2011 at 1:43 PM, Dan Diephouse <da...@netzooid.com> wrote:
> Yeah, this is pretty much what I'm thinking as well.
>
> On Sun, Apr 17, 2011 at 10:46 AM, Jared Bunting
> <ja...@digitalreasoning.com> wrote:
>>
>> I would suggest that BasicHttpAuthenticationFilter have an option to
>> enable the following workflow:
>>
>> If user presents authentication info, attempt to validate it, if it fails
>> return authorization challenge.
>> If user does not present authentication info, pass the request through.
>> If subsequent processing throws an UnauthenticatedException, then return
>> the authorization challenge.
>>
>> I would suggest something similar with the FormAuthenticationFilter
>> (although I am less familiar with it).  Only block access if the user
>> attempts to authenticate and fails, otherwise only challenge if an
>> UnauthenticatedException is thrown.
>>
>>
>> -Jared
>>
>> -----Original Message-----
>> From: les.hazlewood@anjinllc.com on behalf of Les Hazlewood
>> Sent: Sun 4/17/2011 1:08 PM
>> To: user@shiro.apache.org
>> Cc: Dan Diephouse
>> Subject: Re: Allowing form or basic auth, logouts
>>
>> For https://issues.apache.org/jira/browse/SHIRO-283, how do you
>> propose that would work?
>>
>> In the BasicHttpAuthenticationFilter, if the Subject is not
>> authenticated, the BASIC challenge is sent as a response and the
>> Filter chain is not allowed to continue.
>>
>> How would the BasicHttpAuthenticationFilter (or a variant of it) know
>> to let the request pass through to a form instead of send the
>> challenge?
>>
>> Regards,
>>
>> Les
>>
>> On Sat, Apr 16, 2011 at 10:21 PM, Dan Diephouse <da...@netzooid.com> wrote:
>> > Here are the JIRAs:
>> > https://issues.apache.org/jira/browse/SHIRO-283
>> > https://issues.apache.org/jira/browse/SHIRO-284
>> > Thanks for the response,
>> > Dan
>> >
>> > On Fri, Apr 15, 2011 at 11:16 AM, Les Hazlewood <lh...@apache.org>
>> > wrote:
>> >>
>> >> Hi Dan,
>> >>
>> >> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com>
>> >> wrote:
>> >> > I have two probably basic questions.
>> >> > 1) I want to allow users to do either form OR basic authentication. I
>> >> > can
>> >> > only see how to allow one at a time or both. Is this possible?
>> >>
>> >> It would be possible if you wrote a custom AuthenticatingFilter to do
>> >> this.  You'd essentially need to merge the logic of
>> >> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
>> >> 'fallback' to a form if there are no authentication headers.  Could
>> >> you please create a Jira issue for this?  Also, if you do any work on
>> >> something like this, I'd love to see it!
>> >>
>> >> > 2) Does Shiro have a logout filter? Just wondering if there is an out
>> >> > of
>> >> > the
>> >> > box url I can hit to do a logout for a user.
>> >>
>> >> Now that I think about it, I'm surprised that we don't have this out
>> >> of the box - it would be _incredibly_ easy to write.  We'd just have
>> >> to
>> >>
>> >> 1. Subclass PathMatchingFilter
>> >> 2. Call subject.logout in the onPreHandle method implementation
>> >> 3. Redirect to a configured 'redirectUrl' property.
>> >>
>> >> And that's it.  Can you please add a Jira issue for this?
>>
>
>
>
> --
> Dan Diephouse
> http://netzooid.com/blog

Re: Allowing form or basic auth, logouts

Posted by Dan Diephouse <da...@netzooid.com>.
Yeah, this is pretty much what I'm thinking as well.

On Sun, Apr 17, 2011 at 10:46 AM, Jared Bunting <jared.bunting@digitalreasoning.com> wrote:

> I would suggest that BasicHttpAuthenticationFilter have an option to enable
> the following workflow:
>
> If user presents authentication info, attempt to validate it, if it fails
> return authorization challenge.
> If user does not present authentication info, pass the request through.
> If subsequent processing throws an UnauthenticatedException, then return
> the authorization challenge.
>
> I would suggest something similar with the FormAuthenticationFilter
> (although I am less familiar with it).  Only block access if the user
> attempts to authenticate and fails, otherwise only challenge if an
> UnauthenticatedException is thrown.
>
>
> -Jared
>
> -----Original Message-----
> From: les.hazlewood@anjinllc.com on behalf of Les Hazlewood
> Sent: Sun 4/17/2011 1:08 PM
> To: user@shiro.apache.org
> Cc: Dan Diephouse
> Subject: Re: Allowing form or basic auth, logouts
>
> For https://issues.apache.org/jira/browse/SHIRO-283, how do you
> propose that would work?
>
> In the BasicHttpAuthenticationFilter, if the Subject is not
> authenticated, the BASIC challenge is sent as a response and the
> Filter chain is not allowed to continue.
>
> How would the BasicHttpAuthenticationFilter (or a variant of it) know
> to let the request pass through to a form instead of send the
> challenge?
>
> Regards,
>
> Les
>
> On Sat, Apr 16, 2011 at 10:21 PM, Dan Diephouse <da...@netzooid.com> wrote:
> > Here are the JIRAs:
> > https://issues.apache.org/jira/browse/SHIRO-283
> > https://issues.apache.org/jira/browse/SHIRO-284
> > Thanks for the response,
> > Dan
> >
> > On Fri, Apr 15, 2011 at 11:16 AM, Les Hazlewood <lh...@apache.org>
> > wrote:
> >>
> >> Hi Dan,
> >>
> >> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com>
> wrote:
> >> > I have two probably basic questions.
> >> > 1) I want to allow users to do either form OR basic authentication. I
> >> > can
> >> > only see how to allow one at a time or both. Is this possible?
> >>
> >> It would be possible if you wrote a custom AuthenticatingFilter to do
> >> this.  You'd essentially need to merge the logic of
> >> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
> >> 'fallback' to a form if there are no authentication headers.  Could
> >> you please create a Jira issue for this?  Also, if you do any work on
> >> something like this, I'd love to see it!
> >>
> >> > 2) Does Shiro have a logout filter? Just wondering if there is an out
> of
> >> > the
> >> > box url I can hit to do a logout for a user.
> >>
> >> Now that I think about it, I'm surprised that we don't have this out
> >> of the box - it would be _incredibly_ easy to write.  We'd just have
> >> to
> >>
> >> 1. Subclass PathMatchingFilter
> >> 2. Call subject.logout in the onPreHandle method implementation
> >> 3. Redirect to a configured 'redirectUrl' property.
> >>
> >> And that's it.  Can you please add a Jira issue for this?
>
>


-- 
Dan Diephouse
http://netzooid.com/blog

RE: Allowing form or basic auth, logouts

Posted by Jared Bunting <ja...@digitalreasoning.com>.
I would suggest that BasicHttpAuthenticationFilter have an option to enable the following workflow:

If the user presents authentication info, attempt to validate it; if it fails, return the authorization challenge.
If the user does not present authentication info, pass the request through.
If subsequent processing throws an UnauthenticatedException, then return the authorization challenge.

I would suggest something similar with the FormAuthenticationFilter (although I am less familiar with it). Only block access if the user attempts to authenticate and fails; otherwise only challenge if an UnauthenticatedException is thrown.


-Jared

-----Original Message-----
From: les.hazlewood@anjinllc.com on behalf of Les Hazlewood
Sent: Sun 4/17/2011 1:08 PM
To: user@shiro.apache.org
Cc: Dan Diephouse
Subject: Re: Allowing form or basic auth, logouts
 
For https://issues.apache.org/jira/browse/SHIRO-283, how do you
propose that would work?

In the BasicHttpAuthenticationFilter, if the Subject is not
authenticated, the BASIC challenge is sent as a response and the
Filter chain is not allowed to continue.

How would the BasicHttpAuthenticationFilter (or a variant of it) know
to let the request pass through to a form instead of send the
challenge?

Regards,

Les

On Sat, Apr 16, 2011 at 10:21 PM, Dan Diephouse <da...@netzooid.com> wrote:
> Here are the JIRAs:
> https://issues.apache.org/jira/browse/SHIRO-283
> https://issues.apache.org/jira/browse/SHIRO-284
> Thanks for the response,
> Dan
>
> On Fri, Apr 15, 2011 at 11:16 AM, Les Hazlewood <lh...@apache.org>
> wrote:
>>
>> Hi Dan,
>>
>> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com> wrote:
>> > I have two probably basic questions.
>> > 1) I want to allow users to do either form OR basic authentication. I
>> > can
>> > only see how to allow one at a time or both. Is this possible?
>>
>> It would be possible if you wrote a custom AuthenticatingFilter to do
>> this.  You'd essentially need to merge the logic of
>> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
>> 'fallback' to a form if there are no authentication headers.  Could
>> you please create a Jira issue for this?  Also, if you do any work on
>> something like this, I'd love to see it!
>>
>> > 2) Does Shiro have a logout filter? Just wondering if there is an out of
>> > the
>> > box url I can hit to do a logout for a user.
>>
>> Now that I think about it, I'm surprised that we don't have this out
>> of the box - it would be _incredibly_ easy to write.  We'd just have
>> to
>>
>> 1. Subclass PathMatchingFilter
>> 2. Call subject.logout in the onPreHandle method implementation
>> 3. Redirect to a configured 'redirectUrl' property.
>>
>> And that's it.  Can you please add a Jira issue for this?
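Jared's workflow above, combined with Les's point that BASIC and form authentication should stay separate concerns (neither filter knowing about the other), as an added example that is not from the thread or from Shiro itself: a BasicHttpAuthenticationFilter subclass that only rejects requests which actually attempted BASIC and leaves everything else to the next filter in the chain. The package, class and filter names are assumptions; the code relies on Shiro 1.x's protected isAccessAllowed() and isLoginAttempt() hooks.

```java
package com.example.shiro; // hypothetical package, not part of Shiro

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;

/**
 * BASIC authentication that falls back to the next filter in the chain
 * (typically the form filter) when the client sent no credentials at all.
 *
 * Decision per request:
 *   - Subject already authenticated       -> allow
 *   - "Authorization: Basic ..." present  -> validate; on failure send the 401
 *                                            challenge and stop the chain
 *   - no Authorization header             -> pass through so a later filter
 *                                            (authc) can redirect to the form
 *
 * shiro.ini wiring (filter names and URLs are illustrative):
 *
 *   [main]
 *   authcBasicFallback = com.example.shiro.FallbackBasicAuthenticationFilter
 *   authcBasicFallback.applicationName = example
 *   authc.loginUrl = /login.jsp
 *
 *   [urls]
 *   /login.jsp = authc
 *   /** = authcBasicFallback, authc
 *
 * Caveat: a client that never sends credentials gets the form redirect, not a
 * 401. Paths that must always challenge (a pure API) belong under the stock
 * authcBasic filter instead. The third step of Jared's workflow (challenging
 * when an UnauthenticatedException is thrown downstream) is not handled here.
 */
public class FallbackBasicAuthenticationFilter extends BasicHttpAuthenticationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // The superclass already allows authenticated Subjects (and requests
        // whose HTTP method is not in the filter's configured method list).
        if (super.isAccessAllowed(request, response, mappedValue)) {
            return true;
        }
        // isLoginAttempt() is true only when the request carries an
        // "Authorization: Basic ..." header. Without one we return true so the
        // chain continues: BASIC was never attempted, so this filter has
        // nothing to judge. With one we return false, and the inherited
        // onAccessDenied() runs executeLogin() and sends the BASIC challenge
        // if the credentials are rejected, exactly as the stock filter does.
        return !isLoginAttempt(request, response);
    }
}
```

Shiro 1.2 later added a `permissive` flag to the stock filter (`/** = authcBasic[permissive], authc`) that performs the same pass-through, so on newer versions no subclass is needed for this part.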


Re: Allowing form or basic auth, logouts

Posted by Les Hazlewood <lh...@apache.org>.
For https://issues.apache.org/jira/browse/SHIRO-283, how do you
propose that would work?

In the BasicHttpAuthenticationFilter, if the Subject is not
authenticated, the BASIC challenge is sent as a response and the
Filter chain is not allowed to continue.

How would the BasicHttpAuthenticationFilter (or a variant of it) know
to let the request pass through to a form instead of sending the
challenge?

Regards,

Les

On Sat, Apr 16, 2011 at 10:21 PM, Dan Diephouse <da...@netzooid.com> wrote:
> Here are the JIRAs:
> https://issues.apache.org/jira/browse/SHIRO-283
> https://issues.apache.org/jira/browse/SHIRO-284
> Thanks for the response,
> Dan
>
> On Fri, Apr 15, 2011 at 11:16 AM, Les Hazlewood <lh...@apache.org>
> wrote:
>>
>> Hi Dan,
>>
>> On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com> wrote:
>> > I have two probably basic questions.
>> > 1) I want to allow users to do either form OR basic authentication. I
>> > can
>> > only see how to allow one at a time or both. Is this possible?
>>
>> It would be possible if you wrote a custom AuthenticatingFilter to do
>> this.  You'd essentially need to merge the logic of
>> BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
>> 'fallback' to a form if there are no authentication headers.  Could
>> you please create a Jira issue for this?  Also, if you do any work on
>> something like this, I'd love to see it!
>>
>> > 2) Does Shiro have a logout filter? Just wondering if there is an out of
>> > the
>> > box url I can hit to do a logout for a user.
>>
>> Now that I think about it, I'm surprised that we don't have this out
>> of the box - it would be _incredibly_ easy to write.  We'd just have
>> to
>>
>> 1. Subclass PathMatchingFilter
>> 2. Call subject.logout in the onPreHandle method implementation
>> 3. Redirect to a configured 'redirectUrl' property.
>>
>> And that's it.  Can you please add a Jira issue for this?

Re: Allowing form or basic auth, logouts

Posted by Les Hazlewood <lh...@apache.org>.
Hi Dan,

On Thu, Apr 14, 2011 at 4:30 PM, Dan Diephouse <da...@netzooid.com> wrote:
> I have two probably basic questions.
> 1) I want to allow users to do either form OR basic authentication. I can
> only see how to allow one at a time or both. Is this possible?

It would be possible if you wrote a custom AuthenticatingFilter to do
this.  You'd essentially need to merge the logic of
BasicHttpAuthenticationFilter and FormAuthenticationFilter where you
'fallback' to a form if there are no authentication headers.  Could
you please create a Jira issue for this?  Also, if you do any work on
something like this, I'd love to see it!

> 2) Does Shiro have a logout filter? Just wondering if there is an out of the
> box url I can hit to do a logout for a user.

Now that I think about it, I'm surprised that we don't have this out
of the box - it would be _incredibly_ easy to write.  We'd just have
to

1. Subclass PathMatchingFilter
2. Call subject.logout in the onPreHandle method implementation
3. Redirect to a configured 'redirectUrl' property.

And that's it.  Can you please add a Jira issue for this?

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
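The three-step logout filter Les sketches above, together with his earlier point in this thread that logout() has to run before the response is committed so that Shiro's rememberMe and session cookies can actually be cleared, as an added example that is not from the thread or from Shiro itself. The package, class name, filter name and the "/" default for redirectUrl are assumptions; the code relies on Shiro 1.x's PathMatchingFilter.onPreHandle and WebUtils.issueRedirect.

```java
package com.example.shiro; // hypothetical package, not part of Shiro

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.PathMatchingFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Logs the current Subject out and redirects, following the recipe from the
 * thread: subclass PathMatchingFilter, call subject.logout() in onPreHandle,
 * then redirect to a configured 'redirectUrl'.
 *
 * shiro.ini wiring (filter name and URLs are illustrative):
 *
 *   [main]
 *   logout = com.example.shiro.LogoutFilter
 *   logout.redirectUrl = /login.jsp
 *
 *   [urls]
 *   /logout = logout
 */
public class LogoutFilter extends PathMatchingFilter {

    private static final Logger log = LoggerFactory.getLogger(LogoutFilter.class);

    // Where to send the browser after logout; "/" is an assumed default.
    private String redirectUrl = "/";

    public String getRedirectUrl() {
        return redirectUrl;
    }

    public void setRedirectUrl(String redirectUrl) {
        this.redirectUrl = redirectUrl;
    }

    /**
     * onPreHandle rather than postHandle: it runs before the rest of the chain,
     * so (1) the logout happens even if a downstream filter or servlet throws,
     * and (2) the response is still uncommitted, which is the only point at
     * which Shiro can still expire its rememberMe and session cookies.
     */
    @Override
    protected boolean onPreHandle(ServletRequest request, ServletResponse response,
                                  Object mappedValue) throws Exception {
        if (response.isCommitted()) {
            // Defensive check: a committed response can no longer carry
            // Set-Cookie headers, so the cookie-clearing side of logout()
            // would be silently lost.
            log.warn("Response already committed before logout; cookies may not be cleared");
        }

        Subject subject = SecurityUtils.getSubject();
        try {
            subject.logout(); // invalidates the session and clears the rememberMe identity
        } catch (SessionException e) {
            // The session may already have expired or been invalidated; the
            // Subject is logged out either way, so log and continue to the redirect.
            log.debug("Session already invalid during logout", e);
        }

        WebUtils.issueRedirect(request, response, getRedirectUrl());
        return false; // response is complete; do not continue the filter chain
    }
}
```

Shiro 1.2 later shipped an out-of-the-box `logout` filter (org.apache.shiro.web.filter.authc.LogoutFilter) with this same redirectUrl behaviour, so on newer versions the custom class is unnecessary.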