Posted to user@shiro.apache.org by Mo Maison <mo...@yahoo.fr> on 2013/01/16 19:28:50 UTC
Parallel authentication filters ?
Hello Shiro users,
I have a rather unusual authentication scheme, and don't
know how to handle that with Shiro for now.
Basically, I'd like to authenticate users with one of the two
following methods:
1- by a client certificate
OR
2- with basic http
Case 1 is handled by an external reverse proxy, which puts the client
x509 certificate into http request headers.
Thus I'd like the following logic:
- if the request contains x509 headers, use that to create a token
- else use the standard authcBasic Shiro filter.
If I specify two filters on the same url in the ini config file,
I guess both filters will be executed?
How can I shortcut authcBasic if the first filter already returns
a token?
I'd be surprised if Shiro could not handle such a case (different
types of authentication) out of the box.
Do I have to implement a custom filter, which inherits (or better,
composes) authcBasic?
Any advice would be appreciated.
Regards,
M. Maison
Re: Parallel authentication filters ?
Posted by Les Hazlewood <lh...@apache.org>.
I have a solution for this that I use on one of my projects - pretty clean
too, assuming your authc mechanisms adhere to the HTTP Spec for HTTP
Authentication. I.e. Authorization: <schemeName> <schemeValue>.
I've created https://issues.apache.org/jira/browse/SHIRO-414 to add this
in. It is probably a more 'correct' way of supporting HTTP Authentication
than the per-filter implementation technique we use now.
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
On Wed, Jan 16, 2013 at 12:28 PM, Jared Bunting <jared.bunting@peachjean.com> wrote:
> I don't believe that there is an existing filter that will parse your
> x509 headers. So you will need to write that yourself.
>
> As far as falling through to the authcBasic filter - so long as you
> don't reject requests w/o x509 headers in your custom filter,
> everything should be fine so long as you specify them in your url
> filter - x509, then authcBasic.
>
> The authcBasic filter should pass the request through unmolested if the
> subject is already authenticated.
>
> HTH,
> Jared
>
> On Wed 16 Jan 2013 12:28:50 PM CST, Mo Maison wrote:
> > Hello Shiro users,
> >
> > I have a rather unusual authentication scheme, and don't
> > know how to handle that with Shiro for now.
> >
> > Basically, I'd like to authenticate users with one of the two
> > following methods:
> > 1- by a client certificate
> > OR
> > 2- with basic http
> >
> > Case 1 is handled by an external reverse proxy, which puts the client
> > x509 certificate into http request headers.
> >
> > Thus I'd like the following logic:
> > - if the request contains x509 headers, use that to create a token
> > - else use the standard authcBasic Shiro filter.
> >
> > If I specify two filters on the same url in the ini config file,
> > I guess both filters will be executed?
> > How can I shortcut authcBasic if the first filter already returns
> > a token?
> > I'd be surprised if Shiro could not handle such a case (different
> > types of authentication) out of the box.
> > Do I have to implement a custom filter, which inherits (or better,
> > composes) authcBasic?
> >
> > Any advice would be appreciated.
> >
> > Regards,
> >
> > M. Maison
>
>
>
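The scheme-dispatch idea Les describes (one filter keyed on the `Authorization: <schemeName> <schemeValue>` header), as an added example in Java. This is not code from the thread, from Shiro, or from SHIRO-414; it assumes Shiro 1.2's `AuthenticatingFilter` API, Java 8 for `java.util.Base64`, and a hypothetical class name, `SchemeHandler` interface and `realm` value. It ships with a `Basic` handler so it can stand in for `authcBasic`, and further schemes are registered by name.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical filter (not part of Shiro): parses "Authorization: <scheme> <value>"
 * and hands <value> to the handler registered for <scheme>. Requests without a
 * recognised scheme get a 401 carrying one WWW-Authenticate challenge per scheme.
 * Like every AuthenticatingFilter it is skipped when the Subject is already
 * authenticated, so filters placed before it in the chain still take precedence.
 */
public class SchemeDispatchingAuthenticationFilter extends AuthenticatingFilter {

    /** Builds a token from the header's value part; throws AuthenticationException if malformed. */
    public interface SchemeHandler {
        AuthenticationToken createToken(String schemeValue, ServletRequest request);
    }

    // scheme names are case-insensitive (RFC 2617), so look them up that way
    private final Map<String, SchemeHandler> handlers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    private String realm = "application";   // assumed realm name used in the challenge

    public SchemeDispatchingAuthenticationFilter() {
        registerScheme("Basic", SchemeDispatchingAuthenticationFilter::basicToken);
    }

    public void registerScheme(String schemeName, SchemeHandler handler) {
        handlers.put(schemeName, handler);
    }

    public void setRealm(String realm) { this.realm = realm; }

    /** Splits "Scheme value" into {scheme, value}; null when the header is absent or malformed. */
    static String[] parseAuthorization(String header) {
        if (header == null) return null;
        String[] parts = header.trim().split("\\s+", 2);
        return parts.length == 2 && !parts[1].isEmpty() ? parts : null;
    }

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String[] parsed = parseAuthorization(WebUtils.toHttp(request).getHeader("Authorization"));
        SchemeHandler handler = parsed == null ? null : handlers.get(parsed[0]);
        return handler == null ? null : handler.createToken(parsed[1], request);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        AuthenticationToken token;
        try {
            token = createToken(request, response);   // null: no header or unknown scheme
        } catch (AuthenticationException malformed) {
            token = null;                             // handler rejected the value
        }
        if (token != null) {
            // executeLogin() calls createToken() again, logs in, then onLoginSuccess/onLoginFailure
            return executeLogin(request, response);
        }
        return challenge(response);
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        return challenge(response);   // bad credentials get the same 401 as no credentials
    }

    /** 401 plus one WWW-Authenticate header per registered scheme; false stops the chain. */
    private boolean challenge(ServletResponse response) {
        HttpServletResponse http = WebUtils.toHttp(response);
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        for (String scheme : handlers.keySet()) {
            http.addHeader("WWW-Authenticate", scheme + " realm=\"" + realm + "\"");
        }
        return false;
    }

    /** Default handler for Basic: base64("user:password") -> UsernamePasswordToken. */
    static AuthenticationToken basicToken(String value, ServletRequest request) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(value), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new AuthenticationException("malformed Basic credentials", e);
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) throw new AuthenticationException("Basic credentials lack ':'");
        return new UsernamePasswordToken(decoded.substring(0, colon),
                                         decoded.substring(colon + 1), request.getRemoteHost());
    }
}
```

Wired up in `shiro.ini` as `authcHttp = com.example.SchemeDispatchingAuthenticationFilter` under `[main]` and `/** = authcHttp` under `[urls]` (class name assumed), it replaces `authcBasic` for Basic and only needs a `registerScheme(...)` call, for instance from a subclass constructor, per extra scheme. Each handler's token type still needs a Realm whose `supports()` accepts it.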
Re: Parallel authentication filters ?
Posted by Mo Maison <mo...@yahoo.fr>.
On 16/01/2013 21:28, Jared Bunting wrote:
> I don't believe that there is an existing filter that will parse your
> x509 headers. So you will need to write that yourself.
I use the following project for this:
https://github.com/eskatos/shiro-ext
and I may also propose some patches.
>
> As far as falling through to the authcBasic filter - so long as you
> don't reject requests w/o x509 headers in your custom filter,
> everything should be fine so long as you specify them in your url
> filter - x509, then authcBasic.
>
> The authcBasic filter should pass the request through unmolested if the
> subject is already authenticated.
Indeed, this is exactly what happens (I didn't know how auth
filters actually worked: tokens are checked only if the subject is not
already authenticated).
Thus I have added an [optional] configuration on the first filter
(ForwardedX509AuthenticationFilter) so that it does nothing if
no headers are present (instead of crashing).
Note that this kind of dual auth scheme also involves a check
on the local interface which received the request: headers
can be accepted only for requests coming from a firewalled
interface, accessible only by a trusted reverse proxy.
Thank you for your quick help!
M. Maison
>
> HTH,
> Jared
>
> On Wed 16 Jan 2013 12:28:50 PM CST, Mo Maison wrote:
>> Hello Shiro users,
>>
>> I have a rather unusual authentication scheme, and don't
>> know how to handle that with Shiro for now.
>>
>> Basically, I'd like to authenticate users with one of the two
>> following methods:
>> 1- by a client certificate
>> OR
>> 2- with basic http
>>
>> Case 1 is handled by an external reverse proxy, which puts the client
>> x509 certificate into http request headers.
>>
>> Thus I'd like the following logic:
>> - if the request contains x509 headers, use that to create a token
>> - else use the standard authcBasic Shiro filter.
>>
>> If I specify two filters on the same url in the ini config file,
>> I guess both filters will be executed?
>> How can I shortcut authcBasic if the first filter already returns
>> a token?
>> I'd be surprised if Shiro could not handle such a case (different
>> types of authentication) out of the box.
>> Do I have to implement a custom filter, which inherits (or better,
>> composes) authcBasic?
>>
>> Any advice would be appreciated.
>>
>> Regards,
>>
>> M. Maison
>
>
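The two-filter chain from this reply (a forwarded-certificate filter that falls through when no header is present and only trusts the header on the proxy's interface, followed by `authcBasic`), as an added example in Java. This is not the shiro-ext code nor anything from the thread; it assumes Shiro 1.2's `AuthenticatingFilter`, a hypothetical class and token type, a header name `X-SSL-Client-DN` and interface address `10.0.0.5` chosen for the example, and a Realm configured to accept the token.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.HostAuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/*
 * Hypothetical filter written for this example. Wiring in shiro.ini, with the
 * assumed header name and interface address:
 *
 *   [main]
 *   x509 = com.example.ForwardedX509AuthenticationFilter
 *   x509.subjectDnHeader = X-SSL-Client-DN
 *   x509.trustedLocalAddr = 10.0.0.5
 *   x509.optional = true
 *   [urls]
 *   /** = x509, authcBasic
 *
 * Order matters: x509 runs first; once it has authenticated the Subject,
 * authcBasic's isAccessAllowed() sees an authenticated Subject and passes the
 * request through untouched, as described in the thread.
 */
public class ForwardedX509AuthenticationFilter extends AuthenticatingFilter {

    private String subjectDnHeader = "X-SSL-Client-DN"; // assumed: header the proxy sets
    private String trustedLocalAddr;                    // interface reserved for the proxy
    private boolean optional = true;                    // fall through when no header

    public void setSubjectDnHeader(String name) { this.subjectDnHeader = name; }
    public void setTrustedLocalAddr(String addr) { this.trustedLocalAddr = addr; }
    public void setOptional(boolean optional) { this.optional = optional; }

    /** DN forwarded by the proxy, or null when the header is absent or blank. */
    private String forwardedDn(ServletRequest request) {
        String dn = WebUtils.toHttp(request).getHeader(subjectDnHeader);
        return dn == null || dn.trim().isEmpty() ? null : dn.trim();
    }

    /** getLocalAddr() is the address this request was received on, not the peer's address. */
    private boolean arrivedOnTrustedInterface(ServletRequest request) {
        return trustedLocalAddr != null && trustedLocalAddr.equals(request.getLocalAddr());
    }

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String dn = forwardedDn(request);
        return dn == null ? null : new ForwardedX509Token(dn, request.getRemoteHost());
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (forwardedDn(request) == null) {
            // no certificate header: let the next filter (authcBasic) handle the request,
            // or deny outright when this filter is configured as mandatory
            if (optional) return true;
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        if (!arrivedOnTrustedInterface(request)) {
            // header present, but the request did not arrive through the proxy's
            // firewalled interface, so the header cannot be trusted: refuse it
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return executeLogin(request, response); // createToken() + subject.login()
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        try {
            // the realm did not recognise the DN: stop here rather than fall through
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (java.io.IOException ignored) {
            // response already committed; nothing more to send
        }
        return false;
    }

    /** Hypothetical token: the DN is the principal; since the proxy vouches for it, it doubles as the credential. */
    public static class ForwardedX509Token implements HostAuthenticationToken {
        private final String dn;
        private final String host;
        ForwardedX509Token(String dn, String host) { this.dn = dn; this.host = host; }
        @Override public Object getPrincipal() { return dn; }
        @Override public Object getCredentials() { return dn; }
        @Override public String getHost() { return host; }
    }
}
```

The interface check is what makes the header usable as a credential: the proxy is the only party that can reach `trustedLocalAddr`, so a request carrying the header on any other interface is rejected instead of authenticated. A Realm whose `supports()` returns true for `ForwardedX509Token` and maps the DN to an account is assumed but not shown.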
Re: Parallel authentication filters ?
Posted by Jared Bunting <ja...@peachjean.com>.
I don't believe that there is an existing filter that will parse your
x509 headers. So you will need to write that yourself.
As far as falling through to the authcBasic filter - so long as you
don't reject requests w/o x509 headers in your custom filter,
everything should be fine so long as you specify them in your url
filter - x509, then authcBasic.
The authcBasic filter should pass the request through unmolested if the
subject is already authenticated.
HTH,
Jared
On Wed 16 Jan 2013 12:28:50 PM CST, Mo Maison wrote:
> Hello Shiro users,
>
> I have a rather unusual authentication scheme, and don't
> know how to handle that with Shiro for now.
>
> Basically, I'd like to authenticate users with one of the two
> following methods:
> 1- by a client certificate
> OR
> 2- with basic http
>
> Case 1 is handled by an external reverse proxy, which puts the client
> x509 certificate into http request headers.
>
> Thus I'd like the following logic:
> - if the request contains x509 headers, use that to create a token
> - else use the standard authcBasic Shiro filter.
>
> If I specify two filters on the same url in the ini config file,
> I guess both filters will be executed?
> How can I shortcut authcBasic if the first filter already returns
> a token?
> I'd be surprised if Shiro could not handle such a case (different
> types of authentication) out of the box.
> Do I have to implement a custom filter, which inherits (or better,
> composes) authcBasic?
>
> Any advice would be appreciated.
>
> Regards,
>
> M. Maison