Posted to user@shiro.apache.org by armandoxxx <ar...@dropchop.com> on 2017/07/07 08:39:24 UTC

Multiple auth filters and onAccessDenied() method logic question

Hey guys ... 

I've got a little logical problem with filters ... 

Our use case: 

we export rest services and our end points are protected by Shiro. 
on our end points we have different types of filter specified.



terminateFilter code is as follows



Explanation: 

All previous filters (before terminateFilter) execute login if they are
supposed to execute it (meaning .. if formAuthFilter resolves it is login
request, then login will execute and return true or false depending on the
credentials)
All previous filters will return true in case request is not meant it to
execute login.  
if none of the previous filters succeeded in isAccessAllowed and all
onAccessDenied() methods return true this terminateFilter filter will
definitely throw unauthorized response. 
So unless we have terminateFilter in configuration and all filters skip
execute login, shiro does not block user ... (try it yourself) 

question: 
Does anybody have any other solution so terminateFilter does not have to be
defined ? 

Any advice would be appreciated ... 

Regards

Armando





--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-auth-filters-and-onAccessDenied-method-logic-question-tp7581679.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Multiple auth filters and onAccessDenied() method logic question

Posted by armandoxxx <ar...@dropchop.com>.
thank you for your idea ... will check it out .. 

regards

Armando




Re: Multiple auth filters and onAccessDenied() method logic question

Posted by Brian Demers <br...@gmail.com>.
You could create a filter that would delegate to another component for each
auth type you are looking for in the request.

Possible with a "boolean supportsRequest(ServletRequest request)" and
"boolean handleAuthRequest(ServletRequest request)"

This is more or less what happens when you have multiple realms.  You could
look at the pattern used by the ModularRealmAuthenticator.  (that one is a
little more complex as it supports multiple strategies)



On Fri, Jul 7, 2017 at 4:39 AM, armandoxxx <ar...@dropchop.com> wrote:

> Hey guys ...
>
> I've got a little logical problem with filters ...
>
> Our use case:
>
> we export rest services and our end points are protected by Shiro.
> on our end points we have different types of filter specified.
>
>
>
> terminateFilter code is as follows
>
>
>
> Explanation:
>
> All previous filters (before terminateFilter) execute login if they are
> supposed to execute it (meaning .. if formAuthFilter resolves it is login
> request, then login will execute and return true or false depending on the
> credentials)
> All previous filters will return true in case request is not meant it to
> execute login.
> if none of the previous filters succeeded in isAccessAllowed and all
> onAccessDenied() methods return true this terminateFilter filter will
> definitely throw unauthorized response.
> So unless we have terminateFilter in configuration and all filters skip
> execute login, shiro does not block user ... (try it yourself)
>
> question:
> Does anybody have any other solution so terminateFilter does not have to be
> defined ?
>
> Any advice would be appreciated ...
>
> Regards
>
> Armando
>
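
The delegating filter suggested in Brian Demers's reply, as an added example that is not code from the thread or from the Shiro project. `AuthRequestHandler` and `DelegatingAuthFilter` are hypothetical names; the two handler methods use the signatures quoted in the reply, and the `javax.servlet` API of Shiro 1.x is assumed. The filter denies by default, so no separate terminateFilter is needed at the end of the chain.

```java
import java.util.List;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical component interface: one implementation per auth type
// (form login, token header, ...). Method names are taken from the reply.
interface AuthRequestHandler {
    // True if this handler recognises the request as a login attempt of its type.
    boolean supportsRequest(ServletRequest request);
    // Performs the login; true only if the credentials were accepted.
    boolean handleAuthRequest(ServletRequest request);
}

// Hypothetical filter that replaces the chain of per-type auth filters.
// Assumption: handlers are injected by the container or by programmatic setup.
public class DelegatingAuthFilter extends AccessControlFilter {
    private final List<AuthRequestHandler> handlers;

    public DelegatingAuthFilter(List<AuthRequestHandler> handlers) {
        this.handlers = handlers;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // Already authenticated subjects pass straight through.
        return getSubject(request, response).isAuthenticated();
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        for (AuthRequestHandler handler : handlers) {
            if (handler.supportsRequest(request)) {
                if (handler.handleAuthRequest(request)) {
                    return true;  // login succeeded: continue the filter chain
                }
                break;            // handler claimed the request but login failed
            }
        }
        // Default deny: no handler matched, or the matching one rejected the login.
        WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;             // response already written: stop the chain
    }
}
```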