Posted to user@shiro.apache.org by Jared Bunting <ja...@digitalreasoning.com> on 2011/01/21 18:14:53 UTC

Avoiding authorization when using authcBasic filter

Currently it appears that when using the authcBasic filter, users are required to login.  Is there any simple way to eliminate this requirement, allowing users access (and doing authorization in the service layer) and only sending the challenge if an "UnauthenticatedException" is thrown?

Thanks,
Jared

RE: Avoiding authorization when using authcBasic filter

Posted by Hendy Irawan <he...@soluvas.com>.
I also want to do something similar to this, but actually much simpler (no permissions
check, just "optional" authentication).

I still don't know how to make shiro use HTTP Basic Auth (authcBasic) while
at the same time allowing anonymous!

If I use anon, getSubject().getPrincipal() will return null.

If I use authcBasic, getSubject().getPrincipal() will return the username if the
credentials are valid, or else the request will be rejected.

What I want is: return the username if the credentials are valid, return null if
the credentials are not valid.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Avoiding-authorization-when-using-authcBasic-filter-tp5948538p6247561.html
Sent from the Shiro User mailing list archive at Nabble.com.

RE: Avoiding authorization when using authcBasic filter

Posted by Jared Bunting <ja...@digitalreasoning.com>.
Les,

Thanks for the response.  I'll try and be more clear.

Basically what I'm saying is, "the user must be authenticated to visit this URL" IS authorization.  I want an HTTP BASIC filter that only rejects a user if a login fails, NOT if they don't even attempt to login.  A user who doesn't attempt to login shouldn't be refused access (by the authentication filter); they should be allowed into the system as an unauthenticated user.  Basically, a filter that looks something like this:

doFilter(request, response, chain) {
  // Only attempt a login when the client actually sent Basic credentials.
  if(isLoginAttempt(request)) {
    if(!executeLogin(createToken(request, response))) {
      sendChallenge();
      return; // bad credentials: stop here rather than running the chain after a 401
    }
  }
  // No credentials (or valid ones): let the request through. If the service
  // layer later demands authentication, answer with the Basic challenge.
  try {
    chain.doFilter(request, response);
  } catch (UnauthenticatedException e) {
    sendChallenge();
  }
}

Or, to reword, "when accessing this URL, the user may be authenticated via the HTTP BASIC protocol.  If authorization later requires the user to login, require authentication via the HTTP BASIC protocol."  Another possible description: "allows authentication" vs "requires authentication".

I'm not sure how clear I'm being here...let me know if I need to explain it some other way...

Thanks,
Jared


-----Original Message-----
From: les.hazlewood@anjinllc.com on behalf of Les Hazlewood
Sent: Fri 1/21/2011 6:20 PM
To: user@shiro.apache.org
Subject: Re: Avoiding authorization when using authcBasic filter
 
Hi Jared,

I'm confused - the authcBasic filter deals with authentication via the
HTTP BASIC authentication protocol, and doesn't deal with
authorization.  Using it basically means "the user must be
authenticated to visit this URL.  If not, require authentication via
the HTTP BASIC protocol."

Authentication and Authorization are orthogonal concepts.  What are
you trying to achieve?

Regards,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Fri, Jan 21, 2011 at 9:14 AM, Jared Bunting
<ja...@digitalreasoning.com> wrote:
> Currently it appears that when using the authcBasic filter, users are
> required to login.  Is there any simple way to eliminate this requirement,
> allowing users access (and doing authorization in the service layer) and
> only sending the challenge if an "UnauthenticatedException" is thrown?
>
> Thanks,
> Jared
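The "allows authentication" filter Jared sketches above (and the "optional" Basic auth Hendy asks for earlier in the thread) can be written as a subclass of Shiro's `BasicHttpAuthenticationFilter`. The class below is an added example, not code from the thread or from the Shiro project; it assumes the Shiro 1.x hook methods it overrides (`isAccessAllowed`, `onAccessDenied`, `executeChain`, `isLoginAttempt`, `executeLogin`, `sendChallenge`) and the hypothetical package name `com.example.shiro`. Requests with no `Authorization` header pass through as an anonymous subject; requests with valid credentials pass through logged in; requests with bad credentials get a 401 challenge and never reach the chain; and an `UnauthenticatedException` escaping from the service layer is turned into the same challenge.

```java
// Added example (not from the thread or the Shiro project). Assumes Shiro 1.x
// web filter hooks; package name and filter name are hypothetical.
package com.example.shiro;

import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;

/**
 * "Allows authentication" rather than "requires authentication":
 *   - no Authorization header         -> chain runs with an anonymous subject
 *   - valid Basic credentials         -> subject logged in, chain runs
 *   - invalid Basic credentials       -> 401 + WWW-Authenticate, chain does NOT run
 *   - UnauthenticatedException later  -> 401 + WWW-Authenticate
 *
 * Wire it up in shiro.ini (hypothetical names):
 *   [main]
 *   optionalBasic = com.example.shiro.OptionalBasicHttpAuthenticationFilter
 *   optionalBasic.applicationName = My API
 *   [urls]
 *   /api/** = optionalBasic
 */
public class OptionalBasicHttpAuthenticationFilter extends BasicHttpAuthenticationFilter {

    /**
     * Access is allowed if the subject is already authenticated, or if the client
     * made no login attempt at all (no "Authorization: Basic ..." header).
     * Presenting credentials is the only thing that triggers onAccessDenied.
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        return super.isAccessAllowed(request, response, mappedValue)
                || !isLoginAttempt(request, response);
    }

    /**
     * Reached only when Basic credentials were sent and the subject is not yet
     * authenticated. Try the login; on failure challenge and stop the chain.
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (executeLogin(request, response)) {
            return true;                  // continue as the authenticated subject
        }
        sendChallenge(request, response); // 401 + WWW-Authenticate: Basic realm="..."
        return false;                     // bad credentials: do not run the chain
    }

    /**
     * Let anonymous requests through, but if downstream code (a service method
     * guarded by checkPermission / @RequiresAuthentication, for example) rejects
     * them with UnauthenticatedException, answer with the Basic challenge instead
     * of letting the exception surface as a server error.
     */
    @Override
    protected void executeChain(ServletRequest request, ServletResponse response, FilterChain chain)
            throws Exception {
        try {
            super.executeChain(request, response, chain);
        } catch (UnauthenticatedException e) {
            if (response.isCommitted()) {
                throw e;                  // too late to change status or headers
            }
            sendChallenge(request, response);
        }
    }
}
```

Two things to check before relying on this. First, the `catch` in `executeChain` only fires if `UnauthenticatedException` actually propagates back up to the filter; a web framework that maps exceptions to error pages or responses before they leave the servlet will swallow it, in which case the challenge has to be sent from that framework's exception handler instead. Second, the behaviour Hendy describes (principal is the username for valid credentials, `null` otherwise) falls out of the same class except for the bad-credentials case, which here deliberately challenges rather than silently continuing as anonymous; returning `true` from `onAccessDenied` on login failure would give the silent variant, at the cost of never telling the client its credentials were rejected. Later Shiro releases also added a `permissive` option to the authenticating filters (`authcBasic[permissive]`) for the common case; check the `AuthenticatingFilter` of the version in use before depending on it.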


Re: Avoiding authorization when using authcBasic filter

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jared,

I'm confused - the authcBasic filter deals with authentication via the
HTTP BASIC authentication protocol, and doesn't deal with
authorization.  Using it basically means "the user must be
authenticated to visit this URL.  If not, require authentication via
the HTTP BASIC protocol."

Authentication and Authorization are orthogonal concepts.  What are
you trying to achieve?

Regards,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Fri, Jan 21, 2011 at 9:14 AM, Jared Bunting
<ja...@digitalreasoning.com> wrote:
> Currently it appears that when using the authcBasic filter, users are
> required to login.  Is there any simple way to eliminate this requirement,
> allowing users access (and doing authorization in the service layer) and
> only sending the challenge if an "UnauthenticatedException" is thrown?
>
> Thanks,
> Jared