shiro-dev mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject SHIRO-283 design: supporting both Form & BASIC authc simultaneously
Date Mon, 15 Aug 2011 16:43:40 GMT

For reference: https://issues.apache.org/jira/browse/SHIRO-283

I wonder if there is a way for us to do this in a cleaner way.  I'm
not sure that the 'permissive' flag, while a good initial solution, is
ideal.

That is, to me, the AuthenticationFilter makes a _guarantee_ that the
request won't go through unless 1) the subject is already
authenticated or 2) the current request is an authentication-related
request.  Unless I'm missing something, the 'permissive' flag
eliminates this guarantee.

I wonder if it'd be better for us to create a composite Filter that
does the necessary logic to retain the guarantee.  Perhaps it is even
as simple as OO composition where we can use the
FormAuthenticationFilter and the BasicAuthenticationFilter internally
to offload work (not sure - haven't thought about that much yet).

Thoughts?

Les
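
The guarantee described in the message above, sketched as an added example (not code from the post or from Shiro): a single servlet filter that accepts either a BASIC header or a form POST and still lets nothing through unless the subject is authenticated or the request targets the login page. The class name, login path, parameter names, realm string, the `javax.servlet` namespace and the rule "challenge with 401 only when an Authorization header was sent" are assumptions; it calls `Subject.login` directly rather than composing the two existing filters.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

// Hypothetical composite filter; this class does not exist in Shiro.
public class FormOrBasicAuthcFilter implements Filter {
    private static final String LOGIN_URL = "/login.jsp"; // assumed login page path
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        Subject subject = SecurityUtils.getSubject();
        String authz = req.getHeader("Authorization");
        String path = req.getRequestURI().substring(req.getContextPath().length());
        boolean loginPage = path.equals(LOGIN_URL);
        try {
            if (!subject.isAuthenticated() && authz != null
                    && authz.regionMatches(true, 0, "Basic ", 0, 6)) {
                // BASIC attempt: header carries base64("user:password").
                String[] up = new String(Base64.getDecoder().decode(authz.substring(6).trim()),
                        StandardCharsets.UTF_8).split(":", 2);
                subject.login(new UsernamePasswordToken(up[0], up.length > 1 ? up[1] : ""));
            } else if (!subject.isAuthenticated() && loginPage
                    && "POST".equalsIgnoreCase(req.getMethod())) {
                // Form attempt: the parameter names are assumptions.
                subject.login(new UsernamePasswordToken(
                        req.getParameter("username"), req.getParameter("password")));
            }
        } catch (AuthenticationException | IllegalArgumentException e) {
            // Bad credentials or malformed header: subject stays unauthenticated.
        }

        if (subject.isAuthenticated() || loginPage) {
            chain.doFilter(req, res);   // the only two cases allowed through
        } else if (authz != null) {
            res.setHeader("WWW-Authenticate", "BASIC realm=\"application\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            res.sendRedirect(req.getContextPath() + LOGIN_URL);
        }
    }
}
```

Every branch of the final `if` either continues the chain under one of the two permitted conditions or terminates the request, so there is no path equivalent to a permissive pass-through.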
