shiro-user mailing list archives

From Les Hazlewood <>
Subject Re: Using Shiro with Icefaces.
Date Tue, 05 Oct 2010 17:52:36 GMT
The 'authc' filter is an instance of the FormAuthenticationFilter
class by default.  This means it is expected that the underlying page
that is served has a form in it, and that form has 'username' and
'password' form fields and an optional 'rememberMe' field.

The FormAuthenticationFilter will automatically look for those form
fields, construct a UsernamePasswordToken accordingly, and call
subject.login(token) automatically.  You don't need to write a servlet
or JSP to do that logic.  You just need to ensure that the form is
served - either via a normal .html page or a JSP/JSF or whatever page.

Now, if you _do_ want to process the submission yourself (construct
the token and call subject.login manually), because you want to use
your own MVC framework, or to customize how error messages are
displayed, or for whatever other reason, you should use the
PassThruAuthenticationFilter instead:

# override authc to 'pass thru' to an underlying MVC mechanism:
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /login.whatever
roles.unauthorizedUrl = /unauthorized.whatever

/secure/** = authc, roles[user]
/admin/** = authc, roles[admin]
/** = authc


Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:

On Tue, Oct 5, 2010 at 2:23 AM, pkerrigan <> wrote:
> Hi Kalle,
> thanks for the pointer. I think now it must be a problem of configuration,
> not Icefaces.
> My working example program had a public home page and a secure area, but I
> want to restrict access to ALL pages in my Icefaces application. To do this
> I added /** = authc to the url section as shown below.
> When I do this to my working example program it stops working in the same
> way as with the Icefaces webapp, even though I have added the /login.jsp =
> authc line.
> What is the correct way to restrict access to all pages?
>               [filters]
>                authc.loginUrl = /login.jsp
>                roles.unauthorizedUrl = /unauthorized.jsp
>                [urls]
>                /login.jsp = authc
>                /secure/** = authc, roles[user]
>                /admin/** = authc, roles[admin]
>                /** = authc
> -----
> regards,
> Philip Kerrigan
> --
> View this message in context:
> Sent from the Shiro User mailing list archive at
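
The manual login path described in the reply above (PassThruAuthenticationFilter with your own handler calling subject.login), as an added example that is not part of the original message or of the Shiro project. It assumes Shiro 1.x on the javax.servlet API and a servlet mapped to the URL set as authc.loginUrl; LoginServlet, LOGIN_VIEW and the loginError attribute are hypothetical names. A GET renders the form, since the filter lets requests for loginUrl through, and a POST performs the login.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.web.util.WebUtils;

// Added example (not from the original message). Hypothetical servlet mapped to authc.loginUrl.
public class LoginServlet extends HttpServlet {
    private static final String LOGIN_VIEW = "/WEB-INF/login.jsp"; // hypothetical view path

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher(LOGIN_VIEW).forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        boolean rememberMe = req.getParameter("rememberMe") != null; // checkbox present
        if (username == null || password == null) {
            showError(req, resp);
            return;
        }
        UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe);
        try {
            SecurityUtils.getSubject().login(token);
            // Go back to the URL the filter saved before redirecting here, else "/".
            WebUtils.redirectToSavedRequest(req, resp, "/");
        } catch (AuthenticationException e) {
            showError(req, resp);
        } finally {
            token.clear(); // wipe the password char[] held by the token
        }
    }

    // One generic message for every failure so the page does not reveal valid usernames.
    private void showError(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.setAttribute("loginError", "Invalid username or password.");
        req.getRequestDispatcher(LOGIN_VIEW).forward(req, resp);
    }
}
```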
