Shiro with HTTP Basic Auth or Anonymous access to same URI

I've a set of APIs under /api. If my shiro.ini lists this as:

/api/** = authcBasic

Then basic auth is required. If anon is present in place of authcBasic, then no auth is required. I'd like to be able to use the APIs with basic auth so I can e.g. programmatically check the user is authenticated for POSTs and yet still allow anonymous access to GETs on the same URI. Alternatively, to hide restricted data at the same URI for anonymous users and reveal it for auth'd users.

Is this possible?

rich asked Mar 19 '23 17:03



2 Answers

You can roll your own custom Shiro filter. Extend class BasicHttpAuthenticationFilter and override onPreHandle, where you can check whether the servlet request method is GET or POST and act on it.

So something like:

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;

public class MyFilter extends BasicHttpAuthenticationFilter {

    @Override
    protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) {
        // Let every GET through without authentication
        if ("GET".equals(((HttpServletRequest) request).getMethod())) {
            return true;
        }
        // Any other method gets the normal HTTP Basic handling (401 challenge if not authenticated)
        return super.onPreHandle(request, response, mappedValue);
    }

}

And in shiro.ini:

[main]
myfilter = mypackage.MyFilter

[urls]
/api/** = myfilter
Wouter answered Apr 06 '23 12:04



Have you tried:

/api/** = authcBasic[permissive]

  • if user/password is set, Shiro sends 401 if they are wrong
  • if user/password is not set, there is no 401; SecurityUtils.getSubject().authenticated is false
c-toesca answered Apr 06 '23 11:04

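Combining the two answers, here is an added example (not code from either answer) of a filter that lets read methods through anonymously but still logs in a caller who does send credentials, so a GET handler can use SecurityUtils.getSubject().isAuthenticated() to decide what to reveal, while wrong credentials get a 401 even on GET. The package, class and filter names are assumed, as is the javax.servlet API used by Shiro 1.x.

```java
package mypackage; // assumed package name

import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Basic-auth filter that requires credentials for write methods but lets
 * read methods through anonymously. Unlike returning true straight from
 * onPreHandle, it still logs in a caller who sends an Authorization header,
 * so a GET handler can tell anonymous and authenticated callers apart.
 *
 * Wiring in shiro.ini (filter name is assumed):
 *   [main]
 *   methodAwareBasic = mypackage.MethodAwareBasicAuthFilter
 *   [urls]
 *   /api/** = methodAwareBasic
 */
public class MethodAwareBasicAuthFilter extends BasicHttpAuthenticationFilter {

    // Methods that may proceed without credentials (read-only by HTTP semantics).
    private static final Set<String> ANONYMOUS_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    // Reached only when isAccessAllowed() was false, i.e. the Subject is not yet authenticated.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        String method = WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ROOT);
        if (isLoginAttempt(request, response)) {
            // Credentials were supplied: attempt the login regardless of method, and reject
            // bad credentials with 401 rather than silently degrading a GET to anonymous.
            if (executeLogin(request, response)) {
                return true;
            }
            return sendChallenge(request, response); // sets 401 + WWW-Authenticate, returns false
        }
        if (ANONYMOUS_METHODS.contains(method)) {
            // No credentials on a read: continue with the anonymous Subject. The handler can
            // call SecurityUtils.getSubject().isAuthenticated() to decide what to reveal.
            return true;
        }
        // No credentials on a write: challenge for Basic auth.
        return sendChallenge(request, response);
    }
}
```

This differs from authcBasic[permissive] only in that anonymous access is limited to the listed read methods; a POST without credentials is still challenged with 401.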