Shiro with HTTP Basic Auth or Anonymous access to same URI

Question

I've a set of APIs under /api. If my shiro.ini lists this as:

/api/** = authcBasic

Then basic auth is required. If anon is present in place of authcBasic then no auth is required. I'd like to be able to use the APIs with basic auth so I can e.g. programatically check the user is authenticated for POSTs and yet still allow anonymous access to GETs on the same URI. Alternatively to hide restricted data at the same URI for anonymous users and reveal it for auth'd users.

Is this possible?

Answer 1

You can roll your own custom shiro filter. Extend class BasicHttpAuthenticationFilter and override onPreHandle where you can check the servlet request method if it is GET or POST and act on it.

So something like:

public class MyFilter extends BasicHttpAuthenticationFilter {

    @Override
    protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) {
        if ("GET".equals((HttpServletRequest)request).getMethod()){
            return true;
        }
        return super.onPreHandle(request, response, mappedValue);
    }

}

And in shiro.ini:

[main]
myfilter = mypackage.MyFilter

[urls]
/api/** = myfilter

Answer 2

Have you tried:

/api/** = authcBasic[permissive]

• if user/password is set, shiro sends 401 if they are wrong
• if user/password is not set, no 401. SecurityUtils.getSubject().authenticated is false