>>>>> Brian Demers <[email protected]>:
> You can also use `@RequireRoles("myapprole")` annotation instead of
> the permission one.
> I think the problem you might be running into is the
> `PassThruAuthenticationFilter` doesn't have a "permissive" option, so
> it's likely redirecting on that filter.
Ok. I can't remember why I'm using that one, but it is the one that had
the behaviour I desired once upon a time... ah! The comment says why:
// Using the PassThruAuthenticationFilter instead of the default authc FormAuthenticationFilter
// to be able to do a redirect back "out of" authservice to the originalUrl
It's because of my usage of Shiro for something other than authentication
inside of a java webapp. I use it to provide cookie authentication to
nginx and across multiple web applications.
> To work around this, you could use the form auth filter, or create
> your own filter that instead of redirecting returns a 401
> https://github.com/apache/shiro/blob/0c0d9da2d81a4b24de6e02bc1c8a2ad1b5ef32d7/web/src/main/java/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.java#L49-L56
> Bind your new filter to `/api/**`
> Does that help?
Yes, I think so, thanks!
But it will require some thought and experimentation...
But since I won't do redirects on the /api/* paths, there is no need for
the PassThruAuthentication behaviour here, so I could use the regular
authc filter for this path.
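
The "return a 401 instead of redirecting" filter suggested above could look like the following. This is an added example, not code from the thread or from the Shiro project. The class name, package and the `api401` filter name are hypothetical, and the `javax.servlet` imports assume a Shiro 1.x webapp.

```java
package com.example.authservice; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Variant of PassThruAuthenticationFilter for API paths: an unauthenticated
 * request gets a bare 401 instead of a redirect to the login URL.
 *
 * Assumed shiro.ini binding (filter name "api401" is hypothetical):
 *
 *   [main]
 *   api401 = com.example.authservice.ApiUnauthorizedFilter
 *
 *   [urls]
 *   /api/** = api401
 *
 * The first matching pattern in [urls] wins, so the /api/** line has to
 * come before any broader pattern such as /**.
 */
public class ApiUnauthorizedFilter extends PassThruAuthenticationFilter {

    /**
     * Called only when isAccessAllowed() has returned false, that is, when
     * the subject is not authenticated. The stock implementation lets login
     * requests through and otherwise calls saveRequestAndRedirectToLogin();
     * here every such request is rejected, because no login page is served
     * under the API path.
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        HttpServletResponse http = WebUtils.toHttp(response);
        // setStatus rather than sendError, so the container does not replace
        // the response with its HTML error page for API clients.
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // Keep intermediaries from caching the rejection.
        http.setHeader("Cache-Control", "no-store");
        // false stops the filter chain: the protected resource is never invoked.
        return false;
    }
}
```

Returning `false` is what enforces the denial; setting the status alone would still let the request continue down the chain.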