A quick note: the filters automatically enabled for url chain definitions are defined here:
http://incubator.apache.org/shiro/web.html in the 'Default Filters' section. Cheers, Les On Fri, Jul 2, 2010 at 11:52 AM, Les Hazlewood <[email protected]> wrote: > Hi Tauren, > > If you'll indulge me, I'll reference how to do it both in INI and in > Spring config - I know you're not using INI, but this could help > others who might. Also, you can see the parallel between the two > config mechanisms, as they achieve almost the same thing. > > For registering AuthenticationListeners, you would have to set them by > traversing the SecurityManager's object graph and setting the property > that way - the same way you would do it in INI. For example, in INI: > > securityManager.authenticator.authenticationListeners = > $authcListener1, $authcListener2, ..., $authcListenerN > > In Spring: > > <bean id="securityManager" class="..."> > ... > <property name="authenticator.authenticationListeners"> > <set> > <bean ref="authcListener1"/> > <bean ref="authcListener2"/> > ... > </bean ref="authcListenerN"/> > </set> > </property> > </bean> > > As for excluding URLs, no coding necessary - you can do that via URL > chain configuration. For example, in INI, you can do that by using > [urls] section and defining a chain with the 'anon' filter (anonymous > - allow requests to pass through without any security check): > > shiro.ini: > ... > [urls] > /css = anon > /js = anon > /assets/images = anon > > Or, in Spring: > > <bean id="shiroFilter" > class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> > ... > <!-- the ShiroFilterFactoryBean's 'filterChainDefinitions' property is the > same exact thing as the INI's [urls] section: --> > <property name="filterChainDefinitions"> > <value> > /css = anon > /js = anon > /asses/images = anon > ... > </value> > </property> > </bean> > > So technically the ShiroFilter still handles all requests (in web.xml, > you want the <url-pattern>/*</url-pattern> to be defined), but you can > exclude urls this way. This is far more flexible than using web.xml > since it doesn't have the notion of exclusionary policies. > > Also, don't forget that in Shiro's url chain definitions, the 'first > match wins' for url pattern matching. Make sure you define chains in > the order that they will be successfully matched against. For > example, this is good: > > /user/signup = anon > /user/** = authc > > and this wouldn't be nice: > > /user/** = authc > /user/signup = anon > > Because in the 2nd example, '/user/**' matches any request targeted at > '/user/signup' and the 'authc' filter would be invoked (thereby > preventing guests from signing up - clearly not the desired behavior). > > HTH! > > Les > > On Fri, Jul 2, 2010 at 12:24 AM, Tauren Mills <[email protected]> wrote: >> Where can I find some sample code that illustrates the best way to >> register an AuthenticationListener? It seems that >> AuthenticationListenerRegistrar no longer exists. I would prefer to >> see how to do it using Spring for configuration instead of INI. Is >> there a sample project that illustrates how to do this? >> >> Also, I'm unclear on how to best customize the filter. My web.xml >> specifies a DelegatingFilterProxy, which I believe is then utilizing a >> ShiroFilterFactoryBean. My intent is to write a custom doFilter method >> that excludes certain paths, such as /css, /img, and /js. Should my >> custom filter extend some class? And how do I wire up my custom >> filter? Do I specify something as the targetBeanName init param? >> >> Alternatively, is there a different, simpler, or better way to EXCLUDE >> certain paths from being handled by the ShiroFilter? For instance, is >> there a way to do this purely with configuration inside of the web.xml >> alone? >> >> Lastly, what does the targetFilterLifecycle init param do? >> >> Here's the pertinent part of my spring ShiroFilter config: >> >> <bean id="ShiroFilter" >> class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> >> <property name="securityManager" ref="securityManager"/> >> </bean> >> >> Here are my current filter mappings: >> >> <filter> >> <filter-name>HibernateFilter</filter-name> >> >> <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class> >> </filter> >> <filter> >> <filter-name>ShiroFilter</filter-name> >> >> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> >> <!-- >> <init-param> >> <param-name>targetFilterLifecycle</param-name> >> <param-value>true</param-value> >> </init-param> >> --> >> </filter> >> <filter> >> <filter-name>WicketFilter</filter-name> >> >> <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class> >> <init-param> >> <param-name>applicationFactoryClassName</param-name> >> >> <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value> >> </init-param> >> </filter> >> >> <filter-mapping> >> <filter-name>HibernateFilter</filter-name> >> <url-pattern>/*</url-pattern> >> </filter-mapping> >> <filter-mapping> >> <filter-name>ShiroFilter</filter-name> >> <url-pattern>/*</url-pattern> >> </filter-mapping> >> <filter-mapping> >> <filter-name>WicketFilter</filter-name> >> <url-pattern>/*</url-pattern> >> <dispatcher>REQUEST</dispatcher> >> <dispatcher>ERROR</dispatcher> >> </filter-mapping> >> >> Thanks, >> Tauren >> >
