Hi Tauren,

You should configure the loginUrl, successUrl and unauthorizedUrl properties on the ShiroFilterFactoryBean as shown in the 'applicationContext.xml' section here:
http://incubator.apache.org/shiro/spring.html

Those properties on the FactoryBean will automatically trigger setting the same properties on any Shiro filter that has them (e.g. the 'authc' filter needs to know where to redirect users for login. The default is '/login.jsp').

Finally, I think it might be a little odd to define a user's last access timestamp based on how Shiro acquires its remembered principals. Might it be better if it was based on their Session's last access timestamp? I realize there are a number of ways to solve this, and your solution might work perfectly well for your application - so don't change it unless it makes sense to. I only bring it up because I personally use the session last access timestamp for this in my own applications.

Cheers,

Les

On Fri, Jul 2, 2010 at 12:27 PM, Tauren Mills <[email protected]> wrote:
> Les,
>
> Thanks so much, this helps a lot! I'll give the
> AuthenticationListener configuration a try shortly.
>
> However, I'm still having troubles with excluding paths. Adding
> filterChainDefinitions does seem to avoid calling
> CookieRememberMeManager.getRememberedPrincipals() multiple times for
> hits to resources on the home page. My goal for excluding these paths
> is to reduce the number of times my user object is updated with a new
> accessed date:
>
>     @Override
>     public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) {
>         PrincipalCollection principals = super.getRememberedPrincipals(subjectContext);
>         if (principals != null) {
>             Long id = (Long) principals.getPrimaryPrincipal();
>             log.info("RememberMe Principals located for: " + id);
>             memberService.updateAccessed(id);
>         }
>         return principals;
>     }
>
> However, when I add filterChainDefinitions, it seems to override my
> Wicket configuration for what URL should be used for login. When I
> don't have any filterChainDefinitions defined, and a user goes to
> /dashboard, Wicket redirects them to /login.
> However, when I define
> filterChainDefinitions, they are sent to /login.jsp which doesn't
> exist.
>
>     <property name="filterChainDefinitions">
>         <value>
>             /css = anon
>             /img = anon
>             /js = anon
>             /signup = anon
>             /login = anon
>             /dashboard = authc
>         </value>
>     </property>
>
> Any suggestions?
>
> Thanks again,
> Tauren
>
>
> On Fri, Jul 2, 2010 at 11:52 AM, Les Hazlewood <[email protected]> wrote:
>> Hi Tauren,
>>
>> If you'll indulge me, I'll reference how to do it both in INI and in
>> Spring config - I know you're not using INI, but this could help
>> others who might. Also, you can see the parallel between the two
>> config mechanisms, as they achieve almost the same thing.
>>
>> For registering AuthenticationListeners, you would have to set them by
>> traversing the SecurityManager's object graph and setting the property
>> that way - the same way you would do it in INI. For example, in INI:
>>
>>     securityManager.authenticator.authenticationListeners = $authcListener1, $authcListener2, ..., $authcListenerN
>>
>> In Spring:
>>
>>     <bean id="securityManager" class="...">
>>         ...
>>         <property name="authenticator.authenticationListeners">
>>             <set>
>>                 <ref bean="authcListener1"/>
>>                 <ref bean="authcListener2"/>
>>                 ...
>>                 <ref bean="authcListenerN"/>
>>             </set>
>>         </property>
>>     </bean>
>>
>> As for excluding URLs, no coding necessary - you can do that via URL
>> chain configuration. For example, in INI, you can do that by using
>> [urls] section and defining a chain with the 'anon' filter (anonymous
>> - allow requests to pass through without any security check):
>>
>>     shiro.ini:
>>     ...
>>     [urls]
>>     /css = anon
>>     /js = anon
>>     /assets/images = anon
>>
>> Or, in Spring:
>>
>>     <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>>         ...
>>         <!-- the ShiroFilterFactoryBean's 'filterChainDefinitions' property is the
>>              same exact thing as the INI's [urls] section: -->
>>         <property name="filterChainDefinitions">
>>             <value>
>>                 /css = anon
>>                 /js = anon
>>                 /assets/images = anon
>>                 ...
>>             </value>
>>         </property>
>>     </bean>
>>
>> So technically the ShiroFilter still handles all requests (in web.xml,
>> you want the <url-pattern>/*</url-pattern> to be defined), but you can
>> exclude urls this way. This is far more flexible than using web.xml
>> since it doesn't have the notion of exclusionary policies.
>>
>> Also, don't forget that in Shiro's url chain definitions, the 'first
>> match wins' for url pattern matching. Make sure you define chains in
>> the order that they will be successfully matched against. For
>> example, this is good:
>>
>>     /user/signup = anon
>>     /user/** = authc
>>
>> and this wouldn't be nice:
>>
>>     /user/** = authc
>>     /user/signup = anon
>>
>> Because in the 2nd example, '/user/**' matches any request targeted at
>> '/user/signup' and the 'authc' filter would be invoked (thereby
>> preventing guests from signing up - clearly not the desired behavior).
>>
>> HTH!
>>
>> Les
>>
>> On Fri, Jul 2, 2010 at 12:24 AM, Tauren Mills <[email protected]> wrote:
>>> Where can I find some sample code that illustrates the best way to
>>> register an AuthenticationListener? It seems that
>>> AuthenticationListenerRegistrar no longer exists. I would prefer to
>>> see how to do it using Spring for configuration instead of INI. Is
>>> there a sample project that illustrates how to do this?
>>>
>>> Also, I'm unclear on how to best customize the filter. My web.xml
>>> specifies a DelegatingFilterProxy, which I believe is then utilizing a
>>> ShiroFilterFactoryBean. My intent is to write a custom doFilter method
>>> that excludes certain paths, such as /css, /img, and /js. Should my
>>> custom filter extend some class? And how do I wire up my custom
>>> filter?
>>> Do I specify something as the targetBeanName init param?
>>>
>>> Alternatively, is there a different, simpler, or better way to EXCLUDE
>>> certain paths from being handled by the ShiroFilter? For instance, is
>>> there a way to do this purely with configuration inside of the web.xml
>>> alone?
>>>
>>> Lastly, what does the targetFilterLifecycle init param do?
>>>
>>> Here's the pertinent part of my spring ShiroFilter config:
>>>
>>>     <bean id="ShiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>>>         <property name="securityManager" ref="securityManager"/>
>>>     </bean>
>>>
>>> Here are my current filter mappings:
>>>
>>>     <filter>
>>>         <filter-name>HibernateFilter</filter-name>
>>>         <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
>>>     </filter>
>>>     <filter>
>>>         <filter-name>ShiroFilter</filter-name>
>>>         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>>>         <!--
>>>         <init-param>
>>>             <param-name>targetFilterLifecycle</param-name>
>>>             <param-value>true</param-value>
>>>         </init-param>
>>>         -->
>>>     </filter>
>>>     <filter>
>>>         <filter-name>WicketFilter</filter-name>
>>>         <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
>>>         <init-param>
>>>             <param-name>applicationFactoryClassName</param-name>
>>>             <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
>>>         </init-param>
>>>     </filter>
>>>
>>>     <filter-mapping>
>>>         <filter-name>HibernateFilter</filter-name>
>>>         <url-pattern>/*</url-pattern>
>>>     </filter-mapping>
>>>     <filter-mapping>
>>>         <filter-name>ShiroFilter</filter-name>
>>>         <url-pattern>/*</url-pattern>
>>>     </filter-mapping>
>>>     <filter-mapping>
>>>         <filter-name>WicketFilter</filter-name>
>>>         <url-pattern>/*</url-pattern>
>>>         <dispatcher>REQUEST</dispatcher>
>>>         <dispatcher>ERROR</dispatcher>
>>>     </filter-mapping>
>>>
>>> Thanks,
>>> Tauren
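
Added example, not part of the thread and not Shiro's own code: a small lint for the 'first match wins' rule described in the quoted reply. It resolves a path against ordered chain definitions and flags a later chain that an earlier, different chain would claim. The Ant-style matcher is a simplified stand-in for Shiro's, the function names are hypothetical, and the two sample orderings are the ones from the thread.

```python
import re

# Constructed samples: the two orderings discussed in the thread.
GOOD = "/user/signup = anon\n/user/** = authc"
BAD = "/user/** = authc\n/user/signup = anon"

def ant_to_regex(pattern):
    """Simplified Ant-style matcher (?, *, **); an assumption, not Shiro's code."""
    regex = ""
    for token in re.findall(r"\*\*|\*|\?|[^*?]+", pattern):
        regex += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(token, re.escape(token))
    return re.compile(regex + r"\Z")

def parse_chains(text):
    """Parse 'pattern = filters' lines, preserving their order."""
    chains = []
    for line in text.splitlines():
        pattern, sep, filters = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            chains.append((pattern.strip(), filters.strip()))
    return chains

def resolve(chains, path):
    """First match wins: return the first (pattern, filters) matching path."""
    for pattern, filters in chains:
        if ant_to_regex(pattern).match(path):
            return pattern, filters
    return None

def shadowed(chains):
    """Flag chains whose sample path is claimed by an earlier, different chain."""
    findings = []
    for index, (pattern, filters) in enumerate(chains):
        probe = re.sub(r"\*+|\?", "x", pattern)  # wildcards -> literal sample path
        winner = resolve(chains[:index], probe)
        if winner and winner[1] != filters:
            findings.append((pattern, filters) + winner)
    return findings

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, shadowed(parse_chains(text)))
```

The probe is a heuristic: it is exact for literal patterns such as /user/signup and only a sample for wildcard patterns, so an empty result does not prove that no chain is shadowed.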
