Les, Thanks for the response. I'll try and be more clear.
Basically what I'm saying is, "the user must be authenticated to visit this
URL" IS authorization. I want an HTTP BASIC filter that only rejects a user if
a login fails, NOT if they don't even attempt to login. A user who doesn't
attempt to login shouldn't be refused access (by the authentication filter),
they should be allowed into the system as an unauthenticated user. Basically,
a filter that looks something like this:
doFilter(request, response, chain) {
    // Only attempt a login if the client actually sent credentials
    if (isLoginAttempt(request)) {
        // Credentials were sent but are wrong: reject with a challenge and stop,
        // so a failed login is never let through as an anonymous request
        if (!executeLogin(createToken(request, response))) {
            sendChallenge();
            return;
        }
    }
    try {
        // Authenticated or not, let the request continue into the system
        chain.doFilter(request, response);
    } catch (UnauthenticatedException e) {
        // Authorization further down required a logged-in user: challenge now
        sendChallenge();
    }
}
Or, to reword, "when accessing this URL, the user may be authenticated via the
HTTP BASIC protocol. If authorization later requires the user to login,
require authentication via the HTTP BASIC protocol." Another possible
description: "allows authentication" vs "requires authentication".
I'm not sure how clear I'm being here...let me know if I need to explain it
some other way...
Thanks,
Jared
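One way to build the filter Jared sketches on top of Shiro's BasicHttpAuthenticationFilter, as an added example rather than code from this thread or from the Shiro project. The class name is made up, and the cleanup() override assumes the servlet chain hands UnauthenticatedException back to the filter unwrapped:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;

/**
 * "Allows authentication" variant of authcBasic: credentials that are presented
 * are verified, absent credentials fall through as an anonymous subject, and a
 * 401 challenge is sent only when a login fails or when the service layer later
 * throws UnauthenticatedException. (Example class, not part of Shiro.)
 */
public class OptionalBasicHttpAuthenticationFilter extends BasicHttpAuthenticationFilter {

    /** Called by Shiro when the current subject is not authenticated for this URL. */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginAttempt(request, response)) {
            // An Authorization header was sent: verify it. A bad password is a
            // failed login and must not be let through as "anonymous".
            boolean loggedIn = executeLogin(request, response);
            if (!loggedIn) {
                sendChallenge(request, response);
            }
            return loggedIn;
        }
        // No credentials at all: continue the chain as an unauthenticated subject
        // and leave the decision to the authorization checks downstream.
        return true;
    }

    /**
     * Runs after the rest of the chain. If a downstream authorization check
     * demanded a logged-in user, answer with the HTTP BASIC challenge instead
     * of propagating the exception. Assumes the exception arrives unwrapped,
     * as it does in a plain servlet filter chain.
     */
    @Override
    protected void cleanup(ServletRequest request, ServletResponse response, Exception existing)
            throws ServletException, IOException {
        if (existing instanceof UnauthenticatedException && !response.isCommitted()) {
            sendChallenge(request, response);
            return;
        }
        super.cleanup(request, response, existing);
    }
}
```

Registered in place of authcBasic in the filter chain, this keeps the 401 response for wrong credentials and for anonymous callers who reach a protected service method, while anonymous callers of unprotected resources are no longer challenged.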
-----Original Message-----
From: [email protected] on behalf of Les Hazlewood
Sent: Fri 1/21/2011 6:20 PM
To: [email protected]
Subject: Re: Avoiding authorization when using authcBasic filter
Hi Jared,
I'm confused - the authcBasic filter deals with authentication via the
HTTP BASIC authentication protocol, and doesn't deal with
authorization. Using it basically means "the user must be
authenticated to visit this URL. If not, require authentication via
the HTTP BASIC protocol."
Authentication and Authorization are orthogonal concepts. What are
you trying to achieve?
Regards,
--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
On Fri, Jan 21, 2011 at 9:14 AM, Jared Bunting
<[email protected]> wrote:
> Currently it appears that when using the authcBasic filter, users are
> required to login. Is there any simple way to eliminate this requirement,
> allowing users access (and doing authorization in the service layer) and
> only sending the challenge if an "UnauthenticatedException" is thrown?
>
> Thanks,
> Jared
