Hi Dan,

All of Shiro's authentication filters will only execute a login if the
Subject is not already authenticated.  If your mobile device logs in
once, it won't be required to log in again unless its session id
becomes invalid.

Are your j_* params sent via a POST request or a GET request?

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com


On Fri, Mar 4, 2011 at 10:18 AM, dan <[email protected]> wrote:
> Hi --
>
> In my web application, I have the normal form-based login for users, which
> is working fine -- I'm using authc.
>
> I also have requests from a mobile device that arrive in a particular
> directory, such as /api/getStatus.jsp and /api/getPosition.jsp.  These
> requests might have parameters j_username and j_password.  From a particular
> mobile device, I want authentication to occur using the j_ parameters the
> first time they are seen and then have it use the JSESSIONID cookie after
> that (ignoring any passed j_ parameters).  Also, if access is denied, I wish
> to return a jsp page, AuthError.jsp.
>
> If authentication succeeds, I then wish to return to the /api/xxx.jsp
> routine to run.
>
> I have tried a few things, but would be very interested if you could steer
> me in the right direction!  I think I need a second AuthenticatingFilter but
> one problem I have is I don't know how the shiro configuration should look
> or exactly what it should do...  Also, I don't want a form to be displayed
> but for the j_ parameters to be plucked from the passed in routine and
> processed.
>
> Thanks,
> Dan
>
>
>
> --
> View this message in context: 
> http://shiro-user.582556.n2.nabble.com/Seconday-authentication-without-a-form-tp6089493p6089493.html
> Sent from the Shiro User mailing list archive at Nabble.com.
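
An added example, not part of the thread and not Shiro's or the posters' own code: one way to apply the behaviour described in the reply to the /api requests, as a subclass of Shiro's AuthenticatingFilter. The class name, the POST-only rule and the shiro.ini wiring shown in the comment are assumptions.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical filter for the /api pages. Assumed shiro.ini wiring:
//   [main]  apiAuthc = com.example.ApiParamAuthenticationFilter
//   [urls]  /api/** = apiAuthc
public class ApiParamAuthenticationFilter extends AuthenticatingFilter {
    private static final String ERROR_PAGE = "/AuthError.jsp"; // page named in the question

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        // Credentials are read from the request parameters; no form is rendered.
        return createToken(request.getParameter("j_username"), request.getParameter("j_password"), request, response);
    }

    // Runs only when isAccessAllowed() is false, i.e. the Subject is not yet
    // authenticated. A request carrying a valid session never gets here, so
    // j_* parameters on later requests are ignored.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest http = WebUtils.toHttp(request);
        String query = http.getQueryString();
        // Assumption: accept credentials only from a POST body. A password in
        // a URL is typically recorded in access logs and proxy logs.
        boolean inBody = "POST".equalsIgnoreCase(http.getMethod()) && (query == null || !query.contains("j_password"));
        if (!inBody || request.getParameter("j_username") == null) {
            request.getRequestDispatcher(ERROR_PAGE).forward(request, response);
            return false;
        }
        return executeLogin(request, response); // true lets the chain continue to /api/xxx.jsp
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        try {
            request.getRequestDispatcher(ERROR_PAGE).forward(request, response);
        } catch (Exception ex) {
            throw new IllegalStateException("Could not forward to " + ERROR_PAGE, ex);
        }
        return false; // stop the chain; the error page has already been written
    }
}
```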
