Hi all, I am in a situation where I need to extend AuthenticatingFilter in order to provide some customized behavior for the web application I'm building. This application is system-to-system and will not have any visible UI. All operations are going to be done via HTTP POSTs. All URLs are going to be protected by Shiro except for login and logout (as expected); however, if a user is not authenticated then there will be no HTTP 302 redirect to a login form. Instead an HTTP 200 will be returned with an XML payload that contains our application-specific error codes.
Therefore I am extending the AuthenticatingFilter and implementing createToken() and onAccessDenied(). However, I'm a bit fuzzy on the lifecycle of the framework, when each of these methods will be called, and what their interaction is (whether direct or indirect). Also, I am implementing a realm that integrates with our existing data layer that provides authentication functionality, therefore I'm extending AuthorizingRealm to interact with our existing data layer. My question there lies in what happens if my application doesn't perform authorization, and only performs authentication? How should the doGetAuthorizationInfo() method behave? Should it have any interaction with doGetAuthenticationInfo() or vice versa? Any input would be most welcome! Best Regards, Allan
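The filter and realm below are an added example (not code from this thread) sketching one way to wire the hooks Allan names: Shiro calls isAccessAllowed() first and, when it returns false, onAccessDenied(); createToken() is reached only when onAccessDenied() calls executeLogin(); and doGetAuthorizationInfo() is reached only by role or permission checks, never by login(). The POST parameter names, the XML status codes and the BiPredicate standing in for the existing data layer are assumptions.

```java
import java.io.IOException;
import java.util.function.BiPredicate;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;

/** System-to-system filter: never redirects; every outcome is HTTP 200 with an XML status body. */
public class XmlApiAuthFilter extends AuthenticatingFilter {
    /** Called from executeLogin() only; builds the token that Shiro hands to the realm. */
    @Override protected AuthenticationToken createToken(ServletRequest req, ServletResponse resp) {
        // Parameter names "username"/"password" are an assumption about the POST payload.
        return createToken(req.getParameter("username"), req.getParameter("password"), req, resp);
    }
    /** Called when isAccessAllowed() is false: attempt login on the login URL, else emit the app error code. */
    @Override protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
        if (isLoginRequest(req, resp)) return executeLogin(req, resp); // -> createToken(), login(), onLogin*()
        writeStatus(resp, "NOT_AUTHENTICATED"); // constructed application error code, HTTP 200 not 302
        return false;                            // response is complete; do not continue the chain
    }
    @Override protected boolean onLoginSuccess(AuthenticationToken t, Subject s, ServletRequest req, ServletResponse resp) {
        writeStatus(resp, "OK"); return false;   // the login URL answers itself
    }
    @Override protected boolean onLoginFailure(AuthenticationToken t, AuthenticationException e, ServletRequest req, ServletResponse resp) {
        writeStatus(resp, "LOGIN_FAILED"); return false; // one code for all failures: never say which part was wrong
    }
    private static void writeStatus(ServletResponse resp, String code) {
        try { resp.setContentType("application/xml"); resp.getWriter().write("<response><status>" + code + "</status></response>"); }
        catch (IOException ex) { throw new IllegalStateException(ex); }
    }
}

/** Authentication-only realm: the data layer checks credentials; authorization info is always empty. */
class AuthOnlyRealm extends AuthorizingRealm {
    private final BiPredicate<String, char[]> dataLayer; // stand-in for the existing data layer (assumption)
    AuthOnlyRealm(BiPredicate<String, char[]> dataLayer) { this.dataLayer = dataLayer; }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        if (!dataLayer.test(upt.getUsername(), upt.getPassword())) throw new IncorrectCredentialsException();
        return new SimpleAuthenticationInfo(upt.getUsername(), upt.getPassword(), getName()); // already verified above
    }
    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
        return new SimpleAuthorizationInfo(); // no roles or permissions; never consulted by login()
    }
}
```

The two abstract methods stay independent: doGetAuthenticationInfo() runs once per login() and doGetAuthorizationInfo() only on an explicit isPermitted()/hasRole() call, so an authentication-only application can return an empty SimpleAuthorizationInfo without affecting logins.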
