Hi Matt,

I think I see two problems:

1) Your pastebin for your spring xml does not show the SecurityManager
being configured with your realm.  I.e. it needs to look like this:

<bean id="securityManager"
class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm"/>
</bean>

2) You're setting up a Spring MVC controller to perform
authentication, which implies you want to control when subject.login()
is called and not rely on Shiro's built-in FormAuthenticationFilter
('authc').

If you do this, you will need to redefine the 'authc' filter to be a
PassThruAuthenticationFilter[1].

This allows the request to 'pass through' the filter chain to your
Login view/controller where you are responsible for calling
subject.login().

You can do that in your spring.xml by setting the 'filters' property
and using 'authc' as the name for your configured filter:

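<bean id="passthruAuthcFilter"
class="org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter">
    <!-- PassThruAuthenticationFilter has a loginUrl property (inherited from
         AccessControlFilter); it has no unauthorizedUrl setter -->
    <property name="loginUrl" value="/login"/>
</bean>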

<bean id="shiroFilter"
class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    ...
    <property name="filters">
        <util:map>
            <entry key="authc" value-ref="passthruAuthcFilter"/>
        </util:map>
    </property>
    ...
</bean>

Also, as a tip, you might want to use Shiro's WebUtils to redirect the
end-user to the url they originally attempted before being redirected
to login.  Shiro's FormAuthenticationFilter does this automatically,
but when you perform the login yourself, you're responsible for doing
this redirect if it is desired.  For example, in your
LoginController's handlePost method:

subject.login(authcToken);
WebUtils.redirectToSavedRequest(request, response,
        yourFallbackUrlIfThereIsntASavedRequest);
// tells Spring MVC you've handled the response, and not to render a view
return null;

[1] http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.html

HTH!

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog


On Wed, Apr 25, 2012 at 5:57 PM, yoyar <[email protected]> wrote:
>
> Hi,
>
> I've been trying to figure this out for a few days. Perhaps there is
> something I don't understand about spring mvc, tiles, and shiro integration.
> In any case, I've posted a question on stack overflow but I'm not getting
> any answers there. I'm hoping I can get some here with the Shiro experts!
>
> I don't think it is useful to copy the whole post to this message so I'll
> just provide the link. Feel free to reply at SO or here; whatever works for
> you. Here's the post: http://bit.ly/JAgit9
>
> Anyway, the short version is that with invalid credentials posted Shiro
> doesn't redirect to the configured /unauthorized url. It detects the login
> attempt. The attempt to access a secured url does redirect to the /login
> page however. I'm puzzled.
>
> I would really appreciate any advice offered.
>
> Thanks,
> Matt
>
>
>
>
> --
> View this message in context: 
> http://shiro-user.582556.n2.nabble.com/Shiro-Spring-Tiles-integration-no-direct-to-unauthorizedUrl-with-invalid-credentials-tp7501354p7501354.html
> Sent from the Shiro User mailing list archive at Nabble.com.
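
An added example, not part of the original thread and not Shiro's own code: a complete Spring MVC login controller for the pass-through setup discussed above, including the invalid-credentials path that the controller has to handle itself once 'authc' no longer does the login. The view name, fallback URL, form parameter names and the "loginError" model attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
@RequestMapping("/login")
public class LoginController {

    // Assumed names: the "login" view and the "/home" fallback URL.
    private static final String LOGIN_VIEW = "login";
    private static final String FALLBACK_URL = "/home";

    @RequestMapping(method = RequestMethod.GET)
    public String showForm() {
        return LOGIN_VIEW;
    }

    @RequestMapping(method = RequestMethod.POST)
    public String handlePost(@RequestParam("username") String username,
                             @RequestParam("password") String password,
                             HttpServletRequest request,
                             HttpServletResponse response,
                             Model model) throws IOException {
        UsernamePasswordToken authcToken = new UsernamePasswordToken(username, password);
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(authcToken);
        } catch (AuthenticationException e) {
            // Unknown account, bad password, locked account: one generic message for all.
            model.addAttribute("loginError", "Invalid username or password.");
            return LOGIN_VIEW;
        } finally {
            authcToken.clear(); // wipe the password char[] held by the token
        }
        // Back to the URL requested before the redirect to /login, or the fallback.
        WebUtils.redirectToSavedRequest(request, response, FALLBACK_URL);
        return null; // redirect already sent; Spring MVC renders no view
    }
}
```

Catching the AuthenticationException base class keeps the failure response identical whether the account is unknown or the password is wrong, so the form does not reveal which usernames exist.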
