I don't believe that there is an existing filter that will parse your x509 headers. So you will need to write that yourself.
As far as falling through to the authcBasic filter - so long as you don't reject requests w/o x509 headers in your custom filter, everything should be fine so long as you specify them in your url filter - x509, then authcBasic. The authcBasic filter should pass the request through unmolested if the subject is already authenticated. HTH, Jared On Wed 16 Jan 2013 12:28:50 PM CST, Mo Maison wrote: > Hello Shiro users, > > I have a rather unusual authentication scheme, and don't > know how to handle that with Shiro for now. > > Basically, I'd like to authenticate users with one of the two > following methods : > 1- by a client certificate > OR > 2- with basic http > > Case 1 is handled by a external reverse proxy, which put client > x509 certificate into http request headers. > > Thus I'd like the following logic : > - if request contains x509 headers, use that to create token > - else use standard authcBasic Shiro filter. > > If a specify two filters on the same url in the ini config file, > I guess both filters will be executed ? > How can I shortcut authcBasic if first filter already returns > a token ? > I'd surprised if Shiro could not handle such a case (different > types of authentication) out of the box. > Do I have to implement a custom filter, which inherits (or better > compose) authcBasic ? > > Any advice would be appreciated. > > Regards, > > M. Maison
