Hi all,

I'm a newbie to Shiro and was looking into implementing a custom auth filter and a respective realm over the past week. I've read a lot of articles and posts on the mailing list archive but still did not get it running. Please, please help me ;-)

I have a web project running on Google App Engine (GAE) and an Android app. Basically I want to secure my REST API with Shiro and have some basic user/pw login. I would like to be able to use the authc filter for basic user registration on e.g. my webpage and additionally secure my API with the bearer token approach.

I found the following post outlining the bearer token approach: http://shiro-user.582556.n2.nabble.com/REST-based-token-auth-approach-td7577677.html

Also, I found a post on custom filters: http://shiro-user.582556.n2.nabble.com/Adding-new-custom-filter-to-filters-in-ShiroFilter-tt4188224.html

Nevertheless, I don't know what I'm doing wrong. Do I have to add my filter to the web.xml file? So far I defined it in the shiro.ini file. Do I have to override isAccessAllowed and, if so, what is it supposed to do? I overrode onAccessDenied so far.

I'm very thankful for any pointers.
Please find pieces of my code below.

Cheers,
Ralf

PS: As I'm running my project on GAE, I cannot use DefaultWebSessionManager but have to use ServletContainerSessionManager (see: http://objectuser.wordpress.com/2011/06/30/apache-shiro-on-google-app-engine/)

*shiro.ini*

[main]
bearerAuthFilter = com.example.BearerTokenAuthenticatingFilter
sessionManager = org.apache.shiro.web.session.mgt.ServletContainerSessionManager
securityManager.sessionManager = $sessionManager
shiro.loginUrl = /login
bearerRealm = com.cilogi.shiro.bearer.BearerTokenRealm
securityManager.realms = $iniRealm, $bearerRealm

[users]

[roles]
admin = *
user = browse:*

[urls]
/testServlet = bearerAuthFilter

*FILTER*

import java.util.logging.Logger;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

public class BearerTokenAuthenticatingFilter extends AuthenticatingFilter {
    private static final Logger LOG = Logger.getLogger(BearerTokenAuthenticatingFilter.class.getName());

    // Called by executeLogin(); currently returns a fixed test token instead of reading the request.
    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        LOG.warning("BearerTokenAuthenticatingFilter: create Token");
        return new BearerAuthenticationToken("TESTTOKEN");
    }

    // Reached whenever isAccessAllowed() returned false (i.e. the subject is not authenticated yet).
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginRequest(request, response)) {
            if (isLoginSubmission(request, response)) {
                return executeLogin(request, response);
            } else {
                return true;
            }
        } else {
            saveRequestAndRedirectToLogin(request, response);
            return false;
        }
    }

    // POST_METHOD is inherited from AccessControlFilter.
    private boolean isLoginSubmission(ServletRequest request, ServletResponse response) {
        return (request instanceof HttpServletRequest)
                && WebUtils.toHttp(request).getMethod().equalsIgnoreCase(POST_METHOD);
    }
}

*REALM*

import java.util.logging.Logger;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.realm.AuthenticatingRealm;

public class BearerTokenRealm extends AuthenticatingRealm {
    private static final Logger LOG = Logger.getLogger(BearerTokenRealm.class.getName());

    public BearerTokenRealm() {
        LOG.warning("BearerTokenRealm: started");
        // This makes the supports(...) method return true only if the token is an
        // instance of BearerAuthenticationToken:
        setAuthenticationTokenClass(BearerAuthenticationToken.class);
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        LOG.warning("BearerTokenRealm: supports");
        if (token != null) {
            return token instanceof BearerAuthenticationToken;
        }
        return false;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        LOG.warning("BearerTokenRealm: doGetAuthenticationInfo");
        // TODO: validate the token and return the account it belongs to
        return new SimpleAccount();
    }
}

*TOKEN*

import com.google.common.base.Preconditions;
import org.apache.shiro.authc.AuthenticationToken;

public class BearerAuthenticationToken implements AuthenticationToken {
    private static final long serialVersionUID = 1L;

    private final String sessionId;

    public BearerAuthenticationToken(String sessionId) {
        Preconditions.checkNotNull(sessionId, "You have to have an auth token.");
        this.sessionId = sessionId;
    }

    public String getSessionId() {
        return sessionId;
    }

    @Override
    public Object getCredentials() {
        return sessionId;
    }

    @Override
    public Object getPrincipal() {
        return null;
    }
}
-- View this message in context: http://shiro-user.582556.n2.nabble.com/Custom-Auth-Filter-and-Realm-tp7579020.html Sent from the Shiro User mailing list archive at Nabble.com.
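The pattern the post is asking about, written out as an added example; it is not part of the original message and not Shiro's own code. It leaves isAccessAllowed() inherited (it already passes any subject that is authenticated), does the bearer login inside onAccessDenied() from the Authorization header, and answers 401 with a WWW-Authenticate challenge instead of redirecting to a login page, which is what an API client expects. The class names, the "Authorization: Bearer <token>" parsing, the sample token "TESTTOKEN" mapped to user "ralf" and the in-memory token table are assumptions for illustration; a real realm would look up a hash of the token in a datastore.

```java
package com.example;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical holder so all three pieces fit one file; reference the nested classes as
 *  com.example.BearerAuthExample$Filter and com.example.BearerAuthExample$Realm in shiro.ini. */
public final class BearerAuthExample {

    /** Carries the raw bearer string; the principal is unknown until the realm resolves it. */
    public static class Token implements AuthenticationToken {
        private static final long serialVersionUID = 1L;
        private final String value;

        public Token(String value) {
            if (value == null || value.isEmpty()) {
                throw new IllegalArgumentException("bearer token required");
            }
            this.value = value;
        }

        @Override public Object getPrincipal() { return null; }
        @Override public Object getCredentials() { return value; }
    }

    /** isAccessAllowed() stays inherited: authenticated subjects pass. Everyone else lands here. */
    public static class Filter extends AuthenticatingFilter {
        private static final String SCHEME = "Bearer ";

        /** "Authorization: Bearer <token>" -> "<token>", or null when absent or malformed. */
        static String extractToken(ServletRequest request) {
            if (!(request instanceof HttpServletRequest)) {
                return null;
            }
            String header = ((HttpServletRequest) request).getHeader("Authorization");
            if (header == null || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
                return null;
            }
            String value = header.substring(SCHEME.length()).trim();
            return value.isEmpty() ? null : value;
        }

        /** Only reached from executeLogin(), after extractToken() was non-null, so never returns null. */
        @Override
        protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
            return new Token(extractToken(request));
        }

        @Override
        protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
            // executeLogin() -> createToken() -> subject.login(); a rejected token ends in onLoginFailure() -> false.
            if (extractToken(request) != null && executeLogin(request, response)) {
                return true;                         // continue down the chain to the servlet
            }
            HttpServletResponse http = WebUtils.toHttp(response);
            http.setHeader("WWW-Authenticate", "Bearer realm=\"api\"");
            http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;                            // stop the chain; no saveRequestAndRedirectToLogin()
        }
    }

    /** Only Token instances reach this realm; the IniRealm keeps handling UsernamePasswordToken. */
    public static class Realm extends AuthenticatingRealm {
        // Constructed sample store (token -> username); real code looks up a hash of the token instead.
        private final Map<String, String> tokens = new ConcurrentHashMap<String, String>();

        public Realm() {
            setAuthenticationTokenClass(Token.class);                // supports() is true only for Token
            setCredentialsMatcher(new AllowAllCredentialsMatcher()); // the lookup below is the credential check
            tokens.put("TESTTOKEN", "ralf");
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            String user = tokens.get((String) token.getCredentials());
            if (user == null) {
                throw new IncorrectCredentialsException("unknown bearer token");
            }
            // The principal the subject carries from now on; the realm name scopes it in the PrincipalCollection.
            return new SimpleAuthenticationInfo(user, token.getCredentials(), getName());
        }
    }
}
```

Wiring it up is the same as in the post: `bearerAuthFilter = com.example.BearerAuthExample$Filter` and `bearerRealm = com.example.BearerAuthExample$Realm` in [main], then `/testServlet = bearerAuthFilter` in [urls]. A filter declared in [main] and used in [urls] is dispatched by ShiroFilter; it needs no separate entry in web.xml. Two caveats: the filter must never let createToken() return null (executeLogin() throws IllegalStateException on a null token), which is why the header is checked before executeLogin() is called; and a successful subject.login() stores the principals in a session, which under ServletContainerSessionManager means a container session per API call unless session storage is disabled (for example via `securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false`, a global switch that also affects the form login).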
