I am not familiar with Shibboleth, but I wrote a Shiro filter to do SPNEGO SSO authentication to Active Directory by extending AccessControlFilter and then implementing the

    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception

method. Within this method I return 'false' when I directly manipulate the HTTP response and do not want Shiro to proceed through the other filters. I return 'true' when I want Shiro to follow through with its entire stack.

The method

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object o) throws Exception

always returns true, because my filter only does automatic authentication through SPNEGO and leaves the path matching etc. to the authc filter. So in effect I have chained two filters together: my filter goes first and tries to do an automatic authentication through SPNEGO. If SPNEGO succeeds, the subject's principal is retrieved from the Kerberos token and bound to the Shiro stack:

    String principal = context.getSrcName().toString().toLowerCase();
    PrincipalCollection principals = new SimplePrincipalCollection(principal, getRealmName());
    WebSubject.Builder builder = new WebSubject.Builder(request, response);
    builder.principals(principals).authenticated(true);
    WebSubject webSubject = builder.buildWebSubject();
    ThreadContext.bind(webSubject);

After my filter comes the authc filter, which blocks access based on whether the subject is authenticated or not, path matching etc.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Adding-principal-information-to-a-web-request-tp7579196p7579218.html
Sent from the Shiro User mailing list archive at Nabble.com.
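The filter described in the post above, written out as a complete class. This is an added example, not the poster's code or anything shipped with Shiro: it targets Shiro 1.x with javax.servlet and uses the JDK's GSS-API (org.ietf.jgss) to accept the SPNEGO token. Assumptions are labelled in the code: the acceptor GSSCredential is obtained elsewhere from a keytab login (JAAS Krb5LoginModule) and injected through the constructor, realmName is whatever Shiro realm you want to own the principal, and the "already authenticated" shortcut relies on Shiro's default session storage of principals. It also handles two failure modes the post does not mention: a browser that falls back to NTLM inside the Negotiate header, and a ticket that GSS-API rejects, both of which must end in a plain 401 rather than another challenge, otherwise the client loops.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.subject.WebSubject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Added example: SPNEGO SSO in preHandle(), access decisions left to the authc filter behind it. */
public class SpnegoSsoFilter extends AccessControlFilter {

    private static final String NEGOTIATE = "Negotiate";

    // Assumption: acceptor credential from a keytab (JAAS Krb5LoginModule) login done at startup.
    private final GSSCredential acceptorCredential;
    // Assumption: name of the Shiro realm that should own the SPNEGO principal.
    private final String realmName;

    public SpnegoSsoFilter(GSSCredential acceptorCredential, String realmName) {
        this.acceptorCredential = acceptorCredential;
        this.realmName = realmName;
    }

    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Already authenticated earlier in this session (default Shiro session storage): skip the handshake.
        if (SecurityUtils.getSubject().isAuthenticated()) {
            return true;
        }

        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, NEGOTIATE + " ", 0, NEGOTIATE.length() + 1)) {
            // First leg: challenge the browser and stop the chain ("return false"), so authc
            // does not redirect to a login page before the client can send its ticket.
            resp.setHeader("WWW-Authenticate", NEGOTIATE);
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        byte[] inToken;
        try {
            inToken = Base64.getDecoder().decode(header.substring(NEGOTIATE.length() + 1).trim());
        } catch (IllegalArgumentException e) {
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return false;
        }

        // Browsers without a ticket send an NTLM token inside "Negotiate"; GSS-API cannot accept it.
        // Deny without a fresh challenge, otherwise the client retries forever.
        if (new String(inToken, 0, Math.min(7, inToken.length), StandardCharsets.US_ASCII).equals("NTLMSSP")) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        GSSContext context = GSSManager.getInstance().createContext(acceptorCredential);
        try {
            byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
            if (outToken != null && outToken.length > 0) {
                // Mutual authentication: hand the acceptor's token back to the client.
                resp.setHeader("WWW-Authenticate", NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken));
            }
            if (!context.isEstablished()) {
                resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // another leg is required
                return false;
            }
            // e.g. "jdoe@EXAMPLE.COM", lower-cased as in the post so the realm lookup is case-stable.
            String principal = context.getSrcName().toString().toLowerCase(Locale.ROOT);
            bindAuthenticatedSubject(request, response, principal);
            return true;
        } catch (GSSException e) {
            // Expired, replayed or wrongly targeted ticket: deny, do not re-challenge.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        } finally {
            try { context.dispose(); } catch (GSSException ignored) { }
        }
    }

    /** Replace the thread-bound anonymous subject so authc and SecurityUtils.getSubject() see the principal. */
    private void bindAuthenticatedSubject(ServletRequest request, ServletResponse response, String principal) {
        PrincipalCollection principals = new SimplePrincipalCollection(principal, realmName);
        WebSubject.Builder builder = new WebSubject.Builder(request, response);
        builder.principals(principals).authenticated(true);
        WebSubject subject = builder.buildWebSubject();
        ThreadContext.bind(subject);
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        return true; // path matching and the allow/deny decision belong to the authc filter that follows
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
        return true; // unreachable: isAccessAllowed() never denies
    }
}
```

The class is meant to sit in front of authc in the chain, for instance `/** = spnego, authc` under `[urls]` with `spnego` registered in `[main]` (an assumed wiring; the constructor needs the GSSCredential, so the instance is normally built in code after the keytab login rather than from the ini file). The filter only ever returns `false` after it has written a status itself, which is exactly the contract the post describes for preHandle().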
