Can I implement my own Servlet to handle authentication through Shiro?
For example
<form action="/login" method="POST">
<input type = "text" name = "username" />
<br />
<input type = "password" name = "password" />
<br />
<input type = "Submit" name = "submit" value="Login" />
</form>
And in the servlet, can I do something like:
protected void doPost(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {
    String userid = req.getParameter("username");
    String password = req.getParameter("password");
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(userid, password);
    // this is all you have to do to support 'remember me' (no config - built in!):
    token.setRememberMe(true);
    currentUser.login(token);
}
Now for this I have two questions:
1. Will this use the Realm defined in the shiro.ini?
2. Will this use the appropriate password matcher defined in shiro.ini?
Also, does the login servlet need to have a user role of anon, i.e.
anonymous user? Since when the user reaches it for the first time, he/she
will be unauthenticated.
On Wed, Sep 9, 2015 at 12:44 PM, scSynergy <[email protected]>
wrote:
> [main]
> // is there a line missing which would look something like 'shiro =
> org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter' ?
> shiro.loginUrl = /login.jsp // this line tells Shiro what to do when an
> unauthenticated user tries to access a secured page: redirect the user to
> /login.jsp
>
> [urls]
> /login.jsp = authc // defines a servlet filter of type AuthenticationFilter
> https://shiro.apache.org/static/1.2.3/apidocs/; this page is open to let
> unauthenticated users access it (shiro.loginUrl tells Shiro to exempt this
> page from restrictions)
> /logout = logout // this line maps the pseudo URL '/logout' to the Shiro
> logout functionality
> /account/** = authc // every page beneath /account is restricted to
> authenticated users (which may pass the authc filter)
> /remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"] //
> every page beneath /remoting is restricted to authenticated users (authc)
> which have the role 'b2bClient' and / or (not sure which) the permission
> "remote:invoke:lan,wan"
>
> There is no failed login page and no 'authc.successUrl = /welcome.xhtml' ,
> so on failed or successful logins you will stay on the login page unless
> that page does an explicit redirect.
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Explanation-of-this-shiro-ini-tp7580693p7580699.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
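
A fuller version of the login servlet asked about above, as an added example that is not part of the original thread or of Shiro's own code. It assumes web.xml registers Shiro's EnvironmentLoaderListener and ShiroFilter in front of the servlet, in which case SecurityUtils.getSubject() is bound to the SecurityManager built from shiro.ini and login() goes through the realm and credentials matcher configured there. The class name, the /login and /account/home paths and the loginError attribute are hypothetical.

```java
// Added example. Assumed (hypothetical) shiro.ini entries for this servlet:
//   [urls]
//   /login = anon          # 'anon' is a filter that lets everyone through, not a role
//   /account/** = authc
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;

public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Bound by ShiroFilter to the SecurityManager built from shiro.ini.
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            // Delegates to the configured realm(s) and their credentials matcher.
            currentUser.login(token);
        } catch (AuthenticationException e) {
            // Unknown account, wrong password and locked account all land here:
            // answer identically so the response does not reveal valid usernames.
            req.setAttribute("loginError", "Invalid username or password");
            req.getRequestDispatcher("/login.jsp").forward(req, res);
            return;
        } finally {
            token.clear(); // wipe the password char[] held by the token
        }
        // Return to the page that triggered the login, else the fallback URL.
        WebUtils.redirectToSavedRequest(req, res, "/account/home");
    }
}
```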