no problem ... best practices when implementing shiro security
1. your custom implementation of Authenticating shiro filter has its own auth token and its own realm
2. your custom implementation of AccessControl shiro filter should check if access for request is allowed
3. mind the filter chain order (first check if authorized, then try to login user .. if everything else fails = access forbidden):
   - authz filter 1 ... n
   - auth filter 1 .. n
   - AccessForbiddenFilter always throwing 403 FORBIDDEN

that's it ;)

Regards
Armando

--
Sent from: http://shiro-user.582556.n2.nabble.com/
