Multiple auth filters and onAccessDenied() method logic question


Multiple auth filters and onAccessDenied() method logic question

armandoxxx
Hey guys ...

I've got a little logical problem with filters ...

Our use case:

We export REST services and our end points are protected by Shiro.
On our end points we have different types of filter specified.

/rest/* = headerAuthFilter, formAuthFilter, tokenAuthFilter, ..., terminateFilter

terminateFilter code is as follows

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.web.filter.authc.AuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class TerminateFilter extends AuthenticationFilter {

  private static final Logger LOG = LoggerFactory.getLogger(TerminateFilter.class);

  // Reached only when no earlier filter in the chain authenticated the subject:
  // answer 401 and return false so the chain stops here.
  @Override
  protected boolean onAccessDenied(final ServletRequest request, final ServletResponse response) throws Exception {
    LOG.info("Not logged in! Sending unauthorized response header");
    HttpServletResponse httpResponse = WebUtils.toHttp(response);
    httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return false;
  }
}

Explanation:

All previous filters (before terminateFilter) execute login if they are supposed to execute it (meaning .. if formAuthFilter resolves that it is a login request, then login will execute and return true or false depending on the credentials).
All previous filters will return true in case the request is not meant to execute login.
If none of the previous filters succeeded in isAccessAllowed and all onAccessDenied() methods return true, this terminateFilter filter will definitely throw an unauthorized response.
So unless we have terminateFilter in the configuration and all filters skip executing login, Shiro does not block the user ... (try it yourself)

question:
Does anybody have any other solution so terminateFilter does not have to be defined?

Any advice would be appreciated ...

Regards

Armando


Re: Multiple auth filters and onAccessDenied() method logic question

Brian Demers
You could create a filter that would delegate to another component for each auth type you are looking for in the request.

Possible with a "boolean supportsRequest(ServletRequest request)" and "boolean handleAuthRequest(ServletRequest request)"

This is more or less what happens when you have multiple realms.  You could look at the pattern used by the ModularRealmAuthenticator.  (that one is a little more complex as it supports multiple strategies)



On Fri, Jul 7, 2017 at 4:39 AM, armandoxxx <[hidden email]> wrote:
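One way to build the single delegating filter Brian describes, as an added example that is not from this thread or from Shiro itself. The interface AuthRequestHandler, the FormParamHandler and DelegatingAuthFilter are hypothetical names; the filter itself answers 401 when no handler recognises the request or when presented credentials are rejected, so the trailing terminateFilter from the original chain is no longer needed.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.web.filter.authc.AuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical strategy interface, named after the two methods Brian suggests. */
interface AuthRequestHandler {
    boolean supportsRequest(ServletRequest request);   // credentials of this type present?
    boolean handleAuthRequest(ServletRequest request); // try login; true if subject is now authenticated
}
/** Example handler (constructed for illustration): form-style login from request parameters. */
class FormParamHandler implements AuthRequestHandler {
    public boolean supportsRequest(ServletRequest request) {
        return request.getParameter("username") != null && request.getParameter("password") != null;
    }
    public boolean handleAuthRequest(ServletRequest request) {
        try {
            SecurityUtils.getSubject().login(new UsernamePasswordToken(
                    request.getParameter("username"), request.getParameter("password")));
            return true;
        } catch (AuthenticationException e) {
            return false; // credentials rejected: the filter must not fall back to another scheme
        }
    }
}
/** Single chain entry replacing headerAuthFilter, formAuthFilter, ..., terminateFilter. */
public class DelegatingAuthFilter extends AuthenticationFilter {
    private final AuthRequestHandler[] handlers;
    public DelegatingAuthFilter(AuthRequestHandler... handlers) {
        this.handlers = handlers;
    }
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        // Reached only when isAccessAllowed() was false, i.e. the subject is not yet authenticated.
        for (AuthRequestHandler handler : handlers) {
            if (handler.supportsRequest(request)) {
                if (handler.handleAuthRequest(request)) {
                    return true; // login succeeded; let the chain continue
                }
                break; // credentials were presented but rejected: deny, do not try weaker schemes
            }
        }
        WebUtils.toHttp(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // nothing handled the request: deny here, no terminateFilter needed
    }
}
```

Wiring it as `/rest/* = delegatingAuthFilter` in shiro.ini (with the handler list injected) gives one place that decides between "continue" and "401", instead of relying on every filter's onAccessDenied() returning true.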


Re: Multiple auth filters and onAccessDenied() method logic question

armandoxxx
thank you for your idea ... will check it out ..

regards

Armando