I have been able to implement basic authentication using Shiro. I would now like to write custom logic to implement only the authentication step of the process, i.e., when user credentials are supplied, are the credentials valid (and potentially what roles does the user have, if these two pieces of logic are coupled in the logic of the framework). What class(es)/method(s) do I need to override to enable this? I'm assuming I would create a custom implementation to replace org.apache.shiro.web.servlet.ShiroFilter, but I'm not sure what method(s) in the class hierarchy need to be modified/overwritten.
My shiro.ini file looks like this:
# ---
#
# ini file for shiro
#
# ---
[main]
# authc.usernameParam = uid
# authc.passwordParam = pwd
# authc.failureKeyAttribute = shiroLoginFailure
[users]
admin = admin, ROLE_ADMIN
[roles]
ROLE_ADMIN = *
[urls]
/app/** = authcBasic
The relevant part of my web.xml looks like this:
<!--
*
* shiro stuff
*
-->
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
Full implementation is available here:
https://github.com/NACHC-CAD/web-security-example
Basic authentication is here:
https://github.com/NACHC-CAD/web-security-example/releases/tag/v1.0.0
You want to define a custom Realm: https://shiro.apache.org/realm.html
Specifically, you probably want to extend org.apache.shiro.realm.AuthorizingRealm and implement the doGetAuthenticationInfo and doGetAuthorizationInfo methods.
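A custom realm along those lines, as an added example (not code from the question's repository or from Shiro's own docs), written against the Shiro 1.x API; the in-memory account map, the salt value and the com.example package are assumptions standing in for a real user store such as a database or LDAP:

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import java.util.*;

// Wire it in shiro.ini in place of the [users]/[roles] sections (package name is assumed):
//   [main]
//   exampleRealm = com.example.ExampleRealm
//   securityManager.realms = $exampleRealm
public class ExampleRealm extends AuthorizingRealm {
    // Constructed stand-in for a user store; a real realm would query a database or LDAP here.
    private static final class Account {
        final String hashHex; final String salt; final Set<String> roles;
        Account(String h, String s, Set<String> r) { hashHex = h; salt = s; roles = r; }
    }
    private static final int ITERATIONS = 1024;
    private final Map<String, Account> accounts = new HashMap<>();

    public ExampleRealm() {
        // Let Shiro compare the submitted password against a salted, iterated SHA-256 hash.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
        String salt = "constructed-per-user-salt"; // assumption: a real store keeps a random salt per user
        String hash = new Sha256Hash("admin", ByteSource.Util.bytes(salt), ITERATIONS).toHex();
        accounts.put("admin", new Account(hash, salt, Collections.singleton("ROLE_ADMIN")));
    }

    @Override // authentication step: called with the token that authcBasic builds from the request
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        Account acct = accounts.get(username);
        if (acct == null) throw new UnknownAccountException("no account: " + username);
        // Return only the stored hash and salt; the credentials matcher does the comparison.
        return new SimpleAuthenticationInfo(username, acct.hashHex, ByteSource.Util.bytes(acct.salt), getName());
    }

    @Override // authorization step: roles for an already-authenticated subject, looked up lazily
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Account acct = accounts.get((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (acct != null) info.addRoles(acct.roles);
        return info;
    }
}
```

The ShiroFilter and the authcBasic filter from the question stay as they are; only the realm behind the securityManager changes, so the [urls] section keeps working unchanged.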