On Wed 02 Nov 2011 10:57:13 AM CDT, Bengt Rodehav wrote: > Thanks a lot for your quick reply Jared. > > I tried to return a 401 but it doesn't seem to cause the web browser > (Firefox in this case) to drop the user and password from its cache. > If I do a refresh then the cached user is automatically > re-authenticated again. > > Very annoying... > > We're developing an Ajax application which is the reason why we don't > want to redirect to a specific login page (that could use form based > login). If the user actively logs out then it's OK to redirect to a > login page but if the session times out, then we want to stay on the > same page so that the user can continue working after having specified > its user and password again. > > Basic authentication is not a requirement for me but it seemed like an > easy way to avoid redirecting to a dedicated login page. Is there a > way to accomplish an "ajax login" using Shiro? Is there a best > practice for it? > > Thanks, > > /Bengt > > > 2011/11/2 Jared Bunting <[email protected] > <mailto:[email protected]>> > > On Wed 02 Nov 2011 09:52:24 AM CDT, Bengt Rodehav wrote: > > I'm using Shiro together with the http service in Apache Karaf which > > in turn uses Jetty under the hood. I use Shiro 1.1. > > > > I've created my own AuthorizingRealm since we have a legacy system > > that I redirect the authentication to. This seems to work and I can > > get the currently logged in user as follows: > > > > Subject subject = SecurityUtils.getSubject(); > > > > When calling the "isAuthenticated" method I can see that the user is > > logged in. > > > > However, on each call from the web browser to my web application, a > > new authentication is being made. This means that I can't really log > > out the user neither explicitly nor by session timeout. If I call > > > > subject.logout() > > > > I can see that the user is indeed logged out since "isAuthenticated" > > then returns false. But on the next request from the web browser the > > user is authenticated again and a new session is created. If I > restart > > the web browser then I have to login again but as long as the web > > browser is running the user seems to be automatically > > re-authenticated. I use basic authentication and the behaviour > is the > > same in both Chrome and Firefox. > > > > Obviously I haven't understood how these things work. Can anyone > > explain to me how I can log out a user both explicitly and via > session > > timeout? > > > > /Bengt > > If I understand what you're describing correctly, you are running into > a browser behavior. Typically, when using HTTP BASIC authentication, > the browser will cache the user's name and password, and send the auth > header with every single request. This is very useful behavior for > stateless webapps that require authentication. It's less useful when > you're already tracking a known user. > > Unfortunately, I know of no way to alter this behavior. One thing you > could try is, when logging a user out, return a 401. This should > cause > the browser to re-ask the user for a username/password, which they > could cancel. So, while that's the best that I can offer, it sounds > like a crappy UI. > > If you have a page-based, user-navigable webapp, you might consider > using form authentication instead of basic. It avoids this issue > completely. > > Sorry I could not be of more help. > > -Jared > >
I haven't done it, but it seems like you could do something in ajax to ask for username/password (popup, ajaxified appearing form, or something of that nature) and submit that to the login page. Shiro form authentication doesn't force the user to go to the login page - it mostly just wants a post to that page with the username/password fields. -Jared
