In my Shiro application, I want to define an AuthenticationFilter for all paths except REST, i.e. /rest/... doesn't go through it but everything else would.
I'm using Shiro-Guice, so my filter setups are of the form:
    addFilterChain("/rest/**", restFilter);
    addFilterChain("/**", filter); // I want this one to work on everything except my rest filter
I looked at this question about Ant path pattern style, but there doesn't seem to be support for regexes.
You can't do it like that. The way Shiro works is that it checks the filters in the order they are configured. It first checks the first filter; if it can't authenticate, it will move on to the next. There is no exclusion pattern for that.
You can write your own custom Shiro filter that will deny authorization on the REST URL.
I don't know how it will work in Guice, but in shiro.ini you can do something like:
    [main]
    myfilter = UrlBasedAuthzFilter
    restFilter = YourRestFilterClass

    [urls]
    /rest/** = restFilter
    /** = myfilter
And the filter class:
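    import java.io.IOException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter;
    import org.apache.shiro.web.util.WebUtils;

    // AuthorizationFilter leaves isAccessAllowed abstract, so the super call needs a concrete parent.
    public class UrlBasedAuthzFilter extends PermissionsAuthorizationFilter {
        @Override
        public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
            // Test the request path inside the application, not the webapp's context path.
            String path = WebUtils.getPathWithinApplication(WebUtils.toHttp(request));
            if (path.startsWith("/rest")) {
                return false; // deny anything under /rest
            }
            return super.isAccessAllowed(request, response, mappedValue);
        }
    }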
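The [urls] section above expressed for Shiro-Guice, as an added example that is not part of the original question or answer. Shiro matches chain patterns in declaration order and runs only the first chain whose pattern matches the request path, so `/rest/**` is declared before `/**`. The class names `RestAwareShiroModule` and `ShiroBootstrap` are hypothetical, and the built-in `AUTHC_BASIC`, `AUTHC` and `SimpleAccountRealm` are stand-ins for the asker's own filters and realm.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;

import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.servlet.GuiceServletContextListener;
import org.apache.shiro.guice.web.ShiroWebModule;
import org.apache.shiro.realm.SimpleAccountRealm;

// Hypothetical module name; register ShiroBootstrap as a <listener> in web.xml.
public class RestAwareShiroModule extends ShiroWebModule {

    public RestAwareShiroModule(ServletContext servletContext) {
        super(servletContext);
    }

    @Override
    @SuppressWarnings("unchecked")
    protected void configureShiroWeb() {
        // Placeholder realm (assumption) so the module is complete; bind the real one here.
        bindRealm().to(SimpleAccountRealm.class);

        // Declared first: a request under /rest/ resolves to this chain and no other.
        // AUTHC_BASIC stands in for the asker's restFilter; a custom filter is
        // referenced as Key.get(YourRestFilterClass.class).
        addFilterChain("/rest/**", AUTHC_BASIC);

        // Declared last: the catch-all only sees paths no earlier pattern matched.
        // AUTHC stands in for the general AuthenticationFilter.
        addFilterChain("/**", AUTHC);
    }
}

// Hypothetical bootstrap listener that installs the module and the Guice-managed Shiro filter.
class ShiroBootstrap extends GuiceServletContextListener {
    private ServletContext servletContext;

    @Override
    public void contextInitialized(ServletContextEvent event) {
        servletContext = event.getServletContext();
        super.contextInitialized(event);
    }

    @Override
    protected Injector getInjector() {
        return Guice.createInjector(
                new RestAwareShiroModule(servletContext),
                ShiroWebModule.guiceFilterModule());
    }
}
```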