
I'm having a problem configuring Apache Shiro to disable anonymous access to all pages except /js and /resources because that breaks the site design and layout before the user is logged in.

My current shiro-context.xml file has the following section:

/**=authc
/js/** =anon
/resources/** =anon

This will require authentication for all pages and redirect the user to the /login page, but as I previously said, it will break access to resource files. It's as if it doesn't pick up the 2nd and the 3rd line instructing it to allow anon access.

Am I doing something wrong? Should I perhaps prefix the path to all secure pages with something like /secure/ and allow anonymous access to everything above that folder?

Vex
  • In the title I wrote that I want to allow anonymous access to resource folders. In the text I said I want to disallow access to ALL pages EXCEPT resource folders. Same thing. – Vex Sep 27 '12 at 05:59

1 Answer


Ok, I got it to work.

Answer from the documentation:

Order Matters! URL path expressions are evaluated against an incoming request in the order they are defined and the FIRST MATCH WINS.

I restructured my definitions to look like this:

/js/** =anon
/resources/** =anon
/**=authc
Vex
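
An added example (not part of the original post, and not Shiro's own code): a small Python check that replays both orderings from this page under first-match-wins and flags rules that an earlier pattern shadows. The Ant-style matcher is a simplified approximation of Shiro's path matching, and the request path `/js/app.js` and the generated sample paths are constructed.

```python
import fnmatch

# The two orderings from the post above (question first, then the fix).
BROKEN = "/**=authc\n/js/** =anon\n/resources/** =anon"
FIXED = "/js/** =anon\n/resources/** =anon\n/**=authc"

def parse_chains(text):
    """Parse 'pattern = filter' lines, keeping definition order."""
    chains = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, _, filt = line.partition("=")
            chains.append((pattern.strip(), filt.strip()))
    return chains

def ant_match(pattern, path):
    """Simplified Ant-style match (an approximation, not Shiro's matcher):
    '**' spans zero or more path segments; '*' and '?' stay in one segment."""
    def walk(pat, segs):
        if not pat:
            return not segs
        if pat[0] == "**":
            return any(walk(pat[1:], segs[i:]) for i in range(len(segs) + 1))
        return (bool(segs) and fnmatch.fnmatchcase(segs[0], pat[0])
                and walk(pat[1:], segs[1:]))
    return walk(pattern.split("/"), path.split("/"))

def winning_rule(chains, path):
    """Index of the first rule whose pattern matches, or None."""
    return next((i for i, (p, _) in enumerate(chains) if ant_match(p, path)), None)

def filter_for(chains, path):
    i = winning_rule(chains, path)
    return None if i is None else chains[i][1]

def shadowed_rules(chains):
    """Heuristic lint: if an earlier rule wins a rule's own sample path, report it."""
    found = []
    for i, (pattern, _) in enumerate(chains):
        sample = pattern.replace("**", "a/b").replace("*", "x").replace("?", "c")
        winner = winning_rule(chains, sample)
        if winner is not None and winner < i:
            found.append((pattern, chains[winner][0]))
    return found

if __name__ == "__main__":
    for text in (BROKEN, FIXED):
        print(filter_for(parse_chains(text), "/js/app.js"), shadowed_rules(parse_chains(text)))
```

The shadowing check tests only one generated path per rule, so an empty result does not prove that every rule is reachable.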