This filter constructs a {@link UsernamePasswordToken UsernamePasswordToken} with the values found in {@link #setUsernameParam(String) username}, {@link #setPasswordParam(String) password}, and {@link #setRememberMeParam(String) rememberMe} request parameters. It then calls {@link org.apache.shiro.subject.Subject#login(org.apache.shiro.authc.AuthenticationToken) Subject.login(usernamePasswordToken)}, effectively automatically performing a login attempt. Note that the login attempt will only occur when {@link #isLoginSubmission(javax.servlet.ServletRequest,javax.servlet.ServletResponse) isLoginSubmission(request,response)} is true, which by default occurs when the request is for the {@link #setLoginUrl(String) loginUrl} and is a POST request.
If the login attempt fails, the resulting AuthenticationException fully qualified class name will be set as a request attribute under the {@link #setFailureKeyAttribute(String) failureKeyAttribute} key. This FQCN can be used as an i18n key or lookup mechanism to explain to the user why their login attempt failed (e.g. no account, incorrect password, etc).
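One way to consume the failure attribute in the login view's controller, as an added example that is not part of Shiro or of the original documentation. The class `LoginFailureMessages`, its method names and the message strings are hypothetical; it maps unknown-account and bad-password failures to the same text so the response does not reveal which usernames exist, and it never echoes the FQCN itself to the page.

```java
import javax.servlet.ServletRequest;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

/** Hypothetical helper (not a Shiro class): maps the failure FQCN to a user-facing message. */
public final class LoginFailureMessages {

    private LoginFailureMessages() {}

    /** Uses the filter's default failure key; valid only if failureKeyAttribute was not changed. */
    public static String messageFor(ServletRequest request) {
        return messageFor(request, FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME);
    }

    /**
     * @param request    the request the filter passed on to the login view after a failed attempt
     * @param failureKey the configured failureKeyAttribute name
     * @return a message for the user, or null if no failed login is recorded on this request
     */
    public static String messageFor(ServletRequest request, String failureKey) {
        Object value = request.getAttribute(failureKey);
        if (!(value instanceof String)) {
            return null; // attribute absent: this request is not a failed login submission
        }
        String fqcn = (String) value;

        // Deliberately the same text for both cases, so the page does not
        // confirm whether the submitted username has an account.
        if (fqcn.equals(UnknownAccountException.class.getName())
                || fqcn.equals(IncorrectCredentialsException.class.getName())) {
            return "Incorrect username or password.";
        }
        if (fqcn.equals(ExcessiveAttemptsException.class.getName())) {
            return "Too many failed attempts. Try again later.";
        }
        // Any other AuthenticationException subclass (including realm-specific
        // ones) gets a generic message; the class name is never rendered.
        return "Login failed.";
    }
}
```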
If you would prefer to handle the authentication validation and login in your own code, consider using the {@link PassThruAuthenticationFilter} instead, which allows requests to the {@link #loginUrl} to pass through to your application's code directly.

@author Les Hazlewood
@author Jeremy Haile
@see PassThruAuthenticationFilter
@since 0.9