An authentication filter that redirects the user to the login page when they try to access
a protected resource. However, if the user is trying to access the login page itself, the filter
lets the request pass through to the application code.

The difference between this filter and the FormAuthenticationFilter is that on a login submission
(by default an HTTP POST to the login URL), the FormAuthenticationFilter attempts to automatically
authenticate the user by passing the username and password request parameter values to
org.apache.shiro.subject.Subject#login(org.apache.shiro.authc.AuthenticationToken) directly.

Conversely, this filter always passes all requests to the login URL (see #setLoginUrl) through,
both GETs and POSTs. This is useful in cases where the developer wants to write their own login
behavior, which should include a call to
org.apache.shiro.subject.Subject#login(org.apache.shiro.authc.AuthenticationToken) at some point.
For example, if the developer has their own custom MVC login controller or validator, this
PassThruAuthenticationFilter may be appropriate.
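
A login handler of the kind described above, as an added example that is not part of Shiro's own code. Assumptions: the javax.servlet API, a hypothetical LoginServlet mapped to the filter's login URL, constructed view and fallback paths, and form fields named username and password.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical servlet; it must be mapped to the same URL as the filter's loginUrl.
public class LoginServlet extends HttpServlet {

    private static final String LOGIN_VIEW = "/WEB-INF/login.jsp"; // assumed view path
    private static final String FALLBACK_URL = "/";                // assumed landing page

    // GET reaches this code because the filter passes login URL requests through.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher(LOGIN_VIEW).forward(req, resp);
    }

    // POST is passed through too; the filter never calls Subject#login, so we must.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username"); // assumed field names
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        UsernamePasswordToken token = new UsernamePasswordToken(username, password.toCharArray());
        try {
            SecurityUtils.getSubject().login(token);
            // Send the user back to the protected URL saved before the login redirect.
            WebUtils.redirectToSavedRequest(req, resp, FALLBACK_URL);
        } catch (AuthenticationException e) {
            // One generic message for every failure, so responses do not reveal valid accounts.
            req.setAttribute("loginError", "Invalid username or password.");
            req.getRequestDispatcher(LOGIN_VIEW).forward(req, resp);
        } finally {
            token.clear(); // wipe the password char[] held by the token
        }
    }
}
```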