I'm creating an app using Shiro as the security framework. The app has two parts: Web and REST.
The Web part is using Shiro's default FormAuthenticationFilter.
I'm happy with the session based approach.
The stand-alone app which is using REST, I want to limit from using the FormAuthenticationFilter and from creating a session, which I'm able to do via the shiro.ini file.
I need to implement credentials-based security on the REST service.
Browsing the web I saw some blogs suggesting that you create your own Realm and filter to handle this scenario, but no details on how to do this.
Is it possible to implement credentials-based security in Apache Shiro? If so, is there a blog or tutorial that shows how to achieve this?
Regards
You could use basic auth for your web service endpoints and form-based authentication for the web.
Do web users also have access to your web service?
EDIT:
Check out this sample app: https://github.com/dominicfarr/skybird-shiro
It has three URL paths configured in Shiro:
web - uses form authentication.
api - uses basic authentication.
jersey - anonymous access.
Cutting to the shiro.ini config:
[main]
# where the form filter (authc) redirects unauthenticated web users
authc.loginUrl = /web/login.html
# web sessions, backed by an Ehcache-based session store
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionDAO = $sessionDAO
[users]
# username = password, role(s)
dom = password, user
[roles]
# role = permission(s)
user = standard
[urls]
# form authentication for the web; the login page itself goes through authc
# so that the filter can process the login submission
/web/login.html = authc
/web/** = authc
# HTTP Basic authentication for the REST api
/api/** = authcBasic
# no authentication required
/jersey/message = anon
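The chain above authenticates the REST path with Basic credentials, but authcBasic by itself still creates a Shiro session for the REST client on a successful login, which is exactly what the question wants to avoid. The following shiro.ini is an added example written for this page, not the skybird-shiro sample's own config: it keeps the web chain as above and shows the /api/** chain first as posted (session-backed) and then corrected with Shiro's built-in noSessionCreation filter placed ahead of authcBasic. The user, role and path names are placeholders carried over from the answer for illustration.

```ini
# Added example, not the skybird-shiro sample's config.
# Placeholder users, roles and paths follow the answer above.
[main]
authc.loginUrl = /web/login.html
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionDAO = $sessionDAO

[users]
# placeholder credential; a production realm should be backed by a user
# store with hashed passwords (e.g. HashedCredentialsMatcher on the realm)
dom = password, user

[roles]
user = standard

[urls]
# session-based form login for browser users
/web/login.html = authc
/web/** = authc

# weak: Basic auth on the REST path, but a Shiro session is still created
# for the REST client after a successful login
# /api/** = authcBasic

# corrected: noSessionCreation must come BEFORE authcBasic in the chain so
# that no session is created; the client then has to send its credentials
# on every request, which is the stateless behaviour the question asks for
/api/** = noSessionCreation, authcBasic

/jersey/message = anon
```

Filter order in a chain is significant: noSessionCreation only affects filters that run after it, so putting it last would leave the session creation in place. Because Basic authentication sends the username and password (Base64-encoded, not encrypted) on every request, the /api/** path must only be served over TLS.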