I agree with Josh; that sounds reasonable. And really, if the data and changes you're exposing via your API require more stringent security, you shouldn't be using HTTP-Basic as your auth scheme anyway. Probably something like OAuth or some custom signing scheme. See long discussion at http://www.stormpath.com/blog/secure-your-rest-api-right-way.
Thanks for the enlightening discussion guys.

----
Saad

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-Auth-On-REST-API-Killing-CPU-tp7579340p7579359.html
Sent from the Shiro User mailing list archive at Nabble.com.
