Hello,

We currently have a Wicket web application that uses Shiro for authn/authz. We're planning on converting the underlying business model into an API, leaving the web application to take care of presentation only. As other applications are going to use the API, I need to secure both authentication via API and authentication via the web application. I did add a realm to the API, and it works just fine.

So, in my web application do I need to make an API call now for every time I need to check the current subject's permission, or is there some way I can add Shiro authentication both to the API and the web application?

I guess my point is
1) I want to avoid code duplication
2) I would like to take advantage of Shiro's session management for the web application

Any pointers would be greatly appreciated,
Natalie
