Hello community, I'm developing a web application and would like to implement the following.

(1) Form-based user (developer) login by user name and password.
(2) REST API protected by API key and API secret.

I think they can be achieved by authc (FormAuthenticationFilter) and authcBasic (BasicHttpAuthenticationFilter), respectively. But I still haven't figured out how to configure shiro.ini. In my case, the credentials used for login and the credentials used for the API are different, so I think a different realm should be prepared for each. In other words, I'd like to manage the pool of username/password pairs and the pool of API key/secret pairs separately. However, I could not find a way to specify the realm to be used for a certain path.

To be concrete, I'd like "/api/**" to be authenticated/authorized by API key and API secret, and other paths to be authenticated/authorized by username and password. I might be able to achieve this in an ugly way with tricky Filter/Realm implementations, but I'd like to know the best practice.

Could anyone help me please?

Best Regards,
Takahiko Kawasaki
