You could skip Shiro for the API:

/web/url/ = authc
/api/url/ = anon

Then handle basic auth in your API endpoints. I use Dropwizard for my API endpoints, for example; it handles basic auth very neatly.

On 24 February 2014 07:47, Takahiko Kawasaki <[email protected]> wrote:
> Hello community,
>
> I'm developing a web application and would like to implement the following.
>
> (1) Form-based user (developer) login by user name and password.
> (2) REST API protected by API key and API secret.
>
> I think they can be achieved by authc (FormAuthenticationFilter) and
> authcBasic (BasicHttpAuthenticationFilter), respectively. But I still can't
> figure out how to configure shiro.ini.
>
> In my case, the credentials used for login and the credentials used for the API are
> different. So I think different realms should be prepared for each. In
> other words, I'd like to manage the pool of username/password pairs and the
> pool of API key/secret pairs separately. However, I could not find a way to
> specify a realm to be used for a certain path. To be concrete, I'd like
> "/api/**" to be authenticated/authorized by API key and API secret and
> other paths to be authenticated/authorized by username and password.
>
> I might be able to achieve this in an ugly way with tricky Filter/Realm
> implementations, but I'd like to know the best practice.
>
> Could anyone help me please?
>
> Best Regards,
> Takahiko Kawasaki
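The approach in the reply above, worked through as an added example that is not code from the thread or from the Shiro or Dropwizard projects: Shiro's `[urls]` section marks `/api/**` as `anon` so the form login (`authc`) only governs the web paths, and a plain servlet `Filter` mapped to `/api/*` checks HTTP Basic credentials against the separate API key/secret pool. The `ApiKeyStore` interface, the `ApiKeyBasicAuthFilter` class name and the sample key `dev-key-1` are assumptions made for the example; the secret comparison uses `MessageDigest.isEqual` so a wrong secret does not leak timing information.

```java
// Added example (not from the thread). The matching shiro.ini [urls] section leaves
// /api/** to this filter and keeps the username/password realm for everything else:
//
//   [urls]
//   /api/** = anon
//   /**     = authc
//
// Map this filter to /api/* in web.xml (or the equivalent servlet registration) so that
// Basic credentials on the API are verified against the API key/secret pool, independent
// of the realm Shiro uses for the form login. ApiKeyStore is a hypothetical interface.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ApiKeyBasicAuthFilter implements Filter {

    /** Looks up the secret for an API key; null if the key is unknown. Hypothetical interface. */
    public interface ApiKeyStore {
        String secretFor(String apiKey);
    }

    private final ApiKeyStore store;

    public ApiKeyBasicAuthFilter(ApiKeyStore store) {
        this.store = store;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String apiKey = authenticate(request.getHeader("Authorization"));
        if (apiKey == null) {
            // Challenge the client; nothing behind /api/** runs without a valid key/secret pair.
            response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute("apiKey", apiKey); // make the caller's identity available downstream
        chain.doFilter(req, res);
    }

    /** Returns the authenticated API key, or null if the header is missing, malformed or wrong. */
    String authenticate(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null; // Basic credentials must be "key:secret"
        }
        String key = pair.substring(0, colon);
        String presented = pair.substring(colon + 1);
        String expected = store.secretFor(key);
        if (expected == null) {
            return null; // unknown key
        }
        // Constant-time comparison so a wrong secret leaks no timing information.
        boolean ok = MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
        return ok ? key : null;
    }

    // Stand-alone check against a constructed in-memory key store (sample data, not real keys).
    public static void main(String[] args) {
        Map<String, String> keys = Map.of("dev-key-1", "s3cret");
        ApiKeyBasicAuthFilter filter = new ApiKeyBasicAuthFilter(keys::get);
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("dev-key-1:s3cret".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder()
                .encodeToString("dev-key-1:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println("good header -> " + filter.authenticate(good));
        System.out.println("bad secret  -> " + filter.authenticate(bad));
        System.out.println("no Basic    -> " + filter.authenticate("Bearer x"));
    }
}
```

Because Shiro treats `/api/**` as `anon`, nothing in the Shiro `authc` chain (session cookies, form redirects) applies to API calls; the filter above is the only gate on that path, so it must be registered for exactly the prefix that shiro.ini releases, and the API key pool stays entirely separate from the username/password realm.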
