Thank you, but I'd like to use Shiro for both user login and API.
Below is my idea of a tricky implementation. Could anyone give me any comments
or advice? I'm afraid I may be trying something wrong...
1. Create an implementation of AuthenticationToken (subclass of
UsernamePasswordToken).
2. Create a subclass of BasicHttpAuthenticationFilter.
2-1. Override the createToken method to return an instance of the class
implemented in step 1.
3. Set the filter implemented in step 2 on "/api/**" (instead of
authcBasic).
4. Create an implementation of Realm (subclass of AuthorizingRealm).
4-1. Implement doGetAuthenticationInfo and do the following in the
implementation:
(a) If the given token is an instance of the class implemented in
step 1, authenticate with the API key and API secret.
(b) Otherwise, authenticate with the username and password.
Virtual implementation in my head:
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;

// Token at step 1: same fields as UsernamePasswordToken, but a distinct
// class so the realm can tell API-key credentials from form credentials.
public class MyToken extends UsernamePasswordToken {
    public MyToken(UsernamePasswordToken token) {
        super(token.getUsername(), token.getPassword(),
              token.isRememberMe(), token.getHost());
    }
    ....
}

// Filter at step 2: wraps the token parsed from the Basic header.
// (BasicHttpAuthenticationFilter.createToken declares no checked exception,
// so the override cannot add "throws Exception".)
public class MyFilter extends BasicHttpAuthenticationFilter {
    @Override
    protected AuthenticationToken createToken(ServletRequest request,
                                              ServletResponse response) {
        AuthenticationToken token = super.createToken(request, response);
        return new MyToken((UsernamePasswordToken) token);
    }
    ...
}

// Realm at step 4: dispatches on the token class.
public class MyRealm extends AuthorizingRealm {
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        if (token instanceof MyToken) {
            // Do authentication with API key and API secret.
            return null; // sketch: build and return the AuthenticationInfo here
        } else {
            // Do authentication with username and password.
            return null; // sketch: build and return the AuthenticationInfo here
        }
    }
}
Best Regards,
Takahiko Kawasaki
2014-02-24 17:04 GMT+09:00 Dominic Farr <[email protected]>:
> You could skip shiro for the api.
>
> /web/url/ = authc
> /api/url/ = anon
>
> Then handle basic auth in your api endpoints. I use Dropwizard for my api
> endpoints, for example, it handles basic auth very neatly.
>
> On 24 February 2014 07:47, Takahiko Kawasaki <[email protected]> wrote:
>
>> Hello community,
>>
>> I'm developing a web application and would like to implement the
>> following.
>>
>> (1) Form-based user (developer) login by user name and password.
>> (2) REST API protected by API key and API secret.
>>
>> I think they can be achieved by authc (FormAuthenticationFilter) and
>> authcBasic (BasicHttpAuthenticationFilter), respectively. But I still can't
>> figure out how to configure shiro.ini.
>>
>> In my case, credentials used for login and credentials used for API are
>> different. So I think different realms should be prepared for each. In
>> other words, I'd like to manage the pool of username/password pairs and the
>> pool of API key/secret pairs separately. However, I could not find a way to
>> specify a realm to be used for a certain path. To be concrete, I'd like
>> "/api/**" to be authenticated/authorized by API key and API secret and
>> other paths to be authenticated/authorized by username and password.
>>
>> I might be able to achieve this in an ugly way with tricky Filter/Realm
>> implementations, but I'd like to know the best practice.
>>
>> Could anyone help me please?
>>
>> Best Regards,
>> Takahiko Kawasaki
>>
>
>
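The four steps sketched in the thread, written out as one compilable example against the Shiro 1.2 API. This is an added example, not code from the thread or from the Shiro project: the package name, the class names ApiKeyToken, ApiKeyBasicAuthFilter and DualRealm, the in-memory credential pools and the sample user "alice" and key "ak_demo_0001" are all assumptions. Both pools are stored as salted, iterated SHA-256 hashes and verified by Shiro's own HashedCredentialsMatcher, so neither the API secret nor the password is kept in clear text.

```java
// Added example (not from the thread): one realm serving both credential
// pools, dispatched on the token type. Names and sample data are assumptions.
package com.example.shiro;

import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;

/*
 * Matching shiro.ini (assumed layout). First matching [urls] entry wins, so
 * the /api/** line must precede /**. The roles[api] filter is what stops a
 * browser session logged in via the form from reaching /api/** without a key:
 * BasicHttpAuthenticationFilter lets any already-authenticated subject through.
 *
 * [main]
 * dualRealm = com.example.shiro.DualRealm
 * apiAuth = com.example.shiro.ApiKeyBasicAuthFilter
 * securityManager.realms = $dualRealm
 * authc.loginUrl = /login
 * [urls]
 * /login = authc
 * /api/** = noSessionCreation, apiAuth, roles[api]
 * /** = authc
 */

/** Step 1: marker token. The Basic "username" carries the API key, the "password" the secret. */
class ApiKeyToken extends UsernamePasswordToken {
    ApiKeyToken(UsernamePasswordToken t) {
        super(t.getUsername(), t.getPassword(), t.isRememberMe(), t.getHost());
    }
    String getApiKey() { return getUsername(); }
}

/** Step 2: the filter mapped to /api/** wraps the parsed Basic credentials in the marker token. */
class ApiKeyBasicAuthFilter extends BasicHttpAuthenticationFilter {
    @Override
    protected AuthenticationToken createToken(ServletRequest req, ServletResponse res) {
        return new ApiKeyToken((UsernamePasswordToken) super.createToken(req, res));
    }
}

/** Step 4: one realm, two separately managed pools, dispatched on the token class. */
public class DualRealm extends AuthorizingRealm {
    private static final int ITERATIONS = 10_000;
    // principal -> {saltString, hashHex}; constructed sample data, normally a database.
    private final Map<String, String[]> users = new HashMap<>();
    private final Map<String, String[]> apiClients = new HashMap<>();

    public DualRealm() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        m.setHashIterations(ITERATIONS);
        setCredentialsMatcher(m);
        put(users, "alice", "correct horse battery staple"); // developer form login
        put(apiClients, "ak_demo_0001", "s3cret-demo-value");  // API key / API secret
    }

    private static void put(Map<String, String[]> pool, String principal, String secret) {
        String salt = UUID.randomUUID().toString();
        String hash = new Sha256Hash(secret, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
        pool.put(principal, new String[] {salt, hash});
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Same comparison path for both pools; only the lookup table differs.
        Map<String, String[]> pool = token instanceof ApiKeyToken ? apiClients : users;
        String principal = (String) token.getPrincipal();
        String[] rec = pool.get(principal);
        if (rec == null) {
            return null; // unknown key or user: Shiro raises UnknownAccountException
        }
        // The matcher re-hashes the presented secret with this salt and compares to rec[1].
        return new SimpleAuthenticationInfo(principal, rec[1], ByteSource.Util.bytes(rec[0]), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String principal = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (apiClients.containsKey(principal)) info.addRole("api");
        if (users.containsKey(principal)) info.addRole("developer");
        return info;
    }
}
```

Two design points worth keeping in mind with this layout. First, the instanceof dispatch only tells the two pools apart at authentication time; authorization sees a plain string principal, so the roles are derived from which pool contains it, and a username that collides with an API key would receive both roles (a distinct principal type per pool avoids that). Second, the filter chain, not the realm, decides which credentials a path accepts: without the roles[api] entry, a developer who logged in through the form could call /api/** on the strength of the session cookie alone, which is usually not what an API-key scheme intends.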