I think your problem is that basic authentication isn't stored in a session or session identifier, and therefore shiro isn't aware of it in the same way CAS or authC filter is.
Why not proxy your web calls to your api behind a url that needs casFilter. -d On 3 March 2014 07:37, skybird <[email protected]> wrote: > I have a web application that has some web services and some account pages. > When protected account pages are accessed it authenticates against CAS. > That > works fine. > > If a webservice is invoked by the same application the rest service should > not need authentication any more. However rest services are also exposed > and > I want authcBasic enabled on them if the client is not my own web app. So > my > question is how do I configure the /rest/** url so that it does not ask for > authentication if it is being called from an authenticated CAS user but > prompt for basic auth if the client is not my web app? > > Heres my shiro urls section config: > > [urls] > /shiro-cas = casFilter > /account/** = roles[ROLE_USER] > /rest/** = authcBasic > > > > > > -- > View this message in context: > http://shiro-user.582556.n2.nabble.com/authcBasic-with-shiro-cas-tp7579708.html > Sent from the Shiro User mailing list archive at Nabble.com. >
