I am planning on using Shiro and an Amazon-like authentication scheme to secure my REST API. My initial thoughts are to create a custom authentication token and a custom realm that supports the custom authentication token. The token will be an HMACAuthenticationToken and will hold the client's API key and HMAC. In my custom realm I will retrieve the client's API secret from a database based on the API key found in the authentication token, then use the secret and information from the HTTP request to verify that the HMAC value passed in from the client is correct. The only problem is I don't see a way to access the HTTP Request from within the custom realm. Am I approaching this the right way? If so, how do I access the HTTP request within the realm? If not, how should I be approaching this? The only other way I've thought of doing this is adding a third property to the HMACAuthenticationToken that will hold the message string that will be used to verify the HMAC value provided by the client (i.e. instead of assembling the message string in the realm from information in the HTTP request I would assemble the message string at the time the HMACAuthenticationToken is created and add it into the token). Thanks in advance.
-- View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-REST-with-HMAC-Authentication-Tokens-tp7579814.html Sent from the Shiro User mailing list archive at Nabble.com.
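The second option described in the post, as an added example that is not the poster's code or part of Shiro itself: the filter (where the servlet request is available) assembles the canonical message and places it in the token, so the realm never needs the HTTP request and only looks up the secret, recomputes the HMAC and hands both to a constant-time credentials matcher. The SecretStore interface is a hypothetical stand-in for the database lookup; the canonical message should include a timestamp or nonce from the request so a captured signature cannot be replayed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.realm.AuthenticatingRealm;

public class HmacRealm extends AuthenticatingRealm {
    /** Token built by the web filter, where the HTTP request is available. */
    public static final class HmacAuthenticationToken implements AuthenticationToken {
        final String apiKey; final byte[] hmac; final String message;
        public HmacAuthenticationToken(String apiKey, byte[] hmac, String message) {
            this.apiKey = apiKey; this.hmac = hmac; this.message = message;
        }
        @Override public Object getPrincipal() { return apiKey; }
        @Override public Object getCredentials() { return hmac; }
    }
    /** Hypothetical secret lookup standing in for the application's database. */
    public interface SecretStore { byte[] secretFor(String apiKey); }
    private final SecretStore secrets;

    public HmacRealm(SecretStore secrets) {
        this.secrets = secrets;
        // Compare the client's HMAC with the expected HMAC in constant time.
        setCredentialsMatcher((tok, info) -> MessageDigest.isEqual(
                (byte[]) tok.getCredentials(), (byte[]) info.getCredentials()));
    }
    @Override public boolean supports(AuthenticationToken token) {
        return token instanceof HmacAuthenticationToken;
    }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        HmacAuthenticationToken t = (HmacAuthenticationToken) token;
        byte[] secret = secrets.secretFor(t.apiKey);
        if (secret == null) throw new AuthenticationException("unknown API key");
        // Expected HMAC over the message the filter assembled from the request;
        // Shiro's matcher compares it with the token's credentials.
        return new SimpleAuthenticationInfo(t.apiKey, hmacSha256(secret, t.message), getName());
    }
    static byte[] hmacSha256(byte[] key, String message) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

A mismatch surfaces as Shiro's IncorrectCredentialsException from the matcher, so the realm needs no comparison logic of its own.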
