If you configure the FormAuthenticationFilter to protect every HTTP request in the [urls] section (/** = authc), then users would not be able to access your login page without being authenticated. So, in order to let users access the login page, you specify it in the ini file, which causes Shiro to exempt it from access restrictions and also do an automatic redirect to the login page whenever someone tries to navigate to a URL without being authenticated.
You only need to enable Shiro via the web.xml file as described here https://shiro.apache.org/webapp-tutorial.html#step1, chapter 1b: Enable Shiro in web.xml, and configure Shiro via the ini file, and everything is ready to work. You do *not* need to manipulate any SecurityManager, token, factory or whatsoever. You need to supply a login page for browsers to authenticate through and some server-side code (JSF, servlet, JAX-RS ...) to handle requests and deliver data from the database to the client or trigger business methods on the database. This server-side code must check whether SecurityUtils.getSubject().isAuthenticated() == true to execute the code, or return an HTTP 401 otherwise. For REST requests you should use BasicAuthentication over TLS because it is built into Shiro. You can also use other authentication methods like OAuth tokens or something completely different, but that is not provided out of the box and therefore must be somehow implemented by you beforehand.

This is what part of our ini file looks like - we only accept TLS connections to port 8443 and do not use a FormAuthenticationFilter but instead use a PassThroughAuthenticationFilter in combination with our own login page, which differs from what the FormAuthenticationFilter would require:

    [main]
    ...
    authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
    logout = org.apache.shiro.web.filter.authc.LogoutFilter
    authc.loginUrl = /login.xhtml
    authc.successUrl = /welcome.xhtml
    logout.redirectUrl = /login.xhtml

    [urls]
    /login.xhtml = ssl[8443], authc
    /logout = logout
    # the next line is needed to retrieve jsf resources from jar library
    /javax.faces.resource/** = ssl[8443], anon
    /rest/** = noSessionCreation, ssl[8443], authcBasic
    /SoapService/** = noSessionCreation, ssl[8443], authcBasic
    /** = ssl[8443], authc

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-should-we-go-about-configuring-a-Desktop-Client-with-Shiro-in-the-Server-tp7581322p7581359.html
Sent from the Shiro User mailing list archive at Nabble.com.
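As an added example (not from the post above or from the Shiro project), the server-side rule the author describes for the /rest/** resources, a 401 unless SecurityUtils.getSubject().isAuthenticated() holds, written as a JAX-RS request filter; the class name and realm string are assumptions, and it relies on Shiro's web filter already being enabled via web.xml as the post says.

```java
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// Added example: runs before every JAX-RS resource method and enforces the
// "authenticated or HTTP 401" check from the post, as defence in depth behind
// the authcBasic filter configured for /rest/** in the ini file.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class ShiroAuthenticatedFilter implements ContainerRequestFilter {

    // Realm name is an assumption; match what your Basic auth filter advertises.
    private static final String REALM = "application";

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Shiro's web filter has already bound the Subject to this thread. With
        // noSessionCreation it is backed only by the Basic credentials sent on
        // this request (over the TLS port the ini restricts to), not by a session.
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            return; // credentials were verified by Shiro; let the resource run
        }

        // Not authenticated: refuse without running any business code and without
        // creating a session. The challenge header lets clients retry with
        // credentials; the body carries no detail about why the request failed.
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"" + REALM + "\"")
                .build());
    }
}
```

Register the filter with your JAX-RS application (or let classpath scanning pick up the @Provider); resource methods then never see an unauthenticated Subject.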
