Thanks for the info.
Yeah, I don't know what's up, but I just get the 302 "FOUND" status code. Do you have any idea why that would be? I will try to find out what gets passed down, or see if there is some sort of error, but it seems not to pass any error since it is "FOUND"; I'm just not sure why that's the status code I get.

Gotcha, not sure if I would return the status code 401 or not, because I'm not sure if that information is relevant to the users over a "cannot log in" message.

Thanks, I actually saw a comment on Apache HttpClient that was talking about BASIC vs DIGEST authentication, so I'm assuming there are a few authentication schemes. I see there are ways to use the built-in HTTP/HttpClient login with authentication, but not sure if I'm supposed to work with that, or just send the information to the servlet via a form login, which is what I see mentioned in HttpClient as a basic example? I didn't think there was a special way to do this, and the example on HttpClient just shows us how to create a form as if we were logging in to a web page. Is there something special I must do in order to do this "correctly"? I'm a little confused what the difference between just sending the username/password as a form request over a "BASIC AUTH" would be... I'll check on the wiki and such, so that might also answer my question.

Thanks for the info on TLS. I'll try to set it up properly, but not sure if users will have issues with non-admin access. My target should be pretty much only Windows machines, I would assume.

I noticed from looking at the docs that essentially the PassThru filter will send everything to the loginUrl, which they said is something you do if you have created your own login scheme and are calling .login(token) yourself? I'm assuming most people will use the FormAuthentication filter? I'll check out to see what the differences are. I might use this eventually since I need to set up my own Authentication class at some point, but maybe there is another filter that might be better, but this seems to be the one if you use it with your own login code, at least that's what the docs mention.

Also, I thought I read somewhere that Shiro only works with Servlet spec 2.5? I notice I am using that spec in my web.xml, but I am curious if I should upgrade to something better such as 3.1? I have a feeling that I lowered my spec because I was using Tomcat 6 originally, but now that I'm using Tomcat 8 I feel that it might be better to upgrade. I'm just not sure if there are any issues with upgrading that could affect my libraries/projects. Is there anything to worry about when upgrading specs that might affect Shiro/other Apache products? I'm pretty sure I saw something that specifically mentioned we should use 2.5 in Shiro, but cannot find that information now, so I don't know what the truth is. From what I read, in 3.0+ we can use certain methods to get multi-part entities read, or else we have to use another library such as Apache FileUpload, which I've used before, if we use Servlet Spec 2.5...?

Thanks for all of the help, much appreciated.

________________________________
From: scSynergy <[email protected]>
Sent: Wednesday, November 16, 2016 2:22:37 AM
To: [email protected]
Subject: Re: How should we go about configuring a Desktop Client with Shiro in the Server?

If you cannot log in then something is wrong - did an exception get thrown or some other hint show up as to what might be the cause? A failed login attempt should return an HTTP 401 response so as to behave in a way that most people would expect - but there is no technical reason for it.

Basic Authentication <https://en.wikipedia.org/wiki/Basic_access_authentication> is the most simple and widespread means for authentication with REST services, but it is definitely not a must. Also, BasicAuth sends username and password in clear text (base64 encoded is *not* encrypted), so in a production environment you should only use it in conjunction with TLS to prevent passwords from getting stolen. Depending on your needs and preferences you may want to use a different secure alternative instead, but that is totally up to you. I only recommend BasicAuth because it is easy to do since it is part of the HTTP specification and comes with lots of examples on the internet.

The port most people use for TLS is 443; we only use 8443 to prevent port conflicts with other applications running on the same server and because having non-root users open ports to listen below 1024 requires additional magic under Unix.

Yes, FormAuthenticationFilter defaults to authc with Shiro. We only use the PassThruAuthenticationFilter because we do not need the additional features that FormAuthenticationFilter offers. PassThruAuthenticationFilter <https://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.html>
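The thread above boils down to two Shiro behaviours: the form and pass-through filters (`authc`, PassThruAuthenticationFilter) answer an unauthenticated request with a redirect to `loginUrl`, which a non-browser client sees as a 302 "FOUND", while the HTTP Basic filter (`authcBasic`, BasicHttpAuthenticationFilter) answers with a 401 and a `WWW-Authenticate` challenge, and Basic credentials must be confined to TLS. The following shiro.ini is an added example, not configuration from either poster or from the Shiro project: it keeps form login for browser pages and puts the desktop/REST paths behind Basic over TLS on port 8443. The path patterns, the `desktop-api` realm name and the test account are placeholders.

```ini
# Added example, not from the thread: form login for browsers, HTTP Basic over
# TLS for the desktop client. Paths, realm name and the [users] entry are placeholders.

[main]
# Browser-facing form login (FormAuthenticationFilter, default filter name "authc").
# An unauthenticated request to an "authc"-guarded path is answered with a
# 302 redirect to loginUrl, which is what a non-browser client sees as "FOUND".
authc.loginUrl = /login.jsp
authc.successUrl = /home.jsp

# Client-facing HTTP Basic (BasicHttpAuthenticationFilter, default name "authcBasic").
# Missing or rejected credentials get a 401 plus "WWW-Authenticate: BASIC realm=...",
# which REST clients such as Apache HttpClient negotiate without a login form.
authcBasic.applicationName = desktop-api

# Basic sends the password base64-encoded, not encrypted, so refuse plain HTTP:
# the "ssl" filter redirects non-TLS requests to this port.
ssl.port = 8443

[users]
# Placeholder account for local testing only; a JDBC or LDAP realm replaces this.
alice = changeme, user

[roles]
user = api:read

[urls]
# First matching pattern wins, so the API paths go before the catch-all.
/login.jsp = ssl, authc
/api/**    = ssl, noSessionCreation, authcBasic, roles[user]
/**        = ssl, authc
```

With this layout a desktop client that sends an `Authorization: Basic ...` header to `/api/**` is either accepted or gets a 401 it can act on, and a request that arrives without TLS is redirected to 8443 before any credential is read; the `noSessionCreation` filter keeps the stateless API from accumulating server-side sessions for each call.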
