I was just reading that post!! 

OK, cool, it can be done if need be. Gunna use the stormpath one for now.

thx!

-joe



> On Feb 24, 2017, at 9:46 AM, Brian Demers <[email protected]> wrote:
> 
> Hey Joe,
> 
> Not without a bit of custom work.
> 
> See:
> http://shiro-user.582556.n2.nabble.com/REST-based-token-auth-approach-td7577677.html
>  
> 
> 
> 
> On Thu, Feb 23, 2017 at 10:37 PM, Joe Murray <[email protected]> wrote:
> Hi Shiro’ers,
> 
>         I have an application that uses the …web.jaxrs.ShiroFeature class to 
> provide fine-grained permissions control on my methods, something like:
> 
> ….
> 
> @GET
> @Path("/gettest")
> @RequiresPermissions("trooper:write")
> public List<Stuff> gettest() throws Exception {
>         return listOfStuff;
> }
> 
> 
> 
> In order to invoke the API, the client has to put the credentials in 
> headers - with Android/Volley for example something like this:
> 
> @Override
> public Map<String, String> getHeaders() throws AuthFailureError {
> 
>     Map<String, String> headers = new HashMap<>();
>     String credentials = "jlpicard:Changeme1";
>     String auth = "Basic "
>             + Base64.encodeToString(credentials.getBytes(), Base64.NO_WRAP);
> 
>     headers.put("Authorization", auth);
>     return headers;
> }
> 
> All works great. But I’m wondering if there’s any other way to pass/get 
> credentials?  Maybe authenticate first, then set a bearer token in the 
> headers instead of the credentials or something like that?
> 
> I know the Stormpath servlet can do it - but there are some simple instances 
> where I might want to have just one or 2 user credentials in the shiro.ini 
> file for example - rather than use Stormpath all the time.
> 
> Possible?
> 
> -joe
> 
> ...
> 
> [main]
> 
> 
> # Shiro and the Stormpath API can use the same configured Cache Manager
> 
> #stormpathClient = com.stormpath.shiro.client.ClientFactory
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> 
> stormpathClient = com.stormpath.shiro.client.ClientFactory
> stormpathClient.cacheManager = $cacheManager
> 
> # we can disable session tracking completely, and have Stormpath manage it for us.
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.sessionIdCookieEnabled = false
> securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
> 
> stormpathRealm = com.stormpath.shiro.realm.ApplicationRealm
> stormpathRealm.client = $stormpathClient
> 
> stormpathRealm.groupRoleResolver.modeNames = name
> securityManager.realm = $stormpathRealm
> 
> stormpathRealm.applicationRestUrl = https://api.stormpath.com/v1/applications/XXXXXXXXXXXXXX
> 
> 
> [urls]
> # use permissive to NOT require authentication, our resource Annotations will decide that
> 
> /** = noSessionCreation, authcBasic[permissive]
> 
