Yes, exactly. You should replace "no authentication" with "hidden authentication". For example, you can use a second realm for this which knows the public part of the certificate. The client could be configured to automatically pass the corresponding private certificate.

On Fri, 15 May 2020 at 20:34, Lenny Primak <[email protected]> wrote:

>
> That’s really dangerous.
> I would suggest something like client certificate authentication in web
> browsers to do this job
>
>
> On May 15, 2020, at 1:08 PM, Alex Sviridov <[email protected]> wrote:
> >
> > Hi all,
> >
> > I have a system, that can be accessed by web interface (http servlet) and
> > by CLI.
> >
> > In my application I have a superuser with loginname and password. When
> > someone wants to use system by web as a superuser he must
> > provide superuser loginname and password. This case Shiro web filter is
> > used and everything is ok → I have subject.login(...), subject.logout() etc.
> > So, everything is clear here.
> >
> > However, when someone uses application by CLI he needs to work as superuser
> > without providing loginname and password (by CLI it is possible to reset
> > superuser
> > loginname and password). So, I need to log superuser in without loginname
> > and
> > password. Could anyone say how it can be done in Shiro? I mean I have a User
> > object and I need to authenticate it in shiro without loginname and
> > password.
> >
> > Best regards, Alex
> >
>
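
One way to build the second realm suggested in the reply at the top of this thread, as an added example that is not code from the thread or from the Shiro project. It assumes a bare RSA key pair and a signed single-use nonce in place of a full certificate; `SignedNonceToken`, `CliKeyRealm`, `issueNonce` and the `superuserPrincipal` parameter are hypothetical names.

```java
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;

/** Hypothetical token: the CLI returns a server-issued nonce plus its signature over it. */
class SignedNonceToken implements AuthenticationToken {
    final byte[] nonce, signature;
    SignedNonceToken(byte[] nonce, byte[] signature) { this.nonce = nonce; this.signature = signature; }
    @Override public Object getPrincipal() { return "cli"; }          // placeholder label only
    @Override public Object getCredentials() { return signature; }
}

/** Hypothetical second realm: stores only the public key, never a password. */
public class CliKeyRealm extends AuthenticatingRealm {
    private final PublicKey cliPublicKey;     // public half, provisioned on the server
    private final String superuserPrincipal;  // assumption: name of the superuser account
    private final Set<String> pending = ConcurrentHashMap.newKeySet(); // issued, unused nonces

    public CliKeyRealm(PublicKey cliPublicKey, String superuserPrincipal) {
        this.cliPublicKey = cliPublicKey; this.superuserPrincipal = superuserPrincipal;
        setAuthenticationTokenClass(SignedNonceToken.class);      // realm ignores password tokens
        setCredentialsMatcher(new AllowAllCredentialsMatcher());  // signature is verified below
    }

    /** Issue a fresh single-use challenge for the CLI to sign with its private key. */
    public byte[] issueNonce() {
        byte[] n = new byte[32];
        new SecureRandom().nextBytes(n);
        pending.add(Base64.getEncoder().encodeToString(n));
        return n;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        SignedNonceToken t = (SignedNonceToken) token;
        // Reject nonces this realm did not issue, or that were already redeemed (replay).
        if (!pending.remove(Base64.getEncoder().encodeToString(t.nonce)))
            throw new IncorrectCredentialsException("unknown or replayed nonce");
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cliPublicKey);
            verifier.update(t.nonce);
            if (!verifier.verify(t.signature)) throw new IncorrectCredentialsException("bad signature");
        } catch (GeneralSecurityException e) { throw new AuthenticationException(e); }
        return new SimpleAuthenticationInfo(superuserPrincipal, t.signature, getName());
    }
}
```

The CLI would sign the bytes returned by `issueNonce()` and call `subject.login(new SignedNonceToken(nonce, signature))`; the private key stays on the CLI host and should be readable only by the account allowed to act as superuser.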
