Hi there, Richard. I created securityrequestfilter that reads header for auth token and autorize/or not. Than it pass request to other filters. Some part of code for example:
public class SecurityRequestFilter implements HttpServletRequestFilter { @Inject private SecurityService securityService; @Override public boolean service(HttpServletRequest request, HttpServletResponse response, HttpServletRequestHandler handler) throws IOException { if (request.getHeader("Authorization") != null) login(request.getHeader("Authorization")); else slog.info("Anonymous request detected."); return handler.service(request, response); } As for application module(Main tapestry configuration class): @Contribute(HttpServletRequestHandler.class) public static void httpServletRequestHandler(OrderedConfiguration<HttpServletRequestFilter> configuration, @InjectService("ServletRequestFilter") HttpServletRequestFilter servletRequestFilter, @InjectService("SecurityRequestFilter") HttpServletRequestFilter securityRequestFilter) { configuration.add("SecurityRequestFilter", securityRequestFilter, "after:SecurityConfiguration", "before:ResteasyRequestFilter"); configuration.add("ServletRequestFilter", servletRequestFilter, "after:ResteasyRequestFilter", "before:GZIP"); } I can't say that a right thing to do. But my way works fine to use tapestry-security with tapestry-resteasy. Good luck. On 5 May 2017 at 23:49, Richard Frovarp <rfrov...@apache.org> wrote: > I'm wondering if there is a straightforward way to secure > tapestry-resteasy with Shiro. We're already using tapestry-security. I have > a student doing some work to do this, and it doesn't seem like the two work > together. We can protect the URL path from the AppModule using the Shiro > code like we do everywhere else. However, we can't get annotations to work > on the REST "pages" or methods. I would like to be able to do things like > access level access control and permission based control based on the > authenticated user through the same Shiro tools that we have been using. > > It feels like we're missing something. I can probably build my own > integration, but if it is already solved and we are just missing it, I > would rather do it the correct way. > > Thanks, > > Richard > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org > For additional commands, e-mail: users-h...@tapestry.apache.org > > -- With best regards, Pavel Chernyak