Question

I'm creating an app using Shiro as the security framework. The app has two parts: Web and Rest.

The Web is using Shiro's default FormAuthenticationFilter. I'm happy with the session based approach.

The stand-alone app, which is using Rest, I want to limit from using the FormAuthenticationFilter and from creating a session, which I'm able to do via the shiro.ini file.

I need to implement credentials based security on the rest service.

Browsing on the web I saw some blogs suggesting that you create your own Realm and filter to handle this scenario. But no details on how to do this.

Is it possible to implement credentials based security on Apache Shiro? If so is there a blog or tutorial that shows you how to achieve this?

Regards


Solution

You could use basic auth for your webservice endpoints and form based authentication for the web.

Do web users also have access to your webservice?

EDIT:

Check out this sample app: https://github.com/dominicfarr/skybird-shiro

It has three url paths configured in shiro.

web - uses form authentication.

api - uses basic authentication.

jersey - anonymous access.

Cutting to the shiro.ini config.

[main]
authc.loginUrl = /web/login.html

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionDAO = $sessionDAO


[users]
dom = password, user

[roles]
user = standard

[urls]
/web/login.html = authc
/web/** = authc
/api/** = authcBasic
/jersey/message = anon
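Added example, not part of the original answer or the linked sample app: the same three-way split, with the REST path hardened for the case the question describes. The noSessionCreation filter stops Shiro from creating a session for /api/** clients, the ssl filter refuses Basic credentials over plain HTTP, and a HashedCredentialsMatcher on the built-in iniRealm avoids storing plaintext passwords in [users]. The hash in [users] is a placeholder and the iteration count is an assumed value.

```ini
[main]
authc.loginUrl = /web/login.html

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionDAO = $sessionDAO

# Compare submitted passwords against stored SHA-256 hashes instead of plaintext.
# iniRealm is the realm Shiro creates automatically for the [users]/[roles] sections.
# Iteration count is an assumed value; IniRealm has no per-user salt, so a JdbcRealm
# with salted hashes is the better store once credentials leave this file.
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 500000
sha256Matcher.storedCredentialsHexEncoded = true
iniRealm.credentialsMatcher = $sha256Matcher

[users]
# Placeholder: hex-encoded SHA-256 hash of the password, not the password itself.
dom = <sha256-hex-hash-placeholder>, user

[roles]
user = standard

[urls]
/web/login.html = authc
/web/** = authc
# REST clients send Basic credentials on every request; no session is created for them.
# noSessionCreation must come first in the chain; ssl (default port 443) rejects plain HTTP.
/api/** = ssl, noSessionCreation, authcBasic
/jersey/message = anon
```

Because /api/** no longer creates a session, a REST client that relies on a cookie from an earlier call will see a 401 on the next request, which is the intended behaviour for the stand-alone app.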
Licensed under: CC-BY-SA with attribution