I'm creating an app using Shiro as the security framework. The app has two parts: Web and Rest.
The Web is using Shiro's default FormAuthenticationFilter.
You could use basic auth for your webservice endpoints and form based authentication for the web.
Do web users also have access to your webservice?
EDIT:
Check out this sample app: https://github.com/dominicfarr/skybird-shiro
It has three URL paths configured in Shiro.
web - uses form authentication.
api - uses basic authentication.
jersey - anonymous access.
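Cutting to the shiro.ini config.

    [main]
    # Login page that the authc (form) filter redirects unauthenticated users to
    authc.loginUrl = /web/login.html
    # Shiro-managed web sessions, stored through a cache-backed session DAO
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.sessionDAO = $sessionDAO

    [users]
    # username = password, role
    dom = password, user

    [roles]
    # role = permission
    user = standard

    [urls]
    # Patterns are checked in order; the first match decides the filter chain
    /web/login.html = authc
    /web/** = authc
    /api/** = authcBasic
    /jersey/message = anon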
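
An added example, not part of the original answer or the sample app: a small Python model of how the `[urls]` section above is resolved, useful for auditing which paths get form auth, basic auth, anonymous access, or no filter chain at all. It assumes first-match-wins ordering and a simplified Ant-style matcher (`?`, `*` within a segment, `**` across segments); the function names and test paths are constructed for illustration, and it is not Shiro's own matching code.

```python
import fnmatch  # fnmatchcase handles '*' and '?' inside a single path segment

# [urls] section copied from the shiro.ini above
SHIRO_URLS = """\
[urls]
/web/login.html = authc
/web/** = authc
/api/** = authcBasic
/jersey/message = anon
"""

def parse_urls(ini_text):
    """Return the ordered (pattern, chain) pairs from the [urls] section."""
    rules, in_urls = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_urls = (line == "[urls]")
            continue
        if in_urls and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def _match(pat, segs):
    if not pat:
        return not segs
    if pat[0] == "**":
        # '**' spans zero or more whole path segments
        return any(_match(pat[1:], segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and fnmatch.fnmatchcase(segs[0], pat[0]) and _match(pat[1:], segs[1:])

def ant_match(pattern, path):
    split = lambda s: [p for p in s.split("/") if p]
    return _match(split(pattern), split(path))

def resolve(rules, path):
    """First matching pattern wins; None means no Shiro filter chain applies."""
    for pattern, chain in rules:
        if ant_match(pattern, path):
            return chain
    return None

if __name__ == "__main__":
    # Constructed request paths, including one that no pattern covers
    for path in ("/web/account", "/api/orders/1", "/jersey/message", "/jersey/admin"):
        print(f"{path:18} -> {resolve(parse_urls(SHIRO_URLS), path)}")
```

A path that resolves to `None` (here `/jersey/admin`) passes through without any Shiro authentication filter, so a catch-all entry at the end of `[urls]` is worth considering if that is not intended.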