Posted to user@shiro.apache.org by rawc <ra...@gmail.com> on 2014/03/20 20:06:05 UTC

Shiro and REST with HMAC Authentication Tokens

I am planning on using Shiro and an Amazon-like authentication scheme to
secure my REST API. My initial thoughts are to create a custom
authentication token and a custom realm that supports the custom
authentication token. The token will be an HMACAuthenticationToken and will
hold the client's API key and HMAC. In my custom realm I will retrieve the
client's API secret from a database based on the API key found in the
authentication token, then use the secret and information from the HTTP
request to verify that the HMAC value passed in from the client is correct.
The only problem is I don't see a way to access the HTTP Request from within
the custom realm. Am I approaching this the right way? If so, how do I
access the HTTP request within the realm. If not, how should I be
approaching this? The only other way I've thought of doing this is adding a
third property to the HMACAuthenticationToken that will hold the message
string that will be used to verify the HMAC value provided by the client (i.e.
instead of assembling the message string in the realm from information in
the HTTP request I would assemble the message string at the time the
HMACAuthenticationToken is created and add it into the token). Thanks in
advance.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-REST-with-HMAC-Authentication-Tokens-tp7579814.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro and REST with HMAC Authentication Tokens

Posted by Dominic Farr <do...@gmail.com>.
Shiro correctly divides everything web/http away from
authentication/authorization. separation of concerns.

Your realm's doGetAuthenticationInfo method should gather information about
the user, including what you need to match any password or hash. Returns
an AuthenticationInfo.

Your call to subject.login takes AuthenticationToken which is in your web
layer, which has access to your http request.

Both AuthenticationToken and AuthenticationInfo are passed to
your CredentialsMatcher in the shiro classes when you call login

As long as your tokens contain the right information to perform a match you
should be able to create a CredentialsMatcher that works for you.....I
think?

Does that make sense? If not, sorry, it's late.

-d


On 20 March 2014 19:06, rawc <ra...@gmail.com> wrote:

> I am planning on using Shiro and an Amazon-like authentication scheme to
> secure my REST API. My initial thoughts are to create a custom
> authentication token and a custom realm that supports the custom
> authentication token. The token will be an HMACAuthenticationToken and will
> hold the client's API key and HMAC. In my custom realm I will retrieve the
> client's API secret from a database based on the API key found in the
> authentication token, then use the secret and information from the HTTP
> request to verify that the HMAC value passed in from the client is correct.
> The only problem is I don't see a way to access the HTTP Request from
> within
> the custom realm. Am I approaching this the right way? If so, how do I
> access the HTTP request within the realm. If not, how should I be
> approaching this? The only other way I've thought of doing this is adding a
> third property to the HMACAuthenticationToken that will hold the message
> string that will be used to verify the HMAC value provided by the client (i.e.
> instead of assembling the message string in the realm from information in
> the HTTP request I would assemble the message string at the time the
> HMACAuthenticationToken is created and add it into the token). Thanks in
> advance.
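The split Dominic describes, worked out as an added example (this is not code from either poster or from the Shiro project): the web layer reads the HTTP request and packs the API key, the client's signature and the canonical message string into the token; the realm only looks up the secret for the API key; a CredentialsMatcher recomputes the HMAC and compares it. The header names (X-Api-Key, X-Signature), the canonical-string layout (method, path, Date header), HmacSHA256, and the in-memory Map standing in for the database lookup are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public final class HmacShiroExample {

    /** Token built in the web layer; the request-derived message travels inside it. */
    public static final class HmacAuthenticationToken implements AuthenticationToken {
        private final String apiKey;
        private final byte[] clientSignature;
        private final String canonicalRequest;

        public HmacAuthenticationToken(String apiKey, byte[] clientSignature, String canonicalRequest) {
            this.apiKey = apiKey;
            this.clientSignature = clientSignature;
            this.canonicalRequest = canonicalRequest;
        }

        @Override public Object getPrincipal() { return apiKey; }
        @Override public Object getCredentials() { return clientSignature; }
        public String getCanonicalRequest() { return canonicalRequest; }
    }

    /** Web layer: assemble the token from the request. Header names are assumptions. */
    public static HmacAuthenticationToken tokenFromRequest(HttpServletRequest req) {
        String apiKey = req.getHeader("X-Api-Key");
        String sig = req.getHeader("X-Signature");
        String date = req.getHeader("Date");
        if (apiKey == null || sig == null || date == null) {
            throw new AuthenticationException("missing HMAC authentication headers");
        }
        // Canonical message: method, path and Date header. Signing the Date header lets the
        // server reject stale requests (the clock-skew check itself is omitted here).
        String canonical = req.getMethod() + "\n" + req.getRequestURI() + "\n" + date;
        return new HmacAuthenticationToken(apiKey, Base64.getDecoder().decode(sig), canonical);
    }

    /** Matcher: recomputes the HMAC with the stored secret and compares in constant time. */
    public static final class HmacCredentialsMatcher implements CredentialsMatcher {
        @Override
        public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
            if (!(token instanceof HmacAuthenticationToken)) return false;
            HmacAuthenticationToken t = (HmacAuthenticationToken) token;
            byte[] secret = (byte[]) info.getCredentials();
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(secret, "HmacSHA256"));
                byte[] expected = mac.doFinal(t.getCanonicalRequest().getBytes(StandardCharsets.UTF_8));
                // MessageDigest.isEqual is constant-time, so the comparison leaks no timing information
                return MessageDigest.isEqual(expected, (byte[]) t.getCredentials());
            } catch (GeneralSecurityException e) {
                throw new AuthenticationException("HMAC computation failed", e);
            }
        }
    }

    /** Realm: knows nothing about HTTP; it only resolves the API key to its secret. */
    public static final class HmacRealm extends AuthorizingRealm {
        private final Map<String, byte[]> secretStore; // stand-in for the database lookup (assumption)

        public HmacRealm(Map<String, byte[]> secretStore) {
            super(new HmacCredentialsMatcher());
            this.secretStore = secretStore;
        }

        @Override
        public boolean supports(AuthenticationToken token) {
            return token instanceof HmacAuthenticationToken;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String apiKey = (String) token.getPrincipal();
            byte[] secret = secretStore.get(apiKey);
            if (secret == null) throw new UnknownAccountException("unknown API key");
            // The "credentials" handed to the matcher are the shared secret, not a password hash.
            return new SimpleAuthenticationInfo(apiKey, secret, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo(); // roles and permissions are out of scope here
        }
    }
}
```

In a servlet filter the call is simply SecurityUtils.getSubject().login(tokenFromRequest(request)), with the realm registered on the security manager (for example new DefaultSecurityManager(new HmacRealm(store))). Because the canonical string is assembled in the web layer and carried in the token, the realm never needs the HttpServletRequest, which is exactly the separation of concerns the reply points at; the matcher is also the natural place to add the request-age check so that a captured signature cannot be reused later.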