How to configure static Resource on WebServer for Authentication & Authorization.

[JMalkan <JM...@mail.com>]

Hi,

My app is currently configured for Authentication & Authorization with Shiro
and it works perfectly on AppServer Tomcat.

We have thin server architecture.
Client is mostly JavaScripts and few HTML using JQuery and JMVC where MVC
pattern is implemented on the client side and async calls are made to
server. Server side is mostly REST Services serving clients.

To improve performance and scaling, we have decided to move all static
resources like HTML/JavaScripts/Images... to Apache web server.

I am trying to figure out the best way to apply Authentication &
Authorization.

I am hoping some of you have done this and been there. So I would not have
to reinvent the wheel.
Any help here is appreciated.



Jiggy.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-configure-static-Resource-on-WebServer-for-Authentication-Authorization-tp6850961p6850961.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: How to configure static Resource on WebServer for Authentication & Authorization.

[Les Hazlewood <lh...@apache.org>]

Shiro does not work inside the Apache Web server as it is a Java
framework.  There is no way Shiro can secure a static resource unless
it is served from a Java-capable web server, like Tomcat or Jetty.
The _only_ way this could work is if someone created an Apache HTTPD
module in C or C++ that could communicate with a Shiro-enabled server
to perform security checks.

However, I offer a different suggestion that will be more valuable I
think:  for static resources, use Tomcat with the Apache Portable
Runtime (APR): http://tomcat.apache.org/tomcat-7.0-doc/apr.html

Because Tomcat links to the APR, and the APR is the _same_ runtime
that the Apache Web Server uses to serve static content, you will get
the exact same performance.  There is absolutely no reason to use
Apache anymore to serve static content if you're already using Tomcat.
 The only reason to use Apache w/ Tomcat these days is for convenience
- where Apache reverse-proxies one or more Tomcat or Jetty
installations so it can offload SSL or consolidate HTTP endpoints on a
single machine.  But these are conveniences - there is no _need_ to
offload static file serving anymore when using Tomcat + the APR.

HTH,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Sat, Oct 1, 2011 at 4:46 PM, JMalkan <JM...@mail.com> wrote:
> Hi,
>
> My app is currently configured for Authentication & Authorization with Shiro
> and it works perfectly on AppServer Tomcat.
>
> We have thin server architecture.
> Client is mostly JavaScripts and few HTML using JQuery and JMVC where MVC
> pattern is implemented on the client side and async calls are made to
> server. Server side is mostly REST Services serving clients.
>
> To improve performance and scaling, we have decided to move all static
> resources like HTML/JavaScripts/Images... to Apache web server.
>
> I am trying to figure out the best way to apply Authentication &
> Authorization.
>
> I am hoping some of you have done this and been there. So I would not have
> to reinvent the wheel.
> Any help here is appreciated.
>
>
>
> Jiggy.
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-configure-static-Resource-on-WebServer-for-Authentication-Authorization-tp6850961p6850961.html
> Sent from the Shiro User mailing list archive at Nabble.com.