Posted to user@shiro.apache.org by nmetzger <nm...@odu.edu> on 2013/11/21 14:58:51 UTC

Securing both web application and API

Hello,

We currently have a Wicket web application that uses Shiro for authn/authz.
We're planning on converting the underlying business model into an API,
leaving the web application to take care of presentation only. As other
applications are going to use the API, I need to secure both authentication
via API and authentication via the web application. I did add a realm to the
API, and it works just fine. So, in my web application, do I now need to make
an API call every time I need to check the current subject's
permission, or is there some way I can add Shiro authentication both to the
API and the web application?
I guess my point is:
1) I want to avoid code duplication
2) I would like to take advantage of Shiro's session management for the web
application

Any pointers would be greatly appreciated,
Natalie



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Securing-both-web-application-and-API-tp7579417.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Securing both web application and API

Posted by shockwave <an...@gmail.com>.
Hi,
I need to use Shiro to secure my API calls. Can you help me figure it out or
point me towards some test case or example of how I can use it?
I have an embedded server in my application; anyone who wants to use it should
post to this server. I am thinking of having a Login API which the user has to
call before any API calls are made. And I want this API to be Shiro driven,
and don't want to prompt the user for authentication; everything should be done
through the program only. Any idea on how we can achieve it?

Regards 



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Securing-both-web-application-and-API-tp7579417p7579647.html