Posted to user@shiro.apache.org by Joe Murray <jo...@odell.ca> on 2017/02/24 03:37:27 UTC
credentials in headers vs. token
Hi Shiro’ers,
I have an application that uses the …web.jaxrs.ShiroFeature class to provide fine-grained permission control on my methods, something like:
….
@GET
@Path("/gettest")
@RequiresPermissions("trooper:write")
public List<Stuff> gettest() throws Exception {
    return listOfStuff;
}
In order to invoke that API, the client has to put the credentials in headers - with Android/Volley for example something like this:
@Override
public Map<String, String> getHeaders() throws AuthFailureError {
    Map<String, String> headers = new HashMap<>();
    String credentials = "jlpicard:Changeme1";
    // Base64 only encodes the password, it does not protect it: this header must travel over HTTPS
    String auth = "Basic "
            + Base64.encodeToString(credentials.getBytes(), Base64.NO_WRAP);
    headers.put("Authorization", auth);
    return headers;
}
All works great. But I’m wondering if there’s any other way to pass/get credentials? Maybe authenticate first, then set a bearer token in the headers instead of the credentials or something like that?
I know the Stormpath servlet can do it - but there are some simple instances where I might want to have just one or two user credentials in the shiro.ini file for example - rather than use Stormpath all the time.
Possible?
-joe
...
[main]
# Shiro and the Stormpath API can use the same configured Cache Manager
#stormpathClient = com.stormpath.shiro.client.ClientFactory
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
stormpathClient = com.stormpath.shiro.client.ClientFactory
stormpathClient.cacheManager = $cacheManager
# we can disable session tracking completely, and have Stormpath manage it for us.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionIdCookieEnabled = false
securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
stormpathRealm = com.stormpath.shiro.realm.ApplicationRealm
stormpathRealm.client = $stormpathClient
stormpathRealm.groupRoleResolver.modeNames = name
securityManager.realm = $stormpathRealm
stormpathRealm.applicationRestUrl = https://api.stormpath.com/v1/applications/XXXXXXXXXXXXXX
[urls]
# use permissive to NOT require authentication, our resource Annotations will decide that
/** = noSessionCreation, authcBasic[permissive]
Re: credentials in headers vs. token
Posted by Joe Murray <jo...@odell.ca>.
I was just reading that post!!
OK, cool, it can be done if need be. Gonna use the Stormpath one for now.
thx!
-joe
> On Feb 24, 2017, at 9:46 AM, Brian Demers <br...@gmail.com> wrote:
>
> Hey Joe,
>
> Not without a bit of custom work.
>
> See:
> http://shiro-user.582556.n2.nabble.com/REST-based-token-auth-approach-td7577677.html
>
>
>
> On Thu, Feb 23, 2017 at 10:37 PM, Joe Murray <joe@odell.ca> wrote:
Re: credentials in headers vs. token
Posted by Brian Demers <br...@gmail.com>.
Hey Joe,
Not without a bit of custom work.
See:
http://shiro-user.582556.n2.nabble.com/REST-based-token-auth-approach-td7577677.html
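What Brian's "bit of custom work" can look like, and the "authenticate first, then send a bearer token" flow Joe asks about, as an added example. This is not code from the thread, from Shiro or from Stormpath (Shiro only gained its own BearerHttpAuthenticationFilter later, in 1.5); the package com.example.auth, the class names, the ini names bearer, bearerRealm and iniRealm, the token format and the hard-coded permission lookup are all assumptions. The idea: the client sends its Basic credentials once to POST /login, which the existing authcBasic[permissive] chain has already authenticated, and gets back an HMAC-signed, time-limited token; every later call sends Authorization: Bearer <token>, which a second filter turns into a BearerToken that a second realm verifies, so the password never leaves the client again.

```java
package com.example.auth;  // hypothetical package; five classes shown in one listing

import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

// ---- TokenService.java: tokens look like b64url(user).expiryEpochMillis.b64url(HMAC-SHA256 over the first two) ----
public final class TokenService {
    // Assumption: one JVM, so a random per-process key will do (every token dies on restart); a cluster must load one shared key from config.
    public static final TokenService INSTANCE = new TokenService(randomKey(), 3_600_000L);
    private final byte[] key; private final long ttlMillis;
    TokenService(byte[] key, long ttlMillis) { this.key = key; this.ttlMillis = ttlMillis; }
    public String issue(String user) {
        String body = b64(user.getBytes(StandardCharsets.UTF_8)) + "." + (System.currentTimeMillis() + ttlMillis);
        return body + "." + b64(mac(body));
    }
    // Returns the user name, or throws the AuthenticationException subtype a Shiro realm is expected to raise.
    public String verify(String token) {
        String[] p = token.split("\\.");
        if (p.length != 3) throw new IncorrectCredentialsException("malformed bearer token");
        // Constant-time signature check before anything else in the token is trusted.
        if (!MessageDigest.isEqual(mac(p[0] + "." + p[1]), unb64(p[2])))
            throw new IncorrectCredentialsException("bad token signature");
        if (Long.parseLong(p[1]) < System.currentTimeMillis()) throw new ExpiredCredentialsException("token expired");
        return new String(unb64(p[0]), StandardCharsets.UTF_8);
    }
    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static byte[] randomKey() { byte[] k = new byte[32]; new SecureRandom().nextBytes(k); return k; }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    private static byte[] unb64(String s) {
        try { return Base64.getUrlDecoder().decode(s); }
        catch (IllegalArgumentException e) { throw new IncorrectCredentialsException("malformed bearer token"); }
    }
}
// ---- BearerToken.java: what the filter hands to the realm ----
public final class BearerToken implements AuthenticationToken {
    private final String token;
    public BearerToken(String token) { this.token = token; }
    public Object getPrincipal()   { return null; }   // the user is only known after TokenService.verify()
    public Object getCredentials() { return token; }
}
// ---- BearerTokenFilter.java: [main] bearer = com.example.auth.BearerTokenFilter ----
public class BearerTokenFilter extends AuthenticatingFilter {
    private static String bearer(ServletRequest req) {
        String h = WebUtils.toHttp(req).getHeader("Authorization");
        return h != null && h.regionMatches(true, 0, "Bearer ", 0, 7) ? h.substring(7).trim() : null;
    }
    // A Bearer header makes this a login request, so isAccessAllowed() stops treating the path as permissive and
    // onAccessDenied() runs; requests without a Bearer header (e.g. Basic on /login) still pass under [permissive].
    @Override protected boolean isLoginRequest(ServletRequest req, ServletResponse resp) { return bearer(req) != null; }
    @Override protected AuthenticationToken createToken(ServletRequest req, ServletResponse resp) { return new BearerToken(bearer(req)); }
    @Override protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
        if (isLoginRequest(req, resp) && executeLogin(req, resp)) return true;  // token verified by the realm
        WebUtils.toHttp(resp).sendError(HttpServletResponse.SC_UNAUTHORIZED);    // bad token, or none on a non-permissive path
        return false;
    }
}
// ---- BearerTokenRealm.java: [main] bearerRealm = com.example.auth.BearerTokenRealm ----
public class BearerTokenRealm extends AuthorizingRealm {
    public BearerTokenRealm() {
        setAuthenticationTokenClass(BearerToken.class);           // supports() only BearerToken; Basic logins go to the ini realm
        setCredentialsMatcher(new AllowAllCredentialsMatcher());  // the HMAC check in verify() is the credential check
    }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
        String user = TokenService.INSTANCE.verify((String) t.getCredentials());
        return new SimpleAuthenticationInfo(user, t.getCredentials(), getName());
    }
    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Assumption: permissions are looked up wherever the password realm keeps them; hard-coded for the example.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if ("jlpicard".equals(principals.getPrimaryPrincipal())) info.addStringPermission("trooper:write");
        return info;
    }
}
// ---- LoginResource.java: POST /login with the Basic header once, then use the returned token ----
@Path("/login")
public class LoginResource {
    @POST @RequiresAuthentication   // the existing authcBasic[permissive] filter has already logged the caller in
    public String login() {
        return TokenService.INSTANCE.issue((String) SecurityUtils.getSubject().getPrincipal());
    }
}
```

Wiring, on the assumption that the one or two users live in a [users] section (which makes Shiro create the iniRealm): under [main] add bearer = com.example.auth.BearerTokenFilter, bearerRealm = com.example.auth.BearerTokenRealm and securityManager.realms = $iniRealm, $bearerRealm; under [urls] change the chain to /** = noSessionCreation, authcBasic[permissive], bearer[permissive]. The ModularRealmAuthenticator asks each realm supports(token), so a UsernamePasswordToken from the Basic filter only reaches the ini realm and a BearerToken only reaches the bearer realm. Two caveats: a signed token like this cannot be revoked before it expires (store a random opaque token in the cacheManager instead if you need revocation), and a bearer token is as sensitive as the password it replaces, so it must only ever be sent over TLS.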