Posted to user@shiro.apache.org by Anant Rao <ra...@yahoo.com> on 2014/09/01 17:03:27 UTC

AJAX

Hi,

I am a backend developer. Using Shiro, I implemented a form-based authenticator with SHA256 salted password hasher. All of this works great.
Now, the front-end developer says he is using angularJS and he's unable to mix form-based auth with the rest of his stuff and asked me to figure out if I can support AJAX based thing for Auth also.

I'm not familiar with the front-end technologies. Could you help me understand if Shiro supports such AJAX-based authentication.
Thanks!
Anant

Re: AJAX

Posted by Dominic Farr <do...@gmail.com>.
Sorry, correction, Auth0 wrote the AngularJS blog. Auth0 has nothing to do
with OAuth, the open standard for authorization.
I clearly need a coffee!


On 2 September 2014 08:17, Dominic Farr <do...@gmail.com> wrote:

> Not sure that makes sense. Basic authentication uses HTTP Headers, not
> cookies. See Here
> <http://en.wikipedia.org/wiki/Basic_access_authentication>
>
> Yes, Shiro can handle security for ajax stacks like AngularJS, but it all
> depends on your security requirements; Basic, Session based cookies,
> or Token based authentication (sometimes called Bearer Token.)
>
> OAuth did a nice break down for AngularJS and security, you can read that
> here
> <https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/>
>
> Best of luck.
>
> Dom
> On 2 Sep 2014 03:26, "Brian Demers" <br...@gmail.com> wrote:
>
>> You could use BASIC auth (and check for a cookie)
>>
>> -Brian
>>
>> On Sep 1, 2014, at 11:03 AM, Anant Rao <ra...@yahoo.com> wrote:
>>
>> Hi,
>>
>> I am a backend developer. Using Shiro, I implemented a form-based
>> authenticator with SHA256 salted password hasher. All of this works great.
>> Now, the front-end developer says he is using angularJS and he's unable
>> to mix form-based auth with the rest of his stuff and asked me to figure
>> out if I can support AJAX based thing for Auth also.
>>
>> I'm not familiar with the front-end technologies. Could you help me
>> understand if Shiro supports such AJAX-based authentication.
>> Thanks!
>> Anant
>>
>>
>>

Re: AJAX

Posted by Dominic Farr <do...@gmail.com>.
Fair enough; but I would not recommend that approach.


On 2 September 2014 13:30, Brian Demers <br...@gmail.com> wrote:

> My point was more the fact that you could use basic auth, and drop a
> cookie for the following requests. (Basically just replacing the form login)
>
>
>
> -Brian
>
> On Sep 2, 2014, at 3:17 AM, Dominic Farr <do...@gmail.com> wrote:
>
> Not sure that makes sense. Basic authentication uses HTTP Headers, not
> cookies. See Here
> <http://en.wikipedia.org/wiki/Basic_access_authentication>
>
> Yes, Shiro can handle security for ajax stacks like AngularJS, but it all
> depends on your security requirements; Basic, Session based cookies,
> or Token based authentication (sometimes called Bearer Token.)
>
> OAuth did a nice break down for AngularJS and security, you can read that
> here
> <https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/>
>
> Best of luck.
>
> Dom
> On 2 Sep 2014 03:26, "Brian Demers" <br...@gmail.com> wrote:
>
>> You could use BASIC auth (and check for a cookie)
>>
>> -Brian
>>
>> On Sep 1, 2014, at 11:03 AM, Anant Rao <ra...@yahoo.com> wrote:
>>
>> Hi,
>>
>> I am a backend developer. Using Shiro, I implemented a form-based
>> authenticator with SHA256 salted password hasher. All of this works great.
>> Now, the front-end developer says he is using angularJS and he's unable
>> to mix form-based auth with the rest of his stuff and asked me to figure
>> out if I can support AJAX based thing for Auth also.
>>
>> I'm not familiar with the front-end technologies. Could you help me
>> understand if Shiro supports such AJAX-based authentication.
>> Thanks!
>> Anant
>>
>>
>>

Re: AJAX

Posted by Brian Demers <br...@gmail.com>.
My point was more the fact that you could use basic auth, and drop a cookie for the following requests. (Basically just replacing the form login)



-Brian

> On Sep 2, 2014, at 3:17 AM, Dominic Farr <do...@gmail.com> wrote:
> 
> Not sure that makes sense. Basic authentication uses HTTP Headers, not cookies. See Here
> 
> Yes, Shiro can handle security for ajax stacks like AngularJS, but it all depends on your security requirements; Basic, Session based cookies, or Token based authentication (sometimes called Bearer Token.)
> 
> OAuth did a nice break down for AngularJS and security, you can read that here
> 
> Best of luck.
> 
> Dom
> 
>> On 2 Sep 2014 03:26, "Brian Demers" <br...@gmail.com> wrote:
>> You could use BASIC auth (and check for a cookie)
>> 
>> -Brian
>> 
>>> On Sep 1, 2014, at 11:03 AM, Anant Rao <ra...@yahoo.com> wrote:
>>> 
>>> Hi,
>>> 
>>> I am a backend developer. Using Shiro, I implemented a form-based authenticator with SHA256 salted password hasher. All of this works great.
>>> Now, the front-end developer says he is using angularJS and he's unable to mix form-based auth with the rest of his stuff and asked me to figure out if I can support AJAX based thing for Auth also.
>>> 
>>> I'm not familiar with the front-end technologies. Could you help me understand if Shiro supports such AJAX-based authentication.
>>> Thanks!
>>> Anant

Re: AJAX

Posted by Dominic Farr <do...@gmail.com>.
Not sure that makes sense. Basic authentication uses HTTP Headers, not
cookies. See Here <http://en.wikipedia.org/wiki/Basic_access_authentication>

Yes, Shiro can handle security for ajax stacks like AngularJS, but it all
depends on your security requirements; Basic, Session based cookies,
or Token based authentication (sometimes called Bearer Token.)

OAuth did a nice break down for AngularJS and security, you can read that
here
<https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/>

Best of luck.

Dom
On 2 Sep 2014 03:26, "Brian Demers" <br...@gmail.com> wrote:

> You could use BASIC auth (and check for a cookie)
>
> -Brian
>
> On Sep 1, 2014, at 11:03 AM, Anant Rao <ra...@yahoo.com> wrote:
>
> Hi,
>
> I am a backend developer. Using Shiro, I implemented a form-based
> authenticator with SHA256 salted password hasher. All of this works great.
> Now, the front-end developer says he is using angularJS and he's unable to
> mix form-based auth with the rest of his stuff and asked me to figure out
> if I can support AJAX based thing for Auth also.
>
> I'm not familiar with the front-end technologies. Could you help me
> understand if Shiro supports such AJAX-based authentication.
> Thanks!
> Anant
>
>
>

Re: AJAX

Posted by Brian Demers <br...@gmail.com>.
You could use BASIC auth (and check for a cookie)

-Brian

> On Sep 1, 2014, at 11:03 AM, Anant Rao <ra...@yahoo.com> wrote:
> 
> Hi,
> 
> I am a backend developer. Using Shiro, I implemented a form-based authenticator with SHA256 salted password hasher. All of this works great.
> Now, the front-end developer says he is using angularJS and he's unable to mix form-based auth with the rest of his stuff and asked me to figure out if I can support AJAX based thing for Auth also.
> 
> I'm not familiar with the front-end technologies. Could you help me understand if Shiro supports such AJAX-based authentication.
> Thanks!
> Anant
>  

Re: AJAX

Posted by juan manuel rojas ronquillo <ju...@rhemsolutions.com>.
You can use the shiro API for user authentication

http://shiro.apache.org/authentication.html#Authentication-Authenticating%7B%7BSubjects%7D%7D
http://shiro.apache.org/authentication.html#Authentication-LoggingOut

Login

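import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

// username and password are the UI input fields holding the submitted credentials
Subject currentUser = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(
    username.getValue(), password.getValue());
try {
  currentUser.login(token);
  // login succeeded: the Subject is now authenticated
} catch (AuthenticationException e) {
  // login failed: clear the submitted credentials
  username.setValue("");
  password.setValue("");
}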

Logout

currentUser.logout();

Shiro.ini


The Shiro filter "authc" redirects the user to a login URL. If you don't
want redirection, you should not use authc
http://shiro.apache.org/web.html#Web-DefaultFilters


#authc.loginUrl = /login.jsp
#authc.usernameParam = user
#authc.passwordParam = pass

#logout.redirectUrl = /login.jsp

[urls]
#The logout filter makes a redirection
#/logout = logout, anon
#/favicon.ico = anon
#/logo.jpg = anon
#/js/** =anon
#/resources/** =anon
#auth filter makes a redirection
#/** = authc

2014-09-01 10:03 GMT-05:00 Anant Rao <ra...@yahoo.com>:
> Hi,
>
> I am a backend developer. Using Shiro, I implemented a form-based
> authenticator with SHA256 salted password hasher. All of this works great.
> Now, the front-end developer says he is using angularJS and he's unable to
> mix form-based auth with the rest of his stuff and asked me to figure out if
> I can support AJAX based thing for Auth also.
>
> I'm not familiar with the front-end technologies. Could you help me
> understand if Shiro supports such AJAX-based authentication.
> Thanks!
> Anant
>
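
The point made in this thread, that "authc" answers an unauthenticated request with a redirect an AJAX client cannot use, can be handled by returning status codes instead. The following is an added example, not code from the thread or from the Shiro project: the class name AjaxAuthenticationFilter, the package com.example and the path /api/login are hypothetical, and it assumes Shiro 1.x on the javax.servlet API with the client posting username and password form-encoded (FormAuthenticationFilter reads request parameters, not a JSON body).

```java
// Hypothetical wiring in shiro.ini (names are assumptions for this example):
//   [main]
//   ajaxAuthc = com.example.AjaxAuthenticationFilter
//   ajaxAuthc.loginUrl = /api/login
//   [urls]
//   /** = ajaxAuthc
package com.example;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

public class AjaxAuthenticationFilter extends FormAuthenticationFilter {

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        // A POST to loginUrl is a login attempt: build the token and call subject.login().
        if (isLoginRequest(request, response) && isLoginSubmission(request, response)) {
            return executeLogin(request, response);
        }
        // Any other unauthenticated request gets 401 instead of the stock redirect.
        WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
            ServletRequest request, ServletResponse response) throws Exception {
        // No success redirect: 204 tells the client the session is now authenticated.
        WebUtils.toHttp(response).setStatus(HttpServletResponse.SC_NO_CONTENT);
        return false; // response is complete, stop the filter chain
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
            ServletRequest request, ServletResponse response) {
        // Same 401 for every failure, so the reply does not reveal whether the
        // username or the password was wrong.
        WebUtils.toHttp(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
}
```

The AngularJS side can then treat 401 as "show the login view" and retry the original call after a 204 from the login URL.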