Posted to user@shiro.apache.org by Johannes Lehmann <jo...@numericalmethod.com> on 2013/01/21 11:37:08 UTC

Securing a Spring MVC web service in a platform-independent way

Hey everyone,

I am trying to do something that I thought would be a common use case, 
yet I cannot seem to find any answers to my problem.

I am building a web service using Spring MVC. I will also be building 
multiple GWT front-ends and eventually mobile apps and perhaps native 
applications too. Hence I can't rely on a framework such as Shiro or 
Spring Security entirely without understanding what's going on, because 
it doesn't generalize to all platforms.

The way I would like things to work is that the client (via HTTPS) sends 
its username and password, and receives back a session ID, which it can 
then add to each request's payload to authenticate the request. For now 
it is not so important whether this is particularly secure, only that it 
will work cross-platform. All articles seem to assume that the login 
page is rendered by the web service, which in my case it is not.

First question: Is any of this a really bad idea? I am surprised that I 
didn't find any resources on this...

Secondly, my approach was this:
1.) Login is a normal service method (called by a @Controller), that 
returns the session ID, obtained by currentUser.getSession().getId(), 
back to the user application.
2.) I add an interceptor in Spring that intercepts each request, looks 
for a session ID inside the request and sets the authenticated subject 
accordingly
3.) I can add annotations to my service level methods to secure them 
(since I have previously set the authenticated subject)

Implementing a realm and setting it all up seems straightforward but I 
currently have no idea how to do step 2.). Automatic Association 
(subject.execute) is out the door because the interceptor doesn't know 
what to call. The documentation says I am not allowed to do Manual 
Association (threadState.bind()) in a web service.

To me the real question is why both Shiro and Spring Security seem to 
resist so much against what I am trying to do. I can't imagine my 
original intent is so unusual, so I would welcome any suggestions as to 
why I am going about this the wrong way entirely!

Thanks in advance,
Johannes
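The three steps described in the post (login returning a session ID, an interceptor that re-associates a Subject with each request, annotation-secured service methods) can be wired together with Shiro's public `Subject.Builder` and `ThreadContext` APIs. The following is an added example written for this thread, not code from the original post or from the Shiro project. It assumes a Spring MVC application with a Shiro `SecurityManager` (a realm plus a `DefaultSessionManager`) configured as a bean and registered via `SecurityUtils.setSecurityManager`, and that the client sends the session ID in an `X-Session-Id` header (the header name is an assumption; the post does not name one).

```java
import java.io.Serializable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

/**
 * Step 1 of the post: a plain service method that authenticates the
 * credentials and hands the resulting Shiro session ID back to the caller.
 * Hypothetical class name; the post does not name its login service.
 */
class SessionLoginService {
    public String login(String username, char[] password) {
        // Build a fresh, anonymous Subject against the configured SecurityManager.
        Subject subject = new Subject.Builder(SecurityUtils.getSecurityManager()).buildSubject();
        // Throws AuthenticationException on bad credentials; let the controller map that to 401.
        subject.login(new UsernamePasswordToken(username, password));
        // getSession() creates the server-side session; its ID is the bearer credential the client will present.
        Serializable sessionId = subject.getSession().getId();
        return sessionId.toString();
    }

    /** Invalidate the session so a presented ID stops working (logout). */
    public void logout(Subject subject) {
        subject.logout();
    }
}

/**
 * Step 2 of the post: a Spring MVC interceptor that looks up the Shiro
 * session named in the request header and binds a Subject for that session
 * to the current thread, so step 3 (annotation checks on service methods
 * via SecurityUtils.getSubject()) sees the right principal.
 */
public class ShiroSessionIdInterceptor implements HandlerInterceptor {
    // Assumed header name for this example; the original post does not specify a transport.
    private static final String SESSION_HEADER = "X-Session-Id";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        String sessionId = request.getHeader(SESSION_HEADER);
        Subject.Builder builder = new Subject.Builder(SecurityUtils.getSecurityManager());
        if (sessionId != null && sessionId.length() > 0) {
            // Resolve the existing session by ID; an unknown or expired ID yields an anonymous Subject.
            builder.sessionId(sessionId);
        }
        Subject subject;
        try {
            subject = builder.buildSubject();
        } catch (UnknownSessionException e) {
            // Defensive: treat an unresolvable session as unauthenticated rather than failing the request.
            subject = new Subject.Builder(SecurityUtils.getSecurityManager()).buildSubject();
        }
        // Manual association for the duration of this request only.
        ThreadContext.bind(subject);
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) {
        // Nothing to do between handler and view rendering.
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                Object handler, Exception ex) {
        // Always clear the thread: servlet containers pool threads, and a leaked Subject
        // would silently authenticate the next unrelated request handled on the same thread.
        ThreadContext.remove();
    }
}
```

Register `ShiroSessionIdInterceptor` through the MVC `InterceptorRegistry` (or `<mvc:interceptors>` in XML) so it runs before every controller. The reason the Shiro documentation steers people away from manual `ThreadContext.bind()` in web applications is exactly the thread-reuse problem handled in `afterCompletion`: as long as every bind is paired with an unconditional `ThreadContext.remove()`, the approach is sound. Carrying the ID in a header rather than the body keeps it out of request logs that record payloads, and session expiry plus `logout()` give the server a way to revoke an ID that has leaked.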