Posted to user@shiro.apache.org by Johannes Lehmann <jo...@numericalmethod.com> on 2013/01/21 11:37:08 UTC
Securing a Spring MVC web service in a platform-independent way
Hey everyone,
I am trying to do something that I thought would be a common use case,
yet I cannot seem to find any answers to my problem.
I am building a web service using Spring MVC. I will also be building
multiple GWT front-ends and eventually mobile apps and perhaps native
applications too. Hence I can't rely on a framework such as Shiro or
Spring Security entirely without understanding what's going on, because
it doesn't generalize to all platforms.
The way I would like things to work is that the client (via HTTPS) sends
its username and password, and receives back a session ID, which it can
then add to each request's payload to authenticate the request. For now
it is not so important whether this is particularly secure, only that it
will work cross-platform. All articles seem to assume that the login
page is rendered by the web service, which in my case it is not.
First question: Is any of this a really bad idea? I am surprised that I
didn't find any resources on this...
Secondly, my approach was this:
1.) Login is a normal service method (called by a @Controller), that
returns the session ID, obtained by currentUser.getSession().getId(),
back to the user application.
2.) I add an interceptor in Spring that intercepts each request, looks
for a session ID inside the request and sets the authenticated subject
accordingly
3.) I can add annotations to my service level methods to secure them
(since I have previously set the authenticated subject)
Implementing a realm and setting it all up seems straightforward, but I
currently have no idea how to do step 2.). Automatic Association
(subject.execute) is out the door because the interceptor doesn't know
what to call. The documentation says I am not allowed to do Manual
Association (threadState.bind()) in a web service.
To me, the real question is why both Shiro and Spring Security seem so
resistant to what I am trying to do. I can't imagine my
original intent is so unusual, so I would welcome any suggestions as to
why I am going about this the wrong way entirely!
Thanks in advance,
Johannes
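As an added illustration of what step 2 involves (this is not code from the thread, nor from Shiro's or Spring's own examples): a Spring MVC interceptor that rebuilds the Shiro Subject from a session ID presented in a request header, binds it to the thread handling the request, and clears that binding when the request completes. The header name, the class name and the 401 responses are assumptions; the post does not fix them.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical interceptor for step 2: resolve the caller's Shiro Subject from a session ID
// sent with the request and bind it to the current thread for the duration of that request.
public class SessionIdInterceptor extends HandlerInterceptorAdapter {
    // Header name is an assumption; the post only says the ID is "inside the request".
    static final String SESSION_HEADER = "X-Session-Id";
    private static final String STATE_ATTR = SessionIdInterceptor.class.getName() + ".threadState";
    private final SecurityManager securityManager;

    public SessionIdInterceptor(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String sessionId = request.getHeader(SESSION_HEADER);
        if (sessionId == null || sessionId.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing session id");
            return false;
        }
        // Shiro resolves the presented ID through its SessionManager. An unknown or expired ID
        // yields a Subject with no session and isAuthenticated() == false, not an exception.
        Subject subject = new Subject.Builder(securityManager).sessionId(sessionId).buildSubject();
        if (subject.getSession(false) == null || !subject.isAuthenticated()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "unknown or expired session");
            return false;
        }
        // Manual association: bind to this thread only, and keep the state so it can be cleared.
        SubjectThreadState state = new SubjectThreadState(subject);
        state.bind();
        request.setAttribute(STATE_ATTR, state);
        return true;
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
        // Always clear: container threads are pooled, and a Subject left bound would be visible
        // to the next unrelated request that happens to run on the same thread.
        SubjectThreadState state = (SubjectThreadState) request.getAttribute(STATE_ATTR);
        if (state != null) {
            state.clear();
        }
    }
}
```

Registered as an interceptor in the Spring MVC configuration, this gives the service methods behind each @Controller a bound Subject that Shiro's annotations can check. The session ID acts as a bearer credential, so it belongs only on the HTTPS channel the post already plans to use.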