Hi Tim,

As Brian mentioned, check out the BasicHttpAuthenticationFilter (available as the 'authcBasic' default filter). Most REST apps use that one for authentication and this performs the challenge/response logic you mentioned (HTTP 401, etc). You might also want to look into the HttpMethodPermissionFilter for authorization. They're both linked from the page Brian included.

HTH!

Les

On Thu, Sep 16, 2010 at 11:19 AM, tim.sparg <[email protected]> wrote:
>
> okay I think that what I'm trying to understand is how the client is told
> that he needs to authenticate.
>
> Does the server send a HTTP 401 response telling the client to authenticate,
> at which point the client resends the request with the auth details in the
> header? (would this happen on every message?)
>
> And on the server side all of this is handled by the Shiro interceptor and
> your Authentication realm..?
>
> How would I then get hold of the Subject/user information within the
> webservice?
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Shiro-and-RESTful-web-services-tp5539212p5539787.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
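
The setup discussed in this thread, as an added example that is not part of the original messages: a `shiro.ini` fragment (shown in the comment) wiring `authcBasic` and the HttpMethodPermissionFilter (default filter name `rest`), and a JAX-RS resource reading the Subject. The realm name `orders-api`, the `/api/orders` path, the `order` permission domain, the `admin` role and the `OrderResource` class are assumptions, as is a ShiroFilter already mapped in `web.xml` in front of the JAX-RS servlet.

```java
// Added example, not code from the thread or from the Shiro project.
// Assumed shiro.ini (names and paths are hypothetical):
//
//   [main]
//   # Realm name sent in the challenge header
//   authcBasic.applicationName = orders-api
//
//   [urls]
//   # authcBasic: a request without valid credentials gets
//   #   HTTP 401 + WWW-Authenticate: BASIC realm="orders-api"
//   #   and the client retries with an Authorization: Basic header.
//   # rest[order]: the HTTP method is turned into a permission check:
//   #   GET -> order:read, POST -> order:create,
//   #   PUT -> order:update, DELETE -> order:delete
//   /api/orders/** = authcBasic, rest[order]
//
// Basic credentials are only base64-encoded, so serve this path over TLS.

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

@Path("/orders") // hypothetical resource, deployed under /api
public class OrderResource {

    @GET
    @Path("{id}")
    public Response get(@PathParam("id") String id) {
        // Both filters ran before this method was invoked, so the Subject
        // bound to the request thread is authenticated and holds order:read.
        Subject subject = SecurityUtils.getSubject();
        Object principal = subject.getPrincipal(); // what the realm returned at login

        // Finer-grained decisions can still be made in code.
        String view = subject.hasRole("admin") ? "full" : "summary"; // hypothetical role

        return Response.ok("order " + id + " (" + view + ") for " + principal).build();
    }
}
```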
