Hi all, I've been working on Shiro's internals today to simplify support for REST applications. My motivation is partially selfish, since I'm using Shiro to protect REST endpoints at work, and I'll need to ensure this all goes smoothly.
Before I get too far involved, I was wondering if anyone had any problems they've come across in the past and would like to share, or any ideas in general that they think would make REST security easier. I have 2 things on my list that I think are relatively obvious:

1. Support authentication caching (key: AuthenticationToken, value: AuthenticationInfo). Since REST calls usually use HTTP BASIC authentication and assume no server state, it would be ideal if we didn't have a roundtrip to the datastore(s) for each REST call.

2. Support custom authentication 'binding'. Currently when Shiro authenticates a subject it puts the resulting PrincipalCollection and authentication state in the Session to ensure it is available for the remainder of the Subject's interaction with the application during that session. Of course, with REST being stateless, it would be ideal to turn this off for any authentication that occurred during a REST call.

Anything else? Any ideas?

Thanks,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training: http://www.katasoft.com
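As an added example (not part of the post above), here is how the two ideas map onto a shiro.ini for a Shiro release that includes per-realm authentication caching and the noSessionCreation filter (1.2 or later). The realm class name, cache name and URL pattern are placeholders.

```ini
[main]
# A CacheManager shared by all realms. MemoryConstrainedCacheManager is
# in-memory with no TTL; use a cache with expiry (e.g. Ehcache) in production.
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Idea 1: authentication caching. The realm caches the AuthenticationInfo it
# loads for a token so repeated HTTP BASIC calls do not hit the datastore.
# Credentials are still matched on every request against the cached info.
# (com.example.MyJdbcRealm is a placeholder for your AuthenticatingRealm subclass.)
myRealm = com.example.MyJdbcRealm
myRealm.authenticationCachingEnabled = true
myRealm.authenticationCacheName = com.example.MyJdbcRealm.authenticationCache
securityManager.realms = $myRealm

# Idea 2 (all-REST application): never store the authenticated Subject's
# principals/authentication state in a Session, for every request.
# Leave this commented out for a mixed web app and rely on the per-URL
# filter below instead.
#securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false

[urls]
# Idea 2 (mixed application): for the REST endpoints only, authenticate with
# HTTP BASIC and disable session creation/storage for that request.
/rest/** = noSessionCreation, authcBasic
```

Cached AuthenticationInfo outlives a password change or account disablement until the entry is evicted, so pair authentication caching with a cache that expires entries and clear the realm's cache when credentials change.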