P.S. In a stateless scenario (like REST), you might also wish to enable Authentication Caching for the realm(s) consulted during an authentication attempt, e.g.:
[main]
myRealm.authenticationCachingEnabled = true

This ensures that authentication attempts for frequently authenticating accounts (as would be the case with a REST client that authenticates on every request) remain fast without needing to 'hit' the backing datastore every time. Only enable this if it is 'safe' to do so however, as documented here:

http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/AuthenticatingRealm.html

These two things (authentication caching + noSessionCreation filter) are used for stateless authc.

HTH,

Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog

On Tue, May 8, 2012 at 11:42 AM, Les Hazlewood <[email protected]> wrote:

> Hi Will,
>
> I assume when you say 'auth' you mean AuthC, aka Authentication and not
> AuthZ, Authorization. If so, there aren't any current docs on it, but it is
> super simple. Here is how you do it in shiro.ini (for example, assuming
> /rest/** endpoints are stateless):
>
> [urls]
> /rest/** = noSessionCreation,authcBasic
>
> The 'noSessionCreation' filter ensures that Shiro (or anyone else further
> down the filter chain) won't create a new Http Session, enforcing
> statelessness. The authcBasic is a typical HTTP Basic Authentication
> filter that calls subject.login.
>
> HTH,
>
> --
> Les Hazlewood
> CTO, Stormpath | http://stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog
>
> On Tue, May 8, 2012 at 2:23 AM, Will Sargent <[email protected]> wrote:
>
>> I've updated the play-shiro project to use 1.2.0 and Play 2.0.1.
>>
>> Is there an example for how to use stateless auth in the shiro docs? I
>> was never quite sure about that.
>>
>> Will.
>>
>> On Wed, May 2, 2012 at 6:35 PM, Claire Hunsaker <[email protected]> wrote:
>>
>>> Hi All -
>>>
>>> There has been a lot of good Shiro action on GitHub recently, including
>>> some worthy, in-progress projects that could use some extra hands (marked
>>> below with **).
>>>
>>> In case you want to jump in, I posted a roundup on the Stormpath blog:
>>> http://www.stormpath.com/blog/github-roundup-new-apache-shiro-projects
>>>
>>> Included:
>>> -- Grails Integration
>>> -- Play/Shiro Integration**
>>> -- Spring MVC + Shiro + myBatis + JSR-303 Validation from Bubba**
>>> -- Shiro on Google App Engine
>>> -- OAuth for Shiro
>>> -- Lift Integration for Apache Shiro
>>> -- 55 Minutes Wicket
>>>
>>> Please let me know if I missed any!
>>> Claire
>>>
>>> --
>>> Claire Hunsaker
>>> VP Community and Marketing, Stormpath
>>> [email protected]
>>> www.stormpath.com
>>> Follow us: @goStormpath
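Added example (not part of the original thread, and not the Shiro project's own sample): the two settings from the messages above combined into one shiro.ini, with the pieces that the linked AuthenticatingRealm Javadoc makes preconditions for enabling the cache. The realm class `com.example.MyRealm` is a placeholder, and the choice of `MemoryConstrainedCacheManager` and `PasswordMatcher` is an assumption about the deployment.

```ini
[main]
# authenticationCachingEnabled has no effect unless a CacheManager is set.
# MemoryConstrainedCacheManager keeps entries in process memory only, so
# cached AuthenticationInfo is not written to disk or sent over a network.
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Placeholder realm class (assumption); substitute the application's realm.
myRealm = com.example.MyRealm

# Assumes the realm returns salted, hashed passwords, so that what ends up
# in the cache is a hash and never a plaintext credential.
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
myRealm.credentialsMatcher = $passwordMatcher

# Cache AuthenticationInfo so per-request logins skip the datastore.
myRealm.authenticationCachingEnabled = true

securityManager.realms = $myRealm

[urls]
# Stateless endpoints: no HTTP session is created, and every request is
# authenticated with HTTP Basic (the filter calls subject.login).
/rest/** = noSessionCreation, authcBasic
```

If the realm returns plaintext credentials instead, the Javadoc's condition is that the cache region must never overflow to disk or cross an unprotected network; a distributed or disk-backed cache manager would not meet it.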
