Hi Sean,
I would suggest applying a custom filter on the “login” url that can check the request, login and return a token in the response. Other urls would be secured with another filter (or the same one if you want to make it aware of your login mechanism) that checks for the token, that much you know already.

Whether or not to use a session depends upon whether you wish to authenticate on every request vs. maintaining a logged in session. Since the subject has logged in and received a token it seems almost pointless to not maintain a session (regardless of where you store it) since you will want it to expire (session timeout) and you can use Shiro for this aspect even if nothing else goes into it, thus separate authentication with the token becomes redundant.

As for the noSessionCreation filter, I only use this when authenticating on EVERY request, however as suggested above a token could reference an authenticated session so you wouldn’t use it.

Regards,
Marcus

From: Sean Blaes [mailto:[email protected]]
Sent: 06 August 2012 22:29
To: [email protected]
Subject: REST based token auth approach

I've been doing a ton of research on this and just want to validate the best approach before I move forward...

My requirement is that I do token based authentication for a REST/Jersey service that is also integrated with Spring. This means that there is an "authenticate" service to which the username/password will be posted, which will respond with a string token. That token can be whatever I want. All other method requests will pass the token in an HTTP header. This is the requirement because we support several existing clients and cannot expect them to change at our whim, and this is how the current service works that is using a home-grown auth framework.

I'm looking at disabling session creation, as described at: https://cwiki.apache.org/confluence/display/SHIRO/Session+Management#SessionManagement-StatelessApplications%28Sessionless%29

Specifically with /rest/** = noSessionCreation, anon

The question then is how do I best store and retrieve the fact that the user with a given token has been authenticated? Should I just store it in ehcache and retrieve it with a "remember me manager" upon each request? Or, do I need to implement a secondary realm that logs in by the stored auth token rather than the user/password.

Lastly, I could keep sessions enabled but I really don't need anything from the session other than this token, I don't think.

--
Sean Blaes
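The two-filter layout Marcus describes (a login filter that issues a token, a second filter that maps the header token back to the authenticated Shiro session), as an added illustration that is not code from either poster. It assumes the Shiro 1.x web API inside a servlet container; the class names, the "X-Auth-Token" header and the in-memory token map are hypothetical choices.

```java
// Added example, not from the thread. Assumes Shiro 1.x web API and a servlet container; class names,
// the "X-Auth-Token" header and the in-memory token store are hypothetical choices.
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;

// Mapped to the "login" URL: authenticates the posted credentials and answers with an opaque token.
public class TokenLoginFilter extends AccessControlFilter {
    // token -> Shiro session id. In-memory here; a shared cache such as ehcache when running several nodes.
    static final ConcurrentHashMap<String, Serializable> TOKENS = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();
    @Override protected boolean isAccessAllowed(ServletRequest q, ServletResponse r, Object v) {
        return false; // never "allowed": onAccessDenied performs the login and writes the reply
    }
    @Override protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) resp;
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(http.getParameter("username"), http.getParameter("password")));
        } catch (AuthenticationException e) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED); // same reply for unknown user or bad password
            return false;
        }
        byte[] raw = new byte[32]; RNG.nextBytes(raw); // 256 random bits: unguessable, and carries no data itself
        String token = Hex.encodeToString(raw);
        TOKENS.put(token, subject.getSession().getId()); // lifetime is simply Shiro's session timeout
        out.getWriter().write(token);
        return false; // reply written; stop the filter chain
    }
}

// Mapped to the other REST URLs: resolves the header token back to the authenticated session.
class TokenAuthFilter extends AccessControlFilter {
    @Override protected boolean isAccessAllowed(ServletRequest req, ServletResponse resp, Object v) {
        String token = ((HttpServletRequest) req).getHeader("X-Auth-Token");
        Serializable sid = token == null ? null : TokenLoginFilter.TOKENS.get(token);
        if (sid == null) return false;
        Subject subject = new Subject.Builder().sessionId(sid).buildSubject(); // expired id -> anonymous subject
        if (!subject.isAuthenticated()) { TokenLoginFilter.TOKENS.remove(token); return false; }
        org.apache.shiro.util.ThreadContext.bind(subject); // SecurityUtils.getSubject() downstream sees the user
        return true;
    }
    @Override protected boolean onAccessDenied(ServletRequest q, ServletResponse r) throws Exception { ((HttpServletResponse) r).sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; }
}
```

Because the token is effectively a handle on the session, a logout endpoint should remove the map entry and call subject.logout(), and the token must only ever travel over TLS.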
