> I actually want to use automatic authentication based on cookies and REST
> resources authorization with AOP. This means I need to hook somehow in the
> RequestHandler and authenticate the user before it reaches the resources. As
> far as I know this is not supported by Shiro, but it is a real use case and
> I would like to use Shiro because of all the cool features it has.

Could you describe exactly what you're trying to do here?  All of my 
applications actually do authentication based on headers and use AOP 
for authorization on JAXRS resource methods.  I use basic Shiro AOP for 
the authorization piece and a custom servlet filter for the 
header-based authentication.  Cookie-based authentication shouldn't be 
entirely different...just a different servlet filter.

-Jared
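
The arrangement described in the reply above, as an added example that is not part of the original thread or of either poster's code: a servlet filter built on Shiro's `AuthenticatingFilter` logs the caller in from a cookie, and a Shiro annotation on the JAX-RS method handles authorization. The cookie name, `CookieToken`, `OrderResource` and the permission string are hypothetical; it assumes a custom Realm that supports `CookieToken` and validates the value server-side, and that Shiro's annotation interceptor is enabled for the resource classes.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/** Authenticates each request from a cookie before it reaches the resources. */
public class CookieAuthenticatingFilter extends AuthenticatingFilter {
    static final String COOKIE_NAME = "AUTH_TOKEN"; // hypothetical cookie name

    /** Carries the raw cookie value; a custom Realm (not shown) must validate it. */
    static final class CookieToken implements AuthenticationToken {
        private final String value;
        CookieToken(String value) { this.value = value; }
        @Override public Object getPrincipal() { return value; }
        @Override public Object getCredentials() { return value; }
    }

    @Override
    protected AuthenticationToken createToken(ServletRequest req, ServletResponse res) {
        Cookie[] cookies = WebUtils.toHttp(req).getCookies(); // null when none were sent
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            String v = c.getValue();
            if (COOKIE_NAME.equals(c.getName()) && v != null && !v.isEmpty()) return new CookieToken(v);
        }
        return null;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest req, ServletResponse res) throws Exception {
        // executeLogin() throws on a null token and returns false when the Realm rejects it.
        if (createToken(req, res) != null && executeLogin(req, res)) return true;
        WebUtils.toHttp(res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // stop the chain: the resource method never runs
    }
}

/** Hypothetical JAX-RS resource; the annotation is enforced by Shiro's AOP interceptor. */
@Path("/orders")
class OrderResource {
    @GET
    @RequiresPermissions("orders:read") // hypothetical permission string
    public String list() { return "[]"; }
}
```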
