Hello,

I have used Shiro for a couple of projects now. I generally reuse an
AuthorizingRealm that implements salting and multiple hash iterations, but I
would like to build a filter that can authenticate REST access.

Ideally the user would use an inline form on the page to authenticate and
some kind of hash would be used in each subsequent request to verify the
user. 

From what I can see in the tracker and the forum there seems to have been
some investigation into implementing something a while ago but nothing seems
to have materialised, so...

I have tried to understand HMAC (I read the wiki page and the RFC!) but I
still have a few questions.

1. The user's password: from what I gather this is never transmitted over the
wire (assuming the user already exists on the server)?
2. What are the requirements on what should be in the content portion used
to generate the hash? Message body, URL, timestamp?





--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/REST-HMAC-digest-support-tp7578584.html
Sent from the Shiro User mailing list archive at Nabble.com.
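
The per-request hash the message asks about, as an added example that is not part of the original message and is not Shiro code: the client computes an HMAC over the method, URL, timestamp and a hash of the body, and the server recomputes it and rejects anything altered or stale. The class name, the canonical-string layout, the pre-shared per-user key and the five-minute window are all assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration; names, field layout and the freshness window are assumptions.
public class HmacRequestDemo {
    static final long MAX_SKEW_MS = 5 * 60 * 1000L; // assumed acceptance window

    // Canonical string: every field the server must be able to trust is covered.
    static String canonical(String method, String pathAndQuery, long timestampMs,
                            byte[] body) throws Exception {
        byte[] bodyHash = MessageDigest.getInstance("SHA-256").digest(body);
        return method + "\n" + pathAndQuery + "\n" + timestampMs + "\n"
                + Base64.getEncoder().encodeToString(bodyHash);
    }

    static byte[] sign(byte[] key, String canonical) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: rebuild the string from the request as received, then compare.
    static boolean verify(byte[] key, String method, String pathAndQuery, long timestampMs,
                          byte[] body, byte[] presentedMac, long nowMs) throws Exception {
        if (Math.abs(nowMs - timestampMs) > MAX_SKEW_MS) {
            return false; // stale or future-dated: limits how long a capture can be replayed
        }
        byte[] expected = sign(key, canonical(method, pathAndQuery, timestampMs, body));
        return MessageDigest.isEqual(expected, presentedMac); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and request, not real credentials.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis();
        String url = "/api/items?page=1";
        byte[] body = "{\"name\":\"widget\"}".getBytes(StandardCharsets.UTF_8);
        byte[] mac = sign(key, canonical("POST", url, now, body));
        byte[] other = "{\"name\":\"other\"}".getBytes(StandardCharsets.UTF_8);

        System.out.println("valid:    " + verify(key, "POST", url, now, body, mac, now));
        System.out.println("new body: " + verify(key, "POST", url, now, other, mac, now));
        System.out.println("new URL:  " + verify(key, "POST", "/api/items?page=2", now, body, mac, now));
        System.out.println("replayed: " + verify(key, "POST", url, now, body, mac, now + 600_000L));
    }
}
```

A timestamp window alone still allows replay inside the window; a server that needs stricter protection would also track a per-request nonce.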
