Hello
Sorry for the newbie question that follows:
I am in the process of setting up shiro on my REST services on a jboss and I am
confused about how to design it in my somewhat complex situation.
Basically I have devices, that will connect to a front end using two way TLS.
I.e. they authenticate to the front-end with X.509 certificates.
The front-end will terminate TLS and reverse proxy the HTTP request to my
back-end. In the process the reverse proxy will add a few HTTP request headers
that will identify the device to the back-end. (The front-end is apache and the
back-end is jboss where I want to add shiro)
I think I need a "DeviceRealm", but how to automatically convert the extra HTTP
headers to permissions that shiro understands?
In addition, a person/user can also use the "TLS session" and login using a
password; I think this is fairly straightforward.
In order to further complicate things, both devices and person/users will have
"reputation" that will decrease according to some business rules if the
device/person/user misbehaves. Decreasing reputation will also impact
effective permissions. I want to use shiro for this as well.
I would really be grateful if you could give me some design hints on the topic.
Thank you!
//Dave
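One way the pieces Dave describes can fit together in Shiro, as an added example that is not part of the original post and not code from the Shiro project: a token type that carries the identity the front-end asserted, an `AuthenticatingFilter` that builds that token from the proxy headers, and an `AuthorizingRealm` that derives permissions from the device's current reputation. The header names (`X-Client-Cert-Subject`, `X-Client-Cert-Verify`), the `ReputationService` interface and the permission strings are assumptions chosen for illustration; the Shiro classes and methods used are real. The whole design only holds if the jboss back-end accepts connections solely from the apache front-end (firewall or loopback binding), because any client that can reach jboss directly could otherwise send those headers itself.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical business-rules service: returns the current reputation score (0..100) of a device or user. */
interface ReputationService {
    int scoreOf(String principalId);
}

/** Token carrying what the reverse proxy asserted about the client certificate (header names are assumed). */
class DeviceToken implements AuthenticationToken {
    private final String deviceId;     // value of X-Client-Cert-Subject
    private final String verifyStatus; // value of X-Client-Cert-Verify, e.g. "SUCCESS"

    DeviceToken(String deviceId, String verifyStatus) {
        this.deviceId = deviceId;
        this.verifyStatus = verifyStatus;
    }
    @Override public Object getPrincipal()   { return deviceId; }
    @Override public Object getCredentials() { return verifyStatus; }
}

/** Filter mapped to the device URLs: turns the proxy headers into a DeviceToken and logs the subject in. */
class DeviceHeaderFilter extends AuthenticatingFilter {
    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        HttpServletRequest http = WebUtils.toHttp(request);
        return new DeviceToken(http.getHeader("X-Client-Cert-Subject"),
                               http.getHeader("X-Client-Cert-Verify"));
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (WebUtils.toHttp(request).getHeader("X-Client-Cert-Subject") == null) {
            WebUtils.toHttp(response).sendError(401); // no device identity asserted; do not fall through
            return false;
        }
        // executeLogin() calls createToken(), then Subject.login(); it returns false on failure.
        return executeLogin(request, response);
    }
}

/** Realm that authenticates DeviceTokens and computes permissions from the live reputation score. */
public class DeviceRealm extends AuthorizingRealm {
    private ReputationService reputationService;

    public DeviceRealm() {
        // Only this token type is handled here; UsernamePasswordToken goes to the user realm.
        setAuthenticationTokenClass(DeviceToken.class);
        // Reputation changes between requests, so do not cache permissions (or call
        // clearCachedAuthorizationInfo(principals) from the reputation code instead).
        setAuthorizationCachingEnabled(false);
    }

    public void setReputationService(ReputationService s) { this.reputationService = s; } // for shiro.ini injection

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        DeviceToken t = (DeviceToken) token;
        if (t.getPrincipal() == null || !"SUCCESS".equals(t.getCredentials())) {
            throw new AuthenticationException("front-end did not report a verified client certificate");
        }
        // Returning the same credentials makes the default SimpleCredentialsMatcher accept the token.
        return new SimpleAuthenticationInfo(t.getPrincipal(), t.getCredentials(), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        if (principals.fromRealm(getName()).isEmpty()) {
            return null; // principal authenticated by another realm (e.g. a person/user); nothing to add
        }
        String deviceId = (String) principals.getPrimaryPrincipal();
        int score = reputationService.scoreOf(deviceId);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("device");
        // Permissions shrink as reputation drops; thresholds are illustrative.
        if (score >= 20) info.addStringPermission("telemetry:read:" + deviceId);
        if (score >= 50) info.addStringPermission("telemetry:write:" + deviceId);
        if (score >= 80) info.addStringPermission("firmware:update:" + deviceId);
        return info;
    }
}
```

In `shiro.ini` the realm and filter would be wired roughly as `deviceRealm = DeviceRealm`, `deviceRealm.reputationService = $reputationService`, `deviceAuth = DeviceHeaderFilter` under `[main]` and `/devices/** = deviceAuth` under `[urls]`, alongside the existing user realm and a form or basic filter for the person/user paths. Because `ModularRealmAuthenticator` only offers a token to realms whose `supports()` accepts it, the two realms do not interfere at login time, and `ModularRealmAuthorizer` merges their answers at permission-check time, so a user's reputation can be applied the same way inside the user realm's `doGetAuthorizationInfo`.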