Hi, Dave. I am also new to Shiro, but have a similar problem of needing to have various applications authenticate with each other behind a reverse proxy (Nginx), in addition to having users log in with passwords. In our case we are giving out API keys to each application for working with each other application. The application name and API key are handled exactly like a username and password, but in a separate realm. This separation is essentially to keep the namespaces separate, but it also allows for special handling as needed. We store the separate realms in separate databases, but the schema is similar for both.
In our case, we have a base abstract resource class that the user and the app classes inherit from. The concrete classes just read credentials from different fields and pass them along to a common handler. For example:

The concrete classes define the PRINCIPAL and CREDENTIAL constants differently. If you need to read from headers instead of JSON fields, you would change the method to do that.

In the abstract class:

Note here that we have methods isValidPrincipal(principal) in each concrete class to check as appropriate whether the username or application name are valid. There is also a lot of custom logging for each class.

In our test shiro.ini, for the realms configuration:

Note that I will be changing this in production so the passwords and keys are not stored in plaintext in the database, but this gives you the general idea of our prototype.

I hope that gives you an idea for one approach to this problem. Good luck.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Architecture-Help-tp7578861p7578863.html
Sent from the Shiro User mailing list archive at Nabble.com.
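The approach described in the reply above (two realms with separate namespaces, an abstract resource whose subclasses only say which fields carry the principal and credential, and hashed rather than plaintext secrets), worked through as an added example. This is not the poster's code and not the Shiro project's; it assumes the Apache Shiro 1.x API, and the class names (ApiKeyToken, HashedMapRealm, CredentialResource and its two subclasses), the header names and the in-memory sample accounts are all constructed for the example. The app realm is kept separate from the user realm by giving it its own token type, so a user's password can never be accepted on the application path even if both stores held the same string.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/** Hypothetical token for app-to-app calls. Deliberately NOT a UsernamePasswordToken,
 *  so the user realm's supports() never matches it and the two namespaces stay apart. */
class ApiKeyToken implements AuthenticationToken {
    private final String appName; private final char[] apiKey;
    ApiKeyToken(String appName, String apiKey) { this.appName = appName; this.apiKey = apiKey.toCharArray(); }
    public Object getPrincipal() { return appName; }
    public Object getCredentials() { return apiKey; }
}

/** One realm per credential store. A constructed in-memory map (principal -> {salt, SHA-256 hex})
 *  stands in for the separate databases; secrets are never stored or compared in plaintext. */
class HashedMapRealm extends AuthorizingRealm {
    static final int ITERATIONS = 100_000;
    private final Map<String, String[]> store;
    HashedMapRealm(String name, Class<? extends AuthenticationToken> tokenClass, Map<String, String[]> store) {
        setName(name);
        setAuthenticationTokenClass(tokenClass);   // supports() routes only this token type to this realm
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        m.setHashIterations(ITERATIONS);
        setCredentialsMatcher(m);
        this.store = store;
    }
    /** Builds a stored entry the way a provisioning script would: salted, iterated hash only. */
    static String[] entry(String secret, String salt) {
        return new String[] { salt, new Sha256Hash(secret, ByteSource.Util.bytes(salt), ITERATIONS).toHex() };
    }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) throws AuthenticationException {
        String[] e = store.get(String.valueOf(t.getPrincipal()));
        if (e == null) throw new UnknownAccountException("unknown principal in realm " + getName());
        return new SimpleAuthenticationInfo(t.getPrincipal(), e[1], ByteSource.Util.bytes(e[0]), getName());
    }
    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) { return new SimpleAuthorizationInfo(); }
}

/** The abstract resource: subclasses name the fields and the token type; the base class is the common handler. */
abstract class CredentialResource {
    protected abstract String principalField();
    protected abstract String credentialField();
    protected abstract AuthenticationToken toToken(String principal, String credential);
    /** Whitelist check before any realm is touched; subclasses may tighten it. */
    protected boolean isValidPrincipal(String p) { return p.matches("[A-Za-z0-9_.-]{1,64}"); }
    /** `fields` is the parsed JSON body for users or the request headers for apps. */
    public final boolean login(Map<String, String> fields) {
        String p = fields.get(principalField()), c = fields.get(credentialField());
        if (p == null || c == null || !isValidPrincipal(p)) return false;
        Subject subject = SecurityUtils.getSubject();
        try { subject.login(toToken(p, c)); return subject.isAuthenticated(); }
        catch (AuthenticationException e) { return false; } // log server-side; same answer to the caller either way
    }
}
final class UserLoginResource extends CredentialResource {
    static final String PRINCIPAL = "username", CREDENTIAL = "password";   // JSON body fields
    protected String principalField() { return PRINCIPAL; }
    protected String credentialField() { return CREDENTIAL; }
    protected AuthenticationToken toToken(String p, String c) { return new UsernamePasswordToken(p, c); }
}
final class AppLoginResource extends CredentialResource {
    static final String PRINCIPAL = "X-App-Name", CREDENTIAL = "X-Api-Key"; // request headers (constructed names)
    protected String principalField() { return PRINCIPAL; }
    protected String credentialField() { return CREDENTIAL; }
    protected AuthenticationToken toToken(String p, String c) { return new ApiKeyToken(p, c); }
}

public class TwoRealmDemo {
    public static void main(String[] args) {
        Map<String, String[]> users = new HashMap<>(), apps = new HashMap<>();   // constructed sample accounts
        users.put("alice", HashedMapRealm.entry("correct horse", "salt-u1"));
        apps.put("billing-svc", HashedMapRealm.entry("api-key-0001", "salt-a1"));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(Arrays.<Realm>asList(
            new HashedMapRealm("users", UsernamePasswordToken.class, users),
            new HashedMapRealm("apps", ApiKeyToken.class, apps))));

        Map<String, String> body = new HashMap<>();  body.put("username", "alice");  body.put("password", "correct horse");
        Map<String, String> hdrs = new HashMap<>();  hdrs.put("X-App-Name", "billing-svc"); hdrs.put("X-Api-Key", "api-key-0001");
        Map<String, String> cross = new HashMap<>(); cross.put("X-App-Name", "alice"); cross.put("X-Api-Key", "correct horse");

        System.out.println("user login:             " + new UserLoginResource().login(body));  // true
        SecurityUtils.getSubject().logout();
        System.out.println("app login:              " + new AppLoginResource().login(hdrs));   // true
        SecurityUtils.getSubject().logout();
        System.out.println("user creds on app path: " + new AppLoginResource().login(cross));  // false: wrong realm
    }
}
```

The realms are wired in code here so the example runs on its own; in a deployment the same two realm objects can be declared in the [main] section of shiro.ini and listed on securityManager.realms, which is what the reply's configuration fragment would do. The point to check when adding a second realm is supports(): if both realms accept UsernamePasswordToken, Shiro's default authenticator tries each one in turn, and the namespaces are only as separate as the token types make them.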
