Hello,
We have roughly the same use case, and decided to store
client certificates in a database, used by the device realm.
FYI we use the following shiro extension:
https://github.com/eskatos/shiro-ext
Regarding the two authentication methods, you can use
optional client cert auth (if your _whole_ front-end is not used
by regular browsers as this may trigger a client cert selection).
For this reason we had to distinguish client cert URL from
login/pw URL.
Or did you ask for a pw _after_ client cert auth?
my 2 cents...
MM
On 20/06/2013 08:59, Dave Davester wrote:
Hello
Sorry for the newbie question that follows:
I am in the process of setting up shiro on my REST services on a jboss
and I am confused on how to design it in my somewhat complex situation.
Basically I have devices, that will connect to a front end using two
way TLS. I.e. they authenticate to the front-end with X.509 certificates.
The front-end will terminate TLS and reverse proxy the HTTP request to
my back-end. In the process the reverse proxy will add a few HTTP
request headers that will identify the device to the back-end. (The
front-end is apache and the back-end is jboss where I want to add shiro)
I think I need a "DeviceRealm", but how to automatically convert the
extra HTTP headers to permissions that shiro understands?
In addition a person/user can also use the "TLS session" and login
using a password, I think this is fairly straight forward.
In order to further complicate things, both devices and person/users
will have "reputation" that will decrease according to some business
rules if the device/person/user misbehaves. Decreasing reputation will
also impact effective permissions. I want to use shiro for this
as well.
I would really be grateful if you could give me some design hints on
the topic.
Thank you!
//Dave
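One way to wire the header-to-permission mapping Dave asks about, as an added example that is neither MM's code nor part of shiro-ext. The header name, proxy address, device ids and reputation threshold are assumptions; the point it adds is that the back-end must honour the identity header only when the request arrives from the TLS-terminating proxy, since the proxy, not the back-end, verified the client certificate.

```java
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
// Token carrying the device identity the TLS-terminating front-end asserts in a header.
class DeviceHeaderToken implements AuthenticationToken {
    private final String deviceId;
    DeviceHeaderToken(String deviceId) { this.deviceId = deviceId; }
    public Object getPrincipal() { return deviceId; }
    public Object getCredentials() { return null; } // client cert already verified by the proxy
}
// Filter for the device-only URLs (kept apart from the login/password URLs, as MM suggests).
class DeviceHeaderFilter extends AuthenticatingFilter {
    static final String TRUSTED_PROXY = "10.0.0.5";      // assumed address of the Apache proxy
    static final String DEVICE_ID_HEADER = "X-Device-Id"; // assumed header the proxy adds
    protected AuthenticationToken createToken(ServletRequest req, ServletResponse resp) {
        // Honour the header only from the proxy; a client reaching JBoss directly gets no identity.
        if (!TRUSTED_PROXY.equals(req.getRemoteAddr())) return null;
        String id = ((HttpServletRequest) req).getHeader(DEVICE_ID_HEADER);
        return id == null ? null : new DeviceHeaderToken(id);
    }
    protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
        return createToken(req, resp) != null && executeLogin(req, resp);
    }
}
// Realm that maps the device id to principals and reputation-scaled permissions.
class DeviceRealm extends AuthorizingRealm {
    static final Map<String, Integer> REPUTATION = Map.of("device-0042", 80, "device-0099", 20); // constructed stand-in for the DB table
    DeviceRealm() { setCredentialsMatcher(new AllowAllCredentialsMatcher()); }
    public boolean supports(AuthenticationToken t) { return t instanceof DeviceHeaderToken; }
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String id = (String) token.getPrincipal();
        if (!REPUTATION.containsKey(id)) throw new UnknownAccountException("unknown device " + id);
        return new SimpleAuthenticationInfo(id, null, getName());
    }
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        int rep = REPUTATION.getOrDefault((String) principals.getPrimaryPrincipal(), 0);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermission("telemetry:read");                 // every known device
        if (rep >= 50) info.addStringPermission("telemetry:write"); // lost once reputation decays
        return info;
    }
}
```

The proxy should also overwrite any client-supplied copy of the identity header rather than pass it through, so the address check here is a second layer rather than the only one. Because permissions are computed per request from the current reputation, a decayed score takes effect without re-authenticating the device.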