Saad, after reading this (great!) article, I found that the best alternative is to use API keys instead of username/password pairs.
From the article: "Best practices say to encrypt your passwords in the database to limit a potential data breach. This increases overhead for each request when authenticating a user. Unique API keys authentication skips the hashing step and therefore speeds up your calls. If you want to know more about storing passwords".

--
D. Reinert

On Fri, Nov 8, 2013 at 12:55 PM, saadmufti <[email protected]> wrote:

> I agree with Josh that sounds reasonable. And really, if the data and changes
> you're exposing via your API require more stringent security, you shouldn't
> be using HTTP-Basic as your auth scheme anyway. Probably something like
> OAuth or some custom signing scheme. See long discussion at
> http://www.stormpath.com/blog/secure-your-rest-api-right-way .
>
> Thanks for the enlightening discussion guys.
>
> ----
> Saad
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Shiro-Auth-On-REST-API-Killing-CPU-tp7579340p7579359.html
> Sent from the Shiro User mailing list archive at Nabble.com.
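
An added example, not part of the thread or of Shiro: it contrasts the per-request cost of re-verifying a password with a slow hash against checking a random API key. The function names, the PBKDF2 work factor, the sample credentials, and the choice to store a SHA-256 digest of the key rather than the key itself are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the password path

def hash_password(password: str, salt: bytes) -> bytes:
    # Deliberately slow: a low-entropy password needs a work factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def key_digest(api_key: str) -> bytes:
    # One fast hash suffices for a 256-bit random key; guessing it is infeasible.
    return hashlib.sha256(api_key.encode()).digest()

# Constructed sample credential store (stands in for the database).
_DUMMY_SALT = bytes(16)
_salt = secrets.token_bytes(16)
USERS = {"alice": (_salt, hash_password("correct horse battery", _salt))}
ALICE_KEY = secrets.token_urlsafe(32)        # 256 bits of randomness
API_KEYS = {key_digest(ALICE_KEY): "alice"}  # digest -> account

def auth_basic(username: str, password: str):
    """HTTP Basic path: the slow hash runs on every single request."""
    # Unknown users still pay for one hash, so timing does not reveal them.
    salt, stored = USERS.get(username, (_DUMMY_SALT, b""))
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return username if ok else None

def auth_api_key(presented: str):
    """API key path: one SHA-256 and an index lookup per request."""
    return API_KEYS.get(key_digest(presented))

def seconds_per_call(fn, *args, repeat: int = 3) -> float:
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return (time.perf_counter() - start) / repeat

if __name__ == "__main__":
    basic = seconds_per_call(auth_basic, "alice", "correct horse battery")
    key = seconds_per_call(auth_api_key, ALICE_KEY)
    print(f"basic: {basic * 1e3:.2f} ms/request, api key: {key * 1e6:.1f} us/request")
```

Only the key's digest is stored, so a leaked table does not hand out usable keys, and the key still has to travel over TLS just as a Basic credential would.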
