I'm really sorry it took me a while to get back to you; I greatly appreciate your time and patience with my questions.
I tried to do /** = authc and got an issue where my status code changed from a 200 OK to a 302 "FOUND", but I couldn't log in with the changes. I am able to log in just fine using my own manual login attempt, but I'm not sure if it is recommended, even though it works and is part of Shiro's login scheme. Yeah, I didn't realize that I could just call "SecurityUtils" until the end, when looking at my code, and I thought I had to call a Factory in order to manipulate the subjects and such, which I was wrong about. Everything is set up in the web.xml file as shown in the docs. Yeah, I have a login page set up for the browsers.

I notice that I get a 500 Internal Server Error whenever I am not logged in and try to do something. Should I change that to a 401, or just leave it as a 500 error? Nothing gets sent to the client, so I assume it's okay to just leave it as is?

Hmm, so with REST we want to use the built-in authentication? I am using Apache HttpClient, and there is an example for Basic Auth, but I thought the point is to send the credentials to Shiro, and then log into the application that way? What is the point of the Basic Authentication? Maybe I'm confused about what exactly "Basic Authentication" requires. Maybe this has something to do with SSL then, since I haven't done the SSL portion for my Shiro config yet.... Are there specific ports we should use for TLS connections? I believe I've seen 8443 used, so is that the default we should be using?

What's the difference between PassThrough and Form? I'll check the docs also for that, but figured I would ask. I don't think I need something different, since the Form works, but maybe there are better options for my need. Now, normally authc defaults to the FormAuthenticationFilter, right? I've had issues where adding the line would make a comment about it already existing, and sometimes it would ask me to add the authc = (when I was recreating the factory, which was the wrong thing to do).
Thanks for the URL info, I still need to set that up fully, but I think everything is okay. I should try to see what would happen if I do my servlet page = authc instead of /**. I'm pretty sure I tried that also and still got the 302 FOUND status code.. Thanks a ton for the help, you're truly a lifesaver, I appreciate it. I've learned a lot.

________________________________
From: scSynergy <[email protected]>
Sent: Monday, October 31, 2016 2:20 AM
To: [email protected]
Subject: Re: How should we go about configuring a Desktop Client with Shiro in the Server?

If you configure the FormAuthenticationFilter to protect every HTTP request in the [urls] section (/** = authc) then users would not be able to access your login page without being authenticated. So, in order to let users access the login page you specify it in the ini file, which causes Shiro to exempt it from access restrictions and also do an automatic redirect to the login page whenever someone tries to navigate to a URL without being authenticated.

You only need to enable Shiro via the web.xml file as described here https://shiro.apache.org/webapp-tutorial.html#step1, chapter 1b: Enable Shiro in web.xml, and configure Shiro via the ini file, and everything is ready to work. You do *not* need to manipulate any SecurityManager, token, factory or whatsoever. You need to supply a login page for browsers to authenticate through and some server side code (JSF, servlet, jax-rs ...) to handle requests and deliver data from the database to the client or trigger business methods on the database. This server side code must check whether SecurityUtils.getSubject().isAuthenticated() == true to execute the code or return an HTTP 401 otherwise.

For REST requests you should use Basic Authentication over TLS because it is built into Shiro. You can also use other authentication methods like OAuth tokens or something completely different, but that is not provided out of the box and therefore must be somehow implemented by you beforehand.
This is what part of our ini file looks like - we only accept TLS connections to port 8443 and do not use a FormAuthenticationFilter but instead use a PassThroughAuthenticationFilter in combination with our own login page, which differs from what the FormAuthenticationFilter would require:

[main]
...
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
logout = org.apache.shiro.web.filter.authc.LogoutFilter
authc.loginUrl = /login.xhtml
authc.successUrl = /welcome.xhtml
logout.redirectUrl = /login.xhtml

[urls]
/login.xhtml = ssl[8443], authc
/logout = logout
# the next line is needed to retrieve jsf resources from jar library
/javax.faces.resource/** = ssl[8443], anon
/rest/** = noSessionCreation, ssl[8443], authcBasic
/SoapService/** = noSessionCreation, ssl[8443], authcBasic
/** = ssl[8443], authc

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-should-we-go-about-configuring-a-Desktop-Client-with-Shiro-in-the-Server-tp7581322p7581359.html
Sent from the Shiro User mailing list archive at Nabble.com.
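The server-side check that the reply above describes (execute the code only if SecurityUtils.getSubject().isAuthenticated() is true, otherwise answer 401), written out as an added example that is not code from either poster or from the Shiro project. It assumes Shiro 1.x with the web.xml filter from the tutorial, a Servlet 3.x container, and the [urls] section quoted above, so /rest/** is already covered by authcBasic over ssl[8443]; the servlet path, the realm name and the response body are placeholders.

```java
// Added example: a REST-style servlet behind Shiro's filter chain that re-checks the
// Subject before doing any work, so an unauthenticated caller gets a clean 401 instead
// of an exception surfacing as 500. Path and realm name are illustrative only.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

@WebServlet("/rest/orders")
public class OrdersServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Basic credentials must only ever arrive over TLS. The ssl[8443] filter redirects
        // browsers, but a REST client that ignores redirects should still be refused hard.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        // The authcBasic filter normally rejects anonymous callers before this runs;
        // re-checking here means a mistake in [urls] fails closed rather than open.
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            // Challenge with the scheme the filter chain expects, so HttpClient and
            // similar clients know to retry with an Authorization: Basic header.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"application\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated: hand the work to the business layer (stubbed as a fixed body here).
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");
        resp.getWriter().write("{\"status\":\"ok\"}");
    }
}
```

Because /rest/** uses noSessionCreation in the quoted ini, every request must carry credentials; the servlet never relies on a session cookie, which is also why the 401 path is reachable for a client that omits the header.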
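The desktop side of the exchange, as an added example that is not from the thread: an Apache HttpClient 4.5 call to the /rest/** path from the ini above using Basic authentication over TLS on port 8443. Host, path, user name and password are placeholders, and the example assumes the server's certificate is trusted by the JVM truststore (do not disable certificate or hostname checks to get past a handshake error; fix the truststore instead).

```java
// Added example: desktop client sending Basic credentials preemptively over HTTPS to a
// Shiro-protected REST path. Redirect following is disabled on purpose: a 302 to the
// login page means the request hit the form filter, and a REST client should see that
// rather than silently fetch the HTML login form as a 200.
import java.io.IOException;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class RestClient {
    public static void main(String[] args) throws IOException {
        // Placeholder host; scheme is https so the ssl[8443] filter is satisfied directly.
        HttpHost target = new HttpHost("localhost", 8443, "https");

        // Scope the credentials to exactly this host and port so they are never
        // offered to any other server the client happens to talk to.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(target.getHostName(), target.getPort()),
                new UsernamePasswordCredentials("alice", "s3cret"));   // placeholders

        // Preemptive auth: attach the Authorization header on the first request instead
        // of waiting for Shiro's 401 challenge, saving one round trip per call.
        AuthCache authCache = new BasicAuthCache();
        authCache.put(target, new BasicScheme());
        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(creds);
        context.setAuthCache(authCache);

        try (CloseableHttpClient client = HttpClients.custom()
                .disableRedirectHandling()
                .build()) {
            HttpGet get = new HttpGet("/rest/orders");   // placeholder resource path
            try (CloseableHttpResponse resp = client.execute(target, get, context)) {
                int status = resp.getStatusLine().getStatusCode();
                String body = resp.getEntity() == null ? "" : EntityUtils.toString(resp.getEntity());
                if (status == 401) {
                    System.err.println("401: credentials rejected by the Shiro realm");
                } else if (status == 302) {
                    System.err.println("302 to " + resp.getFirstHeader("Location")
                            + ": path is matched by the form filter (authc), not authcBasic");
                } else {
                    System.out.println(status + " " + body);
                }
            }
        }
    }
}
```

The credentials provider and auth cache live in the per-request context rather than in the client, so one client instance can be reused for unauthenticated calls without leaking the Basic header to them.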
