If you cannot log in then something is wrong - did an exception get thrown or some other hint show up as to what might be the cause?
A failed login attempt should return an HTTP 401 response so as to behave in a way that most people would expect - but there is no technical reason for it.

Basic Authentication <https://en.wikipedia.org/wiki/Basic_access_authentication> is the most simple and widespread means for authentication with REST services but it is definitely not a must. Also, BasicAuth sends username and password in clear text (base64 encoded is *not* encrypted) so in a production environment you should only use it in conjunction with TLS to prevent passwords from getting stolen. Depending on your needs and preferences you may want to use a different secure alternative instead, but that is totally up to you. I only recommend BasicAuth because it is easy to do since it is part of the HTTP specification and comes with lots of examples on the internet.

The port most people use for TLS is 443, we only use 8443 to prevent port conflicts with other applications running on the same server and because having non-root users open ports to listen below 1024 requires additional magic under unix.

Yes, FormAuthenticationFilter defaults to authc with Shiro. We only use the PassThruAuthenticationFilter because we do not need the additional features that FormAuthenticationFilter offers.

PassThruAuthenticationFilter <https://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.html>

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-should-we-go-about-configuring-a-Desktop-Client-with-Shiro-in-the-Server-tp7581322p7581390.html
Sent from the Shiro User mailing list archive at Nabble.com.
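The Basic Authentication behaviour described in the message above, as an added example that is not part of the original post and is not Shiro code: a client builds the header, and a server-side check decodes it (no key involved), refuses credentials that arrive without TLS, and answers failures with 401 plus a challenge. The names `USERS`, `REALM`, `make_header`, `parse_basic` and `handle`, the sample account, and the choice of 403 for plaintext requests are assumptions of this sketch.

```python
import base64
import binascii
import hmac

REALM = "example"            # assumed realm name
USERS = {"alice": "s3cret"}  # constructed sample account; real stores hold salted hashes


def make_header(user, password):
    """Client side: base64 is an encoding, so anyone on the path can reverse it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Server side: return (user, password), or None if the header is malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    return (user, password) if sep else None


def handle(is_tls, auth_header):
    """Return (status, response_headers) for one request."""
    if not is_tls:
        # No challenge here: a 401 would invite the client to resend the
        # password over the unencrypted connection.
        return 403, {}
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time comparison; unknown users fail even with an empty password.
    ok = hmac.compare_digest(password.encode(), expected.encode()) and user in USERS
    return (200, {}) if ok else (401, challenge)


if __name__ == "__main__":
    hdr = make_header("alice", "s3cret")
    print(hdr, "->", parse_basic(hdr))
    print(handle(True, hdr), handle(False, hdr), handle(True, None))
```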