Sorry, I have no idea where the 302 might originate from. You would use the web form for the web client and BasicAuth for the requests from the desktop client to the REST services since the desktop client is probably not designed to handle web pages (string parsing is just sooo awful). If you have some service exposed via REST and secured through Shiro with BasicAuth, then a user with a valid session (previously acquired via the login form) will be able to call said REST service without any need to reauthenticate again via BasicAuth.
Sending username / password as a form request is done via HTTP POST, BasicAuth on the other hand can be used with anything (GET, PUT, HEAD, OPTIONS, DELETE, PROPFIND, MKCOL ...).

Yes, we do Subject.login(token) in our backing bean manually because the FormAuthenticationFilter will always fail while trying to call login(token) automatically since our web page differs from what FormAuthenticationFilter expects.

Shiro works with servlet spec 3+ so feel free to upgrade - we use Shiro on Wildfly 10 which comes with fairly recent libraries and we never had issues with Shiro.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-should-we-go-about-configuring-a-Desktop-Client-with-Shiro-in-the-Server-tp7581322p7581393.html
Sent from the Shiro User mailing list archive at Nabble.com.
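The setup described in the message above, sketched as a shiro.ini fragment. This is an added example, not configuration from the poster or the Shiro project; the paths /login.xhtml and /rest/** and the application name are assumptions, and a realm is assumed to be configured elsewhere in [main].

```ini
[main]
# Assumption: the login page is submitted to a backing bean that calls
# Subject.login(token) itself, so the stock FormAuthenticationFilter is
# replaced by PassThruAuthenticationFilter, which only guards access and
# lets the login request through to the application.
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /login.xhtml

# Name shown in the WWW-Authenticate challenge sent to the desktop client.
authcBasic.applicationName = Example REST API

[urls]
# Login page itself: passed through so the backing bean can authenticate.
/login.xhtml = authc

# REST services for the desktop client. authcBasic answers an
# unauthenticated request with a 401 challenge instead of a login page.
# A subject that is already authenticated in its session (for example via
# the web login form) is allowed through without sending Basic credentials.
# Basic credentials are only base64-encoded, so serve these paths over TLS.
/rest/** = authcBasic

# Everything else is the web client. An unauthenticated request here is
# redirected to authc.loginUrl rather than challenged.
/** = authc
```

Order matters in [urls]: the first matching pattern wins, so /rest/** must stay above /**.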
