Hi Shiro’ers,
I have an application that uses the …web.jaxrs.ShiroFeature class to
provide fine-grained permission control on my methods, something like:
….
    @GET
    @Path("/gettest")
    @RequiresPermissions("trooper:write")
    public List<Stuff> gettest() throws Exception {
        return listOfStuff;
    }
In order to invoke the API, the client has to put the credentials in
headers - with Android/Volley for example something like this:
    @Override
    public Map<String, String> getHeaders() throws AuthFailureError {
        Map<String, String> headers = new HashMap<>();
        String credentials = "jlpicard:Changeme1";
        String auth = "Basic "
                + Base64.encodeToString(credentials.getBytes(), Base64.NO_WRAP);
        headers.put("Authorization", auth);
        return headers;
    }
All works great. But I’m wondering if there’s any other way to pass/get
credentials? Maybe authenticate first, then set a bearer token in the headers
instead of the credentials or something like that?
I know the Stormpath servlet can do it - but there are some simple instances
where I might want to have just one or 2 user credentials in the shiro.ini file
for example - rather than use Stormpath all the time.
Possible?
-joe
...
[main]
# Shiro and the Stormpath API can use the same configured Cache Manager
#stormpathClient = com.stormpath.shiro.client.ClientFactory
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
stormpathClient = com.stormpath.shiro.client.ClientFactory
stormpathClient.cacheManager = $cacheManager
# we can disable session tracking completely, and have Stormpath manage it for us.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionIdCookieEnabled = false
securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
stormpathRealm = com.stormpath.shiro.realm.ApplicationRealm
stormpathRealm.client = $stormpathClient
stormpathRealm.groupRoleResolver.modeNames = name
securityManager.realm = $stormpathRealm
stormpathRealm.applicationRestUrl = https://api.stormpath.com/v1/applications/XXXXXXXXXXXXXX
[urls]
# use permissive to NOT require authentication, our resource Annotations will decide that
/** = noSessionCreation, authcBasic[permissive]
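
An added example, not part of the original post and not Shiro's or Volley's own code: the Authorization value that the getHeaders() method above builds, decoded the way any server-side Basic handler has to decode it, which shows that the header carries the username and password in reversible form on every request. The names BasicHeaderDemo and parseBasic are made up for this illustration, java.util.Base64 stands in for Android's Base64 class, and the record syntax assumes Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Illustration only: hypothetical class, not the parser Shiro's authcBasic filter uses.
public class BasicHeaderDemo {

    /** The two parts recovered from a Basic Authorization header. */
    record Credentials(String username, String password) {}

    /** Parses "Basic <base64(user:pass)>"; returns empty for anything malformed. */
    static Optional<Credentials> parseBasic(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        String[] parts = headerValue.trim().split("\\s+", 2);
        // The scheme name is case-insensitive, so "basic" and "BASIC" are accepted too.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // payload is not valid Base64
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        // Split on the first colon only: the password may itself contain ':'.
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        return Optional.of(new Credentials(
                userPass.substring(0, colon), userPass.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Same construction as the Volley snippet in the post (constructed sample input).
        String credentials = "jlpicard:Changeme1";
        String auth = "Basic " + Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        System.out.println("Header sent by the client: " + auth);
        System.out.println("Recovered on the server:   " + parseBasic(auth));
        // Malformed inputs a handler has to reject rather than crash on.
        System.out.println(parseBasic("Bearer abc.def.ghi")); // wrong scheme
        System.out.println(parseBasic("Basic !!not-base64!!")); // bad payload
        System.out.println(parseBasic(null)); // header absent
    }
}
```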