Hey Joe,

Not without a bit of custom work.
See: http://shiro-user.582556.n2.nabble.com/REST-based-token-auth-approach-td7577677.html

On Thu, Feb 23, 2017 at 10:37 PM, Joe Murray <[email protected]> wrote:

> Hi Shiro’ers,
>
> I have an application that uses the …web.jaxrs.ShiroFeature class
> to provide fine grained permissions control on my methods, something like:
>
> ….
>
> @GET
> @Path("/gettest")
> @RequiresPermissions("trooper:write")
> public List<Stuff> gettest() throws Exception {
>     return listOfStuff;
> }
>
> In order to invoke the API, the client has to put the credentials in
> headers - with Android/Volley for example something like this:
>
> @Override
> public Map<String, String> getHeaders() throws AuthFailureError {
>     Map<String, String> headers = new HashMap<>();
>     String credentials = "jlpicard:Changeme1";
>     String auth = "Basic "
>             + Base64.encodeToString(credentials.getBytes(), Base64.NO_WRAP);
>     headers.put("Authorization", auth);
>     return headers;
> }
>
> All works great. But I’m wondering if there’s any other way to pass/get
> credentials? Maybe authenticate first, then set a bearer token in the
> headers instead of the credentials or something like that?
>
> I know the Stormpath servlet can do it - but there are some simple
> instances where I might want to have just one or 2 user credentials in the
> shiro.ini file for example - rather than use Stormpath all the time.
>
> Possible?
>
> -joe
>
> ...
>
> [main]
>
> # Shiro and the Stormpath API can use the same configured Cache Manager
> #stormpathClient = com.stormpath.shiro.client.ClientFactory
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
>
> stormpathClient = com.stormpath.shiro.client.ClientFactory
> stormpathClient.cacheManager = $cacheManager
>
> # we can disable session tracking completely, and have Stormpath manage it
> # for us.
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.sessionIdCookieEnabled = false
> securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
>
> stormpathRealm = com.stormpath.shiro.realm.ApplicationRealm
> stormpathRealm.client = $stormpathClient
>
> stormpathRealm.groupRoleResolver.modeNames = name
> securityManager.realm = $stormpathRealm
>
> stormpathRealm.applicationRestUrl = https://api.stormpath.com/v1/applications/XXXXXXXXXXXXXX
>
> [urls]
> # use permissive to NOT require authentication, our resource Annotations
> # will decide that
> /** = noSessionCreation, authcBasic[permissive]
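What the "bit of custom work" can look like, as an added example that is neither from this thread nor from Shiro itself: a bearer AuthenticationToken, an AuthenticatingFilter that reads the Authorization header permissively (so the @RequiresPermissions annotations above still decide access), and a realm that maps server-issued opaque tokens back to users. The class and filter names (BearerAuth, BearerFilter, BearerRealm, authcBearer, bearerRealm, issueToken) and the com.example package are assumptions; in shiro.ini it would be wired as `authcBearer = com.example.BearerAuth$BearerFilter`, `bearerRealm = com.example.BearerAuth$BearerRealm`, `securityManager.realms = $bearerRealm` and `/** = noSessionCreation, authcBearer`.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
// Hypothetical bearer-token filter + realm for Shiro (assumed names; not code from the thread).
public final class BearerAuth {
    static final class BearerToken implements AuthenticationToken { // value of "Authorization: Bearer <token>"
        private final String value;
        BearerToken(String v) { value = v; }
        @Override public Object getPrincipal() { return value; }
        @Override public Object getCredentials() { return value; }
    }
    public static final class BearerFilter extends AuthenticatingFilter {
        @Override protected AuthenticationToken createToken(ServletRequest req, ServletResponse resp) {
            String h = ((HttpServletRequest) req).getHeader("Authorization");
            return h != null && h.regionMatches(true, 0, "Bearer ", 0, 7) ? new BearerToken(h.substring(7).trim()) : null;
        }
        // Permissive like authcBasic[permissive]: no header -> pass through, @RequiresPermissions decides; a presented token must validate.
        @Override protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
            return createToken(req, resp) == null || executeLogin(req, resp);
        }
        @Override protected boolean onLoginFailure(AuthenticationToken t, AuthenticationException e, ServletRequest req, ServletResponse resp) {
            ((HttpServletResponse) resp).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false; // invalid or revoked token: stop the filter chain
        }
    }
    public static final class BearerRealm extends AuthorizingRealm {
        private final Map<String, String> tokenToUser = new ConcurrentHashMap<>(); // token -> username
        public String issueToken(String username) {  // call after a password login; the client then sends it as bearer
            String t = UUID.randomUUID().toString(); // SecureRandom-backed; only ever looked up server-side
            tokenToUser.put(t, username); return t;
        }
        @Override public boolean supports(AuthenticationToken t) { return t instanceof BearerToken; }
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            String user = tokenToUser.get((String) t.getPrincipal());
            if (user == null) throw new AuthenticationException("unknown or revoked token");
            return new SimpleAuthenticationInfo(user, t.getCredentials(), getName());
        }
        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); // demo: one user, one permission
            if ("jlpicard".equals(p.getPrimaryPrincipal())) info.addStringPermission("trooper:write");
            return info;
        }
    }
}
```

The token map is in-memory, so tokens die with the process; a resource that performs the initial Basic login would call issueToken and return the value for the client to send in place of the Basic credentials.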
