Is it possible to get the URL in doGetAuthenticationInfo()

I am just starting off with Apache Shiro.
I have created a RESTful web service in Java using Jersey Framework and deployed it on Google AppEngine, and I want to add authentication and authorization to my APIs using shiro.
I have actually added Shiro (shiro-guice) in my web service and I am able to perform authentication based on the username and password.

My query is: is it possible to know the URL in the function doGetAuthenticationInfo(AuthenticationToken authToken) (present in the class where I extend AuthorizingRealm)?

The reasons I need to know this are:

1. I have two types of clients using my REST APIs. Let's say one set of users are devices and the other set is the device owners. Now both of these are stored in different tables/repositories in my database, since their properties are very different. The APIs for devices are of the form /devices and those for device owners are of the form /users. So when I get a call to doGetAuthenticationInfo(), I need to have a way to figure out the URL in order to know which credentials to match the "authToken" passed in the function against.

2. Even within the same set of users, I would typically want a case where there is an API, say GET /tokenInfo, for which the credential should be username and password (and which returns token information in the response body), and all other APIs would be authenticated with the token. Here also it would make sense to get the URL so that I can figure out what to validate the credentials passed in the function against (username-password or token).

I guess both the points mentioned above would be common use cases.
Therefore, is there a way to find out which URL/API has been called while performing authentication? If not, then what are the other (preferably simple) ways to achieve it?

Archit Sinha

Re: Is it possible to get the URL in doGetAuthenticationInfo()

Hey there

There is never any need to know the URL in the realm ...
you will have to rethink the logic.
Why? Because the realm is just stupid back-end code to load auth or authz data for "someone" ...
So all the logic must be done in your REST methods, should you require it:

for example:
Subject s = SecurityUtils.getSubject();
this is all you need ...

although you must provide the "login" URL so the realms are called and the auth and authz code is executed ...

So for your case ...

1. Create UsersRealm and DevicesRealm - Users, devices realm

Write your own AuthorizationFilter and set it to your URLs in the ini ...
/devices/** = myDevicesFilter
/users/** = myUsersFilter

myDevicesFilter should create DeviceAuthToken and your DevicesRealm should return DeviceAuthToken class as its token class
myUsersFilter should create UserAuthToken and your UsersRealm should return UserAuthToken class as its token class

2. when you protect your URLs in shiro.ini you can get authenticated user with
Subject s = SecurityUtils.getSubject();
s.getPrincipal() or s.getPrincipals();
that's all you need .. to get subject data, load it when appropriate ;)

This should do it ;)

but for the sake of understanding ... please re-read the docs .. and do ask if anything is unclear. We will be glad to help you!
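An added example, not code from this thread or from the Shiro project, showing the layout the reply describes: one AuthenticatingFilter per URL prefix builds a distinct token type, and each realm pins the token type it supports, so the realm never needs the URL. All class names, the ini wiring in the header comment, and the two in-memory credential tables are assumptions constructed for this example; the Shiro API calls (setAuthenticationTokenClass, executeLogin, createToken, onAccessDenied, onLoginFailure) are real.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;

/**
 * Hypothetical classes for the per-URL filter / per-token realm split. Assumed shiro.ini wiring
 * (names made up for this example):
 *   [main]
 *   devicesRealm    = com.example.ShiroPerUrlAuth$DevicesRealm
 *   usersRealm      = com.example.ShiroPerUrlAuth$UsersRealm
 *   myDevicesFilter = com.example.ShiroPerUrlAuth$DeviceAuthFilter
 *   myUsersFilter   = com.example.ShiroPerUrlAuth$UserAuthFilter
 *   [urls]
 *   /devices/** = myDevicesFilter
 *   /users/**   = myUsersFilter
 */
public class ShiroPerUrlAuth {

    /** Token type produced only by the /devices/** filter. */
    public static class DeviceAuthToken extends UsernamePasswordToken {
        public DeviceAuthToken(String deviceId, String secret) { super(deviceId, secret); }
    }

    /** Token type produced only by the /users/** filter. */
    public static class UserAuthToken extends UsernamePasswordToken {
        public UserAuthToken(String username, String password) { super(username, password); }
    }

    /** Shared filter body: reads HTTP Basic credentials; subclasses choose the token type. */
    abstract static class BasicCredentialsFilter extends AuthenticatingFilter {
        /** Returns {id, secret} from an "Authorization: Basic ..." header, or null if absent or malformed. */
        static String[] readBasicCredentials(ServletRequest request) {
            String header = ((HttpServletRequest) request).getHeader("Authorization");
            if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
            try {
                String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                            StandardCharsets.UTF_8);
                int colon = decoded.indexOf(':');
                if (colon < 0) return null;
                return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
            } catch (IllegalArgumentException badBase64) {
                return null;
            }
        }

        @Override
        protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
            if (readBasicCredentials(request) == null) {
                ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return false;                        // no credentials: stop the filter chain
            }
            return executeLogin(request, response);  // calls createToken(), then subject.login(token)
        }

        @Override
        protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                         ServletRequest request, ServletResponse response) {
            ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;                            // wrong credentials: same generic 401, no detail leaked
        }
    }

    public static class DeviceAuthFilter extends BasicCredentialsFilter {
        @Override
        protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
            String[] c = readBasicCredentials(request);   // non-null: onAccessDenied checked it
            return new DeviceAuthToken(c[0], c[1]);       // the URL prefix is already known here
        }
    }

    public static class UserAuthFilter extends BasicCredentialsFilter {
        @Override
        protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
            String[] c = readBasicCredentials(request);
            return new UserAuthToken(c[0], c[1]);
        }
    }

    /** Constructed stand-ins for the two repositories; a real deployment stores salted hashes. */
    static final Map<String, String> DEVICE_TABLE = Collections.singletonMap("sensor-42", "device-secret");
    static final Map<String, String> USER_TABLE   = Collections.singletonMap("alice", "user-password");

    /** Common realm body; each subclass pins the one token type it accepts. */
    abstract static class TableRealm extends AuthorizingRealm {
        private final Map<String, String> table;
        private final String role;
        TableRealm(Class<? extends AuthenticationToken> tokenClass, Map<String, String> table, String role) {
            this.table = table;
            this.role = role;
            setAuthenticationTokenClass(tokenClass);  // supports(token) now rejects every other token type
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String id = (String) token.getPrincipal();  // only the pinned token type ever reaches here
            String stored = table.get(id);
            return stored == null ? null : new SimpleAuthenticationInfo(id, stored, getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole(role);
            return info;
        }
    }

    public static class DevicesRealm extends TableRealm {
        public DevicesRealm() { super(DeviceAuthToken.class, DEVICE_TABLE, "device"); }
    }

    public static class UsersRealm extends TableRealm {
        public UsersRealm() { super(UserAuthToken.class, USER_TABLE, "user"); }
    }
}
```

With both realms registered, the ModularRealmAuthenticator asks each realm supports(token) first, so a DeviceAuthToken is only ever handed to DevicesRealm and a UserAuthToken only to UsersRealm; the realm learns nothing about the URL and needs nothing about it. The second question in the thread is answered by the same pattern: map /tokenInfo to a password-based filter and the remaining paths to a filter that builds a different token type (recent Shiro releases ship an org.apache.shiro.authc.BearerToken and a BearerHttpAuthenticationFilter for exactly that), with a realm pinned to that type. The plain-text tables above are a constructed stand-in only; use a HashedCredentialsMatcher with salted, iterated hashes in a real realm, and keep the failure response identical for unknown ids and wrong secrets so the API does not confirm which ids exist.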