credentials in headers vs. token


Joe Murray
Hi Shiro’ers,

        I have an application that uses the …web.jaxrs.ShiroFeature class to provide fine grained permissions control on my methods something like:

….

@GET
@Path("/gettest")
@RequiresPermissions("trooper:write")
public List<Stuff> gettest() throws Exception {
        return listOfStuff;
}



In order to invoke those API methods, the client has to put the credentials in headers - with Android/Volley, for example, something like this:

@Override
public Map<String, String> getHeaders() throws AuthFailureError {
   
    Map<String, String> headers = new HashMap<>();
    String credentials = "jlpicard:Changeme1";
    String auth = "Basic "
            + Base64.encodeToString(credentials.getBytes(), Base64.NO_WRAP);
   
    headers.put("Authorization", auth);
    return headers;
}

All works great. But I’m wondering if there’s any other way to pass/get credentials?  Maybe authenticate first, then set a bearer token in the headers instead of the credentials or something like that?

I know the Stormpath servlet can do it - but there are some simple instances where I might want to have just one or 2 user credentials in the shiro.ini file, for example, rather than use Stormpath all the time.

Possible?

-joe

...

[main]


# Shiro and the Stormpath API can use the same configured Cache Manager

#stormpathClient = com.stormpath.shiro.client.ClientFactory
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

stormpathClient = com.stormpath.shiro.client.ClientFactory
stormpathClient.cacheManager = $cacheManager

# we can disable session tracking completely, and have Stormpath manage it for us.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionIdCookieEnabled = false
securityManager.sessionManager.sessionIdUrlRewritingEnabled = false

stormpathRealm = com.stormpath.shiro.realm.ApplicationRealm
stormpathRealm.client = $stormpathClient

stormpathRealm.groupRoleResolver.modeNames = name
securityManager.realm = $stormpathRealm

stormpathRealm.applicationRestUrl = https://api.stormpath.com/v1/applications/XXXXXXXXXXXXXX


[urls]
# use permissive to NOT require authentication, our resource Annotations will decide that

/** = noSessionCreation, authcBasic[permissive]
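A worked example of the "authenticate first, then send a bearer token instead of the credentials" flow the post asks about. It is added here and is not code from the thread, from Shiro or from Stormpath. It assumes Java 8, the Shiro 1.3-era web API (AuthenticatingFilter, AuthorizingRealm, WebUtils) and the JAX-RS annotations already in use above; every class name in it (TokenService, ApiBearerToken, BearerTokenFilter, BearerTokenRealm, LoginResource) is hypothetical. The token is an HMAC-SHA256-signed "user:expiry" payload, so the server stores nothing per client, which fits the noSessionCreation setting in the config above. The filter copies the trick authcBasic uses with [permissive]: a request that carries the header is treated as a login request and must succeed, a request without one is passed through so the @RequiresPermissions annotations decide.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical token: base64url(user:expiry) + "." + base64url(HMAC-SHA256(secret, payload)); nothing is stored server-side.
final class TokenService {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] secret;   // >= 32 random bytes loaded from configuration, never hard-coded
    TokenService(byte[] secret) { this.secret = secret; }

    String issue(String user, long expiresAtEpochSeconds) {
        String payload = ENC.encodeToString((user + ":" + expiresAtEpochSeconds).getBytes(StandardCharsets.UTF_8));
        return payload + "." + ENC.encodeToString(hmac(payload));
    }

    // Returns the user name, or null if the token is malformed, forged or expired.
    String verify(String token, long nowEpochSeconds) {
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        try {
            // constant-time comparison of the presented MAC against a freshly computed one
            if (!MessageDigest.isEqual(hmac(payload), DEC.decode(token.substring(dot + 1)))) return null;
            String clear = new String(DEC.decode(payload), StandardCharsets.UTF_8);
            int sep = clear.lastIndexOf(':');
            if (sep < 0 || Long.parseLong(clear.substring(sep + 1)) <= nowEpochSeconds) return null;
            return clear.substring(0, sep);
        } catch (IllegalArgumentException e) {   // bad base64 or bad expiry number
            return null;
        }
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}

// Carries the raw token through Subject.login(); principal and credentials are both the token string.
final class ApiBearerToken implements AuthenticationToken {
    private final String token;
    ApiBearerToken(String token) { this.token = token; }
    public Object getPrincipal() { return token; }
    public Object getCredentials() { return token; }
}

// Like authcBasic[permissive]: a request with "Authorization: Bearer ..." is a login attempt that must
// succeed; a request without one is passed on and the resource annotations decide.
public class BearerTokenFilter extends AuthenticatingFilter {
    private static String bearer(ServletRequest request) {
        String h = WebUtils.toHttp(request).getHeader("Authorization");
        return h != null && h.regionMatches(true, 0, "Bearer ", 0, 7) ? h.substring(7).trim() : null;
    }
    @Override protected boolean isLoginRequest(ServletRequest req, ServletResponse res) { return bearer(req) != null; }
    @Override protected AuthenticationToken createToken(ServletRequest req, ServletResponse res) { return new ApiBearerToken(bearer(req)); }
    @Override protected boolean onAccessDenied(ServletRequest req, ServletResponse res) throws Exception {
        if (isLoginRequest(req, res) && executeLogin(req, res)) return true;
        WebUtils.toHttp(res).setStatus(HttpServletResponse.SC_UNAUTHORIZED);   // plain 401, no Basic challenge for an API
        return false;
    }
}

// Validates the token; permissions here come from a constructed map, in practice from the same store the
// Basic realm uses ([users]/[roles] in shiro.ini, Stormpath, ...).
public class BearerTokenRealm extends AuthorizingRealm {
    private final TokenService tokens;
    private final Map<String, Set<String>> permissions;
    BearerTokenRealm(TokenService tokens, Map<String, Set<String>> permissions) { this.tokens = tokens; this.permissions = permissions; }
    @Override public boolean supports(AuthenticationToken t) { return t instanceof ApiBearerToken; }   // Basic logins go to the other realm
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
        String user = tokens.verify((String) t.getCredentials(), System.currentTimeMillis() / 1000);
        if (user == null) throw new AuthenticationException("invalid or expired bearer token");
        return new SimpleAuthenticationInfo(user, t.getCredentials(), getName());   // default matcher: credentials equal
    }
    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Set<String> perms = permissions.get((String) principals.getPrimaryPrincipal());
        if (perms != null) info.addStringPermissions(perms);
        return info;
    }
}

// Mapped to authcBasic (not permissive) in [urls]: the client sends its Basic credentials once and gets a 1-hour token.
@Path("/login")
public class LoginResource {
    static TokenService tokens;   // hypothetical: set at startup with the same secret the realm uses
    @POST @RequiresAuthentication
    public String login() {
        String user = (String) SecurityUtils.getSubject().getPrincipal();
        return tokens.issue(user, System.currentTimeMillis() / 1000 + 3600);
    }
}
```

Wiring (also an assumption, not the thread's config): in shiro.ini, `bearer = com.example.BearerTokenFilter` under `[main]`, the one or two accounts for the Basic step in the `[users]` section (that is what IniRealm reads), and under `[urls]` `/login = noSessionCreation, authcBasic` followed by `/** = noSessionCreation, bearer[permissive]`; the realm needs the secret, so it is added to the security manager's realms in code rather than from the ini. The Volley client then POSTs to /login with the Basic header once, keeps the returned string, and sends `Authorization: Bearer <token>` on every later call, so the password leaves the device once instead of with each request. The token is still a bearer credential: it needs TLS, a short lifetime (the expiry checked above) and a secret that is rotated if it leaks, and because nothing is stored server-side, revoking a token before it expires takes a denylist or a secret rotation.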
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: credentials in headers vs. token

Brian Demers

On Thu, Feb 23, 2017 at 10:37 PM, Joe Murray <[hidden email]> wrote:

Re: credentials in headers vs. token

Joe Murray
I was just reading that post!! 

OK, cool, it can be done if need be. Gonna use the Stormpath one for now.

thx!

-joe



On Feb 24, 2017, at 9:46 AM, Brian Demers <[hidden email]> wrote:


On Thu, Feb 23, 2017 at 10:37 PM, Joe Murray <[hidden email]> wrote: