Return-Path: Delivered-To: apmail-incubator-shiro-user-archive@www.apache.org Received: (qmail 32274 invoked from network); 24 Aug 2010 00:31:34 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 24 Aug 2010 00:31:34 -0000 Received: (qmail 81836 invoked by uid 500); 24 Aug 2010 00:31:34 -0000 Delivered-To: apmail-incubator-shiro-user-archive@incubator.apache.org Received: (qmail 81809 invoked by uid 500); 24 Aug 2010 00:31:34 -0000 Mailing-List: contact shiro-user-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: shiro-user@incubator.apache.org Delivered-To: mailing list shiro-user@incubator.apache.org Received: (qmail 81801 invoked by uid 99); 24 Aug 2010 00:31:34 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 24 Aug 2010 00:31:34 +0000 X-ASF-Spam-Status: No, hits=2.2 required=10.0 tests=FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of yowzator@gmail.com designates 74.125.82.43 as permitted sender) Received: from [74.125.82.43] (HELO mail-ww0-f43.google.com) (74.125.82.43) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 24 Aug 2010 00:31:29 +0000 Received: by wwi14 with SMTP id 14so920625wwi.0 for ; Mon, 23 Aug 2010 17:31:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type; bh=uumziEqq2mlVbjUAEpYOvKOEmwGEb9QqMNnRIo38ICw=; b=dzAnBSzc0slEGSzSSEbXoCQFiRR0ZdkdfhVVqPs8ZZ+oGdI86bKbviYnQbhluqWRV0 ICFbuzbMJOn4WX4ew1bKr1V1+7dl74VUfwQnnKKmuDpHf/7owqRcyHqec7YWW5TigsK9 xJPYIDw9/vYY82mYlP6WxCPaBgKxOkoDJmcXc= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=cCtRP1wxfFVia8r8mRk3AlbgEMfxPZcOPc01EYrfGxbniTzw/vBOIm9fy/lVHTGEg0 eU+HuG3KQGDsc8bSbnRP4j8oUSsDhF1K72w46KdQbKMFRbwHiqqUcscOcOZd0rceIDfN PvoTPnOyEHjL1D5eVUXOUcvUzCXJsOCIDH5PA= MIME-Version: 1.0 Received: by 10.227.138.6 with SMTP id y6mr5153656wbt.162.1282609867752; Mon, 23 Aug 2010 17:31:07 -0700 (PDT) Received: by 10.227.131.9 with HTTP; Mon, 23 Aug 2010 17:31:07 -0700 (PDT) In-Reply-To: <53d6e7831001210052j75c406f3pec63e9fe6624d3c@mail.gmail.com> References: <95773c800911290140m669dc1dbt11fc46f429e5a305@mail.gmail.com> <1259775887625-4101151.post@n2.nabble.com> <95773c801001201311j75fd38f0mf2bd4ec709189d17@mail.gmail.com> <53d6e7831001210052j75c406f3pec63e9fe6624d3c@mail.gmail.com> Date: Mon, 23 Aug 2010 17:31:07 -0700 Message-ID: Subject: Re: Integration with RESTful framework From: Tauren Mills To: shiro-user@incubator.apache.org Content-Type: multipart/alternative; boundary=0016e65684e68d8395048e86e17c --0016e65684e68d8395048e86e17c Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable There have been a few messages recently about Shiro and Jersey that prompte= d me to resurrect this old related thread. My application currently has some wicket pages for login, logout, account creation, and a few other things. It also uses a rememberme cookie for authentication. Once you are logged in, there is a section of the application that is entirely a single page javascript application. This JS app uses ajax calls to a RESTful jersey service hosted on the same server. The cookie works fine to authenticate for the jersey services as well. The problem is that I'd like to move my API from http://mysite.com/api to http://api.mysite.com/. If I do this, I won't be able to use the cookie aut= h anymore. Plus, as Tamas suggested below, it is probably best to be stateles= s on the server side and expect the user to auth for every REST call. Lastly, I intend to open up the API in the future, and I'm not sure relying on cookies is the best technique. So, I'm just trying to wrap my head around authenticating with every REST call. What are good methods of doing this? Does this mean you pass a username and password as query parameters or in post data? I don't necessarily want my JS app to have to ask for and store the user's password (they already authenticated in the wicket app), nor do I like sending passwords in the clear like this: http://localhost:8080/services/helloworld?user=3Dtauren&password=3Dsilly I've just started looking into the ways that others such as twitter, facebook, amazon, etc do this. So I'm reading up on OAuth and other techniques. The Shiro issue tracker has an feature request for OAuth, but i= t doesn't seem like it is a very high priority. I've also seen that many services issue an API public/private key that an application would use, which is an approach I might use down the road. I'd also like to support OpenID, Facebook Connect (or whatever they call it now), etc. At the momen= t I haven't yet grokked it all, so please let me know if I'm going down the wrong path! Currently, my API is in total flux and hasn't been opened up. It only needs to be usable by my own webapp for now, it doesn't need to be publicly accessible to other applications. But in the near future, parts of it will be opened up. I'll need to support JSONP at that point too. My goal is to have my RESTful URLs return different information depending upon who is accessing them. If the request is not from an authenticated user, then some URLs will return publicly available information only. Some URLs will return no data or an error if you are not logged in. If you are logged in, then you can request things about yourself. And if you are logged in and are a user with additional administrative privileges, then yo= u can request information about others that you have the right to see. But I can see problems with this approach too, so it isn't set in stone yet. Any advice or insights on how to proceed would be extremely helpful! Withou= t OAuth support, I'm unclear on the approaches that other are taking. It seem= s like a common enough use case that there must be others doing the same thing. Are there some good resources or open source tools I should be looking into? Thanks, Tauren 2010/1/21 Tam=E1s Cserven=E1k > Hi Tauren, > > we decided to be completely stateless on server side, and we do expect us= er > auth for _every_ REST call. > > ~t~ > > --0016e65684e68d8395048e86e17c Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable There have been a few messages recently about Shiro and Jersey that prompte= d me to resurrect this old related thread.

My appli= cation currently has some wicket pages for login, logout, account creation,= and a few other things. It also=A0uses a rememberme cookie for authenticat= ion. Once you are logged in, there is a section of the application that is = entirely a single page javascript application. This JS app=A0uses ajax call= s to a RESTful jersey service hosted on the same server. The cookie works f= ine to authenticate for the jersey services as well.

The problem is that I'd like to move my API from http://mysite.com/api to http://api.mysite.com/. If I do this, I won't = be able to use the cookie auth anymore. Plus, as Tamas suggested below, it = is probably best to be stateless on the server side and expect the user to = auth for every REST call. Lastly, I intend to open up the API in the future= , and I'm not sure relying on cookies is the best technique.

So, I'm just trying to wrap my head around authenticating with= every REST call. What are good methods of doing this? Does this mean you p= ass a username and password as query parameters or in post data? I don'= t necessarily want my JS app to have to ask for and store the user's pa= ssword (they already authenticated in the wicket app), nor do I like sendin= g passwords in the clear like this:

I'v= e just started looking into the ways that others such as twitter, facebook,= amazon, etc do this. So I'm reading up on OAuth and other techniques. = The Shiro issue tracker has an feature request for OAuth, but it doesn'= t seem like it is a very high priority. I've also seen that many servic= es issue an API public/private key that an application would use, which is = an approach I might use down the road. I'd also like to support =A0Open= ID, Facebook Connect (or whatever they call it now), etc. At the moment I h= aven't yet grokked it all, so please let me know if I'm going down = the wrong path!

Currently, my API is in total flux and hasn't been = opened up. It only needs to be usable by my own webapp for now, it doesn= 9;t need to be publicly accessible to other applications. But in the near f= uture, parts of it will be opened up. I'll need to support JSONP at tha= t point too.

My goal is to have my RESTful URLs return different inf= ormation depending upon who is accessing them. =A0If the request is not fro= m an authenticated user, then some URLs will return publicly available info= rmation only. =A0Some URLs will return no data or an error if you are not l= ogged in. =A0If you are logged in, then you can request things about yourse= lf. =A0And if you are logged in and are a user with additional administrati= ve=A0privileges, then you can request information about others that you hav= e the right to see. But I can see problems with this approach too, so it is= n't set in stone yet.

Any advice or insights on how to proceed would be extre= mely helpful! Without OAuth support, I'm unclear on the approaches that= other are taking. It seems like a common enough use case that there must b= e others doing the same thing. Are there some good resources or open source= tools I should be looking into?

Thanks,
Tauren


2010/1/21 Tam=E1s Cserven= =E1k <tamas@cservenak.net>
Hi Tauren,

we decided to = be completely stateless on server side, and we do expect user auth for _eve= ry_ REST call.

~t~

=
--0016e65684e68d8395048e86e17c--