Return-Path: X-Original-To: apmail-shiro-user-archive@www.apache.org Delivered-To: apmail-shiro-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id DCE4710194 for ; Thu, 20 Mar 2014 22:48:11 +0000 (UTC) Received: (qmail 41505 invoked by uid 500); 20 Mar 2014 22:48:11 -0000 Delivered-To: apmail-shiro-user-archive@shiro.apache.org Received: (qmail 41486 invoked by uid 500); 20 Mar 2014 22:48:11 -0000 Mailing-List: contact user-help@shiro.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@shiro.apache.org Delivered-To: mailing list user@shiro.apache.org Received: (qmail 41478 invoked by uid 99); 20 Mar 2014 22:48:11 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 20 Mar 2014 22:48:11 +0000 X-ASF-Spam-Status: No, hits=2.8 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,URI_HEX X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of dominicfarr@gmail.com designates 209.85.216.176 as permitted sender) Received: from [209.85.216.176] (HELO mail-qc0-f176.google.com) (209.85.216.176) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 20 Mar 2014 22:48:05 +0000 Received: by mail-qc0-f176.google.com with SMTP id m20so1904386qcx.21 for ; Thu, 20 Mar 2014 15:47:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=qdoi7vBdsJvPdASeI5bKdDrQGIA8BIZCt3x0EE6SxB4=; b=ouyG8Aqy5CyvOSQN5Zgx1/0phScgGvhtcI3rgRk4iLRn1+vNSaoh4fKLsX+j0kiOtk V5UWzrzB47tU0QoDJiiii9297Xk5yfwPhCDbHp8gyLSep/LRVcMpRv2YnNdDWNT+miOw rMCbBs/ogFMopNZccN1Lp7qCWYJGWD36N1wuNUkI83wK91n6lDTuXSnu8Q/bRBmSLnZp SG0IjZUe+34+MnQWEhhMT9j2Jh8BiJKWQXhZGYSprWSH68fZlPYjevnwPV7h5ie2Wa1H ZoIPHGJE6Cu6+ryfz8W4EStcr7Zr/qNeD6vcpWlA5b+aETg9RJaNiBA9gEgLTZSo/jBx hxJA== X-Received: by 10.229.89.65 with SMTP id d1mr53799215qcm.14.1395355664166; Thu, 20 Mar 2014 15:47:44 -0700 (PDT) MIME-Version: 1.0 Received: by 10.224.182.5 with HTTP; Thu, 20 Mar 2014 15:47:24 -0700 (PDT) In-Reply-To: <1395342365122-7579814.post@n2.nabble.com> References: <1395342365122-7579814.post@n2.nabble.com> From: Dominic Farr Date: Thu, 20 Mar 2014 22:47:24 +0000 Message-ID: Subject: Re: Shiro and REST with HMAC Authentication Tokens To: shiro Content-Type: multipart/alternative; boundary=001a1133cbc8b2cef404f5118e26 X-Virus-Checked: Checked by ClamAV on apache.org --001a1133cbc8b2cef404f5118e26 Content-Type: text/plain; charset=UTF-8 Shiro correctly divides everything web/http away from authentication/authorization. separation of concerns. Your realm's doGetAuthenticationInfo method should gather information about the user, including what you need to match any password or hash. Returns a AuthenticationInfo. Your call to subject.login takes AuthenticationToken which is in your web layer, which has access to your http request. Both AuthenticationToken and AuthenticationInfo are passed to your CredentialsMatcher in the shiro classes when you call login As long as your tokens contain the right information to perform a match you should be able to create a CredentialsMatcher that works for you.....I think? Does that make sense? If not, sorry, it's late. -d On 20 March 2014 19:06, rawc wrote: > I'm am planning on using Shiro and an Amazon-like authentication scheme to > secure my REST API. My initial thoughts are to create a custom > authentication token and a custom realm that supports the custom > authentication token. The token will be an HMACAuthenticationToken and will > hold the client's API key and HMAC. In my custom realm I will retrieve the > client's API secret from a database based on the API key found in the > authentication token, then use the secret and information from the HTTP > request to verify that the HMAC value passed in from the client is correct. > The only problem is I don't see a way to access the HTTP Request from > within > the custom realm. Am I approaching this the right way? If so, how do I > access the HTTP request within the realm. If not, how should I be > approaching this? The only other way I've thought of doing this is adding a > third property to the HMACAuthenticationToken that will hold the message > string that will be used verify the HMAC value provided by the client (i.e. > instead of assembling the message string in the realm from information in > the HTTP request I would assemble the message string at the time the > HMACAuthenticationToken is created and add it into the token). Thanks in > advance. > > > > -- > View this message in context: > http://shiro-user.582556.n2.nabble.com/Shiro-and-REST-with-HMAC-Authentication-Tokens-tp7579814.html > Sent from the Shiro User mailing list archive at Nabble.com. > --001a1133cbc8b2cef404f5118e26 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Shiro correctly divides everything web/http away from auth= entication/authorization. separation of concerns.=C2=A0

= Your realm's doGetAuthenticationInfo method should gather information a= bout the user, including what you need to match any password or hash. Retur= ns a=C2=A0AuthenticationInfo.

Your call to subject.login takes=C2=A0AuthenticationTok= en which is in your web layer, which has access to your http request.
=

Both=C2=A0AuthenticationToken and AuthenticationInfo ar= e passed to your=C2=A0CredentialsMatcher in the shiro classes when you call= login=C2=A0

As long as your tokens contain the right information to= perform a match you should be able to create a=C2=A0CredentialsMatcher tha= t works for you.....I think?

Does that make sense?= If not, sorry, it's late.

-d


On 20 March 2014 19:06, rawc <rawlinc+shiro@gma= il.com> wrote:
I'm am planning on using Shiro and an Am= azon-like authentication scheme to
secure my REST API. My initial thoughts are to create a custom
authentication token and a custom realm that supports the custom
authentication token. The token will be an HMACAuthenticationToken and will=
hold the client's API key and HMAC. In my custom realm I will retrieve = the
client's API secret from a database based on the API key found in the authentication token, then use the secret and information from the HTTP
request to verify that the HMAC value passed in from the client is correct.=
The only problem is I don't see a way to access the HTTP Request from w= ithin
the custom realm. Am I approaching this the right way? If so, how do I
access the HTTP request within the realm. If not, how should I be
approaching this? The only other way I've thought of doing this is addi= ng a
third property to the HMACAuthenticationToken that will hold the message string that will be used verify the HMAC value provided by the client (i.e.=
instead of assembling the message string in the realm from information in the HTTP request I would assemble the message string at the time the
HMACAuthenticationToken is created and add it into the token). Thanks in advance.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-REST-with-HMAC= -Authentication-Tokens-tp7579814.html
Sent from the Shiro User mailing list archive at Nabble.com.

--001a1133cbc8b2cef404f5118e26--