>>>>> Brian Demers <brian.demers-re5jqeeqqe8avxtiumw...@public.gmane.org>:
> This post is a little old (dependency wise), but it should still be accurate.

Hm... I'm on shiro-1.7.0 currently, so the mentioned shiro-jaxrs should be available...? (and currently on jersey 1.8.4, if that matters...?)

> See the bit about the "permissive" filter.
> https://stormpath.com/blog/protecting-jax-rs-resources-rbac-apache-shiro

Interesting!

> If you go this route, you will need to ensure you are checking access
> another way: annotation, another filter, etc.

I.e. the idea is to let everything to the API through untouched and then use annotations to set permissions on the jersey resources, and then let shiro-jax handle access control?

Is it possible to split the handling? I.e. to use regular handling on the frontend and shiro-jaxrs and annotations on the REST API?

Will something like this work as expected?

  [main]
  authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
  shiro.loginUrl = /login
  shiro.unauthorizedUrl = /unauthorized

  [urls]
  /api/** = anon
  /** = authc, role[myapprole]

"work as expected" means:

1. /** will be handled with redirect to /login when not logged in
2. /api/** will pass through, but shiro-jaxrs handling will work

Or will shiro-jaxrs be affected by the shiro.ini config and let everything through, whatever the @RequiresPermission() says?

Thanks!

- Steinar
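As an added example (not part of this thread or of Shiro's own code), here is what the REST-API side of the split setup asked about above could look like, paired with the shiro.ini in the question. It assumes a JAX-RS 2.x runtime such as Jersey 2 (shiro-jaxrs is built on JAX-RS 2 APIs); the class, path and permission names are hypothetical.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.MediaType;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.web.jaxrs.ShiroFeature;
import org.glassfish.jersey.server.ResourceConfig;

// Added example, not from the thread. Mounted under /api, which the
// shiro.ini [urls] chain maps to "anon": the Shiro servlet filter still
// binds a Subject to the request but does not redirect to /login, so the
// JAX-RS annotations below are what actually gate access.
@ApplicationPath("/api")
public class ApiApplication extends ResourceConfig {

    public ApiApplication() {
        // ShiroFeature wires the @Requires* annotation filters and an
        // exception mapper that turns authorization failures into HTTP
        // error responses instead of the HTML redirect used on /**.
        register(ShiroFeature.class);
        register(ReportsResource.class);
    }

    // Hypothetical resource; nested only to keep the example in one file.
    @Path("/reports")
    public static class ReportsResource {

        // Unauthenticated or under-privileged callers are rejected here
        // by shiro-jaxrs, independently of the "anon" filter chain entry.
        @GET
        @Produces(MediaType.APPLICATION_JSON)
        @RequiresPermissions("reports:read")
        public String listReports() {
            return "[]"; // placeholder payload
        }

        // A method with no annotation is open on this path: that is the
        // gap the quoted reply warns about, so every API method needs
        // its own check once /api/** is "anon".
        @GET
        @Path("/ping")
        public String ping() {
            return "ok";
        }
    }
}
```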