Apache Shiro – HTTP auth and Form auth in same project

I wanted a way to do regular form auth with an application. The idea is that regular users would use form authentication, and API users could use Simple HTTP authentication (HTTP Basic).

I had a REST service that I exposed at 2 different URLs by creating 2 Application classes extending javax.ws.rs.Application and using


to expose 2 different URLs. The first is at /rest and the second is at /api. Now, in the shiro.ini I set up a different filter for each path: to access /rest you have to be logged in via form auth, and to access /api you must be logged in with HTTP Simple authentication.

I implemented a custom AuthorizingRealm and added the api role to the users that can access the API.

That works great, and simplifies any API connections by allowing Simple auth. Simple auth should also force SSL because it is not secure over clear HTTP, but that’s well documented by the Shiro project. There will be a post coming soon about how to implement a custom AuthorizingRealm to use your own DAOs to look up users, but it is only 3 methods and is pretty straightforward.
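A shiro.ini along these lines gives the split described above. It is an added example, not the configuration from the original project; the realm class `com.example.security.MyRealm` and the login page `/login.jsp` are assumed names, while `authc`, `authcBasic`, `ssl`, `roles` and `noSessionCreation` are Shiro's built-in filters.

```ini
[main]
# Hypothetical custom AuthorizingRealm that looks users up through your own DAOs
myRealm = com.example.security.MyRealm
securityManager.realms = $myRealm

# Form login page used by the authc filter (assumed path)
authc.loginUrl = /login.jsp

# Realm name shown in the browser/client Basic auth challenge
authcBasic.applicationName = API

[urls]
# First matching pattern wins, so keep the most specific entries on top.

# The login page itself is handled by the form filter
/login.jsp = authc

# Regular users: must have logged in through the form
/rest/** = authc

# API users:
#   noSessionCreation - each request authenticates on its own, no server session
#   ssl               - reject clear-text HTTP, since Basic credentials are only base64-encoded
#   authcBasic        - HTTP Basic authentication
#   roles[api]        - only users the realm grants the api role
/api/** = noSessionCreation, ssl, authcBasic, roles[api]
```

A request to /api with valid credentials but without the api role is rejected by `roles[api]`, so adding the role in the realm is what actually grants API access.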
