1
votes

I am currently in the process of building RESTful web services using the Jersey framework as a backend (for an iPad/iPhone application) using Java. At the point where I was trying to figure out a security (authentication and authorization) implementation for my API, I came across Basic, Digest and OAuth, but at this point my APIs are still not fully developed, so OAuth seems to be a bit of an overkill to me...

My question is: though Apache Shiro looks easy to grasp and start with, is it something that can be used for securing RESTful web services in the long run as my API logic grows?

1
Curious question: what's driving you to build the entire API platform from scratch? - brandonscript
Well, the API is actually the back end of an iPad app being developed in my company, so it just provides a service to the front end. If not from scratch, then what else? - Anirudh
Lots of great options out there vs. building from scratch: Open source projects like Sails.js or free API back-end providers like Apigee; both are already set up and ready to go to manage things like authentication. - brandonscript
Thanks! Hmm, that's cool. I would like to look into Apigee if it saves me time for development and setting it up from scratch. It would be really helpful if you could suggest a place for a fresher like me to get started on this? - Anirudh
It really will actually -- kind of a life saver. Their docs are better now. Start here: apigee.com/usergrid You can play around in a sandbox collection and start adding data/users/whatever that way. - brandonscript

1 Answer

3
votes

Shiro is very customizable. It provides interfaces for doing your Authentication and Authorization. If you ever need to change your authentication from Basic to OAuth, all you have to do is implement a new class and plug it in.

The interfaces to look into are Realm, AuthenticatingRealm, AuthorizingRealm, Subject, AuthenticationToken and SimpleAuthorizationInfo.
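
To illustrate the "implement a new class and plug it in" step from the answer above, here is an added example (not code from the original answer or from the Shiro project) of a custom `AuthorizingRealm` that accepts an opaque bearer token instead of a username and password. The names `ApiToken` and `ApiTokenRealm`, the `com.example` package, the `orders:read` permission and the in-memory sample data are all hypothetical.

```java
import java.util.Map;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Plugged in via shiro.ini (package name is an assumption):
//   [main]
//   apiRealm = com.example.ApiTokenRealm
//   securityManager.realms = $apiRealm

// Hypothetical token type wrapping the value sent in the Authorization header.
class ApiToken implements AuthenticationToken {
    private final String value;
    ApiToken(String value) { this.value = value; }
    @Override public Object getPrincipal() { return value; }
    @Override public Object getCredentials() { return value; }
}

public class ApiTokenRealm extends AuthorizingRealm {
    // Constructed sample data; a real realm would query a token store instead.
    private static final Map<String, String> TOKEN_TO_USER = Map.of("sample-token-123", "alice");
    private static final Map<String, String> USER_TO_ROLE = Map.of("alice", "user");

    public ApiTokenRealm() {
        setAuthenticationTokenClass(ApiToken.class); // ignore any other token type
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String presented = (String) token.getCredentials();
        String user = presented == null ? null : TOKEN_TO_USER.get(presented);
        if (user == null) {
            throw new UnknownAccountException("unknown or revoked token");
        }
        // Principal becomes the resolved user; the default matcher compares credentials.
        return new SimpleAuthenticationInfo(user, presented, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String role = USER_TO_ROLE.get((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (role != null) {                        // no role means no permissions
            info.addRole(role);
            info.addStringPermission("orders:read");
        }
        return info;
    }
}
```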