
How to use Shiro for authenticating cookie based or facebook user?

In my web application, I do not have user registrations/login. What I have is that the user account is automatically created when the user visits the site for the first time, based on the cookie. How can I use Shiro for this purpose to authenticate such a user (and also take advantage of its other web security features)?

If the user chooses to log in via Facebook Connect, then how can I use Shiro for this scenario?

ace asked Mar 28 '11 13:03


1 Answer

OK, after JohnS told me that the linked blog post doesn't work and some time had passed, I reworked my answer.

In my understanding, Apache Shiro doesn't support OAuth (at the time of this writing); see SHIRO-21 and SHIRO-119 and also the comments on them.

There are two libraries which simplify OAuth, Scribe and pac4j.

  • Scribe is used by GAEShiro, which includes a bridge between Scribe and Shiro.
  • pac4j is used by buji-pac4j, which is a web multi-protocols client for Apache Shiro. On the linked page there is a demo with Facebook authentication available, see here. I suggest using this demo as a start.

Please make sure to read Facebook OAuth 2.0 and Server-Side Authentication. If you want to enable your site to use OAuth 2.0, then you have to follow the guide on the links.

There is also the mentioned blog post, and alternatively you can use Spring Security and Spring Social; see Signing in with Service Provider Accounts.

ChrLipp answered Sep 28 '22 07:09