Need help configuring Apache Shiro to split authentication (multiple REST APIs)

I am creating a web application using AngularJS front-end and Spring Boot REST back-end (they run on separate servers i.e. on port 3000 and on port 8443). The server is expected to connect to multiple external services (with separate authentication) and provide endpoints for the interface to use.

For security purposes, I decided to use Apache Shiro. For the sake of simplicity, I'll pretend there are only 2 external services (ES1 and ES2).

I created 2x AuthorizingRealm

's that connect to the appropriate external services and try to authenticate with the provided tokens.

In the method doGetAuthenticationInfo

, if the login succeeds, I return SimpleAuthenticationInfo

with the principal, credentials, and realm name.

In the method, doGetAuthorizationInfo

I check the principal's domain name, and if it does, I return SimpleAuthorizationInfo

with the USER role and permission (eg ES1_permitted).

I also extended the class UsernamePasswordToken

for each sphere to use it even more (by method supports

).

In the config class, I create a bean for DefaultWebSecurityManager

that uses my two realms and a bean for the Shiro filter. I added 4 filters:

• anon AnonymousFilter
  
  
• perm PermissionsAuthorizationFilter
  
  
• es1 ES1Filter
  
  
• es2 ES2Filter
  
  

My filter chain looks something like this:

/api/es1/login  -> anon
/api/es1/**     -> es1, perms[ES1_permitted]
/api/es2/login  -> anon
/api/es2/**     -> es2, perms[ES2_permitted]
/**             -> anon

      

        
        
        
      

    

Somehow when I was working with frontend and server from the same server (no CORS) it worked. However, now that CORS is an issue, I cannot get this to work as expected.

Is there an easier way to achieve complete separation of authentication / authorization? I am ready to upgrade to Spring Security if it can be done there.

PS: I am using Java API, not config files (spring xml or shiro.ini).