Posted to dev@shiro.apache.org by Martin Asenov <mA...@velti.com> on 2010/02/01 09:19:42 UTC

RE: Some info needed regarding authentication config with JPA and JSecurity

Thanks, Les!

Now I think I've got the basics on how to implement SHIRO on my webapp.
And remember that the only thing to fear is running out of beer ;)

Cheers,
Martin

-----Original Message-----
From: les.hazlewood@anjinllc.com [mailto:les.hazlewood@anjinllc.com] On Behalf Of Les Hazlewood
Sent: Thursday, January 28, 2010 5:01 PM
To: shiro-dev@incubator.apache.org
Subject: Re: Some info needed regarding authentication config with JPA and JSecurity

Hi Martin,

Have you looked at the Shiro Spring/Hibernate sample application?  It
shows how authentication and authorization occur with Shiro when using
Hibernate, but trivial substitutions can be made for JPA.

> Well, I wasn't talking only about page instantiation permissions but about MetaDataRoleAuthorizationStrategy permissions, and also about creating my own UserContext object, which is session specific (it tells me about roles, usernames, etc.).

Shiro already handles this for you, but does it in a much more
efficient manner by using an authorization cache that you can
configure.  Session objects should be kept as lightweight as possible,
typically only storing pointers to get to the data you need (user IDs,
usernames, etc).

> I'm wondering if SHIRO is the most convenient framework to use in my case. I've already done authz the Wicket way, so it's a lot of work to convert it into a SHIRO one. I just can't think of an alternative.

Yep, you can use Shiro for only authentication if you want -
authorization and authentication are orthogonal and have no dependency
on each other so you can use one or both depending on your needs.

> I'm using a JPA persistence layer for obtaining User objects, and I still don't know how to import this into my webapp for authc. I wonder if I could write myself some authc module...

Yep, check out the Spring/Hibernate sample app - you'll see that it is
mostly finished already :)

Cheers,

Les

>
> What do you say?
>
> BR,
> Martin
>
> -----Original Message-----
> From: Tauren Mills [mailto:yowzator@gmail.com]
> Sent: Tuesday, January 26, 2010 11:53 AM
> To: shiro-dev@incubator.apache.org
> Subject: Re: Some info needed regarding authentication config with JPA and JSecurity
>
> When you say "use wicket for authorization", what exactly do you mean?  What
> I'm envisioning is you hard-coding lots of permissions logic into your
> pages.  If you have shiro's authentication already going, it isn't hard to
> add the authorization as well.
>
> Using the wicket-shiro project, you can add something like this to the top
> of your page and only authenticated users will be able to access that page:
>
> @ShiroSecurityConstraint(
>  constraint   = ShiroConstraint.HasRole,
>  value        = "member",
>  loginMessage = "You must be member to view this page",
>  unauthorizedMessage = "You need to be a member"
> )
> public abstract class SiteBasePage<T> extends BasePage<T> implements
> IAjaxIndicatorAware {
> ...
> }
>
> If I was in your shoes, I'd start with the wicket-shiro examples.  Just
> check them out, use maven to build, and then run them.  They should run
> without any hassles and show you what it can do as far as authc goes.  There
> isn't a whole lot in the samples in regards to authz, which is why I posted
> that tutorial.
>
> Hope this helps!
> Tauren
>
>
>
>
> On Tue, Jan 26, 2010 at 1:46 AM, Martin Asenov <mA...@velti.com> wrote:
>
>> Great, Tauren, thanks for the article! However, I'm planning to rely on Wicket
>> for authorization, and only do authentication through JSecurity. I guess I
>> could use the very first snippet of code in your article? Do you encourage
>> me to do so? :)
>>
>> Thank you,
>> Martin
>>
>> -----Original Message-----
>> From: Tauren Mills [mailto:yowzator@gmail.com]
>> Sent: Tuesday, January 26, 2010 11:33 AM
>> To: shiro-dev@incubator.apache.org
>> Subject: Re: Some info needed regarding authentication config with JPA and JSecurity
>>
>> Martin,
>>
>> I started to write a long response to you, but decided it made a better blog
>> post.  So I just posted a tutorial on using Shiro with Wicket.  It includes
>> code samples for doing dynamic permissions-based authorization as well. You
>> might want to take a look at it:
>> http://blog.tauren.com/2010/01/using-wicket-with-shiro-for.html
>>
>> I'm still using blogger, so the code snippets are not formatted well at all.
>> Sorry, I know I really need to take some time to change...
>>
>> Tauren
>>
>>
>>
>> On Mon, Jan 25, 2010 at 11:50 PM, Martin Asenov <mA...@velti.com> wrote:
>>
>> > Hello, Les! :)
>> >
>> > As I said, I've got a Wicket webapp which stores objects in the session. But
>> > it complains about the JSecurity objects, since they are not serializable.
>> >
>> > I'm thinking of authenticating through JSecurity and authorizing through
>> > Wicket. I just want to create an authenticated realm with JSecurity and
>> > somehow avoid the serialization issues with Wicket.
>> >
>> > Can someone tell me the safest and easiest method to achieve that, since I
>> > don't need any super-hyper security restrictions and checks... Using
>> > AuthorizingRealm only?
>> >
>> > Thanks in advance!
>> >
>> > Regards,
>> > Martin
>> >
>> > -----Original Message-----
>> > From: les.hazlewood@anjinllc.com [mailto:les.hazlewood@anjinllc.com] On
>> > Behalf Of Les Hazlewood
>> > Sent: Thursday, January 07, 2010 4:44 PM
>> > To: shiro-dev@incubator.apache.org
>> > Subject: Re: Some info needed regarding authentication config with JPA and JSecurity
>> >
>> > If you're doing authentication only, then yes, you can subclass
>> > AuthenticatingRealm.
>> >
>> > However, it is usually better to subclass AuthorizingRealm so you only
>> > have 2 methods to implement: doGetAuthenticationInfo and
>> > doGetAuthorizationInfo.  Then you'll have everything you need for both
>> > authentication and authorization in very short order.
>> >
>> > You would only need to override any of the Authorizer methods on your
>> > Realm implementation if you want more control over how an access check
>> > happens beyond what the SimpleAuthorizationInfo class can do (an
>> > instance of which is usually returned from the doGetAuthorizationInfo
>> > method).
>> >
>> > Cheers,
>> >
>> > Les
>> >
>> > On Thu, Jan 7, 2010 at 7:13 AM, Martin Asenov <mA...@velti.com> wrote:
>> > > Hello, everyone. I need to implement an authentication module in my
>> > > webapp and I want to use JSecurity, but I can't figure out how to connect
>> > > the authc process with the JPA module I use for accessing user details
>> > > (i.e. username, password, roles, etc.). I suppose I have to set an
>> > > AuthenticatingRealm on my SecurityManager and implement all the methods
>> > > inherited from the Authorizer interface, but since I'll do authz in my
>> > > Wicket app, I suppose I just need to implement the
>> > > 'doGetAuthenticationInfo(AuthenticationToken token)' method using the
>> > > JPA implementation I have. Am I right? :)
>> > >
>> > > Thank you in advance for your time! :)
>> > >
>> > >
>> >
>>
>
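Les's Jan 7 reply above describes subclassing AuthorizingRealm and implementing only doGetAuthenticationInfo and doGetAuthorizationInfo, and his Jan 28 reply recommends keeping only pointers such as user IDs in the session. The realm below, an added example and not code from this thread or from the Shiro sample applications, puts both points together against a JPA-backed user store. The User and Role entities and their accessors (getId, getPasswordHash, getSalt, isLocked, getRoles, getName, getPermissions), the package name and the SHA-256 parameters are assumptions; the Shiro classes used assume Shiro 1.1 or later, and the typed createQuery assumes JPA 2.0.

```java
package example.security; // hypothetical package

import java.util.List;

import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.SimpleByteSource;

/**
 * Realm that authenticates and authorizes against users stored via JPA.
 * Only the two abstract AuthorizingRealm hooks are implemented; the
 * Authorizer methods (hasRole, isPermitted, ...) are inherited and evaluate
 * the SimpleAuthorizationInfo returned below.
 *
 * User and Role are hypothetical JPA entities: User has id, username,
 * passwordHash (hex), salt, locked and roles; Role has name and permissions.
 */
public class JpaRealm extends AuthorizingRealm {

    private final EntityManagerFactory emf;

    public JpaRealm(EntityManagerFactory emf) {
        this.emf = emf;
        // Compare the submitted password against a salted, iterated hash so the
        // realm never stores or compares cleartext passwords. Stored hashes must
        // have been produced with the same algorithm, salt and iteration count.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(100000);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        User user = findUser(username);
        if (user == null) {
            throw new UnknownAccountException("No account for " + username);
        }
        if (user.isLocked()) {
            throw new LockedAccountException("Account locked: " + username);
        }
        // The primary principal is just the user id: Shiro keeps principals in
        // the session, so store a pointer to the user, not the whole entity.
        return new SimpleAuthenticationInfo(user.getId(), user.getPasswordHash(),
                new SimpleByteSource(user.getSalt()), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Long userId = (Long) principals.getPrimaryPrincipal();
        User user = loadUser(userId);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (user != null) {
            for (Role role : user.getRoles()) {
                info.addRole(role.getName());
                info.addStringPermissions(role.getPermissions()); // e.g. "order:view"
            }
        }
        // AuthorizingRealm caches this result when the SecurityManager has a CacheManager.
        return info;
    }

    private User findUser(String username) {
        EntityManager em = emf.createEntityManager();
        try {
            // Bound parameter, never string concatenation, so the submitted
            // username cannot change the shape of the JPQL query.
            List<User> found = em.createQuery(
                    "select u from User u where u.username = :name", User.class)
                    .setParameter("name", username)
                    .getResultList();
            return found.isEmpty() ? null : found.get(0);
        } finally {
            em.close();
        }
    }

    private User loadUser(Long id) {
        EntityManager em = emf.createEntityManager();
        try {
            return em.find(User.class, id);
        } finally {
            em.close();
        }
    }
}
```

The distinct exception types (UnknownAccountException, LockedAccountException) are useful for server-side logging; the message shown on the login page should stay generic so a failed attempt does not reveal whether an account exists. Because the principal is only the user id, the authorization lookup re-reads roles from the database on each uncached check, which is exactly what the authorization cache Les mentions is for.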

Re: Some info needed regarding authentication config with JPA and JSecurity

Posted by Les Hazlewood <lh...@apache.org>.
Hi Martin,

I just added this:

http://cwiki.apache.org/confluence/display/SHIRO/Web

Cheers,

Les

2010/2/1 Martin Asenov <mA...@velti.com>:
> Les, I'm going through the sample hibernate-spring app and I can't see where the sampleRealm class is referenced, since it's everything I need. I need to set such a realm in my webapp, so I want to ask where I do so: in web.xml, or somewhere else?
>
> Thanks,
> Martin
>
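Martin's question in this message is where the realm gets set. In a Spring-wired webapp such as the Shiro Spring/Hibernate sample the realm is a property of the SecurityManager bean, and web.xml only declares a delegating filter. The two fragments below are an added example, not the sample's own files: the bean names, the example.security.JpaRealm class, the entityManagerFactory bean and the URL paths are assumptions.

```xml
<!-- applicationContext.xml (added example) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- The realm is an ordinary bean; Spring injects the JPA factory it needs -->
    <bean id="sampleRealm" class="example.security.JpaRealm">
        <constructor-arg ref="entityManagerFactory"/>
    </bean>

    <!-- The realm is set here, on the SecurityManager, not in web.xml -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="sampleRealm"/>
    </bean>

    <!-- Builds the servlet filter that web.xml delegates to -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login"/>
        <!-- First matching pattern wins, so the catch-all must come last;
             a catch-all of anon would silently expose every page -->
        <property name="filterChainDefinitions">
            <value>
                /login = authc
                /static/** = anon
                /** = authc
            </value>
        </property>
    </bean>
</beans>

<!-- web.xml (added example): only the filter delegation lives here -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

The filter name in web.xml must equal the bean id of the ShiroFilterFactoryBean, since DelegatingFilterProxy looks the filter up by that name. Checking the chain definitions against every deployed URL is worth doing whenever a new controller or static path is added, because any path not covered by an explicit rule falls through to the last line.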

RE: Some info needed regarding authentication config with JPA and JSecurity

Posted by Martin Asenov <mA...@velti.com>.
Les, I'm going through the sample hibernate-spring app and I can't see where the sampleRealm class is referenced, since it's everything I need. I need to set such a realm in my webapp, so I want to ask where I do so: in web.xml, or somewhere else?

Thanks,
Martin
