Shiro and JEE

[pierre devreux <me...@yahoo.fr>]

Hi,

I'm evaluating Shiro and I would like to know if Shiro is compatible with
JEE Environment.

My JEE application is built like this :
- Presentation layer: Tapestry.
- Batch layer (though JMX, launch some standard java process calling service
layer)
- Service layer : EJB Stateless, EJB Web Services.
- Business layer : EJB stateless (+ JPA).

All layers are secured (authZ or/and authN).

What about Shiro running in a such environment, one user coming from
Tapestry, another for Batch layer, a third from a Web service client ?
Does Shiro handle WebService security (JAX-WS security) ?
Does shiro handle Identity propagation between JVM ?

When differents layers are not co-localized (i.e. not in same JVM), how
Shiro manages this ?
Regards.
Pierre




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-JEE-tp6306065p6306065.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro and JEE

[Les Hazlewood <lh...@apache.org>]

Hi Pierre,

Shiro is certainly compatible in a JEE environment - it is not limited
or restricted to a particular specification.  Being POJO-based, it
will work in essentially an JVM environment (JEE, Spring, Groovy,
JRuby, etc).

The key with a JEE environment is exactly how you go about setting it
up.  For example, you can use Shiro's annotations, but you'll need to
use an AOP framework supported by your JEE container or use AspectJ
(there is a sample AspectJ application in the Shiro project's samples
directory).  You'll also need to decide if the Shiro SecurityManager
should reside in JNDI or not.  These things are up for discussion as
to what are best practices.

Shiro does not currently have out-of-the-box support for non-colocated
code layers - that is a very old way of deploying applications and our
user community hasn't asked for such support.   It would probably be
possible using a security token to pass between layers, but this would
require some custom coding.  I'm not sure that the Shiro community as
a whole would benefit from something like this or not - people would
have to speak up to let us know if this is needed by more than just a
handful of people.

Regards,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Tue, Apr 26, 2011 at 8:02 AM, pierre devreux <me...@yahoo.fr> wrote:
> Hi,
>
> I'm evaluating Shiro and I would like to know if Shiro is compatible with
> JEE Environment.
>
> My JEE application is built like this :
> - Presentation layer: Tapestry.
> - Batch layer (though JMX, launch some standard java process calling service
> layer)
> - Service layer : EJB Stateless, EJB Web Services.
> - Business layer : EJB stateless (+ JPA).
>
> All layers are secured (authZ or/and authN).
>
> What about Shiro running in a such environment, one user coming from
> Tapestry, another for Batch layer, a third from a Web service client ?
> Does Shiro handle WebService security (JAX-WS security) ?
> Does shiro handle Identity propagation between JVM ?
>
> When differents layers are not co-localized (i.e. not in same JVM), how
> Shiro manages this ?
> Regards.
> Pierre
>
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-JEE-tp6306065p6306065.html
> Sent from the Shiro User mailing list archive at Nabble.com.