Posted to dev@isis.apache.org by "Daniel Keir Haywood (Jira)" <ji...@apache.org> on 2019/10/24 18:26:00 UTC

[jira] [Assigned] (ISIS-1297) Integrate with Keycloak

     [ https://issues.apache.org/jira/browse/ISIS-1297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Keir Haywood reassigned ISIS-1297:
-----------------------------------------

    Assignee: Daniel Keir Haywood

> Integrate with Keycloak
> -----------------------
>
>                 Key: ISIS-1297
>                 URL: https://issues.apache.org/jira/browse/ISIS-1297
>             Project: Isis
>          Issue Type: New Feature
>            Reporter: Daniel Keir Haywood
>            Assignee: Daniel Keir Haywood
>            Priority: Major
>             Fix For: 2.6.0
>
>
> As suggested on the Apache Isis mailing list.
> http://markmail.org/message/6jwghlmyravuxfbx
> There are several approaches ...
> As described in our security guide [1] Apache Isis has a pluggable API for
> both authentication and authorization, so at the lowest level one could
> implement either/both of these plugin points.
> Apache Isis has two integrations, one for Shiro and one called "bypass"
> (which basically disables security).  So one could ignore Apache Isis'
> Shiro integration and implement everything yourself.
> However, it would probably make more sense to build
> upon the Isis Add-ons security module [2], which builds upon the Shiro
> integration by providing an implementation of a Shiro Realm.  This is
> described in [3].  In fact, I would suggest that Keycloak would be used as
> a delegate realm within the Isis addons' security module.
> In other words, the design that we could use is:
>         Apache Isis -> Shiro -> Isis addons security realm -> Isis addons delegate realm
> This last realm would be implemented using Keycloak.
> The documentation in the security module [4] and [5] might also help to
> explain this.
> Note that this design would use Keycloak for authentication (validate
> credentials and lookup roles), with the security module taking
> responsibility for authorization. 
> [1] http://isis.apache.org/guides/ugsec.html
> [2] https://github.com/isisaddons/isis-module-security
> [3] http://isis.apache.org/guides/ugsec.html#_ugsec_shiro-isisaddons-security-module-realm
> [4] https://github.com/isisaddons/isis-module-security#application-users
> [5] https://github.com/isisaddons/isis-module-security#shiro-configuration-shiroini


