Posted to user@shiro.apache.org by mksong <hi...@gmail.com> on 2009/06/28 05:26:34 UTC

About JSecurity's bytecode engineering

Hello, All

I am carrying out an experiment on JSecurity's bytecode engineering.

I tested JSecurity to see if the framework would generate any
bytecode related to security or add anything to the existing ones.

With the attached log file, I am not sure if JSecurity does bytecode
engineering or not.
(Here are the log file at loading time and the slide file explaining what I
did:
http://people.cs.vt.edu/~mksong/jsecurity/
http://people.cs.vt.edu/~mksong/jsecurity/ )

Is it true?

-- 
View this message in context: http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3168851.html
Sent from the Shiro User mailing list archive at Nabble.com.


Re: About JSecurity's bytecode engineering

Posted by Ryan McKinley <ry...@gmail.com>.
no -- Apache Shiro (jsecurity / ki) does not do bytecode manipulation.

With Shiro, you need to use java apis to manage authentication/authorization.


On Jun 28, 2009, at 8:54 PM, mksong wrote:

>
> Hello, Manoj
>
> I am searching a framework which changes the bytecode directly,
> without modifying source code. As you knew, this is bytecode
> engineering or enhancement. Based on this idea, I thought JSecurity
> modified bytecode in order to support a security functionality
> relieving a programmer from the burden of having to implement
> important security concerns by hand.
>
> So, is the method of supporting the security functionality a type
> of API at JSecurity (or Apache Ki)?
>
> Myoungkyu
>
>
>
> Manoj Khangaonkar wrote:
>>
>> Hi Myoungkyu,
>>
>> Just curious, what kind of security policies are you interested in ?
>> Can you give an example.
>>
>> Authorization policies ( role based or other ) that shiro supports
>> does not necessarily require any byte code manipulation.
>>
>> thanks
>>
>> Manoj
>>
>> On 6/28/09, mksong <hi...@gmail.com> wrote:
>>>
>>> Thanks for your reply.
>>>
>>> For example, Hibernate does not perform any bytecode
>>> manipulation on its own, but it uses a proxying library that
>>> creates proxies at the bytecode level.
>>>
>>> If you do not manipulate bytecode,
>>> how do you enforce security policies then?
>>>
>>> Regards,
>>> Myoungkyu
>>>
>>>
>>>
>>> Les Hazlewood-2 wrote:
>>>>
>>>> Hiya,
>>>>
>>>> The project (now named Shiro) does not perform bytecode manipulation of
>>>> any sort.
>>>>
>>>> Regards,
>>>>
>>>> Les
>>>>
>>>> On Sat, Jun 27, 2009 at 11:26 PM, mksong <hi...@gmail.com> wrote:
>>>>
>>>>>
>>>>> Hello, All
>>>>>
>>>>> I am carrying out an experiment on JSecurity's bytecode engineering.
>>>>>
>>>>> I tested JSecurity to see if the framework would generate any
>>>>> bytecode related to security or add anything to the existing ones.
>>>>>
>>>>> With the attached log file, I am not sure if JSecurity does bytecode
>>>>> engineering or not.
>>>>> (Here are the log file at loading time and the slide file explaining what
>>>>> I did:
>>>>> http://people.cs.vt.edu/~mksong/jsecurity/
>>>>> http://people.cs.vt.edu/~mksong/jsecurity/ )
>>>>>
>>>>> Is it true?
>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3168851.html
>>>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> --
>>> View this message in context:
>>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3170891.html
>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>
>>>
>>
>>
>
> -- 
> View this message in context: http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3171906.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>


Re: About JSecurity's bytecode engineering

Posted by mksong <hi...@gmail.com>.
Hello, Manoj 

I am searching a framework which changes the bytecode directly, 
without modifying source code. As you knew, this is bytecode 
engineering or enhancement. Based on this idea, I thought JSecurity 
modified bytecode in order to support a security functionality 
relieving a programmer from the burden of having to implement 
important security concerns by hand. 

So, is the method of supporting the security functionality a type 
of API at JSecurity (or Apache Ki)? 

Myoungkyu 



Manoj Khangaonkar wrote:
> 
> Hi Myoungkyu,
> 
> Just curious, what kind of security policies are you interested in ?
> Can you give an example.
> 
> Authorization policies ( role based or other ) that shiro supports
> does not necessarily require any byte code manipulation.
> 
> thanks
> 
> Manoj
> 
> On 6/28/09, mksong <hi...@gmail.com> wrote:
>>
>> Thanks for your reply.
>>
>> For example, Hibernate does not perform any bytecode
>> manipulation on its own, but it uses a proxying library that
>> creates proxies at the bytecode level.
>>
>> If you do not manipulate bytecode,
>> how do you enforce security policies then?
>>
>> Regards,
>> Myoungkyu
>>
>>
>>
>> Les Hazlewood-2 wrote:
>>>
>>> Hiya,
>>>
>>> The project (now named Shiro) does not perform bytecode manipulation of
>>> any sort.
>>>
>>> Regards,
>>>
>>> Les
>>>
>>> On Sat, Jun 27, 2009 at 11:26 PM, mksong <hi...@gmail.com> wrote:
>>>
>>>>
>>>> Hello, All
>>>>
>>>> I am carrying out an experiment on JSecurity's bytecode engineering.
>>>>
>>>> I tested JSecurity to see if the framework would generate any
>>>> bytecode related to security or add anything to the existing ones.
>>>>
>>>> With the attached log file, I am not sure if JSecurity does bytecode
>>>> engineering or not.
>>>> (Here are the log file at loading time and the slide file explaining what
>>>> I did:
>>>> http://people.cs.vt.edu/~mksong/jsecurity/
>>>> http://people.cs.vt.edu/~mksong/jsecurity/ )
>>>>
>>>> Is it true?
>>>>
>>>> --
>>>> View this message in context:
>>>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3168851.html
>>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>>
>>>>
>>>
>>>
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3170891.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>>
> 
> 

-- 
View this message in context: http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3171906.html
Sent from the Shiro User mailing list archive at Nabble.com.


Re: Grails + ZK + JSecurity

Posted by Les Hazlewood <lh...@apache.org>.
Hi John,

I'm not sure that a lot of users on this list are very knowledgeable of how
the Grails plugin operates (it would be nice if I was wrong though ;)).
Have you tried the grails-user mailing list?  That is typically where people
ask the JSecurity(now Shiro) Grails plugin questions.

However, I'll do my best with regards to your question here.

Shiro can check permissions in two formats - either implementations of the
Permission interface, or a simple String formatted according to the
WildcardPermission javadoc.

It appears that the Grails plugin stores instances of the Permission
interface in the database.  That means you can do things like:

if ( SecurityUtils.subject.isPermitted(aPermissionInstance) )  {
    //do something
}

But I don't know how to instantiate 'aPermissionInstance' based on what the
Grails plugin would expect.  Would it be new
JsecBasicPermission("something"); ?  or another subclass?  I'm not sure.

You can check a String permission as well, but all Strings need to be
converted to a Permission instance in order to perform permission
implication logic (See Permission.implies(permission) JavaDoc).  Shiro does
this via a PermissionResolver.

So, you can do this:

if ( SecurityUtils.subject.isPermitted("printer:print") ) {
    //print
}

But to make this work, you would need to register a PermissionResolver that
accepts a string and instantiates a Permission instance based on that
String.  That permission would then be checked against the persistent
Permission instances managed by the Grails plugin/Hibernate.  For example:

Permission toCheck = permissionResolver.resolvePermission(permString);
for ( Permission perm : hibernatedPermissions ) {
    if ( perm.implies(toCheck) ) {
        return true; //they are permitted to do what is described by 'toCheck'
    }
}
return false; //not permitted

I don't know how to register a custom PermissionResolver with the Grails
plugin to make this work, or if this is even necessary in the first place.

Hopefully another Grails user could shed light on the issue, or Peter
Ledbrook, the original author of the plugin could help.  He's been very busy
the last few months writing a book or two, so I don't know how accessible he
is though.

Regards,

Les

On Tue, Jun 30, 2009 at 12:55 PM, John Cladmore <ju...@lorrev.org> wrote:

> Hi all,
>
> Anyone here using jsec in a Grails + Zk-plugin application?
>
> My problem is that the jsec plugin for grails provides several classes for
> user, role, permission, and their relationships. I have successfully tested
> authentication and verifying the user's role. However, I want to know how I
> can check for permission in code. I know I have to call isPermitted() on the
> current subject, but I don't know how that string parameter should be
> formatted.
>
> I think the plugin is set up for grails view technology with
> controller/action. Whereas, I just want to simply check for permission in
> the wildcard way as documented for jsec WildcardPermission class.
>
> I won't mind the way the jsec plugin for grails has permission set up, if I
> can only figure out how to check it in code.
>
> Here is what I have done so far using fixtures:
> // create a permission
> "aPerm"(JsecPermission){
>     type = "org.jsecurity.grails.JsecBasicPermission"
>     possibleActions = "*"
> }
>
> menuPerm0(JsecRolePermissionRel){
>     role = adminRole // JsecRole instance reference, users and roles already created
>     permission = ref("aPerm") // the permission above
>     target = "User" // name of menu I want permission for, remember, this is not grails controller
>     actions = "view"
> }
>
> Now, in code, I get the current subject and call isPermitted(). I have
> tried "User", "User:*", and "User:view". but nothing successful yet.
>
> Thanks for your help or pointers to info.
>
>
> .v
>
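
The check Les describes above (resolve the string to a Permission, then test each stored permission with implies()), as an added example that is not part of the original message. It assumes Shiro's WildcardPermission and WildcardPermissionResolver stand in for whatever Permission class the Grails plugin actually persists; the class name, the granted list and the request strings are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collection;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;

// Added example (hypothetical class name); requires shiro-core on the classpath.
public class ImpliesCheckExample {

    // Resolve the requested string once, then ask every granted permission
    // whether it implies the request. Deny by default.
    static boolean isPermitted(Collection<Permission> granted,
                               PermissionResolver resolver,
                               String permString) {
        Permission toCheck = resolver.resolvePermission(permString);
        for (Permission perm : granted) {
            if (perm.implies(toCheck)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // The resolver turns "domain:action" strings into WildcardPermission
        // instances; a custom resolver could build another Permission type.
        PermissionResolver resolver = new WildcardPermissionResolver();

        // Constructed grants standing in for the rows the plugin would load
        // from the database for the current user's roles.
        Collection<Permission> granted = Arrays.<Permission>asList(
                new WildcardPermission("user:view"),
                new WildcardPermission("printer:*"));

        // Constructed requests: an exact match, a different action, a request
        // for the whole domain, a wildcard request, a request covered by a
        // wildcard grant, and a mixed-case spelling of a granted permission.
        String[] requests = {
            "user:view", "user:edit", "user", "user:*",
            "printer:print", "User:View"
        };

        for (String request : requests) {
            System.out.printf("%-14s permitted=%b%n",
                    request, isPermitted(granted, resolver, request));
        }
    }
}
```

Implication runs from the grant to the request: a grant must be at least as broad as what is asked for, so a narrow grant never satisfies a request for a whole domain or a wildcard.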

Grails + ZK + JSecurity

Posted by John Cladmore <ju...@lorrev.org>.
Hi all,

Anyone here using jsec in a Grails + Zk-plugin application?

My problem is that the jsec plugin for grails provides several classes for
user, role, permission, and their relationships. I have successfully
tested authentication and verifying the user's role. However, I want to
know how I can check for permission in code. I know I have to call
isPermitted() on the current subject, but I don't know how that string
parameter should be formatted.

I think the plugin is set up for grails view technology with
controller/action. Whereas, I just want to simply check for permission
in the wildcard way as documented for jsec WildcardPermission class.

I won't mind the way the jsec plugin for grails has permission set up,
if I can only figure out how to check it in code.

Here is what I have done so far using fixtures:
// create a permission
"aPerm"(JsecPermission){
    type = "org.jsecurity.grails.JsecBasicPermission"
    possibleActions = "*"
}

menuPerm0(JsecRolePermissionRel){
    role = adminRole // JsecRole instance reference, users and roles already created
    permission = ref("aPerm") // the permission above
    target = "User" // name of menu I want permission for, remember, this is not grails controller
    actions = "view"
}

Now, in code, I get the current subject and call isPermitted(). I have
tried "User", "User:*", and "User:view". but nothing successful yet.

Thanks for your help or pointers to info.


.v

Re: About JSecurity's bytecode engineering

Posted by Les Hazlewood <lh...@apache.org>.
Your results show the use of Annotations in a sample application which uses
Spring-created JDK runtime proxies and does not perform bytecode
manipulation.

I don't think of JDK runtime proxies much as 'bytecode engineering'.  I tend
to think of bytecode engineering as some mechanism (for example, AspectJ)
that manipulates bytecode directly, either during build or runtime.

The Spring-based sample application where you found those annotations does
not use AspectJ or bytecode manipulation of any sort.  It instead uses the
built-in JDK runtime proxying mechanism via Spring's default AOP (AOP
Alliance) support.

Regards,

Les

On Tue, Jun 30, 2009 at 12:21 PM, mksong <hi...@gmail.com> wrote:

>
> Thanks, David
>
> Do you think this example has something to do with bytecode engineering by
> the Spring framework using JSecurity?
>
> $ find . -exec grep "@RequiresRole" '{}' \; -print
>    @RequiresRoles("role1")
>    @RequiresRoles("role2")
> ./samples/spring/src/org/jsecurity/samples/spring/SampleManager.java
>
> Myoungkyu
>
>
>
>
>
> David J. M. Karlsen wrote:
> >
> > On Mon, 29 Jun 2009, Les Hazlewood wrote:
> >
> >> It can, but you need an AOP framework to enable them.  We have default
> >> support for Spring/AOP Alliance environments.  We don't have support at
> >> this time for AspectJ environments.
> >
> > The best would probably be to write aspectJ ones, as spring can utilize
> > this directly as well (e.g. configure the aspect in a spring context file
> > if needed) - and let spring do the ltw. (which uses aspectJ underneath).
> > Note though, that spring can only weave spring managed beans.
> >
> > This way only one implementation is needed.
> >
> >
>
> --
> View this message in context:
> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3183602.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
>
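
How an annotation such as @RequiresRoles can be enforced through a JDK runtime proxy with no bytecode manipulation, as an added example that is not part of the original thread and is not Shiro's code. The RequiresRole annotation, the SampleManager interface and its implementation, and the fixed set of caller roles are hypothetical stand-ins; Shiro's own interceptors consult the current Subject instead.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.Set;

// Added example (hypothetical names throughout); JDK only, no AOP library.
public class ProxyEnforcementExample {

    // Stand-in for a role annotation; RUNTIME retention makes it visible
    // to reflection, which is all the proxy needs.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresRole {
        String value();
    }

    // JDK proxies can only implement interfaces.
    interface SampleManager {
        String secureMethod1();
        String secureMethod2();
    }

    // The annotated class is compiled once and never rewritten.
    static class DefaultSampleManager implements SampleManager {
        @Override @RequiresRole("role1")
        public String secureMethod1() { return "secureMethod1 ran"; }

        @Override @RequiresRole("role2")
        public String secureMethod2() { return "secureMethod2 ran"; }
    }

    // Every call made through the proxy lands here first.
    static final class RoleCheckingHandler implements InvocationHandler {
        private final Object target;
        private final Set<String> callerRoles; // assumption: fixed role set

        RoleCheckingHandler(Object target, Set<String> callerRoles) {
            this.target = target;
            this.callerRoles = callerRoles;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args)
                throws Throwable {
            // The annotation sits on the implementation, not the interface,
            // so look up the matching method on the target's class.
            Method impl = target.getClass()
                    .getMethod(method.getName(), method.getParameterTypes());
            RequiresRole required = impl.getAnnotation(RequiresRole.class);
            if (required != null && !callerRoles.contains(required.value())) {
                throw new SecurityException(
                        method.getName() + " requires role " + required.value());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow the target's own exception
            }
        }
    }

    static SampleManager secured(SampleManager target, Set<String> callerRoles) {
        return (SampleManager) Proxy.newProxyInstance(
                SampleManager.class.getClassLoader(),
                new Class<?>[] {SampleManager.class},
                new RoleCheckingHandler(target, callerRoles));
    }

    public static void main(String[] args) {
        SampleManager raw = new DefaultSampleManager();
        SampleManager proxied = secured(raw, Collections.singleton("role1"));

        // The proxy is a new class generated at runtime; the target class
        // itself is the same bytecode the compiler produced.
        System.out.println("proxy class:  " + proxied.getClass().getName());
        System.out.println("target class: " + raw.getClass().getName());

        System.out.println(proxied.secureMethod1());
        try {
            proxied.secureMethod2();
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        // A call on the raw reference never reaches the handler, so the
        // annotation is not enforced there.
        System.out.println("direct call: " + raw.secureMethod2());
    }
}
```

Enforcement of this kind covers only calls that go through the proxy reference, which is why the container must hand out the proxy rather than the underlying object.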

Re: About JSecurity's bytecode engineering

Posted by mksong <hi...@gmail.com>.
Thanks, David

Do you think this example has something to do with bytecode engineering by
the Spring framework using JSecurity?

$ find . -exec grep "@RequiresRole" '{}' \; -print
    @RequiresRoles("role1")
    @RequiresRoles("role2")
./samples/spring/src/org/jsecurity/samples/spring/SampleManager.java

Myoungkyu





David J. M. Karlsen wrote:
> 
> On Mon, 29 Jun 2009, Les Hazlewood wrote:
> 
>> It can, but you need an AOP framework to enable them.  We have default
>> support for Spring/AOP Alliance environments.  We don't have support at
>> this time for AspectJ environments.
> 
> The best would probably be to write aspectJ ones, as spring can utilize 
> this directly as well (e.g. configure the aspect in a spring context file 
> if needed) - and let spring do the ltw. (which uses aspectJ underneath).
> Note though, that spring can only weave spring managed beans.
> 
> This way only one implementation is needed.
> 
> 

-- 
View this message in context: http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3183602.html
Sent from the Shiro User mailing list archive at Nabble.com.


Re: About JSecurity's bytecode engineering

Posted by da...@davidkarlsen.com.
On Mon, 29 Jun 2009, Les Hazlewood wrote:

> It can, but you need an AOP framework to enable them.  We have default
> support for Spring/AOP Alliance environments.  We don't have support at this
> time for AspectJ environments.

The best would probably be to write aspectJ ones, as spring can utilize 
this directly as well (e.g. configure the aspect in a spring context file 
if needed) - and let spring do the ltw. (which uses aspectJ underneath).
Note though, that spring can only weave spring managed beans.

This way only one implementation is needed.

Re: About JSecurity's bytecode engineering

Posted by Les Hazlewood <lh...@apache.org>.
It can, but you need an AOP framework to enable them.  We have default
support for Spring/AOP Alliance environments.  We don't have support at this
time for AspectJ environments.

On Mon, Jun 29, 2009 at 1:28 PM, mksong <hi...@gmail.com> wrote:

>
> I thought JSecurity can support the application using @RequiresRole and
> @RequiresAuthentication annotations.
>
> Myoungkyu
>
>
>
> Les Hazlewood-2 wrote:
> >
> > Hi Myoungkyu,
> >
> > We don't have any AspectJ-specific code in place to support our code
> > annotations.  You would have to write that yourself.
> >
> > The best advice I have is to look at the AOP base support classes:
> >
> >
> http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/aop/
> >
> > and the Spring AOPAlliance implementations:
> >
> >
> http://svn.apache.org/viewvc/incubator/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/security/interceptor/
> >
> > and see if they give you any ideas as you try to write AspectJ-specific
> > versions.
> >
> > Regards,
> >
> > Les
> >
> > On Mon, Jun 29, 2009 at 11:27 AM, mksong <hi...@gmail.com> wrote:
> >
> >>
> >> Hello, Les
> >>
> >> I think it looks like you’re saying that JSecurity can do
> >> bytecode engineering by means of AspectJ.
> >> Is it right? If it is true, that is what I try to search.
> >> If you could send me a small example using annotation for
> >> adding the security functionality, I’d very appreciate it.
> >>
> >> Thank you so much for your reply.
> >> Myoungkyu
> >>
> >>
> >>
> >>
> >> Les Hazlewood-2 wrote:
> >> >
> >> > The closest thing Shiro might get to bytecode enhancement might be due
> >> > to an AOP framework that you use that modifies bytecode - but this is a
> >> > choice you make and is not a requirement of the framework.
> >> >
> >> > For example, Shiro has code annotations @RequiresRole,
> >> > @RequiresAuthentication, etc, with which you can annotate code.  If the
> >> > AOP framework configured to support Shiro uses bytecode manipulation, then
> >> > obviously bytecode changes could enforce the annotations.
> >> >
> >> > But this is a factor of the AOP mechanisms you use and is not controlled
> >> > by Shiro directly.  AspectJ for example can perform build time or runtime
> >> > bytecode manipulation to support Shiro annotations, but AOPAlliance might
> >> > use JDK-provided Proxying mechanisms at runtime and no bytecode
> >> > manipulation.
> >> >
> >> > Ultimately though you need to specify somehow how the security framework
> >> > is supposed to execute - either via a Servlet Filter or code @Annotations
> >> > or text-based configuration, or some other mechanism.  The developer needs
> >> > to direct the way the security framework behaves.
> >> >
> >> > So if you desire bytecode enhancement, then yes, you can have it as long
> >> > as you use something like, say, AspectJ to perform the bytecode
> >> > manipulation which would discover and enforce the Shiro annotations.  This
> >> > is done by writing Advice that calls the Subject API to perform security
> >> > checks, and that Advice is 'weaved' by AspectJ.  Shiro does not currently
> >> > have any AspectJ-specific Advice written - you'd have to do it yourself,
> >> > but you could look at the classes in org.apache.shiro.aop.* for ideas.
> >> >
> >> > Regards,
> >> >
> >> > Les
> >> >
> >> > On Sun, Jun 28, 2009 at 8:50 PM, mksong <hi...@gmail.com> wrote:
> >> >
> >> >>
> >> >> Hello, Manoj
> >> >>
> >> >> I am searching a framework which changes the bytecode directly,
> >> >> without modifying source code. As you knew, this is bytecode
> >> >> engineering or enhancement. Based on this idea, I thought JSecurity
> >> >> modified bytecode in order to support a security functionality
> >> >> relieving a programmer from the burden of having to implement
> >> >> important security concerns by hand.
> >> >>
> >> >> So, is the method of supporting the security functionality a type
> >> >> of API at JSecurity (or Apache Ki)?
> >> >>
> >> >> Myoungkyu
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> Manoj Khangaonkar wrote:
> >> >> >
> >> >> > Hi Myoungkyu,
> >> >> >
> >> >> > Just curious, what kind of security policies are you interested in ?
> >> >> > Can you give an example.
> >> >> >
> >> >> > Authorization policies ( role based or other ) that shiro supports
> >> >> > does not necessarily require any byte code manipulation.
> >> >> >
> >> >> > thanks
> >> >> >
> >> >> > Manoj
> >> >> >
> >> >> > On 6/28/09, mksong <hi...@gmail.com> wrote:
> >> >> >>
> >> >> >> Thanks for your reply.
> >> >> >>
> >> >> >> For example, Hibernate does not perform any bytecode
> >> >> >> manipulation on its own, but it uses a proxying library that
> >> >> >> creates proxies at the bytecode level.
> >> >> >>
> >> >> >> If you do not manipulate bytecode,
> >> >> >> how do you enforce security policies then?
> >> >> >>
> >> >> >> Regards,
> >> >> >> Myoungkyu
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> Les Hazlewood-2 wrote:
> >> >> >>>
> >> >> >>> Hiya,
> >> >> >>>
> >> >> >>> The project (now named Shiro) does not perform bytecode
> >> >> >>> manipulation of any sort.
> >> >> >>>
> >> >> >>> Regards,
> >> >> >>>
> >> >> >>> Les
> >> >> >>>
> >> >> >>> On Sat, Jun 27, 2009 at 11:26 PM, mksong <hi...@gmail.com> wrote:
> >> >> >>>
> >> >> >>>>
> >> >> >>>> Hello, All
> >> >> >>>>
> >> >> >>>> I am carrying out an experiment on JSecurity's bytecode engineering.
> >> >> >>>>
> >> >> >>>> I tested JSecurity to see if the framework would generate any
> >> >> >>>> bytecode related to security or add anything to the existing ones.
> >> >> >>>>
> >> >> >>>> With the attached log file, I am not sure if JSecurity does bytecode
> >> >> >>>> engineering or not.
> >> >> >>>> (Here are the log file at loading time and the slide file explaining
> >> >> >>>> what I did:
> >> >> >>>> http://people.cs.vt.edu/~mksong/jsecurity/
> >> >> >>>> http://people.cs.vt.edu/~mksong/jsecurity/ )
> >> >> >>>>
> >> >> >>>> Is it true?
> >> >> >>>>
> >> >> >>>> --
> >> >> >>>> View this message in context:
> >> >> >>>>
> >> >>
> >>
> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3168851.html
> >> >> >>>> Sent from the Shiro User mailing list archive at Nabble.com.
> >> >> >>>>
> >> >> >>>>
> >> >> >>>
> >> >> >>>
> >> >> >>
> >> >> >> --
> >> >> >> View this message in context:
> >> >> >>
> >> >>
> >>
> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3170891.html
> >> >> >> Sent from the Shiro User mailing list archive at Nabble.com.
> >> >> >>
> >> >> >>
> >> >> >
> >> >> >
> >> >>
> >> >> --
> >> >> View this message in context:
> >> >>
> >>
> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3171896.html
> >> >> Sent from the Shiro User mailing list archive at Nabble.com.
> >> >>
> >> >>
> >> >
> >> >
> >>
> >> --
> >> View this message in context:
> >>
> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3175117.html
> >> Sent from the Shiro User mailing list archive at Nabble.com.
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3175832.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
>

Re: About JSecurity's bytecode engineering

Posted by mksong <hi...@gmail.com>.
I thought JSecurity can support the application using @RequiresRole and
@RequiresAuthentication annotations. 

Myoungkyu



Les Hazlewood-2 wrote:
> 
> Hi Myoungkyu,
> 
> We don't have any AspectJ-specific code in place to support our code
> annotations.  You would have to write that yourself.
> 
> The best advice I have is to look at the AOP base support classes:
> 
> http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/aop/
> 
> and the Spring AOPAlliance implementations:
> 
> http://svn.apache.org/viewvc/incubator/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/security/interceptor/
> 
> and see if they give you any ideas as you try to write AspectJ-specific
> versions.
> 
> Regards,
> 
> Les
> 
> On Mon, Jun 29, 2009 at 11:27 AM, mksong <hi...@gmail.com> wrote:
> 
>>
>> Hello, Les
>>
>> I think it looks like you’re saying that JSecurity can do
>> bytecode engineering by means of AspectJ.
>> Is it right? If it is true, that is what I try to search.
>> If you could send me a small example using annotation for
>> adding the security functionality, I’d very appreciate it.
>>
>> Thank you so much for your reply.
>> Myoungkyu
>>
>>
>>
>>
>> Les Hazlewood-2 wrote:
>> >
>> > The closest thing Shiro might get to bytecode enhancement might be due
>> > to an AOP framework that you use that modifies bytecode - but this is a
>> > choice you make and is not a requirement of the framework.
>> >
>> > For example, Shiro has code annotations @RequiresRole,
>> > @RequiresAuthentication, etc, with which you can annotate code.  If the
>> > AOP framework configured to support Shiro uses bytecode manipulation, then
>> > obviously bytecode changes could enforce the annotations.
>> >
>> > But this is a factor of the AOP mechanisms you use and is not controlled
>> > by Shiro directly.  AspectJ for example can perform build time or runtime
>> > bytecode manipulation to support Shiro annotations, but AOPAlliance might
>> > use JDK-provided Proxying mechanisms at runtime and no bytecode
>> > manipulation.
>> >
>> > Ultimately though you need to specify somehow how the security framework
>> > is supposed to execute - either via a Servlet Filter or code @Annotations
>> > or text-based configuration, or some other mechanism.  The developer needs
>> > to direct the way the security framework behaves.
>> >
>> > So if you desire bytecode enhancement, then yes, you can have it as long
>> > as you use something like, say, AspectJ to perform the bytecode
>> > manipulation which would discover and enforce the Shiro annotations.  This
>> > is done by writing Advice that calls the Subject API to perform security
>> > checks, and that Advice is 'weaved' by AspectJ.  Shiro does not currently
>> > have any AspectJ-specific Advice written - you'd have to do it yourself,
>> > but you could look at the classes in org.apache.shiro.aop.* for ideas.
>> >
>> > Regards,
>> >
>> > Les
>> >
>> > On Sun, Jun 28, 2009 at 8:50 PM, mksong <hi...@gmail.com> wrote:
>> >
>> >>
>> >> Hello, Manoj
>> >>
>> >> I am searching a framework which changes the bytecode directly,
>> >> without modifying source code. As you knew, this is bytecode
>> >> engineering or enhancement. Based on this idea, I thought JSecurity
>> >> modified bytecode in order to support a security functionality
>> >> relieving a programmer from the burden of having to implement
>> >> important security concerns by hand.
>> >>
>> >> So, is the method of supporting the security functionality a type
>> >> of API at JSecurity (or Apache Ki)?
>> >>
>> >> Myoungkyu
>> >>
>> >>
>> >>
>> >>
>> >> Manoj Khangaonkar wrote:
>> >> >
>> >> > Hi Myoungkyu,
>> >> >
>> >> > Just curious, what kind of security policies are you interested in ?
>> >> > Can you give an example.
>> >> >
>> >> > Authorization policies ( role based or other ) that shiro supports
>> >> > does not necessarily require any byte code manipulation.
>> >> >
>> >> > thanks
>> >> >
>> >> > Manoj
>> >> >
>> >> > On 6/28/09, mksong <hi...@gmail.com> wrote:
>> >> >>
>> >> >> Thanks for your reply.
>> >> >>
>> >> >> For example, Hibernate does not perform any bytecode
>> >> >> manipulation on its own, but it uses a proxying library that
>> >> >> creates proxies at the bytecode level.
>> >> >>
>> >> >> If you do not manipulate bytecode,
>> >> >> how do you enforce security policies then?
>> >> >>
>> >> >> Regards,
>> >> >> Myoungkyu
>> >> >>
>> >> >>
>> >> >>
>> >> >> Les Hazlewood-2 wrote:
>> >> >>>
>> >> >>> Hiya,
>> >> >>>
>> >> >>> The project (now named Shiro) does not perform bytecode
>> >> >>> manipulation of any sort.
>> >> >>>
>> >> >>> Regards,
>> >> >>>
>> >> >>> Les
>> >> >>>
>> >> >>> On Sat, Jun 27, 2009 at 11:26 PM, mksong <hi...@gmail.com> wrote:
>> >> >>>
>> >> >>>>
>> >> >>>> Hello, All
>> >> >>>>
>> >> >>>> I am carrying out an experiment on JSecurity's bytecode engineering.
>> >> >>>>
>> >> >>>> I tested JSecurity to see if the framework would generate any
>> >> >>>> bytecode related to security or add anything to the existing ones.
>> >> >>>>
>> >> >>>> With the attached log file, I am not sure if JSecurity does bytecode
>> >> >>>> engineering or not.
>> >> >>>> (Here are the log file at loading time and the slide file explaining
>> >> >>>> what I did:
>> >> >>>> http://people.cs.vt.edu/~mksong/jsecurity/
>> >> >>>> http://people.cs.vt.edu/~mksong/jsecurity/ )
>> >> >>>>
>> >> >>>> Is it true?
>> >> >>>>
>> >> >>>> --
>> >> >>>> View this message in context:
>> >> >>>>
>> >>
>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3168851.html
>> >> >>>> Sent from the Shiro User mailing list archive at Nabble.com.
>> >> >>>>
>> >> >>>>
>> >> >>>
>> >> >>>
>> >> >>
>> >> >> --
>> >> >> View this message in context:
>> >> >>
>> >>
>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3170891.html
>> >> >> Sent from the Shiro User mailing list archive at Nabble.com.
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >>
>> >> --
>> >> View this message in context:
>> >>
>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3171896.html
>> >> Sent from the Shiro User mailing list archive at Nabble.com.
>> >>
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3175117.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>>
> 
> 

-- 
View this message in context: http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3175832.html
Sent from the Shiro User mailing list archive at Nabble.com.


Re: About JSecurity's bytecode engineering

Posted by Les Hazlewood <lh...@apache.org>.
Hi Myoungkyu,

We don't have any AspectJ-specific code in place to support our code
annotations.  You would have to write that yourself.

The best advice I have is to look at the AOP base support classes:

http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/aop/

and the Spring AOPAlliance implementations:

http://svn.apache.org/viewvc/incubator/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/security/interceptor/

and see if they give you any ideas as you try to write AspectJ-specific
versions.

Regards,

Les

On Mon, Jun 29, 2009 at 11:27 AM, mksong <hi...@gmail.com> wrote:

>
> Hello, Les
>
> I think it looks like you’re saying that JSecurity can do
> bytecode engineering by means of AspectJ.
> Is it right? If it is true, that is what I try to search.
> If you could send me a small example using annotation for
> adding the security functionality, I’d very appreciate it.
>
> Thank you so much for your reply.
> Myoungkyu

Re: About JSecurity's bytecode engineering

Posted by mksong <hi...@gmail.com>.
Hello, Les

I think it looks like you’re saying that JSecurity can do
bytecode engineering by means of AspectJ.
Is it right? If it is true, that is what I am searching for.
If you could send me a small example using annotations for
adding the security functionality, I’d very much appreciate it.

Thank you so much for your reply.
Myoungkyu




Les Hazlewood-2 wrote:
> 
> The closest thing Shiro might get to bytecode enhancement might be due to an
> AOP framework that you use that modifies bytecode - but this is a choice you
> make and is not a requirement of the framework.
> 
> For example, Shiro has code annotations @RequiresRole,
> @RequiresAuthentication, etc, with which you can annotate code.  If the AOP
> framework configured to support Shiro uses bytecode manipulation, then
> obviously bytecode changes could enforce the annotations.
> 
> But this is a factor of the AOP mechanisms you use and is not controlled by
> Shiro directly.  AspectJ for example can perform build time or runtime
> bytecode manipulation to support Shiro annotations, but AOPAlliance might
> use JDK-provided Proxying mechanisms at runtime and no bytecode
> manipulation.
> 
> Ultimately though you need to specify somehow how the security framework is
> supposed to execute - either via a Servlet Filter or code @Annotations or
> text-based configuration, or some other mechanism.  The developer needs to
> direct the way the security framework behaves.
> 
> So if you desire bytecode enhancement, then yes, you can have it as long as
> you use something like, say, AspectJ to perform the bytecode manipulation
> which would discover and enforce the Shiro annotations.  This is done by
> writing Advice that calls the Subject API to perform security checks, and
> that Advice is 'weaved' by AspectJ.  Shiro does not currently have any
> AspectJ-specific Advice written - you'd have to do it yourself, but you
> could look at the classes in org.apache.shiro.aop.* for ideas.
> 
> Regards,
> 
> Les


Re: About JSecurity's bytecode engineering

Posted by Les Hazlewood <lh...@apache.org>.
The closest thing Shiro might get to bytecode enhancement might be due to an
AOP framework that you use that modifies bytecode - but this is a choice you
make and is not a requirement of the framework.

For example, Shiro has code annotations @RequiresRole,
@RequiresAuthentication, etc, with which you can annotate code.  If the AOP
framework configured to support Shiro uses bytecode manipulation, then
obviously bytecode changes could enforce the annotations.

But this is a factor of the AOP mechanisms you use and is not controlled by
Shiro directly.  AspectJ for example can perform build time or runtime
bytecode manipulation to support Shiro annotations, but AOPAlliance might
use JDK-provided Proxying mechanisms at runtime and no bytecode
manipulation.

Ultimately though you need to specify somehow how the security framework is
supposed to execute - either via a Servlet Filter or code @Annotations or
text-based configuration, or some other mechanism.  The developer needs to
direct the way the security framework behaves.

So if you desire bytecode enhancement, then yes, you can have it as long as
you use something like, say, AspectJ to perform the bytecode manipulation
which would discover and enforce the Shiro annotations.  This is done by
writing Advice that calls the Subject API to perform security checks, and
that Advice is 'weaved' by AspectJ.  Shiro does not currently have any
AspectJ-specific Advice written - you'd have to do it yourself, but you
could look at the classes in org.apache.shiro.aop.* for ideas.

Regards,

Les

On Sun, Jun 28, 2009 at 8:50 PM, mksong <hi...@gmail.com> wrote:

>
> Hello, Manoj
>
> I am searching for a framework which changes the bytecode directly,
> without modifying source code. As you know, this is bytecode
> engineering or enhancement. Based on this idea, I thought JSecurity
> modified bytecode in order to support a security functionality
> relieving a programmer from the burden of having to implement
> important security concerns by hand.
>
> So, is the method of supporting the security functionality a type
> of API at JSecurity (or Apache Ki)?
>
> Myoungkyu
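
As an added illustration of the JDK-proxy route described in Les's message above (this is not Shiro code and was not posted in the thread): an interceptor reads a role annotation at call time and asks a subject before invoking the target, with no bytecode changes. `RequiresRole`, `Subject` and `AccountService` are minimal stand-ins defined in the block, not Shiro's own types.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.Set;

public class ProxyEnforcementDemo {

    // Stand-in for an annotation like the @RequiresRole named in the thread (not Shiro's class).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    // Stand-in for the Subject API the interceptor calls (hypothetical, one method only).
    interface Subject { boolean hasRole(String role); }

    // Hypothetical business interface; JDK proxies can only wrap interfaces.
    interface AccountService {
        String viewBalance(String account);
        String closeAccount(String account);
    }

    static class AccountServiceImpl implements AccountService {
        public String viewBalance(String account) { return account + ": balance 100"; }
        @RequiresRole("admin")
        public String closeAccount(String account) { return account + ": closed"; }
    }

    // Plays the part of the advice: runs before every call made through the proxy.
    static class RoleCheckHandler implements InvocationHandler {
        private final Object target;
        private final Subject subject;
        RoleCheckHandler(Object target, Subject subject) { this.target = target; this.subject = subject; }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // The proxy hands us the interface method; the annotation may sit on the implementation.
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            RequiresRole required = impl.getAnnotation(RequiresRole.class);
            if (required == null) {
                required = method.getAnnotation(RequiresRole.class);
            }
            if (required != null && !subject.hasRole(required.value())) {
                throw new SecurityException(
                        "role '" + required.value() + "' required for " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the target's own exception, not the reflection wrapper
            }
        }
    }

    static AccountService secure(AccountService target, Subject subject) {
        return (AccountService) Proxy.newProxyInstance(
                AccountService.class.getClassLoader(),
                new Class<?>[] { AccountService.class },
                new RoleCheckHandler(target, subject));
    }

    public static void main(String[] args) {
        Subject subject = Set.of("user")::contains; // constructed sample: caller holds only "user"
        AccountService raw = new AccountServiceImpl();
        AccountService guarded = secure(raw, subject);
        System.out.println(guarded.viewBalance("acct-1"));
        try {
            guarded.closeAccount("acct-1");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        // A reference that bypasses the proxy is not checked at all.
        System.out.println("unguarded: " + raw.closeAccount("acct-1"));
    }
}
```

It compiles and runs with a plain JDK 9 or later. The last call in `main` goes through the unwrapped reference and skips the check, which is the gap that weaving the check into the class itself closes.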

Re: About JSecurity's bytecode engineering

Posted by mksong <hi...@gmail.com>.
Hello, Manoj

I am searching for a framework which changes the bytecode directly,
without modifying source code. As you know, this is bytecode
engineering or enhancement. Based on this idea, I thought JSecurity
modified bytecode in order to support a security functionality 
relieving a programmer from the burden of having to implement 
important security concerns by hand.

So, is the method of supporting the security functionality a type 
of API at JSecurity (or Apache Ki)?

Myoungkyu




Manoj Khangaonkar wrote:
> 
> Hi Myoungkyu,
> 
> Just curious, what kind of security policies are you interested in?
> Can you give an example?
> 
> Authorization policies (role based or other) that Shiro supports
> do not necessarily require any byte code manipulation.
> 
> thanks
> 
> Manoj


Re: About JSecurity's bytecode engineering

Posted by Manoj Khangaonkar <kh...@gmail.com>.
Hi Myoungkyu,

Just curious, what kind of security policies are you interested in?
Can you give an example?

Authorization policies (role based or other) that Shiro supports
do not necessarily require any byte code manipulation.

thanks

Manoj

On 6/28/09, mksong <hi...@gmail.com> wrote:
>
> Thanks for your reply.
>
> For example, Hibernate does not perform any bytecode
> manipulation on its own, but it uses a proxying library that
> creates proxies at the bytecode level.
>
> If you do not manipulate bytecode,
> how do you enforce security policies then?
>
> Regards,
> Myoungkyu

Re: About JSecurity's bytecode engineering

Posted by mksong <hi...@gmail.com>.
Thanks for your reply.

For example, Hibernate does not perform any bytecode 
manipulation on its own, but it uses a proxying library that 
creates proxies at the bytecode level.

If you do not manipulate bytecode, 
how do you enforce security policies then?

Regards,
Myoungkyu



Les Hazlewood-2 wrote:
> 
> Hiya,
> 
> The project (now named Shiro) does not perform bytecode manipulation of any
> sort.
> 
> Regards,
> 
> Les


Re: About JSecurity's bytecode engineering

Posted by Les Hazlewood <lh...@apache.org>.
Hiya,

The project (now named Shiro) does not perform bytecode manipulation of any
sort.

Regards,

Les

On Sat, Jun 27, 2009 at 11:26 PM, mksong <hi...@gmail.com> wrote:

>
> Hello, All
>
> I am carrying out an experiment on JSecurity's bytecode engineering.
>
> I tested JSecurity to see if the framework would generate any
> bytecode related to security or add anything to the existing ones.
>
> With the attached log file, I am not sure if JSecurity does bytecode
> engineering or not.
> (Here are the log file at loading time and the slide file explaining what I
> did:
> http://people.cs.vt.edu/~mksong/jsecurity/
> http://people.cs.vt.edu/~mksong/jsecurity/ )
>
> Is it true?