Posted to user@shiro.apache.org by Mario Emmenlauer <ma...@emmenlauer.de> on 2017/04/20 20:05:16 UTC

is Shiro good for a server application?

Dear All,

is Shiro good to be used for a server application? From the tutorial
and documentation I found that a general concept is the "current user":
   Subject currentUser = SecurityUtils.getSubject();

But in my Java server application, I'd like to work with remote users
from a C++ app (via RPC). The remote users send credentials via SSL RPC,
and receive a session token. The server side authentication is not based
on currentUser, but on the username/password. Am I understanding correctly
that this is not the "typical" use case for Shiro? Is Shiro even a good
match for this use case? How do I generate a Subject and session token?

Awesome software, by the way! :-)

Thanks and all the best,

    Mario


Re: is Shiro good for a server application?

Posted by Sashika <sa...@gmail.com>.
I guess what is more suitable for you is JASIG CAS.
https://wiki.jasig.org/display/CAS/Home
Give it a spin


Re: is Shiro good for a server application?

Posted by Brian Demers <br...@gmail.com>.
I think Apache Aurora uses both Shiro and Thrift, you may want to take a
look and see what they do in their code base.


Re: is Shiro good for a server application?

Posted by Mario Emmenlauer <ma...@emmenlauer.de>.
Dear Brian,

thanks a lot for this quick response, I'll check out the spring-mvc!

Admittedly, I'm a bit oblivious to most of Java's web technologies. I'm
implementing a "plain" Java 8 server with a multi-threaded Apache Thrift
API. Clients are typically C++ and sometimes Java. My idea is:
 - client calls RPC method for login with Username, Password
 - server returns SessionID to client
 - client may use API with SessionID for X time (even after disconnect),
   so every API method validates SessionID before any action

Currently I do this with a simple thread-safe Set<String> on the server
to store session IDs, and libsodium for the password encryption. But
Shiro seems more suitable, and LDAP and CROWD authentication would be
great to have.

All the best,

   Mario

Best regards,

    Mario Emmenlauer


--
BioDataAnalysis GmbH, Mario Emmenlauer      Tel. Buero: +49-89-74677203
Balanstr. 43                   mailto: memmenlauer * biodataanalysis.de
D-81669 München                          http://www.biodataanalysis.de/

Re: is Shiro good for a server application?

Posted by Brian Demers <br...@gmail.com>.
Hey Mario,

The typical use case is a web server (though not limited to this). An RPC
app can fit into this category.
This example uses Spring remoting:
https://github.com/apache/shiro/tree/master/samples/spring-mvc

The getSubject() method will return the subject bound to the current
thread. So if your application is not using HTTP, you would just need to
bind a new subject to your handling thread.

Can you give a few more details on your stack, and we might be able to
point you in the right direction.

-Brian

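An added example (not from this thread and not one of Shiro's own samples) of what Brian describes: the login RPC authenticates and hands back Shiro's session id as the token, and every other RPC method rebuilds a Subject from that id, checks it, and runs the work with the Subject bound to the handling thread, so Shiro's session store replaces the hand-rolled Set<String> and handles random id generation and expiry. It assumes shiro-core on the classpath and uses an in-memory SimpleAccountRealm with a constructed account in place of the LDAP/Crowd realm; the 30-minute idle timeout is an assumption.

```java
import java.util.concurrent.Callable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

// Session-token auth for a non-HTTP (e.g. Thrift) handler. Example only; the
// SimpleAccountRealm stands in for the LDAP/Crowd realm you would configure.
public class RpcSessionAuth {
    private static final long IDLE_TIMEOUT_MS = 30 * 60 * 1000L; // assumed 30 min idle timeout
    private final DefaultSecurityManager securityManager;

    public RpcSessionAuth(DefaultSecurityManager securityManager) {
        this.securityManager = securityManager;
        SecurityUtils.setSecurityManager(securityManager); // lets handlers call SecurityUtils.getSubject()
    }

    // RPC "login": authenticate and return Shiro's own (randomly generated) session id as the token.
    public String login(String username, char[] password) throws AuthenticationException {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken(username, password)); // throws on bad credentials
        subject.getSession().setTimeout(IDLE_TIMEOUT_MS);
        return subject.getSession().getId().toString();
    }

    // Every other RPC method: rebuild the Subject from the token, check it, and run the
    // work with that Subject bound to the handling thread (execute() binds and unbinds it).
    public <T> T callAs(String sessionId, Callable<T> work) throws Exception {
        Subject subject = new Subject.Builder(securityManager).sessionId(sessionId).buildSubject();
        if (!subject.isAuthenticated()) { // unknown, expired or logged-out session id
            throw new SecurityException("invalid or expired session token");
        }
        subject.getSession().touch(); // refresh the idle timeout on each use
        return subject.execute(work);
    }

    public void logout(String sessionId) {
        new Subject.Builder(securityManager).sessionId(sessionId).buildSubject().logout();
    }

    public static void main(String[] args) throws Exception {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("mario", "s3cret"); // constructed test account
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        RpcSessionAuth auth = new RpcSessionAuth(sm);
        String token = auth.login("mario", "s3cret".toCharArray());
        System.out.println("caller: " + auth.callAs(token, () -> SecurityUtils.getSubject().getPrincipal()));
        auth.logout(token);
        try { auth.callAs(token, () -> "x"); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        sm.destroy();
    }
}
```

Because the Subject is bound only for the duration of execute(), a pooled Thrift worker thread never carries a stale identity into the next request.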