Posted to user@shiro.apache.org by Snehesh <sn...@gmail.com> on 2011/02/21 14:52:14 UTC

Integrating Shiro, Am I writing too much code?

Hi

Apologies if the following has already been answered, but I tried my best to
look for it and finally thought of posting the same.

I have been reading and looking into Shiro for some time now. The idea was to
use this for our services layer. This layer is accessed by n number of front
ends and hence we decided to have security at this layer.

Also, as this is a SaaS-based multi-tenant application, I am not able to use
any out-of-the-box Realms, AuthenticationInfo, Token etc. The more I try to
integrate, the more I end up overriding. I am not sure if this is the right
way to do it, as by the end of the integration I would have probably
overridden a huge amount of code.

My question here is: do we have a standard guideline as to what all
should be extended/overridden if one needs a custom realm?

Also, to give an idea of our application:
- I use Hibernate for database access
- Authentication is based on username, tenant name/tenant id and password

It looks like a very slight deviation from the out-of-the-box
functionality, but it's forcing me to write everything again.

Any suggestions will be appreciated.

Thanks
Snehesh

Re: Integrating Shiro, Am I writing too much code?

Posted by Scott Ryan <sr...@gmail.com>.
What frameworks are you using for your backend? We use Grails and the SaaS comes as a plugin, and we only wrote a few lines of security code to integrate with the Shiro plugin for Grails. We had to write some more code to support SAML, but most of the out-of-the-box DB support came with plugins from Grails. That is the power of a framework like Grails, and it integrates with your existing Java code as well.

Scott Ryan


Re: Integrating Shiro, Am I writing too much code?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Snehesh,

Besides creating a new AuthenticationToken (probably a subclass of
UsernamePasswordToken that also has the tenant id) and a custom Realm
to understand/process that token, what else are you overriding?

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
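
The two pieces named in the reply above (a `UsernamePasswordToken` subclass that carries the tenant id, and a realm that processes it), sketched as an added example; this is not code from the thread or from the Shiro project. `AccountStore` and all class names here are hypothetical, and Apache Shiro is assumed to be on the classpath.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Token carrying the tenant id next to username and password (hypothetical name). */
class TenantUsernamePasswordToken extends UsernamePasswordToken {
    private final String tenantId;
    TenantUsernamePasswordToken(String tenantId, String username, String password) {
        super(username, password);
        this.tenantId = tenantId;
    }
    String getTenantId() { return tenantId; }
}

/** Hypothetical lookup, e.g. a Hibernate query filtered on tenant AND username. */
interface AccountStore {
    /** Returns the stored credential, or null if the account does not exist in that tenant. */
    String findStoredCredential(String tenantId, String username);
}

class TenantRealm extends AuthorizingRealm {
    private final AccountStore accounts;
    TenantRealm(AccountStore accounts) {
        this.accounts = accounts;
        // supports() now rejects a plain UsernamePasswordToken, so a login
        // attempt without a tenant never reaches this realm.
        setAuthenticationTokenClass(TenantUsernamePasswordToken.class);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        TenantUsernamePasswordToken t = (TenantUsernamePasswordToken) token;
        if (t.getTenantId() == null || t.getUsername() == null) {
            throw new UnknownAccountException("tenant and username are required");
        }
        String stored = accounts.findStoredCredential(t.getTenantId(), t.getUsername());
        if (stored == null) throw new UnknownAccountException("no such account");
        // The principal includes the tenant so equal usernames in different tenants
        // stay distinct (assumes tenant ids never contain '/').
        String principal = t.getTenantId() + "/" + t.getUsername();
        // The realm's CredentialsMatcher compares the submitted password with 'stored';
        // set a hashing matcher via setCredentialsMatcher when 'stored' is a hash.
        return new SimpleAuthenticationInfo(principal, stored, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Role and permission lookup is out of scope here: empty info grants nothing.
        return new SimpleAuthorizationInfo();
    }
}
```

A caller logs in with `subject.login(new TenantUsernamePasswordToken(tenantId, username, password))`; no `AuthenticationInfo` subclass is needed for this case.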