Posted to commits@isis.apache.org by bu...@apache.org on 2014/01/23 23:54:31 UTC

svn commit: r895263 - in /websites/staging/isis/trunk: cgi-bin/ content/ content/components/security/shiro/ content/getting-started/

Author: buildbot
Date: Thu Jan 23 22:54:31 2014
New Revision: 895263

Log:
Staging update by buildbot for isis

Removed:
    websites/staging/isis/trunk/content/components/security/shiro/shiro-realm-mappings.html
Modified:
    websites/staging/isis/trunk/cgi-bin/   (props changed)
    websites/staging/isis/trunk/content/   (props changed)
    websites/staging/isis/trunk/content/components/security/shiro/about.html
    websites/staging/isis/trunk/content/components/security/shiro/configuring-shiro.html
    websites/staging/isis/trunk/content/components/security/shiro/using-ldap.html
    websites/staging/isis/trunk/content/documentation.html
    websites/staging/isis/trunk/content/getting-started/screencasts.html

Propchange: websites/staging/isis/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Jan 23 22:54:31 2014
@@ -1 +1 @@
-1560661
+1560843

Propchange: websites/staging/isis/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Jan 23 22:54:31 2014
@@ -1 +1 @@
-1560661
+1560843

Modified: websites/staging/isis/trunk/content/components/security/shiro/about.html
==============================================================================
--- websites/staging/isis/trunk/content/components/security/shiro/about.html (original)
+++ websites/staging/isis/trunk/content/components/security/shiro/about.html Thu Jan 23 22:54:31 2014
@@ -292,7 +292,6 @@
 <ul>
 <li><a href="configuring-shiro.html">Configuring Isis to use Shiro</a></li>
 <li><a href="using-ldap.html">Configuring Shiro to work with LDAP</a></li>
-<li><a href="shiro-realm-mappings.html">Shiro Realm Mappings</a></li>
 <li><a href="format-of-permissions.html">Format of Isis Permissions</a></li>
 </ul>
 

Modified: websites/staging/isis/trunk/content/components/security/shiro/configuring-shiro.html
==============================================================================
--- websites/staging/isis/trunk/content/components/security/shiro/configuring-shiro.html (original)
+++ websites/staging/isis/trunk/content/components/security/shiro/configuring-shiro.html Thu Jan 23 22:54:31 2014
@@ -3,7 +3,7 @@
   <head>
 
     <meta charset="utf-8">
-      <title>Configuring Shiro
</title>
+      <title>Configuring Isis to Shiro
</title>
     <meta name="description" content="">
     <meta name="author" content="">
 
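Review bot: The new `<title>` text reads "Configuring Isis to Shiro", which drops the verb; the link text for this page elsewhere in this commit is "Configuring Isis to use Shiro", so the title should match it. The title value is also followed by a line break before `</title>`, carried over from the old line, which is worth trimming at the source.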
@@ -169,7 +169,7 @@
       };
       function twshare () {
           window.open(
-                  "https://twitter.com/intent/tweet?url="+document.URL+"&text=Configuring Shiro
",
+                  "https://twitter.com/intent/tweet?url="+document.URL+"&text=Configuring Isis to Shiro
",
                   'Share on Twitter',
                   'width=800,height=526');
       };
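Review bot: In `twshare()` the page title is substituted into a double-quoted JavaScript string together with its trailing newline, so as rendered here the literal starting `"https://twitter.com/intent/tweet?url="+document.URL+"&text=Configuring Isis to Shiro` breaks across two lines before the closing `",`, and a raw line break inside a quoted JavaScript string is a syntax error. The template should trim the title before emitting it, and both `document.URL` and the text should be passed through `encodeURIComponent()` instead of being concatenated raw into the query string. The "to Shiro" wording without "use" repeats here.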
@@ -272,21 +272,20 @@
 
 <div class="page-header">
 <p><a href="./../../../documentation.html">Docs</a>&nbsp;&raquo&nbsp;<a href="./../../../components/about.html">Components</a>&nbsp;&raquo&nbsp;<a href="./../../../components/security/about.html">Security</a>&nbsp;&raquo&nbsp;<a href="./../../../components/security/shiro/about.html">Shiro</a></p>
-<h1>Configuring Shiro
+<h1>Configuring Isis to Shiro
 
 </h1>
 </div>
 
-<h3>Quickstart</h3>
+<h3>Example Configuration</h3>
 
-<p>The <a href="../../../getting-started/quickstart-archetype.html">quickstart archetype</a> is configured with Shiro using the users, roles and permissions defined in the <code>WEB-INF/shiro.ini</code> file.</p>
+<p>The <a href="../../../getting-started/quickstart-archetype.html">simple archetype</a> and the <a href="../../../getting-started/simple-archetype.html">quickstart archetype</a> are both configured with Shiro; you should see all the configuration explained below in these.</p>
 
-<h3>Bootstrapping Shiro</h3>
+<h2>Bootstrapping Shiro</h2>
 
-<p>Shiro is bootstrapped using the following settings to be added near the top of the <code>WEB-INF/web.xml</code> file:</p>
+<p>The Shiro environment (in essence, thread-locals holding the security credentials) is bootstrapped using the following settings to be added near the top of the <code>WEB-INF/web.xml</code> file:</p>
 
-<pre>
-&lt;listener&gt;
+<pre><code>&lt;listener&gt;
     &lt;listener-class&gt;org.apache.shiro.web.env.EnvironmentLoaderListener&lt;/listener-class&gt;
 &lt;/listener&gt;
 
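Review bot: The two archetype links in the added "Example Configuration" paragraph have their targets swapped: the text "simple archetype" points at `quickstart-archetype.html` and "quickstart archetype" points at `simple-archetype.html`. Swap the two `href` values. The heading order is now `<h3>Example Configuration</h3>` followed by `<h2>Bootstrapping Shiro</h2>`, so the first section sits one level below the sections after it, and the `<h1>` carries the same "Configuring Isis to Shiro" wording as the title.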
@@ -299,10 +298,82 @@
     &lt;filter-name&gt;ShiroFilter&lt;/filter-name&gt;
     &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
 &lt;/filter-mapping&gt;
-</pre>
+</code></pre>
 
 <p>Shiro will then read <code>WEB-INF/shiro.ini</code> file to configure its Realm definitions for authentication and authorization.</p>
 
+<h2>Telling Isis to use Shiro for authentication and authorization</h2>
+
+<p>Isis itself supports multiple authentication/authorization mechanisms.  To tell it to use shiro, update the <code>WEB-INF/isis.properties</code> file:</p>
+
+<pre><code>isis.authentication=shiro
+isis.authorization=shiro
+</code></pre>
+
+<p>This then installs Isis components (specifically, the <code>ShiroAuthenticatorOrAuthorizor</code> class) that use Shiro's APIs to perform authentication and authorization.</p>
+
+<h2>Knowing your way around the Shiro config files</h2>
+
+<p>The <code>shiro.ini</code> file as configured in the <a href="../../../getting-started/simple-archetype.html">simple archetype</a> is configured to simple use the built-in <code>$iniRealm</code>, by way of the line:</p>
+
+<pre><code>securityManager.realms = $iniRealm
+</code></pre>
+
+<p>The file also (by way of example) include entries to setup an ldapRealm, but this is not wired in.  For more information on LDAP, see <a href="./using-ldap.html">here</a>.</p>
+
+<p>Specifying <code>$iniRealm</code> means that the usernames/passwords, roles and permissions are read from the <code>shiro.ini</code> file itself.</p>
+
+<ul>
+<li>the users/passwords and their roles from the <code>[users]</code> sections;  </li>
+<li>the roles are mapped to permissions in the <code>[roles]</code> section.</li>
+</ul>
+
+<p>The permission format is:</p>
+
+<pre><code>packageName:className:memberName:r,w
+</code></pre>
+
+<p>and is discussed in more detail <a href="./format-of-permissions.html">here</a></p>
+
+<p>The <code>shiro.ini</code> file as configured in the <a href="../../../getting-started/quickstart-archetype.html">quickstart archetype</a> is a little more complex.  Here there are two text-based realms defined, <code>realm1</code> and <code>realm2</code>.  The <code>resourcePath</code> for these realms is in the form:</p>
+
+<pre><code>realm1.resourcePath=classpath:webapp/realm1.ini
+</code></pre>
+
+<p>that is, the <code>src/main/resources/webapp/realm1.ini</code> file in the webapp project.</p>
+
+<p>The security manager for the app only references these two realms:</p>
+
+<pre><code>securityManager.realms = $realm1,$realm2
+</code></pre>
+
+<p>meaning that the <code>[users]</code> and <code>[roles]</code> sections of <code>shiro.ini</code> are unused.  Instead, you'll find these sections in both <code>realm1.ini</code> and <code>realm2.ini</code> (because both are coincidentally implementations of the same <code>org.apache.shiro.realm.text.IniRealm</code> class</p>
+
+<h2>What the user/roles translate to</h2>
+
+<blockquote>
+  <p>as of 1.4.0-SNAPSHOT; see <a href="https://issues.apache.org/jira/browse/ISIS-656">ISIS-656</a>.</p>
+</blockquote>
+
+<p>In your domain objects you can find the users/roles for the current user using:</p>
+
+<pre><code>final UserMemento user = container.getUser();
+final List&lt;RoleMemento&gt; roles = user.getRoles();
+for (RoleMemento role : roles) {
+    String roleName = role.getName();
+    ...
+}
+</code></pre>
+
+<p>The role <code>name</code> property encodes both the realm that provided the role, and the role identity itself.</p>
+
+<p>For example, in the quickstart/todo app, if logging in as <code>dick</code> with the following entries for <code>realm1</code>:</p>
+
+<pre><code>dick = pass, user_role, analysis_role, self-install_role
+</code></pre>
+
+<p>then this corresponds to the roles <em>realm1:user_role</em>, <em>realm1:self-install_role</em> and <em>realm1:analysis_role</em>.  If using the Wicket viewer, then there will also be another role which is used internally (namely <em>org.apache.isis.viewer.wicket.roles.USER</em>).</p>
+
 
 
       </div>
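Review bot: The added paragraph ending "implementations of the same `org.apache.shiro.realm.text.IniRealm` class" opens a parenthesis at "(because both" and never closes it, and the sentence has no full stop. Smaller wording points in the same hunk: "is configured to simple use" should be "simply use", "The file also ... include entries" should be "includes", and the "discussed in more detail here" sentence lacks a full stop. On content, the role section should state the `realm:role` form explicitly as the string to compare against, because the example roles (*realm1:user_role* and so on) are realm-qualified while the `realm1` entry lists them unqualified. The sample line `dick = pass, ...` shows a clear-text password, so one sentence saying these are sample credentials to be replaced would help.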

Modified: websites/staging/isis/trunk/content/components/security/shiro/using-ldap.html
==============================================================================
--- websites/staging/isis/trunk/content/components/security/shiro/using-ldap.html (original)
+++ websites/staging/isis/trunk/content/components/security/shiro/using-ldap.html Thu Jan 23 22:54:31 2014
@@ -281,8 +281,7 @@
 
 <p>The configuration required in the <code>WEB-INF/shiro.ini</code> file is:</p>
 
-<pre>
-contextFactory = org.apache.isis.security.shiro.IsisLdapContextFactory
+<pre><code>contextFactory = org.apache.isis.security.shiro.IsisLdapContextFactory
 contextFactory.url = ldap://localhost:10389
 contextFactory.authenticationMechanism = CRAM-MD5
 contextFactory.systemAuthenticationMechanism = simple
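Review bot: The sample `shiro.ini` in the context lines points `contextFactory.url` at `ldap://localhost:10389` with `contextFactory.systemAuthenticationMechanism = simple`, so the system account binds with its password in clear text over an unencrypted connection. Since this block is being touched anyway, the surrounding text should say that this is a local test setup and that a deployed configuration should use an `ldaps://` URL.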
@@ -312,7 +311,7 @@ ldapRealm.permissionsByRole=\
    admin_role = *
 
 securityManager.realms = $ldapRealm
-</pre>
+</code></pre>
 
 <p>where:</p>
 
@@ -364,6 +363,30 @@ securityManager.realms = $ldapRealm
 
 <p><img src="resources/activeds-ldap-groups.png" alt="ActiveDS LDAP Users" /></p>
 
+<h2>Shiro Realm Mappings</h2>
+
+<p>When configuring role based permission mapping, there can only be one of these entries per realm:</p>
+
+<pre><code>realm.groupToRolesMappings = ...
+</code></pre>
+
+<p>and</p>
+
+<pre><code>realm.roleToPermissionsMappings = ...
+</code></pre>
+
+<p>This forces you to put everything on one line for each of the above.</p>
+
+<p>This is, unfortunately, a Shiro "feature".  The only solution to this is to use '\' to separate the mappings onto separate lines in the file so that it is at least maintainable. </p>
+
+<p>Use this technique for both group to roles mapping and role to permission mapping. If you use the '\' after the "," that separates the key:value pairs it is more readable.</p>
+
+<p>If you repeat the entries above then it's "last one wins".</p>
+
+<blockquote>
+  <p><strong>Note</strong> you can't use a [roles] section because that triggers Shiro to use the simple "INI" realm and not your defined realm (in most cases you are going to use an LDAP realm in an enterprise environment and the "simple" realm in Shiro isn't much use beyond prototyping work).</p>
+</blockquote>
+
 
 
       </div>
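Review bot: The property names in the added section, `realm.groupToRolesMappings` and `realm.roleToPermissionsMappings`, do not match the key used by the sample configuration on this same page, where the preceding hunk header shows `ldapRealm.permissionsByRole=\`. Use the names from the sample, or say which realm class the other names belong to, so readers know which keys apply. The "last one wins" sentence deserves more weight: if a repeated key simply overrides the earlier one, mappings listed only in the first entry are dropped, which changes who is granted what. A short sample of the `\` continuation would make the advice concrete. The new `<h2>` also has no `id`, so links that pointed at the removed `shiro-realm-mappings.html` page have no anchor to target.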

Modified: websites/staging/isis/trunk/content/documentation.html
==============================================================================
--- websites/staging/isis/trunk/content/documentation.html (original)
+++ websites/staging/isis/trunk/content/documentation.html Thu Jan 23 22:54:31 2014
@@ -748,7 +748,6 @@
 <li><a href="components/security/shiro/about.html">About</a></li>
 <li><a href="components/security/shiro/configuring-shiro.html">Configuring Isis to use Shiro</a></li>
 <li><a href="components/security/shiro/using-ldap.html">Configuring Shiro to use LDAP</a></li>
-<li><a href="components/security/shiro/shiro-realm-mappings.html">Shiro Realm Mappings</a></li>
 <li><a href="components/security/shiro/format-of-permissions.html">Format of Isis Permissions</a>
 </div>
 <div class="col-md-4">
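Review bot: The context line for "Format of Isis Permissions" has no closing `</li>` before `</div>`, and with the entry above it removed it now sits directly next to the edited line; close it while this list is being changed. The link text here is "Configuring Shiro to use LDAP" while `about.html` in this commit says "Configuring Shiro to work with LDAP"; pick one wording for both.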

Modified: websites/staging/isis/trunk/content/getting-started/screencasts.html
==============================================================================
--- websites/staging/isis/trunk/content/getting-started/screencasts.html (original)
+++ websites/staging/isis/trunk/content/getting-started/screencasts.html Thu Jan 23 22:54:31 2014
@@ -311,7 +311,7 @@
     </td>
   </tr>
   <tr>
-    <td>Isis' integration with <a id="jrebel" name="jrebel">JRebel</a><br/><br/><i>Develop your app without having to redeploy</i><br/><br/>(Apologies for the slightly flaky audio on this screencast)</td>
+    <td>Isis' integration with <a id="jrebel" name="jrebel">JRebel</a><br/><br/><i>Develop your app without having to redeploy using <a href="https://github.com/danhaywood/isis-jrebel-plugin">this plugin</a>.</i><br/><br/>(Apologies for the slightly flaky audio on this screencast)</td>
     <td>
       <iframe width="420" height="236" src="//www.youtube.com/embed/PxVgbz3ae_g" frameborder="0" allowfullscreen></iframe>
     </td>