Posted to user@shiro.apache.org by papo <st...@hotmail.com> on 2012/06/14 08:53:54 UTC

Apache Shiro on a Swing Client - EJB 3.1 Case for Authentication-Authorisation

*General Case*: A simple application that exposes its services through EJB
(3.1) - most of them Stateless Session beans (nothing fancy here) - and
Swing-based clients that call these services through remote interfaces and
do what they have to do.

*Security*: I want to authenticate/authorize this cycle of calls and of
course protect my services. The obvious answer would be to use JAAS in the
server and any custom wiring setup on the underlying server. That is still
an option.

*Apache Shiro*: So lots of people talk about Apache Shiro and indeed it
features a very simple API and mechanism - that could potentially be
application server independent.

*Technical Questions*:

    *Session*: In my case I don't have an HTTP session - and from what I have
understood Shiro at least needs some sort of SESSION ID that I need to pass
around. Any nice way of injecting user credentials in my RMI/IIOP calls to
the server without polluting my business API?

    *Server side implementation*: From the few resources I have gone through
I think I can implement a Shiro DefaultSecurityManager by 'referencing it'
from a Singleton EJB 3.1 bean. Any other ideas? Then I can easily create an
interceptor and add it to my remote calls - so when a new call is going
through my Remote EJB method - the Shiro Interceptor can validate my user or
check for specific rights.

Any comments / tips / examples?

Many thanks


*Note*: The very same question was also posted in StackOverflow (for users
that would like to use it)



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Apache-Shiro-on-a-Swing-Client-EJB-3-1-Case-for-Authentication-Authorisation-tp7577509.html
Sent from the Shiro User mailing list archive at Nabble.com.
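
The design described in the post (a DefaultSecurityManager held by a Singleton EJB, plus an interceptor on the remote methods), sketched as an added example that is not part of the original message or of Shiro's own code. The class names, the `shiro.ini` resource, the context-data key and the permission naming scheme are assumptions; EJB 3.1 defines no portable way to carry the session id from client to server, so how it reaches the invocation context is left to the container.

```java
import java.io.Serializable;
import javax.annotation.PostConstruct;
import javax.ejb.*;
import javax.interceptor.*;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.apache.shiro.util.ThreadState;

@Singleton @Startup
public class ShiroHolder {                       // ShiroHolder.java (hypothetical name)
    private SecurityManager securityManager;
    @PostConstruct
    void init() {  // assumed resource: shiro.ini with [users] and [roles] on the classpath
        securityManager = new DefaultSecurityManager(new IniRealm("classpath:shiro.ini"));
    }
    public SecurityManager get() { return securityManager; }
    // Authenticates once and returns the native (non-HTTP) session id for later calls.
    public Serializable login(String user, char[] password) {
        Subject s = new Subject.Builder(securityManager).buildSubject();
        s.login(new UsernamePasswordToken(user, password));  // AuthenticationException on failure
        return s.getSession().getId();
    }
}

public class ShiroInterceptor {                  // ShiroInterceptor.java (hypothetical name)
    // Hypothetical key: how the client's session id gets into the context data is container-specific.
    static final String SESSION_KEY = "shiro.session.id";
    @EJB private ShiroHolder holder;
    @AroundInvoke
    public Object secure(InvocationContext ctx) throws Exception {
        Serializable id = (Serializable) ctx.getContextData().get(SESSION_KEY);
        Subject.Builder builder = new Subject.Builder(holder.get());
        if (id != null) builder.sessionId(id);
        Subject subject = builder.buildSubject();  // unknown or expired id yields an anonymous subject
        if (!subject.isAuthenticated())            // fail closed before any business code runs
            throw new UnauthenticatedException("no authenticated Shiro session");
        // Assumed permission naming scheme: <BeanClass>:<method>
        subject.checkPermission(ctx.getMethod().getDeclaringClass().getSimpleName()
                + ":" + ctx.getMethod().getName());
        ThreadState ts = new SubjectThreadState(subject);  // makes SecurityUtils.getSubject() work
        ts.bind();
        try { return ctx.proceed(); } finally { ts.clear(); }  // never leak the subject to pooled threads
    }
}
```

The session id returned by `login` is a bearer credential for every later call, so the RMI/IIOP transport carrying it needs confidentiality and integrity protection.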