Modified: shiro/site/publish/authorization-features.html URL: http://svn.apache.org/viewvc/shiro/site/publish/authorization-features.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/authorization-features.html (original) +++ shiro/site/publish/authorization-features.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> @@ -71,7 +73,10 @@ <div id="content"> - <h1>Apache Shiro Authorization Features</h1><p>Authorization, also called access control, is the process of determining access rights to resources in an application. In other words, determining “who has access to what.” Authorization is used to answer security questions like, “is the user allowed to edit accounts”, “is this user allowed to view this web page”, “does this user have access to this button?” These are all decisions determining what a user has access to and therefore all represent authorization checks.</p><p>Authorization is a critical element of any application but it can quickly become very complex. Shiro’s goal is to eliminate much of the complexity around authorization so that you can more easily build secure software. Below is a highlight of the Shiro authorization features. </p><h2>Features</h2> + <h1><a href="#apache-shiro-authorization-features" name="apache-shiro-authorization-features">Apache Shiro Authorization Features</a></h1> +<p>Authorization, also called access control, is the process of determining access rights to resources in an application. In other words, determining “who has access to what.” Authorization is used to answer security questions like, “is the user allowed to edit accounts”, “is this user allowed to view this web page”, “does this user have access to this button?” These are all decisions determining what a user has access to and therefore all represent authorization checks.</p> +<p>Authorization is a critical element of any application but it can quickly become very complex. Shiro’s goal is to eliminate much of the complexity around authorization so that you can more easily build secure software. Below is a highlight of the Shiro authorization features. </p> +<h2><a href="#features" name="features">Features</a></h2> <table align="right" width="275" style="margin-left: 20px; margin-bottom: 20px; border-style: solid; border-width: 2px; border-color: navy" cellpadding="10px"> <tr> @@ -96,13 +101,20 @@ </tr> </table> <ul> - <li><p><strong>Subject-based</strong> - Almost everything you do in Shiro is based on the currently executing user, called a Subject. And you can easily access the subject retrieve the Subject and checks its roles, permissions, or other relevant attributes anywhere in your code. This makes it easier for you to understand and work with Shiro in your applications.</p></li> - <li><p><strong>Checks based on roles or permissions</strong> - Since the complexity of authorization differs greatly between applications, Shiro is designed to be flexible, supporting both role-based security and permission-based security based on your projects needs.</p></li> - <li><p><strong>Powerful and intuitive permission syntax</strong> - As an option, Shiro provides an out-of-the-box permission syntax, called Wildcard Permissions, that help you model the fine grained access policies your application may have. By using Shiro’s Wildcard Permissions you get an easy-to-process and human readable syntax. Moreoever, you don’t have to go through the time-consuming effort and complexity of creating your own method for representing your access policies.</p></li> - <li><p><strong>Multiple enforcement options</strong> – Authorization checks in Shiro can be done through in-code checks, JDK 1.5 annotations, AOP, and JSP/GSP Taglibs. Shiro’s goal is to give you the choice to use the option you think are best based on your preferences and project needs.</p></li> - <li><p><strong>Strong caching support</strong> - Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience. For authorization, caching is crucial for performance in larger environments or with more complex policies using back-end security data sources.</p></li> - <li><p><strong>Pluggable data sources</strong> - Shiro uses pluggable data access objects, referred to as Realms, to connect to security data sources where you keep your access control information, like a LDAP or a relational database. To help you avoid building and maintaining integrations yourself, Shiro provides out-of-the-box realms for popular data sources like LDAP, Active Directory, Kerboros, and JDBC. If needed, you can also create your own realms to support specific functionality not included in the basic realms.</p></li> - <li><p><strong>Supports any data model</strong> - Shiro can support any data model for access control– it doesn’t force a model on you. Your realm implementation ultimately decides how your permissions and roles are grouped together and whether to return a “yes” or a “no” answer to Shiro. This feature allows you to architect your application in the manner you chose and Shiro will bend to support you.</p></li> + <li> + <p><strong>Subject-based</strong> - Almost everything you do in Shiro is based on the currently executing user, called a Subject. And you can easily access the subject retrieve the Subject and checks its roles, permissions, or other relevant attributes anywhere in your code. This makes it easier for you to understand and work with Shiro in your applications.</p></li> + <li> + <p><strong>Checks based on roles or permissions</strong> - Since the complexity of authorization differs greatly between applications, Shiro is designed to be flexible, supporting both role-based security and permission-based security based on your projects needs.</p></li> + <li> + <p><strong>Powerful and intuitive permission syntax</strong> - As an option, Shiro provides an out-of-the-box permission syntax, called Wildcard Permissions, that help you model the fine grained access policies your application may have. By using Shiro’s Wildcard Permissions you get an easy-to-process and human readable syntax. Moreoever, you don’t have to go through the time-consuming effort and complexity of creating your own method for representing your access policies.</p></li> + <li> + <p><strong>Multiple enforcement options</strong> – Authorization checks in Shiro can be done through in-code checks, JDK 1.5 annotations, AOP, and JSP/GSP Taglibs. Shiro’s goal is to give you the choice to use the option you think are best based on your preferences and project needs.</p></li> + <li> + <p><strong>Strong caching support</strong> - Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience. For authorization, caching is crucial for performance in larger environments or with more complex policies using back-end security data sources.</p></li> + <li> + <p><strong>Pluggable data sources</strong> - Shiro uses pluggable data access objects, referred to as Realms, to connect to security data sources where you keep your access control information, like a LDAP or a relational database. To help you avoid building and maintaining integrations yourself, Shiro provides out-of-the-box realms for popular data sources like LDAP, Active Directory, Kerboros, and JDBC. If needed, you can also create your own realms to support specific functionality not included in the basic realms.</p></li> + <li> + <p><strong>Supports any data model</strong> - Shiro can support any data model for access control– it doesn’t force a model on you. Your realm implementation ultimately decides how your permissions and roles are grouped together and whether to return a “yes” or a “no” answer to Shiro. This feature allows you to architect your application in the manner you chose and Shiro will bend to support you.</p></li> </ul> </div>
Modified: shiro/site/publish/authorization.html URL: http://svn.apache.org/viewvc/shiro/site/publish/authorization.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/authorization.html (original) +++ shiro/site/publish/authorization.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> @@ -98,7 +100,29 @@ <p>When looking at permissions, probably the most important thing to realize is that permission statements have no representation of <em>who</em> can perform the represented behavior. They are only statements of <em>what</em> can be done in an application.</p> -<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Permissions represent behavior only</b><br clear="none">Permission statements reflect behavior (actions associated with resource types) <em>only</em>. They do not reflect <em>who</em> is able to perform such behavior.</td></tr></table></div> +<div class="panelMacro"> + <table class="infoMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + + + <tbody> + <tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-info-circle"></i> + </td> + + <td colspan="1" rowspan="1"> + <b>Permissions represent behavior only</b> + <br clear="none"> + Permission statements reflect behavior (actions associated with resource types) <em>only</em>. They do not reflect <em>who</em> is able to perform such behavior. + </td> + </tr> + </tbody> + </table> +</div> <p>Defining <em>who</em> (users) is allowed to do <em>what</em> (permissions) is an exercise of assigning permissions to users in some way. This is always done by the application's data model and can vary greatly across applications.</p> @@ -123,19 +147,54 @@ <ul><li><b>Implicit Roles</b>: Most people use roles as an <em>implicit</em> construct: where your application <em>implies</em> a set of behaviors (i.e. permissions) based on a role name only. With implicit roles, there is nothing at the software level that says "role X is allowed to perform behavior A, B and C". Behavior is implied by a name alone. <br clear="none" class="atl-forced-newline"> <br clear="none" class="atl-forced-newline"> -<div class="panelMacro"><table class="noteMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Potentially Brittle Security</b><br clear="none">While the simpler and most common approach, implicit roles potentially impose a lot of software maintenance and management problems. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -For example, what if you just want to add or remove a role, or redefine a role's behavior later? You'll have to go back into your source code and change all your role checks to reflect the change in your security model, every time such a change is required! Not to mention the operational costs this would incur (re-test, go through QA, shut down the app, upgrade the software with the new role checks, restart the app, etc). -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -This is probably ok for very simple applications (e.g. maybe there is an 'admin' role and 'everyone else'). But for more complicated or configurable applications, this can be a major major problem throughout the life of your application and drive a large maintenance cost for your software.</td></tr></table></div> -<p><br clear="none" class="atl-forced-newline"></p></li><li><b>Excplict Roles</b>: An explicit role however is essentially a named collection of actual permission statements. In this form, the application (and Shiro) knows <em>exactly</em> what it means to have a particular role or not. Because it is known the <em>exact</em> behavior that can be performed or not, there is no guessing or implying what a particular role can or can not do.</li></ul> +<div class="panelMacro"> + <table class="noteMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody> + <tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-warning"></i> + </td> + + <td colspan="1" rowspan="1"> + <b>Potentially Brittle Security</b> + <br clear="none"> + While the simpler and most common approach, implicit roles potentially impose a lot of software maintenance and management problems. +<p>For example, what if you just want to add or remove a role, or redefine a role's behavior later? You'll have to go back into your source code and change all your role checks to reflect the change in your security model, every time such a change is required! Not to mention the operational costs this would incur (re-test, go through QA, shut down the app, upgrade the software with the new role checks, restart the app, etc).</p> +<p>This is probably ok for very simple applications (e.g. maybe there is an 'admin' role and 'everyone else'). But for more complicated or configurable applications, this can be a major major problem throughout the life of your application and drive a large maintenance cost for your software.</p> + </td> + </tr> + </tbody> + </table> +</div> +</li> +<li><b>Excplict Roles</b>: An explicit role however is essentially a named collection of actual permission statements. In this form, the application (and Shiro) knows <em>exactly</em> what it means to have a particular role or not. Because it is known the <em>exact</em> behavior that can be performed or not, there is no guessing or implying what a particular role can or can not do.</li></ul> <p>The Shiro team advocates using permissions and explicit roles instead of the older implicit approach. You will have much greater control over your application's security experience.</p> -<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Resource-Based Access Control</b><br clear="none">Be sure to read Les Hazlewood's article, <a class="external-link" href="http://www.katasoft.com/blog/2011/05/09/new-rbac-resource-based-access-control"; rel="nofollow">The New RBAC: Resource-Based Access Control</a>, which covers in-depth the benefits of using permissions and explicit roles (and their positive impact on source code) instead of the older implicit role approach.</td></tr></table></div> +<div class="panelMacro"> + <table class="tipMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody><tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-check-square-o"></i> + </td> + <td colspan="1" rowspan="1"> + <b>Resource-Based Access Control</b> + <br clear="none"> + Be sure to read Les Hazlewood's article, <a class="external-link" href="http://www.katasoft.com/blog/2011/05/09/new-rbac-resource-based-access-control"; rel="nofollow">The New RBAC: Resource-Based Access Control</a>, which covers in-depth the benefits of using permissions and explicit roles (and their positive impact on source code) instead of the older implicit role approach. + </td> + </tr> + </tbody> + </table> +</div> <h3><a name="Authorization-Users"></a>Users</h3> @@ -147,7 +206,29 @@ This is probably ok for very simple appl <p>Your data model defines exactly how authorization will function. Shiro relies on a <a href="realm.html" title="Realm">Realm</a> implementation to translate your data model association details into a format Shiro understands. We'll cover how Realms do this a little later.</p> -<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1">Ultimately, your <a href="realm.html" title="Realm">Realm</a> implementation is what communicates with your data source (RDBMS, LDAP, etc). So your realm is what will tell Shiro whether or not roles or permissions exist. You have full control over how your authorization model is structured and defined.</td></tr></table></div> +<div class="panelMacro"> + <table class="infoMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + + + <tbody> + <tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-info-circle"></i> + </td> + + <td colspan="1" rowspan="1"> + <b>Note</b> + <br clear="none"> + Ultimately, your <a href="realm.html" title="Realm">Realm</a> implementation is what communicates with your data source (RDBMS, LDAP, etc). So your realm is what will tell Shiro whether or not roles or permissions exist. You have full control over how your authorization model is structured and defined. + </td> + </tr> + </tbody> + </table> +</div> <h2><a name="Authorization-AuthorizingSubjects"></a>Authorizing Subjects</h2> @@ -168,7 +249,7 @@ This is probably ok for very simple appl <p>If you want to simply check to see if the current <tt>Subject</tt> has a role or not, you can call the variant <tt>hasRole*</tt> methods on the <tt>Subject</tt> instance.</p> -<p>For example, to see if a <tt>Subject</tt> has a particular (single) role, you can call the <tt>subject.</tt> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#hasRole(java.lang.String)">hasRole(roleName)</a></tt> method, and react accordingly:</p> +<p>For example, to see if a <tt>Subject</tt> has a particular (single) role, you can call the <tt>subject.</tt> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#hasRole(java.lang.String)">hasRole(roleName)</a></tt> method, and react accordingly:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> @@ -187,7 +268,7 @@ Subject currentUser = SecurityUtils.getS <p> </p><div class="table-wrap"> -<table class="confluenceTable" id="TBL1365578679389"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#hasRole(java.lang.String)">hasRole(String roleName)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is assigned the specified role, <tt>false</tt> otherwise. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#hasRoles(java.util.List)">hasRoles(List<String> roleNames)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns a array of <tt>hasRole</tt> results corresponding to the indices in the method argument. Useful as a performance enhancemen t if many role checks need to be performed (e.g. when customizing a complex view) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#hasAllRoles(java.util.Collection)">hasAllRoles(Collection<String> roleNames)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is assigned <em>all</em> of the specified roles, <tt>false</tt> otherwise. </td></tr></tbody></table> +<table class="confluenceTable" id="TBL1365578679389"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#hasRole(java.lang.String)">hasRole(String roleName)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is assigned the specified role, <tt>false</tt> otherwise. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#hasRoles(java.util.List)">hasRoles(List<String> roleNames)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns a array of <tt>hasRole</tt> results corresponding to the indices in the method argument. Useful as a performance enhancem ent if many role checks need to be performed (e.g. when customizing a complex view) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#hasAllRoles(java.util.Collection)">hasAllRoles(Collection<String> roleNames)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is assigned <em>all</em> of the specified roles, <tt>false</tt> otherwise. </td></tr></tbody></table> </div> <script type="text/javascript"> <!-- @@ -233,7 +314,7 @@ openBankAccount(); <p> </p><div class="table-wrap"> -<table class="confluenceTable" id="TBL1365578679390"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#checkRole(java.lang.String)">checkRole(String roleName)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is assigned the specified role or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#checkRoles(java.util.Collection)">checkRoles(Collection<String> roleNames)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is assigned <em>all</em> of the specified role or th rows an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#checkRoles(java.lang.String...)">checkRoles(String... roleNames)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Same effect as the <tt>checkRoles</tt> method above, but allows Java 5 var-args style arguments. </td></tr></tbody></table> +<table class="confluenceTable" id="TBL1365578679390"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#checkRole(java.lang.String)">checkRole(String roleName)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is assigned the specified role or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#checkRoles(java.util.Collection)">checkRoles(Collection<String> roleNames)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is assigned <em>all</em> of the specified role or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#checkRoles(java.lang.String...)">checkRoles(String... roleNames)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Same effect as the <tt>checkRoles</tt> method above, but allows Java 5 var-args style arguments. </td></tr></tbody></table> </div> <script type="text/javascript"> <!-- @@ -275,7 +356,7 @@ Subject currentUser = SecurityUtils.getS <p>Object-based <tt>Permissions</tt> are useful if:</p> -<ul><li>You want compile-time type-safety</li><li>You want to guarantee permissions are represented and used correctly</li><li>You want explicit control of how permission resolution logic (called permission implication logic, based on the Permission interface's <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/Permission.html#implies(org.apache.shiro.authz.Permission)">implies</a></tt> method) executes.</li><li>You want to guarantee Permissions reflect application resources accurately (for example, maybe Permission classes can be auto-generated during a project's build based on a project's domain model).</li></ul> +<ul><li>You want compile-time type-safety</li><li>You want to guarantee permissions are represented and used correctly</li><li>You want explicit control of how permission resolution logic (called permission implication logic, based on the Permission interface's <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/Permission.html\#implies(org.apache.shiro.authz.Permission)">implies</a></tt> method) executes.</li><li>You want to guarantee Permissions reflect application resources accurately (for example, maybe Permission classes can be auto-generated during a project's build based on a project's domain model).</li></ul> <p>There are few Object permission-oriented <tt>Subject</tt> methods you can call, depending on your needs:</p> @@ -283,7 +364,7 @@ Subject currentUser = SecurityUtils.getS <p> </p><div class="table-wrap"> -<table class="confluenceTable" id="TBL1365578679391"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isPermitted(org.apache.shiro.authz.Permission)">isPermitted(Permission p)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is permitted to perform an action or access a resource summarized by the specified <tt>Permission</tt> instance, <tt>false</tt> otherwise. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isPermitted(java.util.List)">isPermitted(List<Permission> perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns an array of <tt >isPermitted</tt> results corresponding to the indices in the method argument. > Useful as a performance enhancement if many permission checks need to be >performed (e.g. when customizing a complex view) </td></tr><tr><td >colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" >href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isPermittedAll(java.util.Collection)">isPermittedAll(Collection<Permission> > perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> >Returns <tt>true</tt> if the <tt>Subject</tt> is permitted <em>all</em> of >the specified permissions, <tt>false</tt> otherwise. ></td></tr></tbody></table> +<table class="confluenceTable" id="TBL1365578679391"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#isPermitted(org.apache.shiro.authz.Permission)">isPermitted(Permission p)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is permitted to perform an action or access a resource summarized by the specified <tt>Permission</tt> instance, <tt>false</tt> otherwise. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#isPermitted(java.util.List)">isPermitted(List<Permission> perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns an array of < tt>isPermitted</tt> results corresponding to the indices in the method argument. Useful as a performance enhancement if many permission checks need to be performed (e.g. when customizing a complex view) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#isPermittedAll(java.util.Collection)">isPermittedAll(Collection<Permission> perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is permitted <em>all</em> of the specified permissions, <tt>false</tt> otherwise. </td></tr></tbody></table> </div> <script type="text/javascript"> <!-- @@ -342,7 +423,7 @@ Permission p = <span class="code-keyword <p> </p><div class="table-wrap"> -<table class="confluenceTable" id="TBL1365578679392"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isPermitted(java.lang.String)">isPermitted(String perm)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is permitted to perform an action or access a resource summarized by the specified <tt>String</tt> permission, <tt>false</tt> otherwise. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isPermitted(java.util.List)">isPermitted(String... perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns an array of <tt>isPermitted</tt> results corresp onding to the indices in the method argument. Useful as a performance enhancement if many <tt>String</tt> permission checks need to be performed (e.g. when customizing a complex view) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isPermittedAll(java.lang.String...)">isPermittedAll(String... perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is permitted <em>all</em> of the specified <tt>String</tt> permissions, <tt>false</tt> otherwise. </td></tr></tbody></table> +<table class="confluenceTable" id="TBL1365578679392"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#isPermitted(java.lang.String)">isPermitted(String perm)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is permitted to perform an action or access a resource summarized by the specified <tt>String</tt> permission, <tt>false</tt> otherwise. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#isPermitted(java.util.List)">isPermitted(String... perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns an array of <tt>isPermitted</tt> results corre sponding to the indices in the method argument. Useful as a performance enhancement if many <tt>String</tt> permission checks need to be performed (e.g. when customizing a complex view) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#isPermittedAll(java.lang.String...)">isPermittedAll(String... perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns <tt>true</tt> if the <tt>Subject</tt> is permitted <em>all</em> of the specified <tt>String</tt> permissions, <tt>false</tt> otherwise. </td></tr></tbody></table> </div> <script type="text/javascript"> <!-- @@ -391,7 +472,7 @@ openBankAccount(); <p> </p><div class="table-wrap"> -<table class="confluenceTable" id="TBL1365578679393"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#checkPermission(org.apache.shiro.authz.Permission)">checkPermission(Permission p)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is permitted to perform an action or access a resource summarized by the specified <tt>Permission</tt> instance, or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#checkPermission(java.lang.String)">checkPermission(String perm)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> R eturns quietly if the <tt>Subject</tt> is is permitted to perform an action or access a resource summarized by the specified <tt>String</tt> permission, or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#checkPermissions(java.util.Collection)">checkPermissions(Collection<Permission> perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is permitted <em>all</em> the specified permissions, or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#checkPermissions(java.lang.String...)">checkPermissions(String... perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Same effect as the <tt>checkPer missions</tt> method above, but using <tt>String</tt>-based permissions. </td></tr></tbody></table> +<table class="confluenceTable" id="TBL1365578679393"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Subject Method </th><th colspan="1" rowspan="1" class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#checkPermission(org.apache.shiro.authz.Permission)">checkPermission(Permission p)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is permitted to perform an action or access a resource summarized by the specified <tt>Permission</tt> instance, or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#checkPermission(java.lang.String)">checkPermission(String perm)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is is permitted to perform an action or access a resource summarized by the specified <tt>String</tt> permission, or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#checkPermissions(java.util.Collection)">checkPermissions(Collection<Permission> perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Returns quietly if the <tt>Subject</tt> is permitted <em>all</em> the specified permissions, or throws an <tt>AuthorizationException</tt> if not. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#checkPermissions(java.lang.String...)">checkPermissions(String... perms)</a></tt> </td><td colspan="1" rowspan="1" class="confluenceTd"> Same effect as the <tt>chec kPermissions</tt> method above, but using <tt>String</tt>-based permissions. </td></tr></tbody></table> </div> <script type="text/javascript"> <!-- @@ -582,7 +663,7 @@ customizeMacroTable('TBL1365578679393', <h3><a name="Authorization-JSPTagLibAuthorization"></a>JSP TagLib Authorization</h3> -<p>Shiro offers a Tag Library for controlling JSP/GSP page output based on <tt>Subject</tt> state. This is covered in the <a href="web.html" title="Web">Web</a> chapter's <a href="web.html#Web-taglibrary">JSP/GSP Tag Library</a> section.</p> +<p>Shiro offers a Tag Library for controlling JSP/GSP page output based on <tt>Subject</tt> state. This is covered in the <a href="web.html" title="Web">Web</a> chapter's <a href="web.html\#Web-taglibrary">JSP/GSP Tag Library</a> section.</p> <h2><a name="Authorization-AuthorizationSequence"></a>Authorization Sequence</h2> @@ -653,7 +734,27 @@ securityManager.authorizer.permissionRes </pre> </div></div> -<div class="panelMacro"><table class="noteMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>PermissionResolverAware</b><br clear="none">If you want to configure a global <tt>PermissionResolver</tt>, each <tt>Realm</tt> that is to receive the configured <tt>PermissionResolver</tt> <b><em>must</em></b> implement the <tt><a class="external-link" href="static/current/apidocs/src-html/org/apache/shiro/authz/permission/PermissionResolverAware.html">PermisionResolverAware</a></tt> interface. This guarantees that the configured instance can be relayed to each <tt>Realm</tt> that supports such configuration.</td></tr></table></div> +<div class="panelMacro"> + <table class="noteMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody> + <tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-warning"></i> + </td> + + <td colspan="1" rowspan="1"> + <b>PermissionResolverAware</b> + <br clear="none"> + If you want to configure a global <tt>PermissionResolver</tt>, each <tt>Realm</tt> that is to receive the configured <tt>PermissionResolver</tt> <b><em>must</em></b> implement the <tt><a class="external-link" href="static/current/apidocs/src-html/org/apache/shiro/authz/permission/PermissionResolverAware.html">PermisionResolverAware</a></tt> interface. This guarantees that the configured instance can be relayed to each <tt>Realm</tt> that supports such configuration. + </td> + </tr> + </tbody> + </table> +</div> <p>If you don't want to use a global <tt>PermissionResolver</tt> or you don't want to be bothered with the <tt>PermissionResolverAware</tt> interface, you can always configure a realm with a <tt>PermissionResolver</tt> instance explicitly (assuming there is a JavaBeans-compatible setPermissionResolver method):</p> @@ -692,7 +793,27 @@ securityManager.authorizer.rolePermissio </pre> </div></div> -<div class="panelMacro"><table class="noteMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>RolePermissionResolverAware</b><br clear="none">If you want to configure a global <tt>RolePermissionResolver</tt>, each <tt>Realm</tt> that is to receive the configured <tt>RolePermissionResolver</tt> <b><em>must</em></b> implement the <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/permission/RolePermissionResolverAware.html">RolePermisionResolverAware</a></tt> interface. This guarantees that the configured global <tt>RolePermissionResolver</tt> instance can be relayed to each <tt>Realm</tt> that supports such configuration.</td></tr></table></div> +<div class="panelMacro"> + <table class="noteMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody> + <tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-warning"></i> + </td> + + <td colspan="1" rowspan="1"> + <b>RolePermissionResolverAware</b> + <br clear="none"> + If you want to configure a global <tt>RolePermissionResolver</tt>, each <tt>Realm</tt> that is to receive the configured <tt>RolePermissionResolver</tt> <b><em>must</em></b> implement the <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/permission/RolePermissionResolverAware.html">RolePermisionResolverAware</a></tt> interface. This guarantees that the configured global <tt>RolePermissionResolver</tt> instance can be relayed to each <tt>Realm</tt> that supports such configuration. + </td> + </tr> + </tbody> + </table> +</div> <p>If you don't want to use a global <tt>RolePermissionResolver</tt> or you don't want to be bothered with the <tt>RolePermissionResolverAware</tt> interface, you can always configure a realm with a <tt>RolePermissionResolver</tt> instance explicitly (assuming there is a JavaBeans-compatible setRolePermissionResolver method):</p> Modified: shiro/site/publish/authorizer.html URL: http://svn.apache.org/viewvc/shiro/site/publish/authorizer.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/authorizer.html (original) +++ shiro/site/publish/authorizer.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> @@ -73,12 +75,13 @@ <p>TODO</p> -<h2><a name="Authorizer-Lendahandwithdocumentation"></a>Lend a hand with documentation </h2> +<h2><a name="Lendahandwithdocumentation"></a>Lend a hand with documentation </h2> <p>While we hope this documentation helps you with the work you're doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you'd like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro. </p> <p>The easiest way to contribute your documentation is to send it to the <a class="external-link" href="http://shiro-user.582556.n2.nabble.com/"; rel="nofollow">User Forum</a> or the <a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p> + </div> </div><!--END WRAPPER--> Modified: shiro/site/publish/banner.html URL: http://svn.apache.org/viewvc/shiro/site/publish/banner.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/banner.html (original) +++ shiro/site/publish/banner.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/cachemanager.html URL: http://svn.apache.org/viewvc/shiro/site/publish/cachemanager.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/cachemanager.html (original) +++ shiro/site/publish/cachemanager.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/caching.html URL: http://svn.apache.org/viewvc/shiro/site/publish/caching.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/caching.html (original) +++ shiro/site/publish/caching.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/cas.html URL: http://svn.apache.org/viewvc/shiro/site/publish/cas.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/cas.html (original) +++ shiro/site/publish/cas.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/codec.html URL: http://svn.apache.org/viewvc/shiro/site/publish/codec.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/codec.html (original) +++ shiro/site/publish/codec.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/command-line-hasher.html URL: http://svn.apache.org/viewvc/shiro/site/publish/command-line-hasher.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/command-line-hasher.html (original) +++ shiro/site/publish/command-line-hasher.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/commercial-support.html URL: http://svn.apache.org/viewvc/shiro/site/publish/commercial-support.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/commercial-support.html (original) +++ shiro/site/publish/commercial-support.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/community.html URL: http://svn.apache.org/viewvc/shiro/site/publish/community.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/community.html (original) +++ shiro/site/publish/community.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> @@ -71,19 +73,33 @@ <div id="content"> - <h1>Welcome to the Apache Shiro Community!</h1><p>We have a great user and developer community and hope that you become an active participant.</p><p>Our community is here to help you learn about Shiro, figure out how to do what you need, identify and fix any bugs, and improve Shiro so that it continues to be a powerful and useful software project.</p> + <h1>Welcome to the Apache Shiro Community!</h1> +<p>We have a great user and developer community and hope that you become an active participant.</p> +<p>Our community is here to help you learn about Shiro, figure out how to do what you need, identify and fix any bugs, and improve Shiro so that it continues to be a powerful and useful software project.</p> <ul> - <li><p><strong><a href="forums.html">Community Forums</a></strong> - Need help? For users that prefer to use forums over mailing lists, we use Nabble</p></li> - <li><p><strong><a href="mailing-lists.html">Mailing Lists</a></strong> - Need help, but hate forums? Lists for Users, Developers and Committers!</p></li> - <li><p><strong><a href="articles.html">Articles</a></strong> - Read up on the latest discussions, guides, and how-tos created by members of our community</p></li> - <li><p><strong><a href="news.html">News</a></strong> - Stay up to date on the latest Shiro news</p></li> - <li><p><strong><a href="events.html">Events</a></strong> - Check out the next Shiro events and see if there’s something near you to attend</p></li> -</ul><h2>Contribute and Commit!</h2><p>Apache Shiro is a non-profit project and relies on your help and contributions in order to evolve and improve.</p><p>At the Shiro project we make it easy for anyone to join our great community and lend a hand. We welcome any help you can offer inlcuding help with documentation, identifying bugs, providing answers on the user mailing list, and providing helpful code improvements.</p> + <li> + <p><strong><a href="forums.html">Community Forums</a></strong> - Need help? For users that prefer to use forums over mailing lists, we use Nabble</p></li> + <li> + <p><strong><a href="mailing-lists.html">Mailing Lists</a></strong> - Need help, but hate forums? Lists for Users, Developers and Committers!</p></li> + <li> + <p><strong><a href="articles.html">Articles</a></strong> - Read up on the latest discussions, guides, and how-tos created by members of our community</p></li> + <li> + <p><strong><a href="news.html">News</a></strong> - Stay up to date on the latest Shiro news</p></li> + <li> + <p><strong><a href="events.html">Events</a></strong> - Check out the next Shiro events and see if there’s something near you to attend</p></li> +</ul> +<h2>Contribute and Commit!</h2> +<p>Apache Shiro is a non-profit project and relies on your help and contributions in order to evolve and improve.</p> +<p>At the Shiro project we make it easy for anyone to join our great community and lend a hand. We welcome any help you can offer inlcuding help with documentation, identifying bugs, providing answers on the user mailing list, and providing helpful code improvements.</p> <ul> - <li><p><strong><a href="how-to-contribute.html">How to Contribute</a></strong> - Join our community and help make Apache Shiro even better</p></li> - <li><p><strong><a href="developer-resources.html">Developer Resources</a></strong> - Helpful information for anyone providing project help as a committer or contributor</p></li> - <li><p><strong><a href="https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20status%20%3D%20Open%20ORDER%20BY%20priority%20DESC";>Issue Tracker</a></strong> - Once you’re ready to contribute, this is a good place to see what needs to get done</p></li> - <li><p><strong><a href="http://www.apache.org/foundation/sponsorship.html";>Donate to ASF</a></strong> - Shiro is a project under the Apache Software Foundation, a non-profit that relies on donations and community support</p></li> + <li> + <p><strong><a href="how-to-contribute.html">How to Contribute</a></strong> - Join our community and help make Apache Shiro even better</p></li> + <li> + <p><strong><a href="developer-resources.html">Developer Resources</a></strong> - Helpful information for anyone providing project help as a committer or contributor</p></li> + <li> + <p><strong><a href="https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20status%20%3D%20Open%20ORDER%20BY%20priority%20DESC";>Issue Tracker</a></strong> - Once you’re ready to contribute, this is a good place to see what needs to get done</p></li> + <li> + <p><strong><a href="http://www.apache.org/foundation/sponsorship.html";>Donate to ASF</a></strong> - Shiro is a project under the Apache Software Foundation, a non-profit that relies on donations and community support</p></li> </ul> </div> Modified: shiro/site/publish/concurrency.html URL: http://svn.apache.org/viewvc/shiro/site/publish/concurrency.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/concurrency.html (original) +++ shiro/site/publish/concurrency.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/conferences.html URL: http://svn.apache.org/viewvc/shiro/site/publish/conferences.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/conferences.html (original) +++ shiro/site/publish/conferences.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> Modified: shiro/site/publish/configuration.html URL: http://svn.apache.org/viewvc/shiro/site/publish/configuration.html?rev=1765607&r1=1765606&r2=1765607&view=diff ============================================================================== --- shiro/site/publish/configuration.html (original) +++ shiro/site/publish/configuration.html Wed Oct 19 14:24:58 2016 @@ -15,6 +15,7 @@ limitations under the License. --> <html> + <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management."> @@ -29,6 +30,7 @@ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico"> + <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";> <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css"> <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" media="screen"> @@ -78,7 +80,25 @@ <p>Shiro is designed to work in any environment, from simple command-line applications to the largest enterprise clustered applications. Because of this diversity of environments, there are a number of configuration mechanisms that are suitable for configuration. This section covers the configuration mechanisms that are supported by Shiro core only.</p> -<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Many Configuration Options</b><br clear="none">Shiro's <tt>SecurityManager</tt> implementations and all supporting components are all JavaBeans compatible. This allows Shiro to be configured with practically any configuration format such as regular Java, XML (Spring, JBoss, Guice, etc), <a class="external-link" href="http://www.yaml.org/"; rel="nofollow">YAML</a>, JSON, Groovy Builder markup, and more.</td></tr></table></div> +<div class="panelMacro"> + <table class="tipMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody><tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-check-square-o"></i> + </td> + <td colspan="1" rowspan="1"> + <b>Many Configuration Options</b> + <br clear="none"> + Shiro's <tt>SecurityManager</tt> implementations and all supporting components are all JavaBeans compatible. This allows Shiro to be configured with practically any configuration format such as regular Java, XML (Spring, JBoss, Guice, etc), <a class="external-link" href="http://www.yaml.org/"; rel="nofollow">YAML</a>, JSON, Groovy Builder markup, and more. + </td> + </tr> + </tbody> + </table> +</div> <h2><a name="Configuration-ProgrammaticConfiguration"></a>Programmatic Configuration</h2> @@ -332,7 +352,25 @@ securityManager.getSessionManager().setG <p>The graph traversal can be as deep as necessary: <tt>object.property1.property2....propertyN.value = blah</tt></p> -<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>BeanUtils Property Support</b><br clear="none">Any property assignment operation supported by the BeanUtils.<a class="external-link" href="http://commons.apache.org/beanutils/v1.8.2/apidocs/org/apache/commons/beanutils/BeanUtils.html#setProperty%28java.lang.Object,%20java.lang.String,%20java.lang.Object%29";>setProperty</a> method will work in Shiro's [main] section, including set/list/map element assignments. See the <a class="external-link" href="http://commons.apache.org/beanutils/";>Apache Commons BeanUtils Website</a> and documentation for more information.</td></tr></table></div> +<div class="panelMacro"> + <table class="tipMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody><tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-check-square-o"></i> + </td> + <td colspan="1" rowspan="1"> + <b>BeanUtils Property Support</b> + <br clear="none"> + Any property assignment operation supported by the BeanUtils.<a class="external-link" href="http://commons.apache.org/beanutils/v1.8.2/apidocs/org/apache/commons/beanutils/BeanUtils.html#setProperty%28java.lang.Object,%20java.lang.String,%20java.lang.Object%29";>setProperty</a> method will work in Shiro's [main] section, including set/list/map element assignments. See the <a class="external-link" href="http://commons.apache.org/beanutils/";>Apache Commons BeanUtils Website</a> and documentation for more information. + </td> + </tr> + </tbody> + </table> +</div> <h6><a name="Configuration-ByteArrayValues"></a>Byte Array Values</h6> @@ -400,9 +438,28 @@ anObject.map = $objectKey1:$objectValue1 <p>The INI format and conventions above are very convenient and easy to understand, but it is not as powerful as other text/XML-based configuration mechanisms. The most important thing to understand when using the above mechanism is that <b>Order Matters!</b></p> -<div class="panelMacro"><table class="noteMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Be Careful</b><br clear="none">Each object instantiation and each value assignment is executed <em>in the order they occur in the [main] section</em>. These lines ultimately translate to a JavaBeans getter/setter method invocation, and so those methods are invoked in the same order! - -<p>Keep this in mind when writing your configuration.</p></td></tr></table></div> +<div class="panelMacro"> + <table class="noteMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody> + <tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-warning"></i> + </td> + + <td colspan="1" rowspan="1"> + <b>Be Careful</b> + <br clear="none"> + Each object instantiation and each value assignment is executed <em>in the order they occur in the [main] section</em>. These lines ultimately translate to a JavaBeans getter/setter method invocation, and so those methods are invoked in the same order! +<p>Keep this in mind when writing your configuration.</p> + </td> + </tr> + </tbody> + </table> +</div> <h6><a name="Configuration-OverridingInstances"></a>Overriding Instances</h6> @@ -460,7 +517,29 @@ darkhelmet = ludicrousspeed, badguy, sch </pre> </div></div> -<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Automatic IniRealm</b><br clear="none">Just defining non-empty [users] or [roles] sections will automatically trigger the creation of an <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/realm/text/IniRealm.html">org.apache.shiro.realm.text.IniRealm</a></tt> instance and make it available in the [main] section under the name <tt><b>iniRealm</b></tt>. You can configure it like any other object as described above.</td></tr></table></div> +<div class="panelMacro"> + <table class="infoMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + + + <tbody> + <tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-info-circle"></i> + </td> + + <td colspan="1" rowspan="1"> + <b>Automatic IniRealm</b> + <br clear="none"> + Just defining non-empty [users] or [roles] sections will automatically trigger the creation of an <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/realm/text/IniRealm.html">org.apache.shiro.realm.text.IniRealm</a></tt> instance and make it available in the [main] section under the name <tt><b>iniRealm</b></tt>. You can configure it like any other object as described above. + </td> + </tr> + </tbody> + </table> +</div> <h5><a name="Configuration-LineFormat"></a>Line Format</h5> @@ -475,7 +554,25 @@ darkhelmet = ludicrousspeed, badguy, sch <p>If you don't want the [users] section passwords to be in plain-text, you can encrypt them using your favorite hash algorithm (MD5, Sha1, Sha256, etc) however you like and use the resulting string as the password value. By default, the password string is expected to be Hex encoded, but can be configured to be Base64 encoded instead (see below).</p> -<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Easy Secure Passwords</b><br clear="none">To save time and use best-practices, you might want to use Shiro's <a href="command-line-hasher.html" title="Command Line Hasher">Command Line Hasher</a>, which will hash passwords as well as any other type of resource. It is especially convenient for encrypting INI <tt>[users]</tt> passwords.</td></tr></table></div> +<div class="panelMacro"> + <table class="tipMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody><tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-check-square-o"></i> + </td> + <td colspan="1" rowspan="1"> + <b>Easy Secure Passwords</b> + <br clear="none"> + To save time and use best-practices, you might want to use Shiro's <a href="command-line-hasher.html" title="Command Line Hasher">Command Line Hasher</a>, which will hash passwords as well as any other type of resource. It is especially convenient for encrypting INI <tt>[users]</tt> passwords. + </td> + </tr> + </tbody> + </table> +</div> <p>Once you've specified the hashed text password values, you have to tell Shiro that these are encrypted. You do that by configuring the implicitly created <tt>iniRealm</tt> in the [main] section to use an appropriate <tt>CredentialsMatcher</tt> implementation corresponding to the hash algorithm you've specified:</p> @@ -533,10 +630,49 @@ goodguy = winnebago:drive:eagle5 <p>where <em>permissionDefinition</em> is an arbitrary String, but most people will want to use strings that conform<br clear="none"> to the <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/permission/WildcardPermission.html">org.apache.shiro.authz.permission.WildcardPermission</a></tt> format for ease of use and flexibility. See the <a href="permissions.html" title="Permissions">Permissions</a> documentation for more information on Permissions and how you can benefit from them. </p> -<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Internal commas</b><br clear="none">Note that if an individual <em>permissionDefinition</em> needs to be internally comma-delimited (e.g. <tt>printer:5thFloor:print,info</tt>), you will need to surround that definition with double quotes (") to avoid parsing errors:<br clear="none"> -<tt>"printer:5thFloor:print,info"</tt></td></tr></table></div> - -<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Roles without Permissions</b><br clear="none">If you have roles that don't require permission associations, you don't need to list them in the [roles] section if you don't want to. Just defining the role names in the [users] section is enough to create the role if it does not exist yet.</td></tr></table></div> +<div class="panelMacro"> + <table class="infoMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + + + <tbody> + <tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-info-circle"></i> + </td> + + <td colspan="1" rowspan="1"> + <b>Internal commas</b> + <br clear="none"> + Note that if an individual <em>permissionDefinition</em> needs to be internally comma-delimited (e.g. <tt>printer:5thFloor:print,info</tt>), you will need to surround that definition with double quotes (") to avoid parsing errors:<br clear="none"><tt>"printer:5thFloor:print,info"</tt> + </td> + </tr> + </tbody> + </table> +</div> + +<div class="panelMacro"> + <table class="tipMacro"> + <colgroup span="1"> + <col span="1" width="24"> + <col span="1"> + </colgroup> + <tbody><tr> + <td colspan="1" rowspan="1" valign="top"> + <i class="fa fa-check-square-o"></i> + </td> + <td colspan="1" rowspan="1"> + <b>Roles without Permissions</b> + <br clear="none"> + If you have roles that don't require permission associations, you don't need to list them in the [roles] section if you don't want to. Just defining the role names in the [users] section is enough to create the role if it does not exist yet. + </td> + </tr> + </tbody> + </table> +</div> <h4><a name="Configuration-%5Curls%5C"></a>[urls]</h4>
![https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif"](https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif"){kind=link}
![https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"](https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"){kind=link}
![https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"](https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"){kind=link}