initial attempt at adding a bootstrap
Project: http://git-wip-us.apache.org/repos/asf/shiro-site/repo Commit: http://git-wip-us.apache.org/repos/asf/shiro-site/commit/ddea166c Tree: http://git-wip-us.apache.org/repos/asf/shiro-site/tree/ddea166c Diff: http://git-wip-us.apache.org/repos/asf/shiro-site/diff/ddea166c Branch: refs/heads/master Commit: ddea166c68d446f6e2dc948f028623379d06b4e6 Parents: 5896aac Author: Brian Demers <[email protected]> Authored: Tue Oct 18 17:32:55 2016 -0400 Committer: Brian Demers <[email protected]> Committed: Wed Oct 19 09:52:18 2016 -0400 ---------------------------------------------------------------------- 10-minute-tutorial.html | 337 ----------- 10-minute-tutorial.html.vtl | 307 ++++++++++ about.html | 38 -- about.html.vtl | 38 ++ adoption.html | 5 - adoption.html.vtl | 5 + architecture.html | 112 ---- architecture.html.vtl | 112 ++++ articles.html | 66 --- articles.html.vtl | 66 +++ assets/css/gh-pages/gh-fork-ribbon.css | 4 + authentication-guide.html | 9 - authentication-guide.html.vtl | 11 + authentication.html | 291 ---------- authentication.html.vtl | 292 ++++++++++ authenticator.html | 7 - authenticator.html.vtl | 1 + authorization.html | 650 --------------------- authorization.html.vtl | 647 +++++++++++++++++++++ authorizer.html | 7 - authorizer.html.vtl | 1 + config.scms.groovy | 8 + configuration.html | 476 ---------------- configuration.html.vtl | 474 ++++++++++++++++ confluence-auto-export.html | 165 ------ confluence-auto-export.html.vtl | 1 + developer-resources.html | 34 -- developer-resources.html.vtl | 34 ++ guice.html | 184 ------ guice.html.vtl | 184 ++++++ java-authentication-guide.html | 168 ------ java-authentication-guide.html.vtl | 168 ++++++ java-authorization-guide.html | 234 -------- java-authorization-guide.html.vtl | 234 ++++++++ java-cryptography-guide.html | 95 ---- java-cryptography-guide.html.vtl | 95 ++++ performing-a-release.html | 98 ---- performing-a-release.html.vtl | 1 + quickstart.html | 3 - quickstart.html.vtl | 1 + realm.html | 218 ------- realm.html.vtl | 218 +++++++ securitymanager.html | 77 --- securitymanager.html.vtl | 77 +++ session-management.html | 29 +- static/.htaccess | 1 - subject.html | 356 ------------ subject.html.vtl | 355 ++++++++++++ templates/default.vtl | 24 +- templates/macros.vtl | 6 + templates/macros/danger.vtl | 7 + templates/macros/info.vtl | 7 + templates/macros/lend-a-hand.vtl | 9 + templates/macros/redirect.vtl | 11 + templates/macros/tip.vtl | 7 + templates/macros/warning.vtl | 7 + testing.html | 241 -------- testing.html.vtl | 240 ++++++++ tutorial.html | 513 ----------------- tutorial.html.vtl | 513 +++++++++++++++++ web.html | 850 ---------------------------- web.html.vtl | 848 +++++++++++++++++++++++++++ 62 files changed, 5023 insertions(+), 5254 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/10-minute-tutorial.html ---------------------------------------------------------------------- diff --git a/10-minute-tutorial.html b/10-minute-tutorial.html deleted file mode 100644 index b3e42a6..0000000 --- a/10-minute-tutorial.html +++ /dev/null @@ -1,337 +0,0 @@ -<h1><a name="10MinuteTutorial-10MinuteTutorialonApacheShiro"></a>10 Minute Tutorial on Apache Shiro</h1> - -<div class="addthis_toolbox addthis_default_style"> - <a class="addthis_button_compact" href="http://www.addthis.com/bookmark.php?v=250&pubid=ra-4d66ef016022c3bd";>Share</a> - <span class="addthis_separator">|</span> - <a class="addthis_button_preferred_1"></a> - <a class="addthis_button_preferred_2"></a> - <a class="addthis_button_preferred_3"></a> - <a class="addthis_button_preferred_4"></a> -</div> -<script type="text/javascript">var addthis_config = {"data_track_clickback": true};</script> -<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#pubid=ra-4d66ef016022c3bd";></script> - - -<h2><a name="10MinuteTutorial-Introduction"></a>Introduction</h2> - -<p>Welcome to Apache Shiro's 10 Minute Tutoral! </p> - -<p>By going through this quick and simple tutorial you should fully understand how a developer uses Shiro in their - application. And you should be able to do it in under 10 minutes.</p> - -<h2><a name="10MinuteTutorial-Overview"></a>Overview</h2> - -<p>What is Apache Shiro?</p> - -<p>Apache Shiro is a powerful and easy to use Java security framework that offers developers an intuitive yet - comprehensive solution to authentication, authorization, cryptography, and session management.</p> - -<p>In practical terms, it achieves to manage all facets of your application's security, while keeping out of the way as - much as possible. It is built on sound interface-driven design and OO principles, enabling custom behavior wherever - you can imagine it. But with sensible defaults for everything, it is as "hands off" as application security can be. - At least that's what we strive for.</p> - -<p>What can Apache Shiro do?</p> - -<p>A lot <img align="middle" class="emoticon" src="https://cwiki.apache.org/confluence/images/icons/emoticons/smile.png"; - height="20" width="20" alt="" border="0">. But we don't want to bloat the QuickStart. Please check out our - <a href="features.html" title="Features">Features</a> page if you'd like to see what it can do for you. Also, if - you're curious on how we got started and why we exist, please see the <a href="what-is-shiro.html" - title="What is Shiro">Shiro History and - Mission</a> page.</p> - -<p>Ok. Now let's actually do something!</p> - -<div class="panelMacro"> - <table class="infoMacro"> - <colgroup span="1"> - <col span="1" width="24"> - <col span="1"> - </colgroup> - <tr> - <td colspan="1" rowspan="1" valign="top"><img align="middle" - src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.png"; - width="16" height="16" alt="" border="0"></td> - <td colspan="1" rowspan="1">Shiro can be run in any environment, from the simplest command line application - to the biggest enterprise web and clustered applications, but we'll use the simplest possible example in - a simple <tt>main</tt> method for this QuickStart so you can get a feel for the API. - </td> - </tr> - </table> -</div> - -<h2><a name="10MinuteTutorial-Download"></a>Download</h2> - -<ol> - <li>Ensure you have JDK 1.6+ and Maven 3.0.3+ installed.</li> - <li>Download the lastest "Source Code Distribution" from the <a href="download.html" title="Download">Download</a> - page. In this example, we're using the 1.3.2 release distribution. - </li> - <li>Unzip the source package: - <div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -> unzip shiro-root-1.3.2-source-release.zip -</pre> - </div> - </div> - </li> - <li>Enter the quickstart directory: - <div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -> cd shiro-root-1.3.2/samples/quickstart -</pre> - </div> - </div> - </li> - <li>Run the QuickStart: - <div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -> mvn compile exec:java -</pre> - </div> - </div> - <p>This target will just print out some log messages to let you know what is going on and then exit. While - reading this quickstart, feel free to look at the code found under <tt>samples/quickstart/src/main/java/Quickstart.java</tt>. - Change that file and run the above <tt>mvn compile exec:java</tt> command as often as you like.</p></li> -</ol> - - -<h2><a name="10MinuteTutorial-Quickstart.java"></a>Quickstart.java</h2> - -<p>The <tt>Quickstart.java</tt> file referenced above contains all the code that will get you familiar with the API. Now - lets break it down in chunks here so you can easily understand what is going on.</p> - -<p>In almost all environments, you can obtain the currently executing user via the following call:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -Subject currentUser = SecurityUtils.getSubject(); -</pre> - </div> -</div> - -<p>Using <tt><a class="external-link" - href="static/current/apidocs/org/apache/shiro/SecurityUtils.html">SecurityUtils</a>.<a - class="external-link" href="static/current/apidocs/org/apache/shiro/SecurityUtils.html#getSubject()">getSubject()</a></tt>, - we can obtain the currently executing <tt><a class="external-link" - href="static/current/apidocs/org/apache/shiro/subject/Subject.html">Subject</a></tt>. - A <em>Subject</em> is just a security-specific "view" of an application User. We actually wanted to call it 'User' - since that "just makes sense", but we decided against it: too many applications have existing APIs that already have - their own User classes/frameworks, and we didn't want to conflict with those. Also, in the security world, the term - <tt>Subject</tt> is actually the recognized nomenclature. Ok, moving on...</p> - -<p>The <tt>getSubject()</tt> call in a standalone application might return a <tt>Subject</tt> based on user data in an - application-specific location, and in a server environment (e.g. web app), it acquires the <tt>Subject</tt> based on - user data associated with current thread or incoming request.</p> - -<p>Now that you have a <tt>Subject</tt>, what can you do with it?</p> - -<p>If you want to make things available to the user during their current session with the application, you can get their - session:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -Session session = currentUser.getSession(); -session.setAttribute( <span class="code-quote">"someKey"</span>, <span class="code-quote">"aValue"</span> ); -</pre> - </div> -</div> - -<p>The <tt>Session</tt> is a Shiro-specific instance that provides most of what you're used to with regular HttpSessions - but with some extra goodies and one <b>big</b> difference: it does not require an HTTP environment!</p> - -<p>If deploying inside a web application, by default the <tt>Session</tt> will be <tt>HttpSession</tt> based. But, in a - non-web environment, like this simple Quickstart, Shiro will automatically use its Enterprise Session Management by - default. This means you get to use the same API in your applications, in any tier, regardless of deployment - environment. This opens a whole new world of applications since any application requiring sessions does not need to - be forced to use the <tt>HttpSession</tt> or EJB Stateful Session Beans. And, any client technology can now share - session data.</p> - -<p>So now you can acquire a <tt>Subject</tt> and their <tt>Session</tt>. What about the <em>really</em> useful stuff - like checking if they are allowed to do things, like checking against roles and permissions?</p> - -<p>Well, we can only do those checks for a known user. Our <tt>Subject</tt> instance above represents the current user, - but <em>who</em> is the current user? Well, they're anonymous - that is, until they log in at least once. So, let's - do that:</p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">if</span> ( !currentUser.isAuthenticated() ) { - <span class="code-comment">//collect user principals and credentials in a gui specific manner -</span> <span class="code-comment">//such as username/password html form, X509 certificate, OpenID, etc. -</span> <span class="code-comment">//We'll use the username/password example here since it is the most common. -</span> <span class="code-comment">//(<span class="code-keyword">do</span> you know what movie <span - class="code-keyword">this</span> is from? ;) -</span> UsernamePasswordToken token = <span class="code-keyword">new</span> UsernamePasswordToken(<span - class="code-quote">"lonestarr"</span>, <span class="code-quote">"vespa"</span>); - <span class="code-comment">//<span class="code-keyword">this</span> is all you have to <span - class="code-keyword">do</span> to support 'remember me' (no config - built in!): -</span> token.setRememberMe(<span class="code-keyword">true</span>); - currentUser.login(token); -} -</pre> - </div> -</div> - -<p>That's it! It couldn't be easier.</p> - -<p>But what if their login attempt fails? You can catch all sorts of specific exceptions that tell you exactly what - happened and allows you to handle and react accordingly:</p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">try</span> { - currentUser.login( token ); - <span class="code-comment">//<span class="code-keyword">if</span> no exception, that's it, we're done! -</span>} <span class="code-keyword">catch</span> ( UnknownAccountException uae ) { - <span class="code-comment">//username wasn't in the system, show them an error message? -</span>} <span class="code-keyword">catch</span> ( IncorrectCredentialsException ice ) { - <span class="code-comment">//password didn't match, <span class="code-keyword">try</span> again? -</span>} <span class="code-keyword">catch</span> ( LockedAccountException lae ) { - <span class="code-comment">//account <span class="code-keyword">for</span> that username is locked - can't login. Show them a message? -</span>} - ... more types exceptions to check <span class="code-keyword">if</span> you want ... -} <span class="code-keyword">catch</span> ( AuthenticationException ae ) { - <span class="code-comment">//unexpected condition - error? -</span>} -</pre> - </div> -</div> - -<p>There are many different types of exceptions you can check, or throw your own for custom conditions Shiro might not - account for. See the <a class="external-link" - href="static/current/apidocs/org/apache/shiro/authc/AuthenticationException.html">AuthenticationException - JavaDoc</a> for more. </p> - -<div class="panelMacro"> - <table class="tipMacro"> - <colgroup span="1"> - <col span="1" width="24"> - <col span="1"> - </colgroup> - <tr> - <td colspan="1" rowspan="1" valign="top"><img align="middle" - src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.png"; - width="16" height="16" alt="" border="0"></td> - <td colspan="1" rowspan="1"><b>Handy Hint</b><br clear="none">Security best practice is to give generic - login failure messages to users because you do not want to aid an attacker trying to break into your - system. - </td> - </tr> - </table> -</div> - -<p>Ok, so by now, we have a logged in user. What else can we do?</p> - -<p>Let's say who they are:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-comment">//print their identifying principal (in <span class="code-keyword">this</span> <span - class="code-keyword">case</span>, a username): -</span>log.info( <span class="code-quote">"User ["</span> + currentUser.getPrincipal() + <span class="code-quote">"] logged in successfully."</span> ); -</pre> - </div> -</div> - -<p>We can also test to see if they have specific role or not:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">if</span> ( currentUser.hasRole( <span class="code-quote">"schwartz"</span> ) ) { - log.info(<span class="code-quote">"May the Schwartz be with you!"</span> ); -} <span class="code-keyword">else</span> { - log.info( <span class="code-quote">"Hello, mere mortal."</span> ); -} -</pre> - </div> -</div> - -<p>We can also see if they have a permission to act on a certain type of entity:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">if</span> ( currentUser.isPermitted( <span class="code-quote">"lightsaber:weild"</span> ) ) { - log.info(<span class="code-quote">"You may use a lightsaber ring. Use it wisely."</span>); -} <span class="code-keyword">else</span> { - log.info(<span class="code-quote">"Sorry, lightsaber rings are <span class="code-keyword">for</span> schwartz masters only."</span>); -} -</pre> - </div> -</div> - -<p>Also, we can perform an extremely powerful <em>instance-level</em> permission check - the ability to see if the user - has the ability to access a specific instance of a type:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">if</span> ( currentUser.isPermitted( <span class="code-quote">"winnebago:drive:eagle5"</span> ) ) { - log.info(<span - class="code-quote">"You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. "</span> + - <span class="code-quote">"Here are the keys - have fun!"</span>); -} <span class="code-keyword">else</span> { - log.info(<span class="code-quote">"Sorry, you aren't allowed to drive the 'eagle5' winnebago!"</span>); -} -</pre> - </div> -</div> - -<p>Piece of cake, right?</p> - -<p>Finally, when the user is done using the application, they can log out:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"> - <div class="codeContent panelContent"> -<pre class="code-java"> -currentUser.logout(); <span class="code-comment">//removes all identifying information and invalidates their session too.</span> -</pre> - </div> -</div> - -<p>Well, that's the core to using Apache Shiro at the application-developer level. And although there is some pretty - sophisticated stuff going on under the hood to make this work so elegantly, that's really all there is to it.</p> - -<p>But you might ask yourself, "But who is responsible for getting the user data during a login (usernames and - passwords, role and permissions, etc), and who actually performs those security checks during runtime?" Well, you - do, by implementing what Shiro calls a <a href="realm.html" title="Realm">Realm</a> and plugging that <tt>Realm</tt> - into Shiro's configuration. </p> - -<p>However, how you configure a <a href="realm.html" title="Realm">Realm</a> is largely dependent upon your runtime - environment. For example, if you run a standalone application, or if you have a web based application, or a Spring - or JEE container-based application, or combination thereof. That type of configuration is outside the scope of this - QuickStart, since its aim is to get you comfortable with the API and Shiro's concepts.</p> - -<p>When you're ready to jump in with a little more detail, you'll definitely want to read the <a - href="java-authentication-guide.html" title="Java Authentication Guide">Authentication Guide</a> and <a - href="java-authorization-guide.html" title="Java Authorization Guide">Authorization Guide</a>. Then can move - onto other <a href="documentation.html" title="Documentation">Documentation</a>, in particularly the <a - href="reference.html" title="Reference">Reference Manual</a>, to answer any other questions. You'll also - probably want to join the user <a href="mailing-lists.html" title="Mailing Lists">mailing list</a> - you'll find - that we have a great community with people willing to help whenever possible.</p> - -<p>Thanks for following along. We hope you enjoy using Apache Shiro!</p> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/10-minute-tutorial.html.vtl ---------------------------------------------------------------------- diff --git a/10-minute-tutorial.html.vtl b/10-minute-tutorial.html.vtl new file mode 100644 index 0000000..49dd68e --- /dev/null +++ b/10-minute-tutorial.html.vtl @@ -0,0 +1,307 @@ +#parse("templates/macros.vtl") + +<h1><a name="10MinuteTutorial-10MinuteTutorialonApacheShiro"></a>10 Minute Tutorial on Apache Shiro</h1> + +<div class="addthis_toolbox addthis_default_style"> + <a class="addthis_button_compact" href="http://www.addthis.com/bookmark.php?v=250&pubid=ra-4d66ef016022c3bd";>Share</a> + <span class="addthis_separator">|</span> + <a class="addthis_button_preferred_1"></a> + <a class="addthis_button_preferred_2"></a> + <a class="addthis_button_preferred_3"></a> + <a class="addthis_button_preferred_4"></a> +</div> +<script type="text/javascript">var addthis_config = {"data_track_clickback": true};</script> +<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#pubid=ra-4d66ef016022c3bd";></script> + + +<h2><a name="10MinuteTutorial-Introduction"></a>Introduction</h2> + +<p>Welcome to Apache Shiro's 10 Minute Tutoral! </p> + +<p>By going through this quick and simple tutorial you should fully understand how a developer uses Shiro in their + application. And you should be able to do it in under 10 minutes.</p> + +<h2><a name="10MinuteTutorial-Overview"></a>Overview</h2> + +<p>What is Apache Shiro?</p> + +<p>Apache Shiro is a powerful and easy to use Java security framework that offers developers an intuitive yet + comprehensive solution to authentication, authorization, cryptography, and session management.</p> + +<p>In practical terms, it achieves to manage all facets of your application's security, while keeping out of the way as + much as possible. It is built on sound interface-driven design and OO principles, enabling custom behavior wherever + you can imagine it. But with sensible defaults for everything, it is as "hands off" as application security can be. + At least that's what we strive for.</p> + +<p>What can Apache Shiro do?</p> + +<p>A lot <img align="middle" class="emoticon" src="https://cwiki.apache.org/confluence/images/icons/emoticons/smile.png"; + height="20" width="20" alt="" border="0">. But we don't want to bloat the QuickStart. Please check out our + <a href="features.html" title="Features">Features</a> page if you'd like to see what it can do for you. Also, if + you're curious on how we got started and why we exist, please see the <a href="what-is-shiro.html" + title="What is Shiro">Shiro History and + Mission</a> page.</p> + +<p>Ok. Now let's actually do something!</p> + +#info('Note', 'Shiro can be run in any environment, from the simplest command line application to the biggest enterprise web and clustered applications, but we''ll use the simplest possible example in a simple <tt>main</tt> method for this QuickStart so you can get a feel for the API.') + +<h2><a name="10MinuteTutorial-Download"></a>Download</h2> + +<ol> + <li>Ensure you have JDK 1.6+ and Maven 3.0.3+ installed.</li> + <li>Download the lastest "Source Code Distribution" from the <a href="download.html" title="Download">Download</a> + page. In this example, we're using the 1.3.2 release distribution. + </li> + <li>Unzip the source package: + <div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +> unzip shiro-root-1.3.2-source-release.zip +</pre> + </div> + </div> + </li> + <li>Enter the quickstart directory: + <div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +> cd shiro-root-1.3.2/samples/quickstart +</pre> + </div> + </div> + </li> + <li>Run the QuickStart: + <div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +> mvn compile exec:java +</pre> + </div> + </div> + <p>This target will just print out some log messages to let you know what is going on and then exit. While + reading this quickstart, feel free to look at the code found under <tt>samples/quickstart/src/main/java/Quickstart.java</tt>. + Change that file and run the above <tt>mvn compile exec:java</tt> command as often as you like.</p></li> +</ol> + + +<h2><a name="10MinuteTutorial-Quickstart.java"></a>Quickstart.java</h2> + +<p>The <tt>Quickstart.java</tt> file referenced above contains all the code that will get you familiar with the API. Now + lets break it down in chunks here so you can easily understand what is going on.</p> + +<p>In almost all environments, you can obtain the currently executing user via the following call:</p> + +<p></p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +Subject currentUser = SecurityUtils.getSubject(); +</pre> + </div> +</div> + +<p>Using <tt><a class="external-link" + href="static/current/apidocs/org/apache/shiro/SecurityUtils.html">SecurityUtils</a>.<a + class="external-link" href="static/current/apidocs/org/apache/shiro/SecurityUtils.html#getSubject()">getSubject()</a></tt>, + we can obtain the currently executing <tt><a class="external-link" + href="static/current/apidocs/org/apache/shiro/subject/Subject.html">Subject</a></tt>. + A <em>Subject</em> is just a security-specific "view" of an application User. We actually wanted to call it 'User' + since that "just makes sense", but we decided against it: too many applications have existing APIs that already have + their own User classes/frameworks, and we didn't want to conflict with those. Also, in the security world, the term + <tt>Subject</tt> is actually the recognized nomenclature. Ok, moving on...</p> + +<p>The <tt>getSubject()</tt> call in a standalone application might return a <tt>Subject</tt> based on user data in an + application-specific location, and in a server environment (e.g. web app), it acquires the <tt>Subject</tt> based on + user data associated with current thread or incoming request.</p> + +<p>Now that you have a <tt>Subject</tt>, what can you do with it?</p> + +<p>If you want to make things available to the user during their current session with the application, you can get their + session:</p> + +<p></p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +Session session = currentUser.getSession(); +session.setAttribute( <span class="code-quote">"someKey"</span>, <span class="code-quote">"aValue"</span> ); +</pre> + </div> +</div> + +<p>The <tt>Session</tt> is a Shiro-specific instance that provides most of what you're used to with regular HttpSessions + but with some extra goodies and one <b>big</b> difference: it does not require an HTTP environment!</p> + +<p>If deploying inside a web application, by default the <tt>Session</tt> will be <tt>HttpSession</tt> based. But, in a + non-web environment, like this simple Quickstart, Shiro will automatically use its Enterprise Session Management by + default. This means you get to use the same API in your applications, in any tier, regardless of deployment + environment. This opens a whole new world of applications since any application requiring sessions does not need to + be forced to use the <tt>HttpSession</tt> or EJB Stateful Session Beans. And, any client technology can now share + session data.</p> + +<p>So now you can acquire a <tt>Subject</tt> and their <tt>Session</tt>. What about the <em>really</em> useful stuff + like checking if they are allowed to do things, like checking against roles and permissions?</p> + +<p>Well, we can only do those checks for a known user. Our <tt>Subject</tt> instance above represents the current user, + but <em>who</em> is the current user? Well, they're anonymous - that is, until they log in at least once. So, let's + do that:</p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +<span class="code-keyword">if</span> ( !currentUser.isAuthenticated() ) { + <span class="code-comment">//collect user principals and credentials in a gui specific manner +</span> <span class="code-comment">//such as username/password html form, X509 certificate, OpenID, etc. +</span> <span class="code-comment">//We'll use the username/password example here since it is the most common. +</span> <span class="code-comment">//(<span class="code-keyword">do</span> you know what movie <span + class="code-keyword">this</span> is from? ;) +</span> UsernamePasswordToken token = <span class="code-keyword">new</span> UsernamePasswordToken(<span + class="code-quote">"lonestarr"</span>, <span class="code-quote">"vespa"</span>); + <span class="code-comment">//<span class="code-keyword">this</span> is all you have to <span + class="code-keyword">do</span> to support 'remember me' (no config - built in!): +</span> token.setRememberMe(<span class="code-keyword">true</span>); + currentUser.login(token); +} +</pre> + </div> +</div> + +<p>That's it! It couldn't be easier.</p> + +<p>But what if their login attempt fails? You can catch all sorts of specific exceptions that tell you exactly what + happened and allows you to handle and react accordingly:</p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +<span class="code-keyword">try</span> { + currentUser.login( token ); + <span class="code-comment">//<span class="code-keyword">if</span> no exception, that's it, we're done! +</span>} <span class="code-keyword">catch</span> ( UnknownAccountException uae ) { + <span class="code-comment">//username wasn't in the system, show them an error message? +</span>} <span class="code-keyword">catch</span> ( IncorrectCredentialsException ice ) { + <span class="code-comment">//password didn't match, <span class="code-keyword">try</span> again? +</span>} <span class="code-keyword">catch</span> ( LockedAccountException lae ) { + <span class="code-comment">//account <span class="code-keyword">for</span> that username is locked - can't login. Show them a message? +</span>} + ... more types exceptions to check <span class="code-keyword">if</span> you want ... +} <span class="code-keyword">catch</span> ( AuthenticationException ae ) { + <span class="code-comment">//unexpected condition - error? +</span>} +</pre> + </div> +</div> + +<p>There are many different types of exceptions you can check, or throw your own for custom conditions Shiro might not + account for. See the <a class="external-link" + href="static/current/apidocs/org/apache/shiro/authc/AuthenticationException.html">AuthenticationException + JavaDoc</a> for more. </p> + +#tip('Handy Hint', 'Security best practice is to give generic login failure messages to users because you do not want to aid an attacker trying to break into your system.') + +<p>Ok, so by now, we have a logged in user. What else can we do?</p> + +<p>Let's say who they are:</p> + +<p></p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +<span class="code-comment">//print their identifying principal (in <span class="code-keyword">this</span> <span + class="code-keyword">case</span>, a username): +</span>log.info( <span class="code-quote">"User ["</span> + currentUser.getPrincipal() + <span class="code-quote">"] logged in successfully."</span> ); +</pre> + </div> +</div> + +<p>We can also test to see if they have specific role or not:</p> + +<p></p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +<span class="code-keyword">if</span> ( currentUser.hasRole( <span class="code-quote">"schwartz"</span> ) ) { + log.info(<span class="code-quote">"May the Schwartz be with you!"</span> ); +} <span class="code-keyword">else</span> { + log.info( <span class="code-quote">"Hello, mere mortal."</span> ); +} +</pre> + </div> +</div> + +<p>We can also see if they have a permission to act on a certain type of entity:</p> + +<p></p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +<span class="code-keyword">if</span> ( currentUser.isPermitted( <span class="code-quote">"lightsaber:weild"</span> ) ) { + log.info(<span class="code-quote">"You may use a lightsaber ring. Use it wisely."</span>); +} <span class="code-keyword">else</span> { + log.info(<span class="code-quote">"Sorry, lightsaber rings are <span class="code-keyword">for</span> schwartz masters only."</span>); +} +</pre> + </div> +</div> + +<p>Also, we can perform an extremely powerful <em>instance-level</em> permission check - the ability to see if the user + has the ability to access a specific instance of a type:</p> + +<p></p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +<span class="code-keyword">if</span> ( currentUser.isPermitted( <span class="code-quote">"winnebago:drive:eagle5"</span> ) ) { + log.info(<span + class="code-quote">"You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. "</span> + + <span class="code-quote">"Here are the keys - have fun!"</span>); +} <span class="code-keyword">else</span> { + log.info(<span class="code-quote">"Sorry, you aren't allowed to drive the 'eagle5' winnebago!"</span>); +} +</pre> + </div> +</div> + +<p>Piece of cake, right?</p> + +<p>Finally, when the user is done using the application, they can log out:</p> + +<p></p> + +<div class="code panel" style="border-width: 1px;"> + <div class="codeContent panelContent"> +<pre class="code-java"> +currentUser.logout(); <span class="code-comment">//removes all identifying information and invalidates their session too.</span> +</pre> + </div> +</div> + +<p>Well, that's the core to using Apache Shiro at the application-developer level. And although there is some pretty + sophisticated stuff going on under the hood to make this work so elegantly, that's really all there is to it.</p> + +<p>But you might ask yourself, "But who is responsible for getting the user data during a login (usernames and + passwords, role and permissions, etc), and who actually performs those security checks during runtime?" Well, you + do, by implementing what Shiro calls a <a href="realm.html" title="Realm">Realm</a> and plugging that <tt>Realm</tt> + into Shiro's configuration. </p> + +<p>However, how you configure a <a href="realm.html" title="Realm">Realm</a> is largely dependent upon your runtime + environment. For example, if you run a standalone application, or if you have a web based application, or a Spring + or JEE container-based application, or combination thereof. That type of configuration is outside the scope of this + QuickStart, since its aim is to get you comfortable with the API and Shiro's concepts.</p> + +<p>When you're ready to jump in with a little more detail, you'll definitely want to read the <a + href="java-authentication-guide.html" title="Java Authentication Guide">Authentication Guide</a> and <a + href="java-authorization-guide.html" title="Java Authorization Guide">Authorization Guide</a>. Then can move + onto other <a href="documentation.html" title="Documentation">Documentation</a>, in particularly the <a + href="reference.html" title="Reference">Reference Manual</a>, to answer any other questions. You'll also + probably want to join the user <a href="mailing-lists.html" title="Mailing Lists">mailing list</a> - you'll find + that we have a great community with people willing to help whenever possible.</p> + +<p>Thanks for following along. We hope you enjoy using Apache Shiro!</p> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/about.html ---------------------------------------------------------------------- diff --git a/about.html b/about.html deleted file mode 100644 index 02bb6d2..0000000 --- a/about.html +++ /dev/null @@ -1,38 +0,0 @@ -<h1><a name="About-AboutApacheShiro"></a>About Apache Shiro</h1> - -<p>Apache Shiro is is a top level open source project under the <a class="external-link" href="http://www.apache.org";>Apache - Software Foundation</a>. As a project, Shiro is an application security framework that provides application - developers very clean and simple ways of supporting four cornerstones of security in their applications: - authentication, authorization, enterprise session management and cryptography. </p> - -<p>If you'd like to learn more about Shiro please visit the links below</p> - -<ul class="alternate"> - <li><b><a href="what-is-shiro.html" title="What is Shiro">What is Shiro</a></b> - A deeper look into the project, - its mission, and its history - </li> -</ul> - - -<ul class="alternate"> - <li><b><a href="features.html" title="Features">Features</a></b> - Explore the major features of the project</li> -</ul> - - -<ul class="alternate"> - <li><b><a href="news.html" title="News">News</a></b> - Stay up to date on the latest Apache Shiro news</li> -</ul> - - -<ul class="alternate"> - <li><b><a href="events.html" title="Events">Events</a></b> - See what Apache Shiro events are coming that you should - consider attending - </li> -</ul> - - -<ul class="alternate"> - <li><b><a href="license.html" title="License">License</a></b> - Review the license under which Shiro is released-- - Apache Software License, Version 2.0 - </li> -</ul> http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/about.html.vtl ---------------------------------------------------------------------- diff --git a/about.html.vtl b/about.html.vtl new file mode 100644 index 0000000..02bb6d2 --- /dev/null +++ b/about.html.vtl @@ -0,0 +1,38 @@ +<h1><a name="About-AboutApacheShiro"></a>About Apache Shiro</h1> + +<p>Apache Shiro is is a top level open source project under the <a class="external-link" href="http://www.apache.org";>Apache + Software Foundation</a>. As a project, Shiro is an application security framework that provides application + developers very clean and simple ways of supporting four cornerstones of security in their applications: + authentication, authorization, enterprise session management and cryptography. </p> + +<p>If you'd like to learn more about Shiro please visit the links below</p> + +<ul class="alternate"> + <li><b><a href="what-is-shiro.html" title="What is Shiro">What is Shiro</a></b> - A deeper look into the project, + its mission, and its history + </li> +</ul> + + +<ul class="alternate"> + <li><b><a href="features.html" title="Features">Features</a></b> - Explore the major features of the project</li> +</ul> + + +<ul class="alternate"> + <li><b><a href="news.html" title="News">News</a></b> - Stay up to date on the latest Apache Shiro news</li> +</ul> + + +<ul class="alternate"> + <li><b><a href="events.html" title="Events">Events</a></b> - See what Apache Shiro events are coming that you should + consider attending + </li> +</ul> + + +<ul class="alternate"> + <li><b><a href="license.html" title="License">License</a></b> - Review the license under which Shiro is released-- + Apache Software License, Version 2.0 + </li> +</ul> http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/adoption.html ---------------------------------------------------------------------- diff --git a/adoption.html b/adoption.html deleted file mode 100644 index 0375417..0000000 --- a/adoption.html +++ /dev/null @@ -1,5 +0,0 @@ -<h1><a name="Adoption-ApacheShiroAdoption"></a>Apache Shiro Adoption</h1> - -<p>Are you using Shiro to build an application? List your name and company here and let the world know!</p> - -<p>The more people that adopt Shiro, the better it becomes, and the more you benefit from it. Help adoption by letting others know how you use it.</p> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/adoption.html.vtl ---------------------------------------------------------------------- diff --git a/adoption.html.vtl b/adoption.html.vtl new file mode 100644 index 0000000..0375417 --- /dev/null +++ b/adoption.html.vtl @@ -0,0 +1,5 @@ +<h1><a name="Adoption-ApacheShiroAdoption"></a>Apache Shiro Adoption</h1> + +<p>Are you using Shiro to build an application? List your name and company here and let the world know!</p> + +<p>The more people that adopt Shiro, the better it becomes, and the more you benefit from it. Help adoption by letting others know how you use it.</p> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/architecture.html ---------------------------------------------------------------------- diff --git a/architecture.html b/architecture.html deleted file mode 100644 index 6fe931f..0000000 --- a/architecture.html +++ /dev/null @@ -1,112 +0,0 @@ -<h1><a name="Architecture-ApacheShiroArchitecture"></a>Apache Shiro Architecture</h1> - -<p>Apache Shiro's design goals are to simplify application security by being intuitive and easy to use. Shiro's core design models how most people think about application security - in the context of someone (or something) interacting with an application.</p> - -<p>Software applications are usually designed based on user stories. That is, you'll often design user interfaces or service APIs based on how a user would (or should) interact with the software. For example, you might say, "If the user interacting with my application is logged in, I will show them a button they can click to view their account information. If they are not logged in, I will show a sign-up button." </p> - -<p>This example statement indicates that applications are largely written to satisfy user requirements and needs. Even if the 'user' is another software system and not a human being, you still write code to reflect behavior based on who (or what) is currently interacting with your software.</p> - -<p>Shiro reflects these concepts in its own design. By matching what is already intuitive for software developers, Apache Shiro remains intuitive and easy to use in practically any application.</p> - -<h2><a name="Architecture-HighLevelOverview"></a>High-Level Overview</h2> - -<p>At the highest conceptual level, Shiro's architecture has 3 primary concepts: the <tt>Subject</tt>, <tt>SecurityManager</tt> and <tt>Realms</tt>. The following diagram is a high-level overview of how these components interact, and we'll cover each concept below:</p> - -<p><br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -<span class="image-wrap" style="display: block; text-align: center"><img src="assets/images/ShiroBasicArchitecture.png" style="border: 0px solid black"></span> -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></p> - -<ul><li><b>Subject</b>: As we've mentioned in our <a href="tutorial.html" title="Tutorial">Tutorial</a>, the <tt>Subject</tt> is essentially a security specific 'view' of the the currently executing user. Whereas the word 'User' often implies a human being, a <tt>Subject</tt> can be a person, but it could also represent a 3rd-party service, daemon account, cron job, or anything similar - basically anything that is currently interacting with the software. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -<tt>Subject</tt> instances are all bound to (and require) a <tt>SecurityManager</tt>. When you interact with a <tt>Subject</tt>, those interactions translate to subject-specific interactions with the <tt>SecurityManager</tt>. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>SecurityManager</b>: The <tt>SecurityManager</tt> is the heart of Shiro’s architecture and acts as a sort of 'umbrella’ object that coordinates its internal security components that together form an object graph. However, once the SecurityManager and its internal object graph is configured for an application, it is usually left alone and application developers spend almost all of their time with the <tt>Subject</tt> API. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -We will talk about the <tt>SecurityManager</tt> in detail later on, but it is important to realize that when you interact with a <tt>Subject</tt>, it is really the <tt>SecurityManager</tt> behind the scenes that does all the heavy lifting for any <tt>Subject</tt> security operation. This is reflected in the basic flow diagram above. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>Realms</b>: Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -In this sense a Realm is essentially a security-specific <a class="external-link" href="http://en.wikipedia.org/wiki/Data_access_object"; rel="nofollow">DAO</a>: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The <tt>SecurityManager</tt> may be configured with multiple Realms, but at least one is required. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more. You can plug-in your own Realm implementations to represent custom data sources if the default Realms do not meet your needs. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -Like other internal components, the Shiro <tt>SecurityManager</tt> manages how Realms are used to acquire security and identity data to be represented as <tt>Subject</tt> instances.</li></ul> - - -<h2><a name="Architecture-DetailedArchitecture"></a>Detailed Architecture</h2> - -<p>The following diagram shows Shiro's core architectural concepts followed by short summaries of each:</p> - -<p><span class="image-wrap" style="display: block; text-align: center"><img src="assets/images/ShiroArchitecture.png" style="border: 0px solid black"></span></p> - -<ul><li><b>Subject</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html">org.apache.shiro.subject.Subject</a></tt>)<br clear="none"> -A security-specific 'view' of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>SecurityManager</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/mgt/SecurityManager.html">org.apache.shiro.mgt.SecurityManager</a></tt>)<br clear="none"> -As mentioned above, the <tt>SecurityManager</tt> is the heart of Shiro's architecture. It is mostly an 'umbrella' object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro's view of every application user, so it knows how to perform security operations per user. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>Authenticator</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authc/Authenticator.html">org.apache.shiro.authc.Authenticator</a></tt>)<br clear="none"> -The <tt>Authenticator</tt> is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the <tt>Authenticator</tt>. The <tt>Authenticator</tt> knows how to coordinate with one or more <tt>Realms</tt> that store relevant user/account information. The data obtained from these <tt>Realms</tt> is used to verify the user's identity to guarantee the user really is who they say they are. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> - <ul><li><b>Authentication Strategy</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authc/pam/AuthenticationStrategy.html">org.apache.shiro.authc.pam.AuthenticationStrategy</a></tt>)<br clear="none"> -If more than one <tt>Realm</tt> is configured, the <tt>AuthenticationStrategy</tt> will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?). -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li></ul> - </li><li><b>Authorizer</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/Authorizer.html">org.apache.shiro.authz.Authorizer</a></tt>)<br clear="none"> -The <tt>Authorizer</tt> is the component responsible determining users' access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the <tt>Authenticator</tt>, the <tt>Authorizer</tt> also knows how to coordinate with multiple back-end data sources to access role and permission information. The <tt>Authorizer</tt> uses this information to determine exactly if a user is allowed to perform a given action. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>SessionManager</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/session/mgt/SessionManager.html">org.apache.shiro.session.mgt.SessionManager</a></tt>)<br clear="none"> -The <tt>SessionManager</tt> knows how to create and manage user <tt>Session</tt> lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available, (e.g. Servlet Container), but if there isn't one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The <tt>SessionDAO</tt> exists to allow any datasource to be used to persist sessions. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> - <ul><li><b>SessionDAO</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/session/mgt/eis/SessionDAO.html">org.apache.shiro.session.mgt.eis.SessionDAO</a></tt>)<br clear="none"> -The <tt>SessionDAO</tt> performs <tt>Session</tt> persistence (CRUD) operations on behalf of the <tt>SessionManager</tt>. This allows any data store to be plugged in to the Session Management infrastructure. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li></ul> - </li><li><b>CacheManager</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/cache/CacheManager.html">org.apache.shiro.cache.CacheManager</a></tt>)<br clear="none"> -The <tt>CacheManager</tt> creates and manages <tt>Cache</tt> instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>Cryptography</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/crypto/package-summary.html">org.apache.shiro.crypto.*</a></tt>)<br clear="none"> -Cryptography is a natural addition to an enterprise security framework. Shiro's <tt>crypto</tt> package contains easy-to-use and understand representations of crytographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java's native cryptography support knows it can be a challenging animal to tame. Shiro's crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>Realms</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/realm/Realm.html">org.apache.shiro.realm.Realm</a></tt>)<br clear="none"> -As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many <tt>Realms</tt> as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.</li></ul> - - -<h2><a name="Architecture-The%7B%7BSecurityManager%7D%7D"></a>The <tt>SecurityManager</tt></h2> - -<p>Because Shiro's API encourages a <tt>Subject</tt>-centric programming approach, most application developers will rarely, if ever, interact with the <tt>SecurityManager</tt> directly (framework developers however might sometimes find it useful). Even so, it is still important to know how the <tt>SecurityManager</tt> functions, especially when configuring one for an application.</p> - -<h2><a name="Architecture-Design"></a>Design</h2> - -<p>As stated previously, the application's <tt>SecurityManager</tt> performs security operations and manages state for <em>all</em> application users. In Shiro's default <tt>SecurityManager</tt> implementations, this includes:</p> - -<ul><li>Authentication</li><li>Authorization</li><li>Session Management</li><li>Cache Management</li><li><a href="realm.html" title="Realm">Realm</a> coordination</li><li>Event propagation</li><li>"Remember Me" Services</li><li>Subject creation</li><li>Logout<br clear="none"> -and more.</li></ul> - - -<p>But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class. </p> - -<p>To simplify configuration and enable flexible configuration/pluggability, Shiro's implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the <tt>SecurityManager</tt> implementations mostly act as a lightweight 'container' component, delegating almost all behavior to nested/wrapped components. This 'wrapper' design is reflected in the detailed architecture diagram above.</p> - -<p>While the components actually execute the logic, the <tt>SecurityManager</tt> implementation knows how and when to coordinate the components for the correct behavior.</p> - -<p>The <tt>SecurityManager</tt> implementations and are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This means the Shiro's architectural modularity can translate into very easy configuration for custom behavior.</p> - -<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Easy Configuration</b><br clear="none">Because of JavaBeans compatibility, it is very easy to configure the <tt>SecurityManager</tt> with custom components via any mechanism that supports JavaBeans-style configuration, such as <a href="spring.html" title="Spring">Spring</a>, Guice, JBoss, etc.</td></tr></table></div> - -<p>We will cover <a href="configuration.html" title="Configuration">Configuration</a> next.</p> - -<h2><a name="Architecture-Lendahandwithdocumentation"></a>Lend a hand with documentation </h2> - -<p>While we hope this documentation helps you with the work you're doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you'd like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro. </p> - -<p>The easiest way to contribute your documentation is to send it to the <a class="external-link" href="http://shiro-user.582556.n2.nabble.com/"; rel="nofollow">User Forum</a> or the <a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/architecture.html.vtl ---------------------------------------------------------------------- diff --git a/architecture.html.vtl b/architecture.html.vtl new file mode 100644 index 0000000..c4b9258 --- /dev/null +++ b/architecture.html.vtl @@ -0,0 +1,112 @@ +<h1><a name="Architecture-ApacheShiroArchitecture"></a>Apache Shiro Architecture</h1> + +<p>Apache Shiro's design goals are to simplify application security by being intuitive and easy to use. Shiro's core design models how most people think about application security - in the context of someone (or something) interacting with an application.</p> + +<p>Software applications are usually designed based on user stories. That is, you'll often design user interfaces or service APIs based on how a user would (or should) interact with the software. For example, you might say, "If the user interacting with my application is logged in, I will show them a button they can click to view their account information. If they are not logged in, I will show a sign-up button." </p> + +<p>This example statement indicates that applications are largely written to satisfy user requirements and needs. Even if the 'user' is another software system and not a human being, you still write code to reflect behavior based on who (or what) is currently interacting with your software.</p> + +<p>Shiro reflects these concepts in its own design. By matching what is already intuitive for software developers, Apache Shiro remains intuitive and easy to use in practically any application.</p> + +<h2><a name="Architecture-HighLevelOverview"></a>High-Level Overview</h2> + +<p>At the highest conceptual level, Shiro's architecture has 3 primary concepts: the <tt>Subject</tt>, <tt>SecurityManager</tt> and <tt>Realms</tt>. The following diagram is a high-level overview of how these components interact, and we'll cover each concept below:</p> + +<p><br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"> +<span class="image-wrap" style="display: block; text-align: center"><img src="assets/images/ShiroBasicArchitecture.png" style="border: 0px solid black"></span> +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></p> + +<ul><li><b>Subject</b>: As we've mentioned in our <a href="tutorial.html" title="Tutorial">Tutorial</a>, the <tt>Subject</tt> is essentially a security specific 'view' of the the currently executing user. Whereas the word 'User' often implies a human being, a <tt>Subject</tt> can be a person, but it could also represent a 3rd-party service, daemon account, cron job, or anything similar - basically anything that is currently interacting with the software. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"> +<tt>Subject</tt> instances are all bound to (and require) a <tt>SecurityManager</tt>. When you interact with a <tt>Subject</tt>, those interactions translate to subject-specific interactions with the <tt>SecurityManager</tt>. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li><li><b>SecurityManager</b>: The <tt>SecurityManager</tt> is the heart of Shiro’s architecture and acts as a sort of 'umbrella’ object that coordinates its internal security components that together form an object graph. However, once the SecurityManager and its internal object graph is configured for an application, it is usually left alone and application developers spend almost all of their time with the <tt>Subject</tt> API. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"> +We will talk about the <tt>SecurityManager</tt> in detail later on, but it is important to realize that when you interact with a <tt>Subject</tt>, it is really the <tt>SecurityManager</tt> behind the scenes that does all the heavy lifting for any <tt>Subject</tt> security operation. This is reflected in the basic flow diagram above. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li><li><b>Realms</b>: Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"> +In this sense a Realm is essentially a security-specific <a class="external-link" href="http://en.wikipedia.org/wiki/Data_access_object"; rel="nofollow">DAO</a>: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The <tt>SecurityManager</tt> may be configured with multiple Realms, but at least one is required. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"> +Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more. You can plug-in your own Realm implementations to represent custom data sources if the default Realms do not meet your needs. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"> +Like other internal components, the Shiro <tt>SecurityManager</tt> manages how Realms are used to acquire security and identity data to be represented as <tt>Subject</tt> instances.</li></ul> + + +<h2><a name="Architecture-DetailedArchitecture"></a>Detailed Architecture</h2> + +<p>The following diagram shows Shiro's core architectural concepts followed by short summaries of each:</p> + +<p><span class="image-wrap" style="display: block; text-align: center"><img src="assets/images/ShiroArchitecture.png" style="border: 0px solid black"></span></p> + +<ul><li><b>Subject</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html">org.apache.shiro.subject.Subject</a></tt>)<br clear="none"> +A security-specific 'view' of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li><li><b>SecurityManager</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/mgt/SecurityManager.html">org.apache.shiro.mgt.SecurityManager</a></tt>)<br clear="none"> +As mentioned above, the <tt>SecurityManager</tt> is the heart of Shiro's architecture. It is mostly an 'umbrella' object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro's view of every application user, so it knows how to perform security operations per user. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li><li><b>Authenticator</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authc/Authenticator.html">org.apache.shiro.authc.Authenticator</a></tt>)<br clear="none"> +The <tt>Authenticator</tt> is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the <tt>Authenticator</tt>. The <tt>Authenticator</tt> knows how to coordinate with one or more <tt>Realms</tt> that store relevant user/account information. The data obtained from these <tt>Realms</tt> is used to verify the user's identity to guarantee the user really is who they say they are. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"> + <ul><li><b>Authentication Strategy</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authc/pam/AuthenticationStrategy.html">org.apache.shiro.authc.pam.AuthenticationStrategy</a></tt>)<br clear="none"> +If more than one <tt>Realm</tt> is configured, the <tt>AuthenticationStrategy</tt> will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?). +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li></ul> + </li><li><b>Authorizer</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/Authorizer.html">org.apache.shiro.authz.Authorizer</a></tt>)<br clear="none"> +The <tt>Authorizer</tt> is the component responsible determining users' access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the <tt>Authenticator</tt>, the <tt>Authorizer</tt> also knows how to coordinate with multiple back-end data sources to access role and permission information. The <tt>Authorizer</tt> uses this information to determine exactly if a user is allowed to perform a given action. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li><li><b>SessionManager</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/session/mgt/SessionManager.html">org.apache.shiro.session.mgt.SessionManager</a></tt>)<br clear="none"> +The <tt>SessionManager</tt> knows how to create and manage user <tt>Session</tt> lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available, (e.g. Servlet Container), but if there isn't one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The <tt>SessionDAO</tt> exists to allow any datasource to be used to persist sessions. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"> + <ul><li><b>SessionDAO</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/session/mgt/eis/SessionDAO.html">org.apache.shiro.session.mgt.eis.SessionDAO</a></tt>)<br clear="none"> +The <tt>SessionDAO</tt> performs <tt>Session</tt> persistence (CRUD) operations on behalf of the <tt>SessionManager</tt>. This allows any data store to be plugged in to the Session Management infrastructure. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li></ul> + </li><li><b>CacheManager</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/cache/CacheManager.html">org.apache.shiro.cache.CacheManager</a></tt>)<br clear="none"> +The <tt>CacheManager</tt> creates and manages <tt>Cache</tt> instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li><li><b>Cryptography</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/crypto/package-summary.html">org.apache.shiro.crypto.*</a></tt>)<br clear="none"> +Cryptography is a natural addition to an enterprise security framework. Shiro's <tt>crypto</tt> package contains easy-to-use and understand representations of crytographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java's native cryptography support knows it can be a challenging animal to tame. Shiro's crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings. +<br clear="none" class="atl-forced-newline"> +<br clear="none" class="atl-forced-newline"></li><li><b>Realms</b> (<tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/realm/Realm.html">org.apache.shiro.realm.Realm</a></tt>)<br clear="none"> +As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many <tt>Realms</tt> as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.</li></ul> + + +<h2><a name="Architecture-The%7B%7BSecurityManager%7D%7D"></a>The <tt>SecurityManager</tt></h2> + +<p>Because Shiro's API encourages a <tt>Subject</tt>-centric programming approach, most application developers will rarely, if ever, interact with the <tt>SecurityManager</tt> directly (framework developers however might sometimes find it useful). Even so, it is still important to know how the <tt>SecurityManager</tt> functions, especially when configuring one for an application.</p> + +<h2><a name="Architecture-Design"></a>Design</h2> + +<p>As stated previously, the application's <tt>SecurityManager</tt> performs security operations and manages state for <em>all</em> application users. In Shiro's default <tt>SecurityManager</tt> implementations, this includes:</p> + +<ul><li>Authentication</li><li>Authorization</li><li>Session Management</li><li>Cache Management</li><li><a href="realm.html" title="Realm">Realm</a> coordination</li><li>Event propagation</li><li>"Remember Me" Services</li><li>Subject creation</li><li>Logout<br clear="none"> +and more.</li></ul> + + +<p>But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class. </p> + +<p>To simplify configuration and enable flexible configuration/pluggability, Shiro's implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the <tt>SecurityManager</tt> implementations mostly act as a lightweight 'container' component, delegating almost all behavior to nested/wrapped components. This 'wrapper' design is reflected in the detailed architecture diagram above.</p> + +<p>While the components actually execute the logic, the <tt>SecurityManager</tt> implementation knows how and when to coordinate the components for the correct behavior.</p> + +<p>The <tt>SecurityManager</tt> implementations and are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This means the Shiro's architectural modularity can translate into very easy configuration for custom behavior.</p> + +#tip('Easy Configuration', 'Because of JavaBeans compatibility, it is very easy to configure the <tt>SecurityManager</tt> with custom components via any mechanism that supports JavaBeans-style configuration, such as <a href="spring.html" title="Spring">Spring</a>, Guice, JBoss, etc.') + +<p>We will cover <a href="configuration.html" title="Configuration">Configuration</a> next.</p> + +<h2><a name="Architecture-Lendahandwithdocumentation"></a>Lend a hand with documentation </h2> + +<p>While we hope this documentation helps you with the work you're doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you'd like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro. </p> + +<p>The easiest way to contribute your documentation is to send it to the <a class="external-link" href="http://shiro-user.582556.n2.nabble.com/"; rel="nofollow">User Forum</a> or the <a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/shiro-site/blob/ddea166c/articles.html ---------------------------------------------------------------------- diff --git a/articles.html b/articles.html deleted file mode 100644 index e4c799a..0000000 --- a/articles.html +++ /dev/null @@ -1,66 +0,0 @@ -<h1><a name="Articles-ApacheShiroArticles"></a>Apache Shiro Articles</h1> - -<p>Here are some articles written by and for members of the Apache Shiro community. Please post any errata to the user or dev <a href="mailing-lists.html" title="Mailing Lists">mailing lists</a>.</p> - -<h2><a name="Articles-IntroductoryArticles"></a>Introductory Articles</h2> -<p>New to Shiro? Here are some great introductory articles:</p> - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://www.infoq.com/articles/apache-shiro"; rel="nofollow">Application Security with Apache Shiro</a></b> InfoQ article by Les Hazlewood, Apache Shiro PMC Chair.</li></ul> - -<ul class="alternate" type="square"><li><b><a href="webapp-tutorial.html" title="Apache Shiro Beginner's Webapp Tutorial">Apache Shiro Beginner's Webapp Tutorial</a>: a step-by-step tutorial to enable Shiro in a web application</b> on 19 November 2013 by Les Hazlewood</li></ul> - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://www.stormpath.com/blog/2012/03/12/whats-new-in-apache-shiro-12"; rel="nofollow">What's new in Apache Shiro 1.2</a></b> on 13 March 2012 by Les Hazlewood.</li></ul> - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://www.ibm.com/developerworks/web/library/wa-apacheshiro/"; rel="nofollow">Introducing Apache Shiro</a></b> by Nathan Good on IBM DeveloperWorks, 14 September 2010.</li></ul> - -<ul class="alternate" type="square"><li><b>An Introduction to Shiro (formerly JSecurity/Ki) - A Beginner's Tutorial</b> by <a class="external-link" href="http://www.brucephillips.name"; rel="nofollow">Bruce Phillips</a>: - <ul class="alternate" type="square"><li><a class="external-link" href="http://www.brucephillips.name/blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners--Tutorial-Part-1"; rel="nofollow">Part 1</a></li><li><a class="external-link" href="http://www.brucephillips.name/blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners--Tutorial-Part-2"; rel="nofollow">Part 2</a></li><li><a class="external-link" href="http://www.brucephillips.name/blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners--Tutorial-Part-3"; rel="nofollow">Part 3</a></li><li><a class="external-link" href="http://www.brucephillips.name/blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners--Tutorial-Part-4"; rel="nofollow">Part 4</a></li><li><a class="external-link" href="http://www.brucephillips.name/blog/index.cfm/2009/5/1/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners-Tutorial-Part-5"; rel="nofollow">Part 5</a></li></ul> - </li></ul> - -<h2><a name="Articles-AdditionalArticles"></a>Additional Articles</h2> -<p>Once you've gotten your feet wet, you might find these useful too:</p> - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://czetsuya-tech.blogspot.com/2012/10/how-to-integrate-apache-shiro-with.html?spref=tw"; rel="nofollow">How to Integrate Apache Shiro with JavaEE6</a></b> by czetsuya on 11 October 2012.</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://blog.pinateknoloji.com/shiro-jdbc-realm"; rel="nofollow">Custom Apache Shiro JDBC Realm</a></b> by Mehmet Celiksoy</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://bubba-h57.github.com/H57_Shiro/"; rel="nofollow">Spring MVC + Shiro + myBatis + JSR-303 Validation</a></b> by Rob Hines et. al. on 2 April 2012.</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://books.zkoss.org/wiki/Small_Talks/2012/March/Securing_ZK_Applications_With_Apache_Shiro"; rel="nofollow">Securing ZK Applications with Apache Shiro</a></b> by Ashish Dasnurkar on 6 March 2012.</li></ul> - - -<ul class="alternate" type="square"><li><b>Facebook Login with Apache Shiro</b> by Mike Warren on 28 November 2011 - <ul class="alternate" type="square"><li><a class="external-link" href="http://mrdwnotes.wordpress.com/2011/11/28/using-apache-shiro-security-to-allow-login-via-facebook-part-1"; rel="nofollow">Part 1</a></li><li><a class="external-link" href="http://mrdwnotes.wordpress.com/2011/11/28/using-apache-shiro-security-to-allow-login-via-facebook-part-2"; rel="nofollow">Part 2</a></li></ul> - </li></ul> - - -<ul class="alternate" type="square"><li><b>Apache Shiro - a blog series by Meri</b> - <ul class="alternate" type="square"><li><a class="external-link" href="http://meri-stuff.blogspot.com/2011/03/apache-shiro-part-1-basics.html"; rel="nofollow">Part 1 - Basics</a> on 27 March 2011</li><li><a class="external-link" href="http://meri-stuff.blogspot.com/2011/04/apache-shiro-part-2-realms-database-and.html"; rel="nofollow">Part 2 - Realms, Database and PGP Certificates</a> on 18 April 2011</li><li><a class="external-link" href="http://meri-stuff.blogspot.com/2011/12/apache-shiro-part-3-cryptography.html"; rel="nofollow">Part 3 - Cryptography</a> on 4 December 2011</li></ul> - </li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://www.katasoft.com/blog/2011/05/09/new-rbac-resource-based-access-control"; rel="nofollow">The New RBAC: Resource-Based Access Control</a></b> by Les Hazlewood on 9 May 2011</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://eneuwirt.de/2011/04/22/using-apache-shiro-to-secure-vaading-application/"; rel="nofollow">Securing Vaadin Applications with Apache Shiro</a></b> by Eduard Neuwirt on 22 April 2011.</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://blog.xebia.com/author/yamsellem/"; rel="nofollow">HTTP Authentication and Security with Apache Shiro</a></b> blog article by yamsellem on 18 April 2011.</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://spring-java-ee.blogspot.com/2011/04/using-shiro-for-authorization-via-cdi.html"; rel="nofollow">Using Shiro for Authorization via CDI Interceptors then Easily Test with Arquillian</a></b> blog article by Hendy Irawan on 16 April 2011.</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://blogs.mulesoft.org/apache-shiro-support-for-mule/"; rel="nofollow">Apache Shiro Support for Mule</a></b> by Dan Diephouse on 10 January 2011.</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://www.gdevelop.com/blog/2010/12/apache-shiro-on-appengine"; rel="nofollow">Apache Shiro on Google AppEngine</a></b> by Trung on 13 December 2010.</li></ul> - - -<ul class="alternate" type="square"><li><b><a class="external-link" href="http://techbeats.deluan.com/apache-shiro-tags-for-jsffacelets"; rel="nofollow">Apache Shiro tags for JSF - Securing Your JSF Pages</a></b> by Deluan Quintão on 1 November 2010.</li></ul> - - -<ul class="alternate" type="square"><li><b>Shiro DevNexus 2009 Presentation</b> by <a class="external-link" href="http://cwiki.apache.org/confluence/display/~jhaile";>Jeremy Haile</a>: (<a href="assets/images/articles/Ki-DevNexus-2009.pdf?version=1&modificationDate=1246602947000">PDF</a>) (<a href="assets/images/articles/Ki-DevNexus-2009.key.zip?version=1&modificationDate=1246602947000">Keynote</a>) (<a href="assets/images/articles/Ki-DevNexus-2009.ppt.zip?version=1&modificationDate=1246602947000">Powerpoint</a>)</li></ul>
![https://cwiki.apache.org/confluence/images/icons/emoticons/smile.png"](https://cwiki.apache.org/confluence/images/icons/emoticons/smile.png"){kind=link}
![https://cwiki.apache.org/confluence/images/icons/emoticons/information.png"](https://cwiki.apache.org/confluence/images/icons/emoticons/information.png"){kind=link}
![https://cwiki.apache.org/confluence/images/icons/emoticons/check.png"](https://cwiki.apache.org/confluence/images/icons/emoticons/check.png"){kind=link}
![https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"](https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"){kind=link}