Modified: shiro/site/publish/how-to-contribute.html URL: http://svn.apache.org/viewvc/shiro/site/publish/how-to-contribute.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/how-to-contribute.html (original) +++ shiro/site/publish/how-to-contribute.html Mon Oct 24 14:33:52 2016 @@ -78,143 +78,129 @@ <div id="content"> - <h1><a name="HowtoContribute-ContributingtoApacheShiro"></a>Contributing to Apache Shiro</h1> - -<ul><li><a href="#HowtoContribute-introduction">Introduction</a></li><li><a href="#HowtoContribute-help">Help Wanted Here</a></li><li><a href="#HowtoContribute-procedure">Procedure for reporting bugs and issues and enhancement suggestions</a></li><li><a href="#HowtoContribute-git">Git Usage</a></li><li><a href="#HowtoContribute-committer">Git Committers</a></li><li><a href="#HowtoContribute-issues">Procedure for Raising Development Issues</a></li><li><a href="#HowtoContribute-patches">How to prepare and contribute patches</a></li><li><a href="#HowtoContribute-revert">How to revert changes in Git</a></li><li><a href="#HowtoContribute-tips">Contribution Notes and Tips</a></li></ul> - - -<p><a name="HowtoContribute-introductions"></a></p> -<h2><a name="HowtoContribute-Introduction"></a>Introduction</h2> - -<p>The Shiro Project is an <a class="external-link" href="https://opensource.org/"; rel="nofollow">Open Source</a> volunteer project released under a <a href="license.html" title="License">very liberal license</a>. This means there are many ways to contribute to the project - either with direct participation (coding, documenting, answering questions, proposing ideas, reporting bugs, suggesting bug-fixes, etc..) or by resource donations (staff time, conference presentations, publicity, software) and even general hardware/money <a class="external-link" href="http://www.apache.org/foundation/thanks.html";>donations</a> via the <a class="external-link" href="http://www.apache.org";>Apache Software Foundation</a>.</p> - + <a name="HowtoContribute-ContributingtoApacheShiro"></a> +<h1><a href="#contributing-to-apache-shiro" name="contributing-to-apache-shiro">Contributing to Apache Shiro</a></h1> +<ul> + <li><a href="#HowtoContribute-introduction">Introduction</a></li> + <li><a href="#HowtoContribute-help">Help Wanted Here</a></li> + <li><a href="#HowtoContribute-procedure">Procedure for reporting bugs and issues and enhancement suggestions</a></li> + <li><a href="#HowtoContribute-git">Git Usage</a></li> + <li><a href="#HowtoContribute-committer">Git Committers</a></li> + <li><a href="#HowtoContribute-issues">Procedure for Raising Development Issues</a></li> + <li><a href="#HowtoContribute-patches">How to prepare and contribute patches</a></li> + <li><a href="#HowtoContribute-revert">How to revert changes in Git</a></li> + <li><a href="#HowtoContribute-tips">Contribution Notes and Tips</a></li> +</ul> +<a name="HowtoContribute-introductions"></a> +<a name="HowtoContribute-Introduction"></a> +<h2><a href="#introduction" name="introduction">Introduction</a></h2> +<p>The Shiro Project is an <a href="https://opensource.org/";>Open Source</a> volunteer project released under a <a href="license.html" title="License">very liberal license</a>. This means there are many ways to contribute to the project - either with direct participation (coding, documenting, answering questions, proposing ideas, reporting bugs, suggesting bug-fixes, etc..) or by resource donations (staff time, conference presentations, publicity, software) and even general hardware/money <a href="http://www.apache.org/foundation/thanks.html";>donations</a> via the <a href="http://www.apache.org";>Apache Software Foundation</a>.</p> <p>To begin with, we suggest you to subscribe to the <a href="mailing-lists.html" title="Mailing Lists">Shiro mailing lists</a> (follow the link for information on how to subscribe and to access the mail list archives). Listen-in for a while, to hear how others make contributions.</p> - -<p>You can get your local working copy of the <a href="download.html" title="Download">latest and greatest code</a> by following the directions in our <a href="download.html" title="Download">Download</a> page. Review the To Do list in the <a class="external-link" href="https://issues.apache.org/jira/browse/SHIRO";>issue tracker</a> and then choose a task that interests you. Perhaps you have noticed something that needs patching, or have a new feature to contribute. Make the changes, do the testing, generate a patch, and discuss on the <a href="mailing-lists.html" title="Mailing Lists">dev mailing list</a>. (Do not worry - the process is easy and explained below.)</p> - -<p>Document writers are usually the most wanted people so if you like to help but you're not familiar with the innermost technical details, don't worry: you can still be tremendously helpful!</p> - -<p><a name="HowtoContribute-help"></a></p> -<h2><a name="HowtoContribute-HelpWantedHere"></a>Help Wanted Here </h2> - +<p>You can get your local working copy of the <a href="download.html" title="Download">latest and greatest code</a> by following the directions in our <a href="download.html" title="Download">Download</a> page. Review the To Do list in the <a href="https://issues.apache.org/jira/browse/SHIRO";>issue tracker</a> and then choose a task that interests you. Perhaps you have noticed something that needs patching, or have a new feature to contribute. Make the changes, do the testing, generate a patch, and discuss on the <a href="mailing-lists.html" title="Mailing Lists">dev mailing list</a>. (Do not worry - the process is easy and explained below.)</p> +<p>Document writers are usually the most wanted people so if you like to help but you’re not familiar with the innermost technical details, don’t worry: you can still be tremendously helpful!</p> +<a name="HowtoContribute-help"></a> +<a name="HowtoContribute-HelpWantedHere"></a> +<h2><a href="#help-wanted-here" name="help-wanted-here">Help Wanted Here</a></h2> <p>You can be a huge help by providing extra assistance in any of the following areas:</p> - -<ul><li>Assisting to improve documentation and the website.</li><li>Testing Shiro (especially its less-frequently-used features) on various configurations and reporting back.</li><li>New samples for the 'shiro-sample' to concisely describe and demonstrate features. Such samples can also enable automated testing.</li><li>Debugging - producing reproducible test cases and/or finding causes of bugs. Most bugs are recorded as issues (see <a href="#HowtoContribute-procedure">explanation below</a>).</li><li>Providing new use-cases and requirements. If you think that Shiro does not quite meet your needs then tell us about it on the mailing list.</li><li>Specifying/analysing/designing new features - and beyond. If you wish to get further involved with this, please join the <a href="mailing-lists.html" title="Mailing Lists"><tt>shiro-dev</tt> mailing list</a>, install and try out Shiro and read some of the <a href="mailing-lists.html" title="Mailing Lists">mail archives</a>. You should have a reasonable fluency in security technologies, some Java and Maven skills, and a basic understanding of the Shiro architecture - don't just say "it should have XYZ" without reading anything first - because chances are, somebody has already thought of that feature!)</li><li>Packaging easy-to-install packages (such as RPMs) for the myriad of possible configurations out there. (The project does not maintain anything but the basic .zip and .tar.gz packages, but anyone is welcome to build their own specific packages and announce them on the forrest-dev list)</li><li>... and there is just one other thing - don't forget to tell everyone who asks, how great Shiro is! The more people that know about and start to use Shiro, the larger the pool of potential contributors will be.</li></ul> - - -<p><a name="HowtoContribute-procedure"></a></p> -<h2><a name="HowtoContribute-Procedureforreportingbugsandissuesandenhancementsuggestions"></a>Procedure for reporting bugs and issues and enhancement suggestions</h2> - -<p>If you think that you have found a bug or you have a suggestion for improvement, then please discuss it on one of the <a href="mailing-lists.html" title="Mailing Lists">mailing lists</a>. However, please check our <a class="external-link" href="https://issues.apache.org/jira/browse/SHIRO";>issue tracker</a> first as it may be already reported.</p> - -<p>The <a class="external-link" href="https://issues.apache.org/jira/browse/SHIRO";>Apache Shiro Issue Tracker</a> collates our known issues. Obviously not every issue is listed there. Some issues have been discussed on the mailing list but do not yet have an issue recorded.</p> - +<ul> + <li>Assisting to improve documentation and the website.</li> + <li>Testing Shiro (especially its less-frequently-used features) on various configurations and reporting back.</li> + <li>New samples for the ‘shiro-sample’ to concisely describe and demonstrate features. Such samples can also enable automated testing.</li> + <li>Debugging - producing reproducible test cases and/or finding causes of bugs. Most bugs are recorded as issues (see <a href="#HowtoContribute-procedure">explanation below</a>).</li> + <li>Providing new use-cases and requirements. If you think that Shiro does not quite meet your needs then tell us about it on the mailing list.</li> + <li>Specifying/analysing/designing new features - and beyond. If you wish to get further involved with this, please join the <a href="mailing-lists.html" title="Mailing Lists"><code>shiro-dev</code> mailing list</a>, install and try out Shiro and read some of the <a href="mailing-lists.html" title="Mailing Lists">mail archives</a>. You should have a reasonable fluency in security technologies, some Java and Maven skills, and a basic understanding of the Shiro architecture - don’t just say “it should have XYZ” without reading anything first - because chances are, somebody has already thought of that feature!)</li> + <li>Packaging easy-to-install packages (such as RPMs) for the myriad of possible configurations out there. (The project does not maintain anything but the basic .zip and .tar.gz packages, but anyone is welcome to build their own specific packages and announce them on the forrest-dev list)</li> + <li>… and there is just one other thing - don’t forget to tell everyone who asks, how great Shiro is! The more people that know about and start to use Shiro, the larger the pool of potential contributors will be.</li> +</ul> +<a name="HowtoContribute-procedure"></a> +<a name="HowtoContribute-Procedureforreportingbugsandissuesandenhancementsuggestions"></a> +<h2><a href="#procedure-for-reporting-bugs-and-issues-and-enhancement-suggestions" name="procedure-for-reporting-bugs-and-issues-and-enhancement-suggestions">Procedure for reporting bugs and issues and enhancement suggestions</a></h2> +<p>If you think that you have found a bug or you have a suggestion for improvement, then please discuss it on one of the <a href="mailing-lists.html" title="Mailing Lists">mailing lists</a>. However, please check our <a href="https://issues.apache.org/jira/browse/SHIRO";>issue tracker</a> first as it may be already reported.</p> +<p>The <a href="https://issues.apache.org/jira/browse/SHIRO";>Apache Shiro Issue Tracker</a> collates our known issues. Obviously not every issue is listed there. Some issues have been discussed on the mailing list but do not yet have an issue recorded.</p> <p>The Roadmap is the best way to get an overview. The Unscheduled list also needs regular review, and committers will schedule some of those for the next release.</p> - <p>When creating a new issue, please provide a concise Summary Title and a short Description. Add further information as Comments and include links to the mail archives. The normal procedure is to discuss the issue on the mailing list and then add relevant notes to the issue tracker, otherwise it becomes cluttered.</p> - -<p><a name="HowtoContribute-git"></a></p> -<h2><a name="HowtoContribute-GitUsage"></a>Git Usage</h2> - +<a name="HowtoContribute-git"></a> +<a name="HowtoContribute-GitUsage"></a> +<h2><a href="#git-usage" name="git-usage">Git Usage</a></h2> <p>An overview of how to use Git to participate in Shiro development. Do not be afraid - you cannot accidentally destroy the actual code repository, because you are working with a local copy as an anonymous user. Therefore, you do not have the system permissions to change anything. You can only update your local repository and compare your revisions with the real repository. The <a href="download.html" title="Download">Download Shiro</a> page explains how to check-out the code base and build your local copy.</p> - -<p><a name="HowtoContribute-committer"></a></p> -<h2><a name="HowtoContribute-GitCommitters"></a>Git Committers</h2> - -<p>After a developer has consistently provided contributions (code, documentation and discussion) and demonstrated committment, then the rest of the dev community may vote to grant this developer commit access to the Git repository. See the <a class="external-link" href="http://www.apache.org/dev/";>ASF developers resources</a> especially the <a class="external-link" href="http://www.apache.org/dev/version-control.html";>Source code repositories</a>.</p> - -<p><a name="HowtoContribute-issues"></a></p> -<h2><a name="HowtoContribute-ProcedureforRaisingDevelopmentIssues"></a>Procedure for Raising Development Issues</h2> - -<p>There are two methods for discussing development and submitting patches. So that everyone can be productive, it is important to know which method is appropriate for a certain situation and how to go about it without confusion. This section explains when to use the developer <a href="mailing-lists.html" title="Mailing Lists">mailing list</a> and the <a class="external-link" href="https://issues.apache.org/jira/browse/SHIRO";>issue tracker</a>.</p> - +<a name="HowtoContribute-committer"></a> +<a name="HowtoContribute-GitCommitters"></a> +<h2><a href="#git-committers" name="git-committers">Git Committers</a></h2> +<p>After a developer has consistently provided contributions (code, documentation and discussion) and demonstrated committment, then the rest of the dev community may vote to grant this developer commit access to the Git repository. See the <a href="http://www.apache.org/dev/";>ASF developers resources</a> especially the <a href="http://www.apache.org/dev/version-control.html";>Source code repositories</a>.</p> +<a name="HowtoContribute-issues"></a> +<a name="HowtoContribute-ProcedureforRaisingDevelopmentIssues"></a> +<h2><a href="#procedure-for-raising-development-issues" name="procedure-for-raising-development-issues">Procedure for Raising Development Issues</a></h2> +<p>There are two methods for discussing development and submitting patches. So that everyone can be productive, it is important to know which method is appropriate for a certain situation and how to go about it without confusion. This section explains when to use the developer <a href="mailing-lists.html" title="Mailing Lists">mailing list</a> and the <a href="https://issues.apache.org/jira/browse/SHIRO";>issue tracker</a>.</p> <p>Research your topic thoroughly before beginning to discuss a new development issue. Search and browse through the email archives - your issue may have been discussed before. Prepare your post clearly and concisely.</p> - <p>Most issues will be discovered, resolved, and then patched quickly via the developer mailing list. Larger issues, and ones that are not yet fully understood or are hard to solve, are destined for the issue tracker.</p> - <p>Experienced developers use the issue tracker directly, as they are very sure when they have found a bug and when not. However, less experienced users should first discuss it on the user or developer mailing list (as appropriate). Impatient people always enter everything into the issue tracker without caring if it is a bug of Shiro or their own installation/configuration mistake - please do not do this.</p> - <p>As a rule-of-thumb, discuss an issue on the developers mailing list first to work out any details. After it is confirmed to be worthwhile, and you are clear about it, then submit the bug description or patch via Bug Tracking.</p> - -<p>Perhaps you do not get any answer on your first reply, so just post it again until you get one. (But please not every hour - allow a few days for the list to deal with it.) Bear in mind that other countries will have holidays at different times to your country and that they are in different time zones. You might also consider rewriting your initial posting. It may have not been clear to the readers on the mailing list.</p> - -<p><a name="HowtoContribute-patches"></a></p> -<h2><a name="HowtoContribute-Howtoprepareandcontributepatches"></a>Contributing as a Non-Committer</h2> - -<p>If you're a committer on an Apache project, it means that you can commit directly to the project's repository. For instance, with Apache Shiro committers are allowed to directly push commits into the git repository.</p> - +<p>Perhaps you do not get any answer on your first reply, so just post it again until you get one. (But please not every hour - allow a few days for the list to deal with it.) Bear in mind that other countries will have holidays at different times to your country and that they are in different time zones. You might also consider rewriting your initial posting. It may have not been clear to the readers on the mailing list.</p> +<a name="HowtoContribute-patches"></a> +<a name="HowtoContribute-Howtoprepareandcontributepatches"></a> +<h2>Contributing as a Non-Committer</h2> +<p>If you’re a committer on an Apache project, it means that you can commit directly to the project’s repository. For instance, with Apache Shiro committers are allowed to directly push commits into the git repository.</p> <p>Non-committers, however, have to submit patches for review. Apache Shiro accepts GitHub pull requests. If you are new to Git and GitHub, check these two links:</p> - <ul> - <li><a class="external-link" href="https://try.github.io/levels/1/challenges/1";>GitHub 15 minutes tutorial</a></li> - <li><a class="external-link" href="https://help.github.com/articles/creating-a-pull-request/";>Creating Pull Requests</a></li> + <li><a href="https://try.github.io/levels/1/challenges/1";>GitHub 15 minutes tutorial</a></li> + <li><a href="https://help.github.com/articles/creating-a-pull-request/";>Creating Pull Requests</a></li> </ul> - <p>Apache Shiro has a read-only mirror on GitHub that is kept in sync with the canonical Git repo maintained by the Apache Software Foundation. Submitting GitHub pull requests is the easiest way to get your contribution upstream. For detailed instructions see the link below:</p> -<a href="https://github.com/apache/shiro/blob/master/CONTRIBUTING.md";>GitHub Contribution Guidelines</a> - -<h3><a name="HowtoContribute-submitThroughJIRA">Submitting a patch through JIRA</a></h3> - -<p>While we encourage you to submit your contribution through GitHub pull requests, you can also attach a patch in a JIRA ticket. For the purpose of these instructions, we'll assume that you already have a system with Git and have found a bug to fix or have a feature that you'd like to submit, and you're willing to contribute that code or documentation under the Apache License 2.0.</p> - -<p>Further, if you're fixing a bug we'll assume that you've either filed a bug report (where you will attach your patch) or are submitting a fix for a known bug. If you find a bug and would like to fix it, that's awesome! Please be sure to file the bug too, though.</p> - -<p>If you want to add a feature, you should bring it up for discussion on the [email protected] mailing list before implementing it. This ensures that it meshes with the plans that other contributors have for Apache Shiro, and that you're not doing redundant work. Other developers may also have ideas for the feature or suggestions that will help you land the feature without having to re-do the work. More information about our mailing lists can be found here.</p> - +<p><a href="https://github.com/apache/shiro/blob/master/CONTRIBUTING.md";>GitHub Contribution Guidelines</a></p> +<a name="HowtoContribute-submitThroughJIRA"></a> +<h3><a href="#submitting-a-patch-through-jira" name="submitting-a-patch-through-jira">Submitting a patch through JIRA</a></h3> +<p>While we encourage you to submit your contribution through GitHub pull requests, you can also attach a patch in a JIRA ticket. For the purpose of these instructions, we’ll assume that you already have a system with Git and have found a bug to fix or have a feature that you’d like to submit, and you’re willing to contribute that code or documentation under the Apache License 2.0.</p> +<p>Further, if you’re fixing a bug we’ll assume that you’ve either filed a bug report (where you will attach your patch) or are submitting a fix for a known bug. If you find a bug and would like to fix it, that’s awesome! Please be sure to file the bug too, though.</p> +<p>If you want to add a feature, you should bring it up for discussion on the <a href="mailto:dev@shiro.apache.org";>dev@shiro.apache.org</a> mailing list before implementing it. This ensures that it meshes with the plans that other contributors have for Apache Shiro, and that you’re not doing redundant work. Other developers may also have ideas for the feature or suggestions that will help you land the feature without having to re-do the work. More information about our mailing lists can be found here.</p> <p>In short, communication is a vital part of making a contribution to an Apache project.</p> - -<h3><a name="HowtoContribute-gettingStartedGit">Getting Started</a></h3> - -<p>First, lets make sure that you've added your name and email to your `~/.gitconfig`:</p> - -<pre> -$ git config --global user.name "Your Name" +<a name="HowtoContribute-gettingStartedGit"></a> +<h3><a href="#getting-started" name="getting-started">Getting Started</a></h3> +<p>First, lets make sure that you’ve added your name and email to your <code>~/.gitconfig</code>:</p> +<pre><code class="bash">$ git config --global user.name "Your Name" $ git config --global user.email [email protected] -</pre> -You'll grab the Shiro source with git: - -<pre> -$ git clone https://git-wip-us.apache.org/repos/asf/shiro.git -</pre> - -<p>If you already have the source, make sure you're working with the most recent version. Do a `git pull` if you cloned the source more than a few hours ago. (Apache Shiro development can move pretty fast!)</p> - -<pre> -$ git checkout -b mybranch -</pre> - -<p>This does two things: One, it creates the branch mybranch and two, it changes your working branch to mybranch. Running `git branch` will show you which branch you're working on, with an asterisk next to the active branch, like so:</p> - -<pre> -[user@localhost shiro]$ git branch +</code></pre> +<p>You’ll grab the Shiro source with git:</p> +<pre><code class="bash">$ git clone https://git-wip-us.apache.org/repos/asf/shiro.git +</code></pre> +<p>If you already have the source, make sure you’re working with the most recent version. Do a <code>git pull</code> if you cloned the source more than a few hours ago. (Apache Shiro development can move pretty fast!)</p> +<pre><code class="bash">$ git checkout -b mybranch +</code></pre> +<p>This does two things: One, it creates the branch mybranch and two, it changes your working branch to mybranch. Running <code>git branch</code> will show you which branch you’re working on, with an asterisk next to the active branch, like so:</p> +<pre><code class="bash">[user@localhost shiro]$ git branch master * mybranch -</pre> - -<p>Make whatever changes you're going to make, be sure to use git add to stage the changes, and then you're going to commit the changes to your working branch:</p> - -<pre> -git commit -m "Insert a meaningful summary of changes here." -</pre> - +</code></pre> +<p>Make whatever changes you’re going to make, be sure to use git add to stage the changes, and then you’re going to commit the changes to your working branch:</p> +<pre><code class="bash">git commit -m "Insert a meaningful summary of changes here." +</code></pre> <p>Finally, you can create a patch and attach it to the JIRA issue that you created for the bug you are fixing.</p> - -<pre> -git format-patch master --stdout > ~/patch-name.patch -</pre> - -<h3><a name="HowtoContribute-review">Review</a></h3> - -<p>Once you've submitted your pull request, you should receive a response within a few days. If you receive no response within a week, please ping the shiro-dev mailing list ([email protected]).</p> - -<p><a name="HowtoContribute-tips"></a></p> -<h2><a name="HowtoContribute-ContributionNotesandTips"></a>Contribution Notes and Tips</h2> - +<pre><code class="bash">git format-patch master --stdout > ~/patch-name.patch +</code></pre> +<a name="HowtoContribute-review"></a> +<h3><a href="#review" name="review">Review</a></h3> +<p>Once you’ve submitted your pull request, you should receive a response within a few days. If you receive no response within a week, please ping the shiro-dev mailing list (<a href="mailto:dev@shiro.apache.org)";>dev@shiro.apache.org)</a>.</p> +<a name="HowtoContribute-tips"></a> +<a name="HowtoContribute-ContributionNotesandTips"></a> +<h2><a href="#contribution-notes-and-tips" name="contribution-notes-and-tips">Contribution Notes and Tips</a></h2> <p>This is a collection of tips for contributing to the project in a manner that is productive for all parties.</p> - -<ul><li>See general ASF <a class="external-link" href="http://www.apache.org/dev/contrib-email-tips.html";>Tips for email contributors</a></li><li>There is no such thing as a dumb question. Always check the <a href="mailing-lists.html" title="Mailing Lists">archives</a> to see if someone else asked it first and maybe already received an answer.</li><li>Every contribution is worthwhile. Even if the code isn't perfect. Even if the documentation has typos. Even if you got it wrong the first time around. Any contribution is a start of something special. Through your continued effort and the help of the community, your contribution will evolve and get ever closer to "perfect".</li><li>Use sensible and concise email subject headings. Search engines, and humans trying to browse a voluminous list, will respond favourably to a descriptive title.</li><li>Start new threads with new Subject for new topics, rather than reusing the previous Subject line.</li><li>Keep each topic focused. If som e new topic arises then start a new discussion. This leaves the original topic to continue uncluttered.<br clear="none"> -Whenever you decide to start a new topic, then start with a fresh new email message window. Do not use the "Reply to" button, because threaded mail-readers get confused (they utilise the In-reply-to header). If so, then your new topic will get lost in the previous thread and go unanswered.</li><li>Prepend your email subject line with a marker when that is appropriate, e.g. [Proposal], [RT] (Random Thought which quickly blossom into research topics <img align="middle" class="emoticon" src="https://cwiki.apache.org/confluence/images/icons/emoticons/smile.png"; height="20" width="20" alt="" border="0">, [STATUS] (development status of a certain facility).</li><li>Remember that most people are participating in development on a volunteer basis and in their "spare time". These enthusiasts will attempt to respond to issues. It may take a little while to get your answers.</li><li>Research your topic thoroughly before beginning to discuss a new development issue. Search and browse through the email archives - your issue may have been discussed before. Do not just perceive a problem and then rush out with a question - instead, delve.</li><li>Try to at least offer a partial solution and not just a problem statement.</li><li>Take the time to clearly explain your issue and write a concise email message. Less confusion facilitates fast and complete resolution.</li><li>Do not bother to send an email reply that simply says "thanks". When the issue is resolved, that is the finish - end of thread. Reduce clutter.</li><li>You would usually do any development work against the master branch in Git.</li><li>When sending a patch, you usually do not need to worry about which Git branch it should be applied to. The maintainers of the repository will decide.</li><li>Keep all project-related discussion on the mailing list. It is much better to utilise the wider audience, rather than to break off into private discussion groups. You never know who else will have the answer to your issues, and anyway other people are interested in the outcome.</li><li>Become familiar with the mailing lists. As you browse and search, you will see the way other people do things. Follow the leading examples.</li></ul> - +<ul> + <li>See general ASF <a href="http://www.apache.org/dev/contrib-email-tips.html";>Tips for email contributors</a></li> + <li>There is no such thing as a dumb question. Always check the <a href="mailing-lists.html" title="Mailing Lists">archives</a> to see if someone else asked it first and maybe already received an answer.</li> + <li>Every contribution is worthwhile. Even if the code isn’t perfect. Even if the documentation has typos. Even if you got it wrong the first time around. Any contribution is a start of something special. Through your continued effort and the help of the community, your contribution will evolve and get ever closer to “perfect”.</li> + <li>Use sensible and concise email subject headings. Search engines, and humans trying to browse a voluminous list, will respond favourably to a descriptive title.</li> + <li>Start new threads with new Subject for new topics, rather than reusing the previous Subject line.</li> + <li>Keep each topic focused. If some new topic arises then start a new discussion. This leaves the original topic to continue uncluttered.<br/>Whenever you decide to start a new topic, then start with a fresh new email message window. Do not use the “Reply to” button, because threaded mail-readers get confused (they utilise the In-reply-to header). If so, then your new topic will get lost in the previous thread and go unanswered.</li> + <li>Prepend your email subject line with a marker when that is appropriate, e.g. [Proposal], [RT] (Random Thought which quickly blossom into research topics <img src="https://cwiki.apache.org/confluence/images/icons/emoticons/smile.png"; />, [STATUS] (development status of a certain facility).</li> + <li>Remember that most people are participating in development on a volunteer basis and in their “spare time”. These enthusiasts will attempt to respond to issues. It may take a little while to get your answers.</li> + <li>Research your topic thoroughly before beginning to discuss a new development issue. Search and browse through the email archives - your issue may have been discussed before. Do not just perceive a problem and then rush out with a question - instead, delve.</li> + <li>Try to at least offer a partial solution and not just a problem statement.</li> + <li>Take the time to clearly explain your issue and write a concise email message. Less confusion facilitates fast and complete resolution.</li> + <li>Do not bother to send an email reply that simply says “thanks”. When the issue is resolved, that is the finish - end of thread. Reduce clutter.</li> + <li>You would usually do any development work against the master branch in Git.</li> + <li>When sending a patch, you usually do not need to worry about which Git branch it should be applied to. The maintainers of the repository will decide.</li> + <li>Keep all project-related discussion on the mailing list. It is much better to utilise the wider audience, rather than to break off into private discussion groups. You never know who else will have the answer to your issues, and anyway other people are interested in the outcome.</li> + <li>Become familiar with the mailing lists. As you browse and search, you will see the way other people do things. Follow the leading examples.</li> +</ul> </div>
Modified: shiro/site/publish/inclusionslibrary.html URL: http://svn.apache.org/viewvc/shiro/site/publish/inclusionslibrary.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/inclusionslibrary.html (original) +++ shiro/site/publish/inclusionslibrary.html Mon Oct 24 14:33:52 2016 @@ -78,29 +78,19 @@ <div id="content"> - <p>The children of this page contain information which is <b>included in other pages</b>. This is a library of re-usable information chunks. </p> - -<p>If you want to change any of these pages, be aware that: </p> -<ul><li>Changing page names is problematic — you will need to change all the {include} and {excerpt-include} macros manually.</li><li>The content is used in many places — make sure your change is generic enough to fit the contexts in which the pages are used.</li></ul> - - -<p>To include an excerpt from a page: </p> -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -{excerpt-include:_page name|nopanel=<span class="code-keyword">true</span>} -</pre> -</div></div> -<p>Note that the page titled '_page name' must contain the {excerpt} macro, otherwise the {excerpt-include} will not work. </p> - -<p>To include the entire contents of a page" </p> -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -{include:page name|nopanel=<span class="code-keyword">true</span>} -</pre> -</div></div> - -<h6><a name="_InclusionsLibrary-ChildrenofthisPage"></a>Children of this Page </h6> - + <p>The children of this page contain information which is <strong>included in other pages</strong>. This is a library of re-usable information chunks.</p> +<p>If you want to change any of these pages, be aware that:</p> +<ul> + <li>Changing page names is problematic â you will need to change all the {include} and {excerpt-include} macros manually.</li> + <li>The content is used in many places â make sure your change is generic enough to fit the contexts in which the pages are used.</li> +</ul> +<p>To include an excerpt from a page:</p> +<pre><code>{excerpt-include:_page name|nopanel=true} +</code></pre> +<p>Note that the page titled ’_page name’ must contain the {excerpt} macro, otherwise the {excerpt-include} will not work.</p> +<p>To include the entire contents of a page"</p> +<pre><code>{include:page name|nopanel=true} +</code></pre> </div> Modified: shiro/site/publish/introduction.html URL: http://svn.apache.org/viewvc/shiro/site/publish/introduction.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/introduction.html (original) +++ shiro/site/publish/introduction.html Mon Oct 24 14:33:52 2016 @@ -78,52 +78,52 @@ <div id="content"> - <h1><a name="Introduction-IntroductiontoApacheShiro"></a>Introduction to Apache Shiro</h1> - -<h2><a name="Introduction-WhatisApacheShiro%3F"></a>What is Apache Shiro?</h2> - + <a name="Introduction-IntroductiontoApacheShiro"></a> +<h1><a href="#introduction-to-apache-shiro" name="introduction-to-apache-shiro">Introduction to Apache Shiro</a></h1> +<a name="Introduction-WhatisApacheShiro%3F"></a> +<h2><a href="#what-is-apache-shiro-" name="what-is-apache-shiro-">What is Apache Shiro?</a></h2> <p>Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography.</p> - -<p>Apache Shiro's first and foremost goal is to be easy to use and understand. Security can be very complex at times, even painful, but it doesn't have to be. A framework should mask complexities where possible and expose a clean and intuitive API that simplifies the developer's effort to make their application(s) secure.</p> - +<p>Apache Shiro’s first and foremost goal is to be easy to use and understand. Security can be very complex at times, even painful, but it doesn’t have to be. A framework should mask complexities where possible and expose a clean and intuitive API that simplifies the developer’s effort to make their application(s) secure.</p> <p>Here are some things that you can do with Apache Shiro:</p> - -<ul><li>Authenticate a user to verify their identity</li><li>Perform access control for a user, such as: - <ul><li>Determine if a user is assigned a certain security role or not</li><li>Determine if a user is permitted to do something or not</li></ul> - </li><li>Use a Session API in any environment, even without web or EJB containers.</li><li>React to events during authentication, access control, or during a session's lifetime.</li><li>Aggregate 1 or more data sources of user security data and present this all as a single composite user 'view'.</li><li>Enable Single Sign On (SSO) functionality</li><li>Enable 'Remember Me' services for user association without login<br clear="none"> -...<br clear="none"> -and much more - all integrated into a cohesive easy-to-use API.</li></ul> - - -<p>Shiro attempts to achieve these goals for all application environments - from the simplest command line application to the largest enterprise applications, without forcing dependencies on other 3rd party frameworks, containers, or application servers. Of course the project aims to integrate into these environments wherever possible, but it could be used out-of-the-box in any environment.</p> - -<h2><a name="Introduction-ApacheShiroFeatures"></a>Apache Shiro Features</h2> - -<p>Apache Shiro is a comprehensive application security framework with many features. The following diagram shows where Shiro focuses its energy, and this reference manual will be organized similarly:</p> - -<p><br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"> -<span class="image-wrap" style="display: block; text-align: center"><img src="assets/images/ShiroFeatures.png" style="border: 0px solid black"></span> -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></p> - -<p>Shiro targets what the Shiro development team calls "the four cornerstones of application security" - Authentication, Authorization, Session Management, and Cryptography:</p> - -<ul><li><b>Authentication:</b> Sometimes referred to as 'login', this is the act of proving a user is who they say they are. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>Authorization:</b> The process of access control, i.e. determining 'who' has access to 'what'. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>Session Management:</b> Managing user-specific sessions, even in non-web or EJB applications. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li><b>Cryptography:</b> Keeping data secure using cryptographic algorithms while still being easy to use.</li></ul> - - +<ul> + <li>Authenticate a user to verify their identity</li> + <li>Perform access control for a user, such as: + <ul> + <li>Determine if a user is assigned a certain security role or not</li> + <li>Determine if a user is permitted to do something or not</li> + </ul> + </li> + <li>Use a Session API in any environment, even without web or EJB containers.</li> + <li>React to events during authentication, access control, or during a session’s lifetime.</li> + <li>Aggregate 1 or more data sources of user security data and present this all as a single composite user ‘view’.</li> + <li>Enable Single Sign On (SSO) functionality</li> + <li>Enable ‘Remember Me’ services for user association without login<br/>…<br/>and much more - all integrated into a cohesive easy-to-use API.</li> +</ul> +<p>Shiro attempts to achieve these goals for all application environments - from the simplest command line application to the largest enterprise applications, without forcing dependencies on other 3rd party frameworks, containers, or application servers. Of course the project aims to integrate into these environments wherever possible, but it could be used out-of-the-box in any environment.</p> +<a name="Introduction-ApacheShiroFeatures"></a> +<h2><a href="#apache-shiro-features" name="apache-shiro-features">Apache Shiro Features</a></h2> +<p>Apache Shiro is a comprehensive application security framework with many features. The following diagram shows where Shiro focuses its energy, and this reference manual will be organized similarly:</p> +<img src="assets/images/ShiroFeatures.png" style="margin:0px auto;display:block"></img> +<p>Shiro targets what the Shiro development team calls “the four cornerstones of application security” - Authentication, Authorization, Session Management, and Cryptography:</p> +<ul> + <li> + <p><strong>Authentication:</strong> Sometimes referred to as ‘login’, this is the act of proving a user is who they say they are.</p></li> + <li> + <p><strong>Authorization:</strong> The process of access control, i.e. determining ‘who’ has access to ‘what’.</p></li> + <li> + <p><strong>Session Management:</strong> Managing user-specific sessions, even in non-web or EJB applications.</p></li> + <li> + <p><strong>Cryptography:</strong> Keeping data secure using cryptographic algorithms while still being easy to use.</p></li> +</ul> <p>There are also additional features to support and reinforce these concerns in different application environments, especially:</p> - -<ul><li>Web Support: Shiro's web support APIs help easily secure web applications.</li><li>Caching: Caching is a first-tier citizen in Apache Shiro's API to ensure that security operations remain fast and efficient.</li><li>Concurrency: Apache Shiro supports multi-threaded applications with its concurrency features.</li><li>Testing: Test support exists to help you write unit and integration tests and ensure your code will be secured as expected.</li><li>"Run As": A feature that allows users to assume the identity of another user (if they are allowed), sometimes useful in administrative scenarios.</li><li>"Remember Me": Remember users' identities across sessions so they only need to log in when mandatory.</li></ul> - - -<p></p> +<ul> + <li>Web Support: Shiro’s web support APIs help easily secure web applications.</li> + <li>Caching: Caching is a first-tier citizen in Apache Shiro’s API to ensure that security operations remain fast and efficient.</li> + <li>Concurrency: Apache Shiro supports multi-threaded applications with its concurrency features.</li> + <li>Testing: Test support exists to help you write unit and integration tests and ensure your code will be secured as expected.</li> + <li>“Run As”: A feature that allows users to assume the identity of another user (if they are allowed), sometimes useful in administrative scenarios.</li> + <li>“Remember Me”: Remember users’ identities across sessions so they only need to log in when mandatory.</li> +</ul> </div> Modified: shiro/site/publish/issues.html URL: http://svn.apache.org/viewvc/shiro/site/publish/issues.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/issues.html (original) +++ shiro/site/publish/issues.html Mon Oct 24 14:33:52 2016 @@ -78,19 +78,22 @@ <div id="content"> - <h2><a name="Issues-ApacheShiroBug%26IssueTracking"></a>Apache Shiro Bug & Issue Tracking</h2> - -<p>Apache Shiro uses Atlassian Jira for tracking tasks, feature requests, bugs, and other issues related to the project development.</p> - -<h2><a name="Issues-UsageGuidelines"></a>Usage Guidelines</h2> - + <a name="Issues-ApacheShiroBug%26IssueTracking"></a> +<h2>Apache Shiro Bug & Issue Tracking</h2> +<p>Apache Shiro uses Atlassian Jira for tracking tasks, feature requests, bugs, and other issues related to the project development.</p> +<a name="Issues-UsageGuidelines"></a> +<h2><a href="#usage-guidelines" name="usage-guidelines">Usage Guidelines</a></h2> <p>Jira is provided as a Shiro software development resource. It is meant to be for managing bugs, tasks and improvements in the software itself - it is not a support portal to ask for advice or help. For community advice and help in using Apache Shiro, please visit the <a href="support.html" title="Support">Support</a> page.</p> - -<p><b>Prior to using Jira, we ask that:</b></p> -<ul><li>You do your due diligence to ensure a suspected error is actually a bug.</li><li>You search the issue tracker to ensure what you want to report has not already been reported by someone else.</li><li>If your problem is actually a bug, we would appreciate it if you could attach a simple JUnit test case that allows us to repeat the problem so we can fix it as fast as possible.</li><li>If a unit test is not available (please really try to make one!), attach a stack trace and Shiro's TRACE or DEBUG log output.</li><li>If you've already fixed the problem, please submit a patch and we'll likely include it in the next release.</li></ul> - - -<h2><a name="Issues-ClickheretovisittheApacheShiroJiraissuetrackerhttps%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FSHIRO"></a><a class="external-link" href="https://issues.apache.org/jira/browse/SHIRO";>Click here to visit the Apache Shiro Jira issue tracker</a> </h2> +<p><strong>Prior to using Jira, we ask that:</strong></p> +<ul> + <li>You do your due diligence to ensure a suspected error is actually a bug.</li> + <li>You search the issue tracker to ensure what you want to report has not already been reported by someone else.</li> + <li>If your problem is actually a bug, we would appreciate it if you could attach a simple JUnit test case that allows us to repeat the problem so we can fix it as fast as possible.</li> + <li>If a unit test is not available (please really try to make one!), attach a stack trace and Shiro’s TRACE or DEBUG log output.</li> + <li>If you’ve already fixed the problem, please submit a patch and we’ll likely include it in the next release.</li> +</ul> +<a name="Issues-ClickheretovisittheApacheShiroJiraissuetrackerhttps%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FSHIRO"></a> +<h2><a href="https://issues.apache.org/jira/browse/SHIRO";>Click here to visit the Apache Shiro Jira issue tracker</a></h2> </div> Modified: shiro/site/publish/java-annotations-list.html URL: http://svn.apache.org/viewvc/shiro/site/publish/java-annotations-list.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/java-annotations-list.html (original) +++ shiro/site/publish/java-annotations-list.html Mon Oct 24 14:33:52 2016 @@ -78,24 +78,21 @@ <div id="content"> - <h1><a name="JavaAnnotationsList-JavaAnnotationsList"></a>Java Annotations List</h1> - + <a name="JavaAnnotationsList-JavaAnnotationsList"></a> +<h1><a href="#java-annotations-list" name="java-annotations-list">Java Annotations List</a></h1> <p>Below are a list of the different Shiro annotations you can use in your application.</p> - -<ul><li><b><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresAuthentication.html">RequiresAuthentication</a></b> - Requires the current Subject to have been authenticated during their current session for the annotated class/instance/method to be accessed or invoked</li></ul> - - -<ul><li><b><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresGuest.html">RequiresGuest</a></b> - Requires the current Subject to be a "guest", that is, they are not authenticated or remembered from a previous session for the annotated class/instance/method to be accessed or invoked.</li></ul> - - -<ul><li><b><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresPermissions.html">RequiresPermissions</a></b> - Requires the current executor's Subject to imply a particular permission in order to execute the annotated method. If the executor's associated Subject determines that the executor does not imply the specified permission, the method will not be executed.</li></ul> - - -<ul><li><b><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresRoles.html">RequiresRoles</a></b> - Requires the currently executing Subject to have all of the specified roles. If they do not have the role(s), the method will not be executed and an AuthorizationException is thrown.</li></ul> - - -<ul><li><b><a class="external-link" href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresUser.html">RequiresUser</a></b> - Requires the current Subject to be an application user for the annotated class/instance/method to be accessed or invoked.</li></ul> - +<ul> + <li> + <p><strong><a href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresAuthentication.html">RequiresAuthentication</a></strong> - Requires the current Subject to have been authenticated during their current session for the annotated class/instance/method to be accessed or invoked</p></li> + <li> + <p><strong><a href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresGuest.html">RequiresGuest</a></strong> - Requires the current Subject to be a “guest”, that is, they are not authenticated or remembered from a previous session for the annotated class/instance/method to be accessed or invoked.</p></li> + <li> + <p><strong><a href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresPermissions.html">RequiresPermissions</a></strong> - Requires the current executor’s Subject to imply a particular permission in order to execute the annotated method. If the executor’s associated Subject determines that the executor does not imply the specified permission, the method will not be executed.</p></li> + <li> + <p><strong><a href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresRoles.html">RequiresRoles</a></strong> - Requires the currently executing Subject to have all of the specified roles. If they do not have the role(s), the method will not be executed and an AuthorizationException is thrown.</p></li> + <li> + <p><strong><a href="static/current/apidocs/org/apache/shiro/authz/annotation/RequiresUser.html">RequiresUser</a></strong> - Requires the current Subject to be an application user for the annotated class/instance/method to be accessed or invoked.</p></li> +</ul> </div> Modified: shiro/site/publish/java-annotations.html URL: http://svn.apache.org/viewvc/shiro/site/publish/java-annotations.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/java-annotations.html (original) +++ shiro/site/publish/java-annotations.html Mon Oct 24 14:33:52 2016 @@ -78,21 +78,18 @@ <div id="content"> - <h1><a name="JavaAnnotations-JavaAnnotationSupport"></a>Java Annotation Support</h1> -<p>Before you can use Java annotations, you'll need to enable AOP support in your application. There are a number of different AOP frameworks so, unfortunately, there is no standard way to enable AOP in an application.</p> - -<p>For AspectJ, you can review our <a class="external-link" href="https://github.com/apache/shiro/tree/master/samples/aspectj";>AspectJ sample application</a>.</p> - + <a name="JavaAnnotations-JavaAnnotationSupport"></a> +<h1><a href="#java-annotation-support" name="java-annotation-support">Java Annotation Support</a></h1> +<p>Before you can use Java annotations, you’ll need to enable AOP support in your application. There are a number of different AOP frameworks so, unfortunately, there is no standard way to enable AOP in an application.</p> +<p>For AspectJ, you can review our <a href="https://github.com/apache/shiro/tree/master/samples/aspectj";>AspectJ sample application</a>.</p> <p>For Spring, you can look into our <a href="spring.html" title="Spring">Spring Integration</a> documentation.</p> - -<h2><a name="JavaAnnotations-Shiro%27sJavaAnnotations."></a>Shiro's Java Annotations.</h2> -<p>Once you have AOP enabled in our application, you can use Shiro's set of annotations found in the <a href="java-annotations-list.html" title="Java Annotations List">Java Annotations List</a></p> - -<h2><a name="JavaAnnotations-Lendahandwithdocumentation"></a>Lend a hand with documentation </h2> - -<p>While we hope this documentation helps you with the work you're doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you'd like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro. </p> - -<p>The easiest way to contribute your documentation is to send it to the <a class="external-link" href="http://shiro-user.582556.n2.nabble.com/"; rel="nofollow">User Forum</a> or the <a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p> +<a name="JavaAnnotations-Shiro%27sJavaAnnotations."></a> +<h2>Shiro’s Java Annotations.</h2> +<p>Once you have AOP enabled in our application, you can use Shiro’s set of annotations found in the <a href="java-annotations-list.html" title="Java Annotations List">Java Annotations List</a></p> +<a name="JavaAnnotations-Lendahandwithdocumentation"></a> +<h2><a href="#lend-a-hand-with-documentation" name="lend-a-hand-with-documentation">Lend a hand with documentation</a></h2> +<p>While we hope this documentation helps you with the work you’re doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you’d like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro.</p> +<p>The easiest way to contribute your documentation is to send it to the <a href="http://shiro-user.582556.n2.nabble.com/";>User Forum</a> or the <a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p> </div> Modified: shiro/site/publish/java-authentication-guide.html URL: http://svn.apache.org/viewvc/shiro/site/publish/java-authentication-guide.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/java-authentication-guide.html (original) +++ shiro/site/publish/java-authentication-guide.html Mon Oct 24 14:33:52 2016 @@ -78,131 +78,97 @@ <div id="content"> - <h1><a name="JavaAuthenticationGuide-JavaAuthenticationGuidewithApacheShiro"></a>Java Authentication Guide with Apache Shiro</h1> - -<p><br clear="none" class="atl-forced-newline"> -Authentication is the process of identity verification-- you are trying to prove a user is who they say they are. To do so, a user needs to provide some sort of proof of identity that your system understands and trust.</p> - -<p>The goal of this guide is to walk you through how Authentication in Java is performed in Shiro. If you haven't already please take moment and go through Shiro's <a href="10-minute-tutorial.html" title="10 Minute Tutorial">10 Minute Tutorial</a> so that you get a basic understanding of how to work with Shiro.</p> - -<h2><a name="JavaAuthenticationGuide-Terminologyyou%27llneed"></a>Terminology you'll need</h2> - -<table align="right" width="275" style="margin-left: 20px; margin-bottom: 20px; border-style: solid; border-width: 2px; border-color: navy" cellpadding="10px"> - -<tr> -<td> + <a name="JavaAuthenticationGuide-JavaAuthenticationGuidewithApacheShiro"></a> +<h1><a href="#java-authentication-guide-with-apache-shiro" name="java-authentication-guide-with-apache-shiro">Java Authentication Guide with Apache Shiro</a></h1> +<p>Authentication is the process of identity verification– you are trying to prove a user is who they say they are. To do so, a user needs to provide some sort of proof of identity that your system understands and trust.</p> +<p>The goal of this guide is to walk you through how Authentication in Java is performed in Shiro. If you haven’t already please take moment and go through Shiro’s <a href="10-minute-tutorial.html" title="10 Minute Tutorial">10 Minute Tutorial</a> so that you get a basic understanding of how to work with Shiro.</p> +<a name="JavaAuthenticationGuide-Terminologyyou%27llneed"></a> +<h2>Terminology you’ll need</h2> +<table align="right" width="275" style="margin-left: 20px; margin-bottom: 20px; border-style: solid; border-width: 2px; border-color: navy" cellpadding="10px"><tr><td> <div id="border"> <h2>Related Content</h2> - + <h3><a href="authentication-features.html">Authentication Features</a></h3> <p>Quick overview of easy, subject-based authentication in Shiro. </br><span style="font-size:11"><a href="authentication-features.html">Read More >></a></span></p> - + <h3><a href="authentication.html">Authentication Docs</a></h3> <p>Full documentation on Apache Shiro's Authentication functionality. </br><span style="font-size:11"><a href="authentication.html">Read More >></a></span></p> - + <h3><a href="10-minute-tutorial.html">10-Minute Shiro Tutorial</a></h3> <p>Try Apache Shiro for yourself in under 10 minutes. </br><span style="font-size:11"><a href="10-minute-tutorial.html">Read More >></a></span></p> - + <h3><a href="webapp-tutorial.html">Web App Tutorial</a></h3> <p>Step-by-step tutorial for securing a web application with Shiro. </br><span style="font-size:11"><a href="webapp-tutorial.html">Read More >></a></span></p> </div> -</td> -</tr> -</table> - -<ul><li><b>Subject</b> - Security specific user 'view' of an application user. It can be a human being, a third-party process, a server connecting to you application application, or even a cron job. Basically, it is anything or anyone communicating with your application.</li></ul> - - -<ul><li><b>Principals</b> - A subjects identifying attributes. First name, last name, social security number, username</li></ul> - - -<ul><li><b>Credentials</b> - secret data that are used to verify identities. Passwords, Biometric data, x509 certificates,</li></ul> - - -<ul><li><b>Realms</b> - Security specific DAO, data access object, software component that talkts to a backend data source. If you have usernames and password in LDAP, then you would have an LDAP Realm that would communicate with LDAP. The idea is that you would use a realm per back-end data source and Shiro would know how to coordinate with these realms together to do what you have to do.</li></ul> - - -<h2><a name="JavaAuthenticationGuide-HowtoAuthenticateinJavawithShiro"></a>How to Authenticate in Java with Shiro</h2> - -<p>In Shiro's framework, and most every other framework for that matter, the Java authentication process can be broken up into three distinct steps.</p> - -<h3><a name="JavaAuthenticationGuide-Steps"></a>Steps</h3> - -<ol><li>Collect the subject's principals and credentials</li><li>Submit the principals and credentials to an authentication system.</li><li>Allow access, retry authentication, or block access</li></ol> - - +</td></tr></table> +<ul> + <li> + <p><strong>Subject</strong> - Security specific user ‘view’ of an application user. It can be a human being, a third-party process, a server connecting to you application application, or even a cron job. Basically, it is anything or anyone communicating with your application.</p></li> + <li> + <p><strong>Principals</strong> - A subjects identifying attributes. First name, last name, social security number, username</p></li> + <li> + <p><strong>Credentials</strong> - secret data that are used to verify identities. Passwords, Biometric data, x509 certificates,</p></li> + <li> + <p><strong>Realms</strong> - Security specific DAO, data access object, software component that talkts to a backend data source. If you have usernames and password in LDAP, then you would have an LDAP Realm that would communicate with LDAP. The idea is that you would use a realm per back-end data source and Shiro would know how to coordinate with these realms together to do what you have to do.</p></li> +</ul> +<a name="JavaAuthenticationGuide-HowtoAuthenticateinJavawithShiro"></a> +<h2><a href="#how-to-authenticate-in-java-with-shiro" name="how-to-authenticate-in-java-with-shiro">How to Authenticate in Java with Shiro</a></h2> +<p>In Shiro’s framework, and most every other framework for that matter, the Java authentication process can be broken up into three distinct steps.</p> +<a name="JavaAuthenticationGuide-Steps"></a> +<h3><a href="#steps" name="steps">Steps</a></h3> +<ol> + <li>Collect the subject’s principals and credentials</li> + <li>Submit the principals and credentials to an authentication system.</li> + <li>Allow access, retry authentication, or block access</li> +</ol> <p>Here is some code on how you do this in Shiro Specifically.</p> - -<h3><a name="JavaAuthenticationGuide-Step1Collectthesubject%27sprincipalsandcredentials"></a>Step 1 - Collect the subject's principals and credentials</h3> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-comment">//Example using most common scenario: -</span><span class="code-comment">//<span class="code-object">String</span> username and password. Acquire in -</span><span class="code-comment">//system-specific manner (HTTP request, GUI, etc) -</span> -UsernamePasswordToken token = - <span class="code-keyword">new</span> UsernamePasswordToken( username, password ); - -<span class="code-comment">//”Remember Me” built-in, just <span class="code-keyword">do</span> <span class="code-keyword">this</span>: -</span>token.setRememberMe(<span class="code-keyword">true</span>); - -</pre> -</div></div> - -<p>In this particular case, we’re using a class called <a class="external-link" href="static/current/apidocs/org/apache/shiro/authc/UsernamePasswordToken.html">UsernamePasswordToken</a>. It is the most common authentication token used in the framework.</p> - -<p>We use this token to bundle the username and password we acquired in someway in our Java application. Maybe they were submitted via a user web form, an HTTP header, or a command line. In Shiro, it does not matter how you acquire them-- it is protocol agnostic.</p> - -<p>In this example, we have decided that we want the application to remember users when they return. So once the token is created, we use Shiro's built-in "Remember-me" feature by setting it to true on the token. This is done using the token's <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/authc/UsernamePasswordToken.html#setRememberMe(boolean)">setRememberMe()</a></tt> method</p> - -<h3><a name="JavaAuthenticationGuide-Step2Submittheprincipalsandcredentialstoanauthenticationsystem."></a>Step 2 - Submit the principals and credentials to an authentication system.</h3> -<p>So we’ve collected the information in a token and set it to remember returning users. The next step is in the Authentication process is to submit the token to an authentication system. Your authentication system is represented in Shiro by security-specific DAOs, that are referred to as <a class="external-link" href="static/current/apidocs/">Realms</a>. For more information on realms please check out the <a class="external-link" href="realm.html">Shiro Realm Guide</a>.</p> - -<p>In Shiro we try to make this part as quick and easy as humanly possible. We have it down to one line of Java code!</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-comment">//With most of Shiro, you'll always want to make sure you're working with the currently executing user, referred to as the subject -</span>Subject currentUser = SecurityUtils.getSubject(); - -<span class="code-comment">//Authenticate the subject by passing -</span><span class="code-comment">//the user name and password token -</span><span class="code-comment">//into the login method -</span>currentUser.login(token); -</pre> -</div></div> - -<p>First, we need to acquire the currently executing user, referred to as the subject. A subject is just a security specific view of the user----it can be a human, a process, cron job, doesn&\#8217;t matter. In Shiro, there is always a subject instance available to the currently executing thread. The concept of a subject is core to Shiro and most of the framework is centered around working with subjects. In this example, we will name this instance of subject currentUser.</p> - -<p>To acquire the subject, we use the <a class="external-link" href="static/current/apidocs/org/apache/shiro/SecurityUtils.html">SecurityUtils</a> class which is also a core pat of Shiro's API. It will acquire the currently executing user via the <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/SecurityUtils.html#getSubject()">getsubject()</a></tt> method call. And we get back a subject instance that is representing who the current user is who is interacting with the system. At this point in the example, the subject currentUser is anonymous. There is no identity associated with them.</p> - -<p>Now with the user representation in hand, we authenticate them by just calling the <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#login(org.apache.shiro.authc.AuthenticationToken))">login()</a></tt> method and submit the token we just constructed a second ago.</p> - -<h3><a name="JavaAuthenticationGuide-Step3Allowaccess%2Cretryauthentication%2Corblockaccess"></a>Step 3 - Allow access, retry authentication, or block access</h3> -<p>Again really, really easy, single method call. If the <tt>login()</tt> method call is successful, then the user is logged in and associated with a user account or identity. From here, the user can go about using your application and retain their identity through their session or longer since we have set the "Remember Me" in our example.</p> - -<p>But what happens if something fails in the authentication attempt? What if they give you the wrong password or they accessed the system too many times, maybe their account is locked? In this case, Shiro will throw an exception. This is where Shiro's rich exception hierarchy comes into play.</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">try</span> { +<a name="JavaAuthenticationGuide-Step1Collectthesubject%27sprincipalsandcredentials"></a> +<h3>Step 1 - Collect the subject’s principals and credentials</h3> +<pre><code class="java">//Example using most common scenario: +//String username and password. Acquire in +//system-specific manner (HTTP request, GUI, etc) +UsernamePasswordToken token = new UsernamePasswordToken( username, password ); + +//âRemember Meâ built-in, just do this: +token.setRememberMe(true); +</code></pre> +<p>In this particular case, weâre using a class called <a href="static/current/apidocs/org/apache/shiro/authc/UsernamePasswordToken.html">UsernamePasswordToken</a>. It is the most common authentication token used in the framework.</p> +<p>We use this token to bundle the username and password we acquired in someway in our Java application. Maybe they were submitted via a user web form, an HTTP header, or a command line. In Shiro, it does not matter how you acquire them– it is protocol agnostic.</p> +<p>In this example, we have decided that we want the application to remember users when they return. So once the token is created, we use Shiro’s built-in “Remember-me” feature by setting it to true on the token. This is done using the token’s <a href="static/current/apidocs/org/apache/shiro/authc/UsernamePasswordToken.html#setRememberMe-boolean-"><code>setRememberMe()</code></a> method</p> +<a name="JavaAuthenticationGuide-Step2Submittheprincipalsandcredentialstoanauthenticationsystem."></a> +<h3>Step 2 - Submit the principals and credentials to an authentication system.</h3> +<p>So weâve collected the information in a token and set it to remember returning users. The next step is in the Authentication process is to submit the token to an authentication system. Your authentication system is represented in Shiro by security-specific DAOs, that are referred to as <a href="static/current/apidocs/">Realms</a>. For more information on realms please check out the <a href="realm.html">Shiro Realm Guide</a>.</p> +<p>In Shiro we try to make this part as quick and easy as humanly possible. We have it down to one line of Java code!</p> +<pre><code class="java">//With most of Shiro, you'll always want to make sure you're working with the currently +//executing user, referred to as the subject +Subject currentUser = SecurityUtils.getSubject(); + +//Authenticate the subject by passing +//the user name and password token +//into the login method +currentUser.login(token); +</code></pre> +<p>First, we need to acquire the currently executing user, referred to as the subject. A subject is just a security specific view of the user—-it can be a human, a process, cron job, doesn&#8217;t matter. In Shiro, there is always a subject instance available to the currently executing thread. The concept of a subject is core to Shiro and most of the framework is centered around working with subjects. In this example, we will name this instance of subject currentUser.</p> +<p>To acquire the subject, we use the <a href="static/current/apidocs/org/apache/shiro/SecurityUtils.html">SecurityUtils</a> class which is also a core pat of Shiro’s API. It will acquire the currently executing user via the <a href="static/current/apidocs/org/apache/shiro/SecurityUtils.html#getSubject--"><code>getsubject()</code></a> method call. And we get back a subject instance that is representing who the current user is who is interacting with the system. At this point in the example, the subject currentUser is anonymous. There is no identity associated with them.</p> +<p>Now with the user representation in hand, we authenticate them by just calling the <a href="static/current/apidocs/org/apache/shiro/subject/Subject.html#login-org.apache.shiro.authc.AuthenticationToken-"><code>login()</code></a>) method and submit the token we just constructed a second ago.</p> +<a name="JavaAuthenticationGuide-Step3Allowaccess%2Cretryauthentication%2Corblockaccess"></a> +<h3>Step 3 - Allow access, retry authentication, or block access</h3> +<p>Again really, really easy, single method call. If the <code>login()</code> method call is successful, then the user is logged in and associated with a user account or identity. From here, the user can go about using your application and retain their identity through their session or longer since we have set the “Remember Me” in our example.</p> +<p>But what happens if something fails in the authentication attempt? What if they give you the wrong password or they accessed the system too many times, maybe their account is locked? In this case, Shiro will throw an exception. This is where Shiro’s rich exception hierarchy comes into play.</p> +<pre><code class="java">try { currentUser.login(token); -} <span class="code-keyword">catch</span> ( UnknownAccountException uae ) { ... -} <span class="code-keyword">catch</span> ( IncorrectCredentialsException ice ) { ... -} <span class="code-keyword">catch</span> ( LockedAccountException lae ) { ... -} <span class="code-keyword">catch</span> ( ExcessiveAttemptsException eae ) { ... -} ... <span class="code-keyword">catch</span> your own ... -} <span class="code-keyword">catch</span> ( AuthenticationException ae ) { - <span class="code-comment">//unexpected error? -</span>} -<span class="code-comment">//No problems, show authenticated view…</span> -</pre> -</div></div> - -<p>You can take that method call and wrap it in a try/catch block and you can catch all sort of exceptions if you want to handle them and react accordingly. In addition to a rich set of exceptions that Shiro offers, you can create your own if you need custom functionality. For more information, follow this link documentation on <a class="external-link" href="static/current/apidocs/org/apache/shiro/authc/AuthenticationException.html">AuthenticationException</a>.</p> - +} catch ( UnknownAccountException uae ) { ... +} catch ( IncorrectCredentialsException ice ) { ... +} catch ( LockedAccountException lae ) { ... +} catch ( ExcessiveAttemptsException eae ) { ... +} ... your own ... +} catch ( AuthenticationException ae ) { + //unexpected error? +} +//No problems, show authenticated view⦠+</code></pre> +<p>You can take that method call and wrap it in a try/catch block and you can catch all sort of exceptions if you want to handle them and react accordingly. In addition to a rich set of exceptions that Shiro offers, you can create your own if you need custom functionality. For more information, follow this link documentation on <a href="static/current/apidocs/org/apache/shiro/authc/AuthenticationException.html">AuthenticationException</a>.</p> <div class="panelMacro"> <table class="tipMacro"> <colgroup span="1"> @@ -222,17 +188,12 @@ UsernamePasswordToken token = </tbody> </table> </div> - -<h2><a name="JavaAuthenticationGuide-%22RememberMe%22Support"></a>"Remember Me" Support</h2> - -<p>As shown in the example above, Shiro supports the notion of "remember me" in adition to the normal login process.  </p> - -<p>In Shiro, the Subject object supports two methods : <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isRemembered()">isRemembered()</a></tt> and <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isAuthenticated()">isAuthenticated()</a></tt>.</p> - -<p>A "remembered" subject has an identity (it is not anonymous) and their identifying attributes,referred to as principals, are remembered from a successful authentication during a previous session.</p> - +<a name="JavaAuthenticationGuide-%22RememberMe%22Support"></a> +<h2>“Remember Me” Support</h2> +<p>As shown in the example above, Shiro supports the notion of “remember me” in adition to the normal login process.  </p> +<p>In Shiro, the Subject object supports two methods : <a href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isRemembered--"><code>isRemembered()</code></a> and <a href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isAuthenticated--"><code>isAuthenticated()</code></a>.</p> +<p>A “remembered” subject has an identity (it is not anonymous) and their identifying attributes,referred to as principals, are remembered from a successful authentication during a previous session.</p> <p>An authenticated subject has proved their identity <em>during their current session</em>.</p> - <div class="panelMacro"> <table class="warningMacro"> <colgroup span="1"> @@ -254,37 +215,24 @@ UsernamePasswordToken token = </tbody> </table> </div> - -<h3><a name="JavaAuthenticationGuide-RememberedvsAuthenticated"></a>Remembered vs Authenticated</h3> -<p>In shiro it is very important to note that a remembered subject is not an authenticated subject. A check against <tt>isAuthenticated()</tt> is a much more strict check because authentication is the process of proving you are who you say you are. When a user is only remembered, the remembered identity gives the system an idea who that user probably is, but in reality, has no way of absolutely guaranteeing if the remembered Subject represents the user currently using the application. Once the subject is authenticated, they are no longer considered only remembered because their identity would have been verified during the current session.</p> - +<a name="JavaAuthenticationGuide-RememberedvsAuthenticated"></a> +<h3><a href="#remembered-vs-authenticated" name="remembered-vs-authenticated">Remembered vs Authenticated</a></h3> +<p>In shiro it is very important to note that a remembered subject is not an authenticated subject. A check against <code>isAuthenticated()</code> is a much more strict check because authentication is the process of proving you are who you say you are. When a user is only remembered, the remembered identity gives the system an idea who that user probably is, but in reality, has no way of absolutely guaranteeing if the remembered Subject represents the user currently using the application. Once the subject is authenticated, they are no longer considered only remembered because their identity would have been verified during the current session.</p> <p>So although many parts of the application can still perform user-specific logic based on the remembered principals, such as customized views, it should never perform highly-sensitive operations until the user has legitimately verified their identity by executing a successful authentication attempt.</p> - -<p>For example, a check to see if a subject can access financial information should almost always depend on <tt>isAuthenticated()</tt>, not <tt>isRemembered()</tt>, to guarantee a verified identity.</p> - +<p>For example, a check to see if a subject can access financial information should almost always depend on <code>isAuthenticated()</code>, not <code>isRemembered()</code>, to guarantee a verified identity.</p> <p>He is a scenario to help illustrate why the the distinction between isAuthenticated and isRemembered is important.</p> - -<p>Let's say you're using Amazon.com. You log in and you add some books to your shopping cart. A day goes by. Of course your user session has expired and you've been logged out. But Amazon "remembers" you, greets you by name, and is still giving you personalized book recommendations. To Amazon, <tt>isRemembered()</tt> would return <tt>TRUE</tt>. What happens if you try to use one of the credit cards on file or change your account information? While Amazon "remembers" you, <tt>isRemembered() = TRUE</tt>, it is not certain that you are in fact you, <tt>isAuthenticated()=FALSE</tt>. So before you can perform a sensitive action Amazon needs to verify your identity by forcing an authentication process which it does through a login screen. After the login, your identity has been verified and <tt>isAuthenticated()=TRUE</tt>.</p> - +<p>Let’s say you’re using Amazon.com. You log in and you add some books to your shopping cart. A day goes by. Of course your user session has expired and you’ve been logged out. But Amazon “remembers” you, greets you by name, and is still giving you personalized book recommendations. To Amazon, <code>isRemembered()</code> would return <code>TRUE</code>. What happens if you try to use one of the credit cards on file or change your account information? While Amazon “remembers” you, <code>isRemembered() = TRUE</code>, it is not certain that you are in fact you, <code>isAuthenticated()=FALSE</code>. So before you can perform a sensitive action Amazon needs to verify your identity by forcing an authentication process which it does through a login screen. After the login, your identity has been verified and <code>isAuthenticated()=TRUE</code>.</p> <p>This scenario happens very often over the web so the functionality is built into Shiro helping you easily make the distinction yourself.</p> - -<h2><a name="JavaAuthenticationGuide-LoggingOut"></a>Logging Out</h2> -<p>Finally, when the user is done using the application, they can log out. And in Shiro, we make logging out quick and easy with a single method call.</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -currentUser.logout(); <span class="code-comment">//removes all identifying information and invalidates their session too.</span> -</pre> -</div></div> - -<p>When you log out in Shiro it will close out the user session and removes any associated identity from the subject instance. If you're using RememberMe in a web environment, then <tt>.logout()</tt> will, by default, also delete the RememberMe cookie from the browser.</p> - -<h2><a name="JavaAuthenticationGuide-Lendahandwithdocumentation"></a>Lend a hand with documentation </h2> - -<p>While we hope this documentation helps you with the work you're doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you'd like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro. </p> - -<p>The easiest way to contribute your documentation is to send it to the <a class="external-link" href="http://shiro-user.582556.n2.nabble.com/"; rel="nofollow">User Forum</a> or the <a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p> - +<a name="JavaAuthenticationGuide-LoggingOut"></a> +<h2><a href="#logging-out" name="logging-out">Logging Out</a></h2> +<p>Finally, when the user is done using the application, they can log out. And in Shiro, we make logging out quick and easy with a single method call.</p> +<pre><code class="java">currentUser.logout(); //removes all identifying information and invalidates their session too. +</code></pre> +<p>When you log out in Shiro it will close out the user session and removes any associated identity from the subject instance. If you’re using RememberMe in a web environment, then <code>.logout()</code> will, by default, also delete the RememberMe cookie from the browser.</p> +<a name="JavaAuthenticationGuide-Lendahandwithdocumentation"></a> +<h2><a href="#lend-a-hand-with-documentation" name="lend-a-hand-with-documentation">Lend a hand with documentation</a></h2> +<p>While we hope this documentation helps you with the work you’re doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you’d like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro.</p> +<p>The easiest way to contribute your documentation is to send it to the <a href="http://shiro-user.582556.n2.nabble.com/";>User Forum</a> or the <a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p> </div>
![https://cwiki.apache.org/confluence/images/icons/emoticons/smile.png"](https://cwiki.apache.org/confluence/images/icons/emoticons/smile.png"){kind=link}