[jira] [Commented] (SHIRO-277) JdbcRealm needs to be refactored

Mon, 19 Sep 2011 21:08:37 -0700 

    [ 
https://issues.apache.org/jira/browse/SHIRO-277?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13108355#comment-13108355
 ] 

Phil Steitz commented on SHIRO-277:
-----------------------------------

Sorry to take so long to get back to this. 

+1 for 1)
+0 for 2), assuming I understand it correctly.  The key here is to document 
carefully what Shiro requires in the salt data returned from the database or 
external source.
I don't think I understand 3), which looks more complicated to me than having 
the salt method configurable in the INI, which is what I was trying to set up.  
That's what I meant by externalizing the enum, so its values could be 
referenced in the INI and the setters would be invoked by the framework (so 
users would not have to subclass or override anything).  The exception would be 
EXTERNAL, where you really need the user to provide an impl.  I think I am most 
likely missing the point here.

Agreed on badness of using the username as salt in the default implementation 
of getSaltForUser, which is only called if salt style is EXTERNAL.  Other 
options here would be  a) throw UOE in the default impl, since EXTERNAL should 
only be used when this method is overridden or b) forget EXTERNAL altogether, 
but expose getSaltForUser and move the code that gets the salt using the other 
options into this method.  Then users can override if they wish.  IIUC, your 
suggestion enables b).

> JdbcRealm needs to be refactored
> --------------------------------
>
>                 Key: SHIRO-277
>                 URL: https://issues.apache.org/jira/browse/SHIRO-277
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Realms 
>    Affects Versions: 1.1.0
>            Reporter: Ilya Pyatigorskiy
>             Fix For: 1.2.0
>
>         Attachments: jdbcRealm.patch
>
>
> There are at least 2 obvious problems:
> 1) the javadoc for JdbcRealm.setPermissionsQuery suggests that the query is 
> expected to have 3 columns ("containing the fully qualified name of the 
> permission class, the permission name, and the permission actions (in that 
> order)"), but the code actually looks only for 1 - permission actions on 
> index 0
> 2) it doesn't support salt - checks only for password matching

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to