On Sunday 18 July 2010 14:08:44 Thibault Kruse wrote:
> Hi,
> 
> I am new to this list and to wicket.
> 
> I just played around trying to get WASP and Shiro to work together, just to
> learn about stuff, not on my job.
> 
> Here are some thoughts:
> It is a bit confusing that WASP / wicket security uses the word "Principal"
> for "to represent a set of permissions on the system.", whereas JAAS and
> Shiro use the same word for:
> "Principals represent Subject identities". The code glueing WASP to Shiro
> becomes hard to read just due to that.

Yes, WASP indeed uses the word 'Principal' in a different, if not wrong way. 
Unfortunately, that is not easy to fix, because it would break all 
applications using WASP.

> I think it would be good to have an abstract class extending
> ClassAuthorizationStrategy like SwarmStrategy, except for
> isUserAuthenticated, login, logoff and hasPermissions. it could have an
> abstract method getSubject(). I did so myself in private to create a
> ShiroStrategy, copying the other methods from SwarmStrategy into the
> abstract class. That abstract class then just defers core authentication
> and authorisation to the WicketSubject implementation.

This seems like a reasonable change. I should be able to get this in a next 
release.

> I found it very confusing that SwarmStrategy.logoff(Object context) wants a
> LoginContext, with JavaDoc saying "and must be the same (or equal) to the
> logincontext used to log in.". That sounded as if the user had to enter his
> password to logout, or that one should store the loginContext in the
> session.

This part of the code of SWARM is still a mystery to me. Unfortunately, the 
only person that knew what this code is supposed to do is no longer with us. 
If you can figure out what it does, and how it can be made better, you are 
more than welcome to send me some patches and I'll have a look at it.

In our application we simply do this on logout:
return ((WaspSession) Session.get()).logoff(new EduArteLogin());

The only reason I can think of that the login context is required to logoff is 
to support multiple logins. In that case, it must be clear what login is 
logging off.

> 
> Finally I believe there is a bug in SimpleRole.add(), at least in my
> version it goes:
> public void add(Permission permission) {
>     Set<Permission> permissions = getPermissions();
>     if (permissions == null) {
>         permissions = new LinkedHashSet<Permission>();
>         setPermissions(permissions);
>     }
>     permissions.add(permission);
> }
> so there is at least a set missing in the end. Not sure which JIRA that
> would have to go into.

SimpleRole isn't part of WASP/SWARM, is it part of auth-roles? In that case, 
perhaps some Wicket developer can comment on this?

Best regards,
Emond Papegaaij