> On May 1, 2016, at 5:08 PM, Ioan Eugen Stan <[email protected]> wrote:
>
> I am working on a SaaS project and of course we need proper security.
> Right now we are using our built in solution but I know in the future we
> will need more features and a better tool. As far as I have read Fortress
> fits the bill.
>
> However we use vertx.io and spring for networking and don't use Servlets or
> JavaEE. Can I use Fortress to manage Identities?
>
Hello Stan, welcome! Fortress does not depend on servlets, spring or any other javaEE technologies.

> On May 1, 2016, at 5:08 PM, Ioan Eugen Stan <[email protected]> wrote:
>
> How would I go about doing it?

You can either invoke the apis directly (if your app is Java) or call the rest APIs, if on some other platform. Typically when we’re securing apps, we look at these apis:

1. createSession
2. checkAccess

If your app is a web or gui and you have lots of permissions to check per page, you might use this api:

3. sessionPermissions

which pulls all perms for that user and allows you to cache them for faster response times.

How you code is up to you. Typically I favor declarative security, which means the programmer doesn’t have to worry about calling apis in their code; rather, the ‘container’ the app runs in calls the apis for them. This is where technologies like Java EE or spring security come in.

There are some samples out there that show ways to invoke the apis. The simplest one is here:

https://github.com/shawnmckinney/wicket-sample

While this code sample uses Java EE security, again it isn’t required. Take a look at the pages, Page1, Page2, Page3. Here there is a wrapper for the wicket ajax button that calls the apis before it renders to the page, or allows the user to click on them.

You can also look at this coding sample which shows you how to invoke the apis I mentioned above:

https://github.com/apache/directory-fortress-core/blob/master/src/test/java/org/apache/directory/fortress/core/samples/AccessMgrSample.java

The main thing to keep in mind: you call createSession in the beginning (at the same time the user authenticates), and hold onto the transient ‘session’ object that is returned because it’s needed for authZ (checkAccess, sessionPermissions). It can get more complicated than that, but for starters, this is close enough.

Good luck!

Shawn
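
The flow described in the reply above, sketched as an added example that is not part of the original message or of the Fortress project: createSession at login, the returned Session held server-side, checkAccess per request, and sessionPermissions cached for rendering decisions. Assumptions: Fortress core 2.x on the classpath (where `User` takes a `String` password; 1.x used `char[]`), a directory already configured through `fortress.properties`, and the `FortressGuard` class and its token scheme, which are hypothetical.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException; // takes precedence over java.lang.SecurityException
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;

// Hypothetical helper (not part of Fortress); callable from any request handler, no servlet container needed.
public class FortressGuard {
    private final AccessMgr accessMgr;
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> permCache = new ConcurrentHashMap<>();
    public FortressGuard() throws SecurityException { accessMgr = AccessMgrFactory.createInstance(); }

    // Authenticate and create the RBAC session in one step; fail closed on any error.
    public Optional<String> login(String userId, String password) {
        try {
            Session session = accessMgr.createSession(new User(userId, password), false);
            Set<String> perms = accessMgr.sessionPermissions(session).stream()
                .map(p -> p.getObjName() + ":" + p.getOpName()).collect(Collectors.toSet());
            String token = UUID.randomUUID().toString(); // assumed opaque app-side handle
            sessions.put(token, session);
            permCache.put(token, perms);
            return Optional.of(token);
        } catch (SecurityException e) {
            return Optional.empty();
        }
    }

    // Authoritative decision: ask Fortress with the held Session; deny if unknown or on error.
    public boolean isAllowed(String token, String objName, String opName) {
        Session session = sessions.get(token);
        if (session == null) return false;
        try { return accessMgr.checkAccess(session, new Permission(objName, opName)); }
        catch (SecurityException e) { return false; }
    }

    // Fast UI hint from the cached snapshot (for example, whether to show a button).
    public boolean canRender(String token, String objName, String opName) {
        return permCache.getOrDefault(token, Collections.emptySet()).contains(objName + ":" + opName);
    }
}
```

The cached set is a snapshot taken at login, so `canRender` is only suited to display decisions; `isAllowed` is the call to make before performing the protected operation.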
