Hi Jeroen,

Had a quick look at Shiro ... yes, seems to fit the bill. It has an API so that Isis can call into it, and it has an SPI (realms) to provide the actual authentication/authorization data from various data sources as need be.

Could you raise an Isis JIRA ticket to track this? If you want to get a head start on the implementation, you could hack away in the isis-extras site [1]. There's nothing there as of yet, but it's a good staging ground for stuff that hasn't gone through the whole ICLA legal stuff [2]. At any rate, I've added your email as a committer.

Cheers
Dan

[1] http://code.google.com/a/apache-extras.org/p/isis-extras/
[2] http://www.apache.org/licenses/icla.txt

On 16 June 2012 22:51, Jeroen van der Wal <[email protected]> wrote:

> Would it be feasible to integrate Apache Shiro [1] into Isis? A lot of
> frameworks use it to handle authentication, authorization and session
> management. It supports LDAP, JDBC and ActiveDirectory out-of-the-box
> and from what I've seen it shouldn't be hard to make it use domain
> objects too.
>
> In the project I'm currently working on we have a future desire to
> hook up ActiveDirectory with Isis. I don't expect to be working on
> this in the next 6 months but if more people share this idea we might
> be able to give it some thrust.
>
> Cheers,
>
> Jeroen
>
> [1] http://shiro.apache.org/index.html
>
> On Mon, Jun 11, 2012 at 2:09 PM, Dan Haywood <[email protected]> wrote:
>
> > On 11 June 2012 12:58, Kevin Meyer - KMZ <[email protected]> wrote:
> >
> > > > Thanks Kevin, it is working now. Is there anything on sql based
> > > > authorization?
> > >
> > > Errrmm... good question.
> > >
> > > I think I once toyed with a proto sql authorization that was a
> > > more-or-less direct copy of the file based one, just that it
> > > fetched data from a table.. but I don't recall if I committed it.
> >
> > There does seem to be a SqlAuthorizationManagerInstaller, however the
> > implementation of SqlAuthorizer appears to be a no-op.
> >
> > > My issue is that I never had a UI to edit the roles - so all the
> > > back-end stuff (adding roles, methods, etc) had to be managed via
> > > another tool (e.g. phpMyAdmin!).
> >
> > The big project over in Ireland has the roles/permissions stuff as
> > domain objects, so you get the UI for free ;-) !
> >
> > Basically, the Authorizor implementation would connect directly (via
> > JDBC or equiv) to the underlying tables to which the domain objects
> > are persisted.
> >
> > As a good practice, probably worth defining some SQL views to create
> > a level of decoupling.
> >
> > > And don't ask about auto-learning!
> >
> > This would require the Authorizor impl to automatically insert rows
> > into the domain object tables ... not sure if that's a good idea
> > myself, either.
> >
> > I don't think you'll find it particularly difficult to write an
> > implementation... with a following wind you could probably get
> > something workable in an afternoon.
> >
> > Dan
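
Added example, not part of the original thread and not Isis code: a sketch of the view-backed authorizer discussed in the quoted messages, written in Python with an in-memory SQLite database standing in for the Java Authorizor and its JDBC connection. The table, view, column and class names are all hypothetical; the checker only reads the view and denies anything that has no matching row.

```python
import sqlite3

# Hypothetical schema: the tables the role/permission domain objects persist to,
# plus a view that is the only object the authorizer reads.
SCHEMA = """
CREATE TABLE app_role (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE app_permission (
    role_id  INTEGER NOT NULL REFERENCES app_role(id),
    member   TEXT    NOT NULL,            -- e.g. 'Customer#placeOrder'
    can_view INTEGER NOT NULL DEFAULT 0,
    can_use  INTEGER NOT NULL DEFAULT 0
);
CREATE VIEW authz_role_member AS
    SELECT r.name AS role_name, p.member, p.can_view AS visible, p.can_use AS usable
    FROM app_role r JOIN app_permission p ON p.role_id = r.id;
"""

class ViewBackedAuthorizer:
    """Read-only checks against the view; anything without a row is denied."""

    def __init__(self, conn):
        self._conn = conn

    def _allowed(self, roles, member, column):
        if column not in ("visible", "usable"):  # fixed names only, never user input
            raise ValueError(column)
        if not roles:
            return False
        marks = ",".join("?" for _ in roles)  # one bound parameter per role
        row = self._conn.execute(
            f"SELECT MAX({column}) FROM authz_role_member "
            f"WHERE member = ? AND role_name IN ({marks})",
            [member, *roles],
        ).fetchone()
        return bool(row[0])  # MAX over zero rows is NULL -> None -> denied

    def is_visible(self, roles, member):
        return self._allowed(roles, member, "visible")

    def is_usable(self, roles, member):
        return self._allowed(roles, member, "usable")

def build_demo():
    """Constructed sample data: 'clerk' may view but not invoke placeOrder."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO app_role VALUES (?, ?)", [(1, "clerk"), (2, "manager")])
    conn.executemany("INSERT INTO app_permission VALUES (?, ?, ?, ?)",
                     [(1, "Customer#placeOrder", 1, 0), (2, "Customer#placeOrder", 1, 1)])
    return ViewBackedAuthorizer(conn)
```

Because the checker depends only on the view's column names, the domain object tables can be reshaped by redefining the view, and the database account it uses needs no more than SELECT on that view.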
