[ https://issues.apache.org/jira/browse/AURORA-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14111153#comment-14111153 ]
Kevin Sweeney commented on AURORA-351:
--------------------------------------
I looked at integrating this yesterday and I like a lot of the features it has,
specifically its permissions model and automatic mapping to REST endpoints. I
can send a proposal to dev@ later but here are some notes:
Advantages:
- Guice integration, either via AOP and @RequiresPermission/@RequiresRole
annotations or a set of servlet filters and a straightforward ini configuration.
- A simple permission syntax. Permissions for REST resources can be
auto-generated via the REST resource name. For example {{GET /maintenance}}
would require {{maintenance:read}} and {{POST /maintenance}} would require
{{maintenance:create}}.
- Built-in filters for POST formdata authentication and HTTP basic auth
- Built-in support for flat-file and LDAP realms (using JNDI)
- Possible to support "complex" workflows, such as authenticate via SPNEGO,
then authorization via information in LDAP.
Potential roadblocks:
- ShiroWebModule needs a handle to the ServletContext in its constructor - this
is currently hidden from us in Twitter's HttpServerDispatch module.
- Shiro provides 2 HTTP authentication filters out of the box - form auth and
basic auth. We'd need to write some glue for SPNEGO authentication if we want
to use that.
- We probably won't need Shiro's Remember Me or Session management features.
> Consider using Apache Shiro for scheduler Authentication and Authorization
> --------------------------------------------------------------------------
>
> Key: AURORA-351
> URL: https://issues.apache.org/jira/browse/AURORA-351
> Project: Aurora
> Issue Type: Story
> Components: Scheduler, Security
> Reporter: Kevin Sweeney
> Assignee: Kevin Sweeney
>
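The permission mapping described in the comment above, as an added example that is not part of the original message and is not Aurora or Shiro code. It uses Shiro's `WildcardPermission` (requires shiro-core on the classpath); the class name `RestPermissionDemo`, the rule that the first path segment is the resource name, the `PUT`/`DELETE` mappings and the sample grants are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class RestPermissionDemo {
    // GET -> read and POST -> create come from the comment; PUT and DELETE are assumed.
    static final Map<String, String> ACTIONS = Map.of(
        "GET", "read", "POST", "create", "PUT", "update", "DELETE", "delete");

    // Resource names are restricted so that ':', ',' and '*' taken from a request
    // path can never change the meaning of the generated permission string.
    static final Pattern SAFE_NAME = Pattern.compile("[a-z0-9_-]+");

    // Maps a request to the permission it requires, e.g. GET /maintenance -> maintenance:read.
    static Permission required(String method, String path) {
        String action = ACTIONS.get(method.toUpperCase(Locale.ROOT));
        if (action == null) { // fail closed on methods with no mapping
            throw new IllegalArgumentException("no action mapped for method " + method);
        }
        String resource = path.replaceAll("^/+", "").split("/")[0];
        if (!SAFE_NAME.matcher(resource).matches()) {
            throw new IllegalArgumentException("unsafe resource name in path " + path);
        }
        return new WildcardPermission(resource + ":" + action);
    }

    // A request is allowed only if some granted permission implies the required one.
    static boolean permitted(List<Permission> granted, String method, String path) {
        Permission needed = required(method, path);
        return granted.stream().anyMatch(g -> g.implies(needed));
    }

    public static void main(String[] args) {
        // Constructed grants: an operator who may only read, an admin with every action.
        List<Permission> operator = List.of(new WildcardPermission("maintenance:read"));
        List<Permission> admin = List.of(new WildcardPermission("maintenance:*"));
        String[][] requests = {{"GET", "/maintenance"}, {"POST", "/maintenance"}};
        for (String[] r : requests) {
            System.out.printf("%s %s operator=%b admin=%b%n", r[0], r[1],
                permitted(operator, r[0], r[1]), permitted(admin, r[0], r[1]));
        }
    }
}
```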