On 2010-02-07 00.45, Paul MERLIN wrote:
> Just to keep you informed, I pushed qi4j-lib-shiro into the sandbox. It is a start of
> the integration of Apache Shiro [1] with Qi4j.
> For now, it contains only the following annotations and their Concerns:
> - RequiresGuest
> - RequiresUser
> - RequiresAuthentication
> - RequiresRoles
> - RequiresPermissions
> I implemented Concerns both separately and in a single one named
> SecurityConcern.
> The separate Concerns are marked as deprecated and I will remove them when
> QI-241 is resolved.
> No hurry, everything is working fine : )
> The library depends on shiro-core-1.0-incubating-SNAPSHOT so cannot be
> considered stable.
> I'm using it within a Qi4j-powered webapp, and it's doing what I need.
I had a look at Shiro, and it looks quite interesting. Good that someone
is taking on this important problem.
I have some concerns regarding the above, which are more general
thoughts on RBAC.
Typically you will never want to couple code to application specifics
such as users (RequiresUser above) and roles (RequiresRoles above). It
is much better if you can create any user which can use any
application-defined role, which then implies application-specific (and
hardcoded) permissions. So you might have "rickard" user, with an
application-defined (i.e. defined by USER of the app, not the developer)
role "administrator", which implies the "user administration"
permission. Then you can check for "user administration" permission.
Don't check for "rickard", and don't check for "administrator".
So I personally would remove the RequiresUser and RequiresRoles above,
and stick with the guest/authentication/permissions annotations.
Let us know how it is progressing!
/Rickard
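The user / role / permission indirection Rickard describes, as an added example that is not part of the thread, of qi4j-lib-shiro, or of Shiro itself. Users and roles are data an administrator edits at runtime; only the permission strings are fixed in code. The wildcard permission syntax ("domain:action:instance", "*" matching anything, omitted trailing parts implied) is modelled on Shiro's WildcardPermission convention, but the matcher, the `Realm` class and all names and sample data below are constructed for this illustration.

```python
"""Constructed RBAC example: guard code with permissions, never with user
or role names.  Roles are named by the application's own users, so a
role-coupled check breaks the moment an administrator renames a role."""
from dataclasses import dataclass, field

# Permission strings are the only security vocabulary the code hardcodes.
PERM_USER_ADMIN = "user:administer"
PERM_USER_READ = "user:read"


class PermissionDenied(Exception):
    pass


def implies(granted: str, requested: str) -> bool:
    """Does the granted wildcard permission cover the requested one?

    Colon-separated parts, each a comma-separated list or "*".  A grant with
    fewer parts implies any trailing parts ("user" implies "user:administer");
    a grant with *more* parts implies a shorter request only if its extra
    parts are all "*" ("user:read:123" does not imply "user:read").
    """
    g_parts = [set(p.split(",")) for p in granted.split(":")]
    r_parts = [set(p.split(",")) for p in requested.split(":")]
    for i, req in enumerate(r_parts):
        if i >= len(g_parts):
            return True
        g = g_parts[i]
        if "*" not in g and not req <= g:
            return False
    return all("*" in g for g in g_parts[len(r_parts):])


@dataclass
class Realm:
    """In-memory stand-in for an authorization store (constructed data)."""
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def is_permitted(self, user: str, permission: str) -> bool:
        return any(
            implies(granted, permission)
            for role in self.user_roles.get(user, set())
            for granted in self.role_permissions.get(role, set())
        )

    def has_role(self, user: str, role: str) -> bool:
        return role in self.user_roles.get(user, set())

    def check_permission(self, user: str, permission: str) -> None:
        if not self.is_permitted(user, permission):
            raise PermissionDenied(f"{user!r} lacks {permission!r}")


def disable_account(realm: Realm, actor: str, target: str) -> str:
    """Recommended style: the guard names a permission, not a user or role."""
    realm.check_permission(actor, PERM_USER_ADMIN)
    realm.user_roles[target] = set()
    return f"{target} disabled by {actor}"


def disable_account_role_coupled(realm: Realm, actor: str, target: str) -> str:
    """Anti-pattern from the thread: coupled to a role name users may change."""
    if not realm.has_role(actor, "administrator"):
        raise PermissionDenied(f"{actor!r} is not an administrator")
    realm.user_roles[target] = set()
    return f"{target} disabled by {actor}"


def demo() -> dict:
    # Constructed users and roles; an administrator could edit all of this.
    realm = Realm(
        role_permissions={"administrator": {"user:*"}, "auditor": {PERM_USER_READ}},
        user_roles={"rickard": {"administrator"}, "paul": {"auditor"}, "eve": set()},
    )
    out = {"admin_ok": disable_account(realm, "rickard", "eve")}
    try:
        disable_account(realm, "paul", "eve")
        out["auditor_blocked"] = False
    except PermissionDenied:
        out["auditor_blocked"] = True
    # The app's administrator renames the role at runtime; no code changes.
    realm.role_permissions["sysop"] = realm.role_permissions.pop("administrator")
    realm.user_roles["rickard"] = {"sysop"}
    out["permission_check_after_rename"] = disable_account(realm, "rickard", "eve")
    try:
        disable_account_role_coupled(realm, "rickard", "eve")
        out["role_check_broken_after_rename"] = False
    except PermissionDenied:
        out["role_check_broken_after_rename"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the permission-guarded operation surviving the role rename while the role-coupled version starts denying a legitimate administrator; the same reasoning applies to `RequiresUser`-style checks against a specific account name.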
_______________________________________________
qi4j-dev mailing list
[email protected]
http://lists.ops4j.org/mailman/listinfo/qi4j-dev