Hey,

I worked on shiro integration this weekend and it's getting better now.

The unit test now involves @RequiresPermissions and @RequiresRoles.

I wrote some reusable composites to add persistent Permissions & Roles to a
domain.
To ease things I wrote a SecureHash ValueComposite too. With this and some
other code we can provide really easy integration with good password
security. The password hashing is done according to the PKCS#5 standard
recommendations. I did not implement the whole PBKDF2 algorithm but 1000
SHA-256 iterations with a random 64-bit integer salt should be enough.

To sum up, if you want to add username/password security to an existing app,
here are the steps needed:
- use ShiroDomainAssembler to register needed composites in your domain module
- have an Entity extending RoleAssignee and SecureHashSecurable
- write a Realm extending AbstractSecureHashQi4jRealm with the following
  contract:
        SecureHashSecurable getSecureHashSecurable( String username );
        RoleAssignee getRoleAssignee( String username );
- write a RealmFactory extending AbstractSecureHashQi4jRealmFactory with the
  following contract:
        AbstractSecureHashQi4jRealm getSecureHashRealm();
- configure Shiro to use your brand new RealmFactory
- use the Shiro API to perform login/logout etc.

Done!

It's working well but as with every first try I'm sure there are some issues
lurking around. If someone with good qi4j eyes could read the code and tell
me if there's something wrong going on there, that would be nice.

The shiro project is aiming at a 1.0.0 release soon (i.e. when it's done, but
there are a few issues remaining). I hope we can push this project to a
really usable state.

I think that a complete example using qi4j-lib-shiro in a web context could be
nice too, wdyt?

Paul

On Thursday 25 February 2010 21:36:12, Paul Merlin wrote:
> Hey,
> 
> After struggling with Shiro CredentialMatchers I finally managed to write a
> complete unit test for qi4j-lib-shiro that uses a custom Realm loading user
> Principals and Credentials from Entities.
> 
> For now it tests only the RequiresUserConcern but shows nicely how the
> Shiro/Qi4j integration is done.
> 
> I added the apache snapshots repository to the project's pom so that
> running the test is just a matter of issuing mvn test.
> 
> That was the first step towards some documentation.
> 
> See UsernamePasswordTest in qi4j-sandbox/libraries/shiro.
> 
> Paul
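
The password hashing described in the message, as an added example in Java that is not code from qi4j-lib-shiro: a salted SHA-256 iterated 1000 times with a random 64-bit salt, next to the full PBKDF2 that ships in the JDK. The class and method names are hypothetical, and the way salt and password are combined is an assumption, since the message does not give it.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SecureHashSketch {
    static final int ITERATIONS = 1000; // iteration count stated in the message

    // Assumed construction: h0 = SHA-256(salt || password), h(i+1) = SHA-256(h(i)).
    static byte[] iteratedSha256(String password, long salt, int iterations) throws GeneralSecurityException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update(ByteBuffer.allocate(Long.BYTES).putLong(salt).array());
        byte[] hash = sha256.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            hash = sha256.digest(hash); // digest() resets the instance after each call
        }
        return hash;
    }

    // Full PBKDF2 (PKCS#5 v2) with HMAC-SHA-256, available in the JDK since Java 8.
    static byte[] pbkdf2(char[] password, long salt, int iterations) throws GeneralSecurityException {
        byte[] saltBytes = ByteBuffer.allocate(Long.BYTES).putLong(salt).array();
        PBEKeySpec spec = new PBEKeySpec(password, saltBytes, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the password copy held by the spec
        }
    }

    // Constant-time comparison of a stored hash with a recomputed one.
    static boolean matches(byte[] stored, byte[] candidate) {
        return MessageDigest.isEqual(stored, candidate);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        long salt = new SecureRandom().nextLong(); // random 64-bit salt, stored beside the hash
        String password = "correct horse";         // constructed sample value
        byte[] stored = iteratedSha256(password, salt, ITERATIONS);
        System.out.println(matches(stored, iteratedSha256(password, salt, ITERATIONS)));      // same password
        System.out.println(matches(stored, iteratedSha256("wrong guess", salt, ITERATIONS))); // other password
        byte[] kdf = pbkdf2(password.toCharArray(), salt, ITERATIONS);
        System.out.println(matches(kdf, pbkdf2(password.toCharArray(), salt, ITERATIONS)));   // PBKDF2 round trip
    }
}
```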



_______________________________________________
qi4j-dev mailing list
[email protected]
http://lists.ops4j.org/mailman/listinfo/qi4j-dev