Hi Martin,

I just added this:
http://cwiki.apache.org/confluence/display/SHIRO/Web

Cheers,

Les

2010/2/1 Martin Asenov <[email protected]>:
> Les, I'm going through the sample hibernate-spring app and I can't see where
> the sampleRealm class is referenced, since it's everything I need. I need to
> set such realm in my webapp, so I want to ask where do I do so? in web.xml,
> or somewhere else?
>
> Thanks,
> Martin
>
> -----Original Message-----
> From: Martin Asenov [mailto:[email protected]]
> Sent: Monday, February 01, 2010 10:20 AM
> To: [email protected]
> Subject: RE: Some info needed regarding authentication config with JPA and
> JSecurity
>
> Thanks, Les!
>
> Now I think I've got the basics on how to implement SHIRO on my webapp.
> And remember that the only thing to fear is running out of beer ;)
>
> Cheers,
> Martin
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Les Hazlewood
> Sent: Thursday, January 28, 2010 5:01 PM
> To: [email protected]
> Subject: Re: Some info needed regarding authentication config with JPA and
> JSecurity
>
> Hi Martin,
>
> Have you looked at the Shiro Spring/Hibernate sample application? It
> shows how authentication and authorization occur with Shiro when using
> Hibernate, but trivial substitutions can be made for JPA.
>
>> Well I wasn't talking only about page instantiation permissions, but
>> metadataroleauthorizationstrategy permissions, also creating my own
>> UserContext object, which is session specific (which tells me about roles,
>> usernames), etc. etc.
>
> Shiro already handles this for you, but does it in a much more
> efficient manner by using an authorization cache that you can
> configure. Session objects should be kept as lightweight as possible,
> typically only storing pointers to get to the data you need (user IDs,
> usernames, etc).
>
>> I'm wondering if SHIRO is the most convenient framework for usage in my
>> case. I've already done authz in Wicket manner, so it's a lot of work to
>> convert it into a SHIRO one. Just can't think of an alternative.
>
> Yep, you can use Shiro for only authentication if you want -
> authorization and authentication are orthogonal and have no dependency
> on each other so you can use one or both depending on your needs.
>
>> I'm using JPA persistency layer for obtaining User objects and I still don't
>> know how to import this in my webapp for authc. Wonder if I could write
>> myself some authc module...
>
> Yep, check out the Spring/Hibernate sample app - you'll see that it is
> mostly finished already :)
>
> Cheers,
>
> Les
>
>>
>> What do you say?
>>
>> BR,
>> Martin
>>
>> -----Original Message-----
>> From: Tauren Mills [mailto:[email protected]]
>> Sent: Tuesday, January 26, 2010 11:53 AM
>> To: [email protected]
>> Subject: Re: Some info needed regarding authentication config with JPA and
>> JSecurity
>>
>> When you say "use wicket for authorization", what exactly do you mean? What
>> I'm envisioning is you hard-coding lots of permissions logic into your
>> pages. If you have shiro's authentication already going, it isn't hard to
>> add the authorization as well.
>>
>> Using the wicket-shiro project, you can add something like this to the top
>> of your page and only authenticated users will be able to access that page:
>>
>> @ShiroSecurityConstraint(
>>     constraint = ShiroConstraint.HasRole,
>>     value = "member",
>>     loginMessage = "You must be member to view this page",
>>     unauthorizedMessage = "You need to be a member"
>> )
>> public abstract class SiteBasePage<T> extends BasePage<T> implements IAjaxIndicatorAware {
>>     ...
>> }
>>
>> If I was in your shoes, I'd start with the wicket-shiro examples. Just
>> check them out, use maven to build, and then run them. They should run
>> without any hassles and show you what it can do as far as authc goes. There
>> isn't a whole lot in the samples in regards to authz, which is why I posted
>> that tutorial.
>>
>> Hope this helps!
>> Tauren
>>
>> On Tue, Jan 26, 2010 at 1:46 AM, Martin Asenov <[email protected]> wrote:
>>
>>> Great, Tauren, thx for the article! However, I'm planning to rely on wicket
>>> for authorization, and only do authentication through jSecurity. I guess I
>>> could use the very first snippet of code in your article? Do you encourage
>>> me to do so? :)
>>>
>>> Thank you,
>>> Martin
>>>
>>> -----Original Message-----
>>> From: Tauren Mills [mailto:[email protected]]
>>> Sent: Tuesday, January 26, 2010 11:33 AM
>>> To: [email protected]
>>> Subject: Re: Some info needed regarding authentication config with JPA and
>>> JSecurity
>>>
>>> Martin,
>>>
>>> I started to write a long response to you, but decided it made a better
>>> blog post. So I just posted a tutorial on using Shiro with Wicket. It
>>> includes code samples for doing dynamic permissions-based authorization as
>>> well. You might want to take a look at it:
>>> http://blog.tauren.com/2010/01/using-wicket-with-shiro-for.html
>>>
>>> I'm still using blogger, so the code snippets are not formatted well at
>>> all. Sorry, I know I really need to take some time to change...
>>>
>>> Tauren
>>>
>>> On Mon, Jan 25, 2010 at 11:50 PM, Martin Asenov <[email protected]> wrote:
>>>
>>> > Hello, Les! :)
>>> >
>>> > As I said I've got a wicket webapp, which stores objects in session. But
>>> > it complains about the JSecurity objects, since they are not serializable.
>>> >
>>> > I'm thinking of authenticating through JSecurity and authorizing through
>>> > Wicket.
>>> > I just want to create an authenticated realm with JSecurity and somehow
>>> > avoid the serialization issues with Wicket.
>>> >
>>> > Can someone tell me what's the most safe and easy method to achieve that,
>>> > since I don't need any super-hyper security restrictions and checks...
>>> > Using AuthorizingRealm only?
>>> >
>>> > Thanks in advance!
>>> >
>>> > Regards,
>>> > Martin
>>> >
>>> > -----Original Message-----
>>> > From: [email protected] [mailto:[email protected]] On
>>> > Behalf Of Les Hazlewood
>>> > Sent: Thursday, January 07, 2010 4:44 PM
>>> > To: [email protected]
>>> > Subject: Re: Some info needed regarding authentication config with JPA
>>> > and JSecurity
>>> >
>>> > If you're doing authentication only, then yes, you can subclass
>>> > AuthenticatingRealm.
>>> >
>>> > However, it is usually better to subclass AuthorizingRealm so you only
>>> > have 2 methods to implement: doGetAuthenticationInfo and
>>> > doGetAuthorizationInfo. Then you'll have everything you need for both
>>> > authentication and authorization in very short order.
>>> >
>>> > You would only need to override any of the Authorizer methods on your
>>> > Realm implementation if you want more control over how an access check
>>> > happens beyond what the SimpleAuthorizationInfo class can do (an
>>> > instance of which is usually returned from the doGetAuthorizationInfo
>>> > method).
>>> >
>>> > Cheers,
>>> >
>>> > Les
>>> >
>>> > On Thu, Jan 7, 2010 at 7:13 AM, Martin Asenov <[email protected]> wrote:
>>> > > Hello, everyone.. I need to implement
>>> > > authentication module in my webapp and I want to use JSecurity, but I
>>> > > can't figure out how to connect the authc process with my JPA module I
>>> > > use for accessing user details (i.e. username, password, roles, etc..).
>>> > > Suppose I have to set AuthenticatingRealm to my SecurityManager and
>>> > > implement all these methods, inherited from Authorizer interface, but
>>> > > since I'll do authr in my Wicket app, I suppose I just need to implement
>>> > > the 'doGetAuthenticationInfo(AuthenticationToken token)' method with the
>>> > > means of the JPA implementation I have. Am I right? :)
>>> > >
>>> > > Thank you in advance for your time! :)
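
The realm described in the quoted January 7 reply (subclass AuthorizingRealm and implement its two methods), sketched over JPA as an added example; it is not code from this thread or from the Shiro sample application. It assumes Shiro 1.2+ package names and the javax.persistence API; the AppUser entity, its fields and the JPQL query are hypothetical.

```java
import java.util.*;
import javax.persistence.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical JPA entity; the field names are assumptions for this example.
@Entity
class AppUser {
    @Id String username;
    String passwordHash;   // hash written by Shiro's PasswordService, never plaintext
    @ElementCollection(fetch = FetchType.EAGER) Set<String> roles;
}

public class JpaRealm extends AuthorizingRealm {
    private final EntityManagerFactory emf;

    public JpaRealm(EntityManagerFactory emf) {
        this.emf = emf;
        // Submitted passwords are checked against the stored hash by the matcher.
        setCredentialsMatcher(new PasswordMatcher());
    }

    private AppUser find(String username) {
        EntityManager em = emf.createEntityManager();
        try {
            // Bound parameter: the username is never concatenated into the JPQL.
            List<AppUser> hits = em.createQuery(
                    "SELECT u FROM AppUser u WHERE u.username = :name", AppUser.class)
                .setParameter("name", username).getResultList();
            return hits.isEmpty() ? null : hits.get(0);
        } finally { em.close(); }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        AppUser user = find(((UsernamePasswordToken) token).getUsername());
        if (user == null) throw new UnknownAccountException("no such account");
        // The principal is the username only: a small Serializable value, so no
        // JPA-managed object ends up in the web session.
        return new SimpleAuthenticationInfo(user.username, user.passwordHash, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        AppUser user = find((String) principals.getPrimaryPrincipal());
        // An account that no longer exists gets no roles, so role checks fail closed.
        return user == null ? new SimpleAuthorizationInfo() : new SimpleAuthorizationInfo(user.roles);
    }
}
```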
