[
https://issues.apache.org/jira/browse/SHIRO-160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12867769#action_12867769
]
Bryan Turner commented on SHIRO-160:
------------------------------------
Dave,
I assume this is a Java-side integration, but I'm curious if there is a
secondary framework (GraniteDS, BlazeDS, LiveCycle) which is associated
with/bound to it. Rather than coding intimate knowledge of the AMF wire
protocol into Shiro, where it will then have to be maintained, I wonder if it
might not make better sense to spin up 1 or more support modules which rely on
Granite or Blaze to handle AMF. For example, Granite offers a SecurityService
interface which can be used to directly integrate a specific security
implementation (a Spring Security integration is provided out of the box).
My project, on which I'm advocating to the other developers the use of Shiro
rather than our hand-rolled security underpinnings, is using GraniteDS as our
Java-side AMF provider. Rather than having 2 things in the system that know how
to do AMF deserialization, I'd prefer there only be one. Additionally,
something further up the filter chain than the Granite AMFMessageFilter which
reads the input stream and deserializes can potentially cause issues further
down and, even if not, it's still double work since the AMFMessageFilter is
also going to deserialize the object graph.
I only comment because I'm highly interested in an integration like this. It
could help function as a point in support of using Shiro for Java-side
authentication in our Flex application.
> Flex integration with Shiro
> ---------------------------
>
> Key: SHIRO-160
> URL: https://issues.apache.org/jira/browse/SHIRO-160
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Authorization (access control)
> Affects Versions: Incubation
> Reporter: david e. berry
>
> Commiters,
> I have created the following classes that I used to integrate Shiro with Flex
> AMF. I would like to contribute them to the shiro. Please let me know if
> there is interest and the procedure for doing so. I have included the class
> names with a brief description of what they do. They are currently outside of
> the Shiro code base that I checked out, but I could combine them if
> interested.
> Best Regards,
> Dave
> /* Authentication and Authorization need to let AMF Ping, Login, Logout
> messages pass through
> without processing. They call FlexMessageHelper to introspect the binary
> message to see if it is allowed to pass.
> If not, normal Authentication, and Authorization takes place.
> */
> public class FlexAuthenticationFilter extends AuthenticationFilter;
> public class FlexPermissionsAuthorizationFilter extends
> PermissionsAuthorizationFilter;
> public class FlexRolesAuthorizationFilter extends RolesAuthorizationFilter;
> /*Helper methods for introspecting the contents of the amf message. It is
> conceivable that a security handler
> might need to introspect the contents of a request. It would be nice if Shiro
> wrapped the request automatically so that anyone can read the contents without
> causing an end of stream error for a filter down the line.
> Message helper deserializes the AMF message and checks to see if it is a
> PING, LOGON, or LOGOUT request.
> */
> public class FlexHttpServletRequestWrapper extends HttpServletRequestWrapper;
> public class FlexMessageHelper;
> /* Custom Flex Login command that calls Subject.login returns a Principal
> back to Flex.
> */
> public class FlexLoginCommand implements LoginCommand;
> public class FlexPrincipal implements Principal;
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
