Hi,
 
We have software components that are essentially web services
accompanied by administrative web apps. These components can be deployed
in a variety of software environments with different authentication
methods. SSO is paramount, while compatibility with SAML 2.0 and the WS-*
stack is highly desirable but not necessary in all configurations (i.e.
it depends on the project). In some configurations it would be enough to
use Active Directory and Kerberos. Software platform-wise it's mostly
Java, i.e. J2EE servlet web apps, EJBs, though there are also Flash
clients as well as .NET desktop apps. SSO has to apply equally across
all of these technologies.
 
I am assessing the potential for use of Shiro in this context. My
understanding is that Shiro supports neither SAML nor WS-*. However, I
wonder if Shiro could be extended to support these perhaps through some
kind of bindings to frameworks that do support them (e.g. Shibboleth)?
If so, I'd use Shiro in its current form for simpler use cases where
Kerberos is sufficient and rely on the integration with SAML/WS-*
frameworks when the respective functionalities are needed. Is this
feasible?
 
Also, I would need an abstraction layer for authentication &
authorization within the web services implementation to deal with the
enforcement of fine-grained access control and similar. Is JAAS the best
option here or can Shiro fill in this spot too? The idea is that this
layer wouldn't change regardless of whether externally we use SAML,
WS-*, Kerberos with LDAP (user roles potentially defined as attributes),
or something else.
 
Thanks
Alex
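As an added example (not part of Alex's message, and not code from the Shiro project itself), here is how the "layer that doesn't change regardless of SAML, WS-* or Kerberos" asked about above can be expressed with Shiro's Realm and Subject abstractions: a custom Realm accepts an already-verified principal plus attributes from whatever SSO front end is deployed (a SAML SP filter, a SPNEGO/Kerberos filter, ...), maps group attributes to application roles and permissions, and the web-service code only ever calls `subject.checkPermission(...)`. The `memberOf` attribute name, the group DNs, the role names and the `orders:*` permission strings are assumptions made for the example; the Shiro classes used are the real ones from shiro-core.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Token built by the trusted SSO front end (SAML SP filter, SPNEGO filter, ...)
 *  after it has verified the user. Only that front end may construct it. */
final class PreAuthenticatedToken implements AuthenticationToken {
    private final String principal;
    private final Map<String, Set<String>> attributes; // e.g. SAML attributes or AD groups

    PreAuthenticatedToken(String principal, Map<String, Set<String>> attributes) {
        this.principal = principal;
        this.attributes = attributes;
    }
    @Override public Object getPrincipal() { return principal; }
    @Override public Object getCredentials() { return null; } // already verified upstream
    Map<String, Set<String>> getAttributes() { return attributes; }
}

/** Realm that trusts PreAuthenticatedToken and derives roles/permissions from its attributes.
 *  The attribute name "memberOf" and the group DNs below are assumptions for this example. */
final class PreAuthenticatedRealm extends AuthorizingRealm {
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("CN=svc-admins,OU=Groups,DC=example,DC=com", "admin");
        GROUP_TO_ROLE.put("CN=svc-users,OU=Groups,DC=example,DC=com", "user");
    }
    // Attributes kept per principal so doGetAuthorizationInfo can consult them later.
    private final Map<String, Map<String, Set<String>>> attributeStore =
            new HashMap<String, Map<String, Set<String>>>();

    PreAuthenticatedRealm() {
        // No credentials to compare: the front end did the real check. Without this,
        // the default SimpleCredentialsMatcher would fail on the null credentials.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override public boolean supports(AuthenticationToken token) {
        return token instanceof PreAuthenticatedToken;
    }

    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        PreAuthenticatedToken t = (PreAuthenticatedToken) token;
        String user = (String) t.getPrincipal();
        if (user == null || user.isEmpty()) {
            throw new AuthenticationException("SSO front end supplied no principal");
        }
        attributeStore.put(user, t.getAttributes());
        return new SimpleAuthenticationInfo(user, null, getName());
    }

    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal();
        Map<String, Set<String>> attrs = attributeStore.get(user);
        Set<String> groups = attrs == null ? Collections.<String>emptySet()
                : attrs.containsKey("memberOf") ? attrs.get("memberOf") : Collections.<String>emptySet();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String group : groups) {
            String role = GROUP_TO_ROLE.get(group);
            if (role != null) info.addRole(role);
        }
        // Fine-grained permissions in Shiro's "domain:action" wildcard syntax (assumed names).
        if (info.getRoles().contains("admin")) info.addStringPermission("orders:*");
        if (info.getRoles().contains("user"))  info.addStringPermission("orders:read");
        return info;
    }
}

public class ShiroSsoExample {
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new PreAuthenticatedRealm()));
        Subject subject = SecurityUtils.getSubject();

        // Constructed attributes, as a SAML assertion or an AD lookup might provide them.
        Map<String, Set<String>> attrs = new HashMap<String, Set<String>>();
        attrs.put("memberOf", new HashSet<String>(
                Arrays.asList("CN=svc-users,OU=Groups,DC=example,DC=com")));
        subject.login(new PreAuthenticatedToken("alex", attrs));

        // The service layer only ever asks these questions, whatever the SSO mechanism was.
        subject.checkPermission("orders:read");   // passes for role "user"
        subject.checkPermission("orders:delete"); // throws AuthorizationException
    }
}
```

The security point that makes this safe is who may build a `PreAuthenticatedToken`: it must be constructed only by the filter that actually validated the SAML assertion or Kerberos ticket, never from a user-controlled header or request parameter, otherwise the realm becomes an authentication bypass. Swapping SAML for Kerberos/LDAP then means replacing that front-end filter (and the attribute-to-role mapping) while the `checkPermission` calls in the web services stay untouched.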