Hi Alex,

> I am assessing the potential for use of Shiro in this context. My
> understanding is that Shiro supports neither SAML nor WS-*. However, I
> wonder if Shiro could be extended to support these perhaps through some kind

This is most definitely feasible. And I'd have no problem trying to support this as part of Shiro (or as an extension to it) so others would benefit from it. It just doesn't exist at the moment since most of our end users appear not to need it (I guess they go w/ REST/JSON mostly). But if people ask for it or contribute it, then we could work with it. In any event I'd be very happy collaborating on this and helping out where I can.

> Also, I would need an abstraction layer for authentication & authorization
> within the web services implementation to deal with the enforcement of
> fine-grained access control and similar. Is JAAS the best option here or can
> Shiro fill in this spot too?

Oh no, that is one of Shiro's biggest strengths :) Shiro was created many years ago as a replacement for JAAS because of how frustrating JAAS is to use; this recent tweet says it nicely: http://twitter.com/#!/jagregory/status/83995488403210240 ;). Although it is possible to integrate w/ JAAS, most people never go through that effort once they see how much nicer Shiro is. It also handles fine-grained security better than any other security framework that we know of via Shiro's Permission concept (this should help a bit: http://shiro.apache.org/permissions.html).

Shiro is a unified API that can be used in any application - web, non-web, smart phone, command-line, etc - and it can integrate with any other security mechanisms or data sources that might come and go over time. It has been built with this (and simplicity and ease of use) as its highest priorities.

I hope that helps!

Best regards,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
