On Mon, Sep 26, 2011 at 10:32 AM, matan_a <[email protected]> wrote:
> It seems like I'd need a custom filter to retrieve the Facebook credentials
> and a custom Realm that doesn't do much more than see if the user already
> exists in the store + some other roles logic.

Based on that I'm assuming you are currently using fb.login or similar, purely client-side integration.

> So any help would be appreciated for helping me answer:
> 1. What is the ideal way anyone here has done this (I'm sure I'm not the
> first)?

Ideal depends on the use case, but if you want a deeper integration, you need to initiate the OAuth flow yourself on the server side. I've created a Shiro/FB integration for Tapestry5 at http://tynamo.org/tynamo-federatedaccounts+guide (with a larger scope than FB only). Perhaps you can lift some code from http://svn.codehaus.org/tynamo/trunk/tynamo-federatedaccounts/tynamo-federatedaccounts-facebook/src/main/java/org/tynamo/security/federatedaccounts/facebook/base/AbstractFacebookOauthPage.java and related classes. The idea is that the account is merged (answering to the same need as in your second question below), so you first log in via FB, but then have a local account component that participates in authorizing (or even authenticating) the user via a Shiro realm (as implemented in http://svn.codehaus.org/tynamo/trunk/tynamo-federatedaccounts/tynamo-federatedaccounts-facebook/src/main/java/org/tynamo/security/federatedaccounts/facebook/services/FacebookRealm.java). The realm uses restfb (http://restfb.com/) for communicating via FB's Graph API.

Kalle

> 2. I have some custom "login" logic to check if the user exists and create
> the user if not + some other locked status stuff. I assume this goes in the
> Realm?
> 3. What kind of data does Shiro actually save in the Session? We're very
> keen on keeping it as lean as possible and easily serializable using Kryo or
> other performant library (these libraries usually use default constructors
> and reflection).
> 4. We have some functionality that sends requests that don't contain the
> SessionID (from flash) so we just include the SessionID as a request
> parameter and "inject" the security context using a filter in the request
> thread. Is that possible with Shiro without doing a complete "login"
> process?

It should allow Session lookup by id.

>
> Thanks in advance and again, much appreciated!
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Advice-on-Shira-with-FB-Connect-Session-Clustering-Efficiency-tp6832777p6832777.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
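
A sketch of the merged-account realm described in the reply above, added here as an illustration; it is not code from the thread or from Tynamo. `FacebookAccessToken`, `FacebookGraph`, `LocalAccounts` and `MergedFacebookRealm` are hypothetical names, and the Graph API lookup (restfb in the reply) and the user store are left behind interfaces. The realm resolves the user id from the access token on the server instead of trusting an id sent by the browser.

```java
import java.util.Set;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical token: carries only the access token obtained by the server-side OAuth flow.
class FacebookAccessToken implements AuthenticationToken {
    private final String accessToken;
    FacebookAccessToken(String accessToken) { this.accessToken = accessToken; }
    public Object getPrincipal() { return null; }          // identity unknown until Facebook confirms it
    public Object getCredentials() { return accessToken; }
}
// Hypothetical collaborators: a Graph API client and the application's own user store.
interface FacebookGraph { String fetchUserId(String accessToken); }  // returns null if the token is rejected
interface LocalAccounts {
    boolean exists(String fbUserId);
    void create(String fbUserId);
    boolean isLocked(String fbUserId);
    Set<String> rolesOf(String fbUserId);
}

public class MergedFacebookRealm extends AuthorizingRealm {
    private final FacebookGraph graph;
    private final LocalAccounts accounts;

    public MergedFacebookRealm(FacebookGraph graph, LocalAccounts accounts) {
        this.graph = graph;
        this.accounts = accounts;
        // The proof of identity is the Graph API lookup below, not a stored password.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }
    @Override
    public boolean supports(AuthenticationToken token) { return token instanceof FacebookAccessToken; }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String fbUserId = graph.fetchUserId((String) token.getCredentials());
        if (fbUserId == null) throw new IncorrectCredentialsException("Facebook rejected the access token");
        if (!accounts.exists(fbUserId)) accounts.create(fbUserId);   // first login creates the local account
        if (accounts.isLocked(fbUserId)) throw new LockedAccountException("Account is locked");
        // Only the user id becomes the principal; roles are loaded on demand below.
        return new SimpleAuthenticationInfo(fbUserId, token.getCredentials(), getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String fbUserId = (String) getAvailablePrincipal(principals);
        return new SimpleAuthorizationInfo(accounts.rolesOf(fbUserId));
    }
}
```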
