I am very impressed with Shiro, pac4j and buji, though I struggle putting it all together in a Guice application using CAS for authentication. The examples I see are pretty dated, or are Guice using OAuth or some not-quite-right permutation of components/versions/etc.
<p> Is there somewhere I can reference a current/recent application using Guice, Shiro, and CAS the "right" way? As a bonus, I'd like to avoid using .ini configuration, but if that is all I can get, I'll take it. I'm using Jersey 1.19, Guice 4.0. We deploy to App Engine "flex" environment. How would you succinctly describe the problems each of Shiro/Pac4j/Buji is trying to solve? When the problem space overlaps, which should I "prefer"?
<p> As a bonus, how do the concepts represented in buji/pac4j <https://github.com/bujiio/buji-pac4j> map to Shiro's architecture model <http://shiro.apache.org/architecture.html>?
<p> I've had a rough couple of weeks, so be gentle please. I'm completely new to Shiro/Pac4j/Buji, pretty new to CAS, and a relatively recent convert to Guice (from Spring and <ugh>Spring Security</ugh>).
<p> A few symptoms of the issues I've been having:
<ul>
<li> I'm never redirected where I initially wanted to go. I notice that <code>DefaultSecurityLogic</code> tries to save the <code>pac4jRequestedUrl</code> attribute to the session, but ultimately there is no Shiro session yet on the subject, so this "fails" silently (since the WebContext/J2EContext doesn't create a session if one doesn't exist).
<li> I have found conversations from a long while ago about the perils of the order of configuring certain attributes (cache manager as an example). Is this still the case? Will I see issues if I don't set the cache manager attribute after everything else? How can I control this order in Guice?
<li> I've only been able to use Guice injection by extending the <code>Default</code> classes, adding <code>@Inject</code> getters/setters. How can I inject only a few things (authorization generators, cache manager, realm) into the object graph correctly?
<li> Speaking of <code>AuthorizationGenerator</code>, what is the difference between that and an <code>Authorizer</code>?
<li> Speaking of Guice, how can I modify only a few attributes of a default security manager container configuration without manually stitching the entire object graph together by means of subclasses with <code>@Inject</code> all over the place?
<li> <code>ShiroWebModule.bindSessionManager()</code> binds a <code>ServletContainerServletManager</code> but its javadoc says that it binds a <code>DefaultWebSessionManager</code>. What is going on here? What is right and why?
<li> What is the minimal amount of implementation I need to provide a security manager (in Guice) so that I can use App Engine's <code>memcached</code> for my CAS session state/authentication credentials cache (to avoid a roundtrip to CAS every request)? I think it is <code>CacheManager</code>/<code>Cache</code> set on the security manager, but do I also need an <code>EnterpriseCacheSessionDAO</code>? Do I even need to, given that App Engine flex uses memcached sessions under the hood (I think)?
<li> Again, short of extending the object graph with injectable getters/setters, how do I manipulate only that part of the object graph in Guice? Or even a single attribute of a component without newing it up along with its subtree?
<li> I've seen posts (again, somewhat dated) that indicated that if I <code>bind(CacheManager.class).to(MemcachedCacheManager.class).in(Singleton.class)</code>, I also need to <code>bind(MemcachedCacheManager.class)</code> or some such thing. Is this still true? What is the purpose of that? What is the best practice here?
</ul>
<p> Since I know several on this user group are heavy hitters in the Java security landscape, let me ask:
<ul>
<li> I'd like JWT across my fleet of services (with a few custom claims) using an identity managed by Apereo. We are in the process of upgrading our Jasig CAS 3.5.x to Apereo 4.2.x (long overdue, I know). How hard is it to get JWT working in 4.2 as the auth provider of my Guice application configured using a Shiro JWT client?
<li> Are there any good tutorials for this? This seems like a really great place to be (Apereo + JWT + Shiro + Guice).
</ul>
--
View this message in context: http://shiro-user.582556.n2.nabble.com/A-White-Unicorn-Shiro-Pac4j-Buji-CAS-and-Guice-tp7581248.html
Sent from the Shiro User mailing list archive at Nabble.com.
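The following is an added example, not code from the post above nor from the Shiro, pac4j or buji-pac4j projects, showing one way to wire the pieces the post asks about (realm, cache manager, native session manager, filter chains) in a single Guice module with no .ini file. It assumes Shiro's <code>shiro-guice</code> integration (where <code>ShiroModule</code> injects Guice bindings into matching bean setters on Shiro objects, so a single <code>CacheManager</code> binding reaches both the security manager and the realm), assumes buji-pac4j 2.x's <code>io.buji.pac4j.realm.Pac4jRealm</code> as the realm, and uses Shiro's own <code>MemoryConstrainedCacheManager</code> as a stand-in for a memcached-backed cache manager, which is not written here. The class and URL names are the example's own choices.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;

import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Singleton;
import com.google.inject.binder.AnnotatedBindingBuilder;
import com.google.inject.name.Names;
import com.google.inject.servlet.GuiceServletContextListener;

import io.buji.pac4j.realm.Pac4jRealm;               // assumption: buji-pac4j 2.x realm
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.MemoryConstrainedCacheManager; // stand-in for memcached
import org.apache.shiro.guice.web.ShiroWebModule;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/** Example Guice module (not from the original post) wiring Shiro without .ini. */
public class AppShiroModule extends ShiroWebModule {

    public AppShiroModule(ServletContext servletContext) {
        super(servletContext);
    }

    @Override
    protected void configureShiroWeb() {
        // Realm: bindRealm() hands back a LinkedBindingBuilder<Realm>; point it at
        // the realm class in use (here buji-pac4j's realm, an assumption).
        bindRealm().to(Pac4jRealm.class).in(Singleton.class);

        // Cache manager: a single binding by the CacheManager interface. Shiro's
        // Guice module injects bindings into matching setters on Shiro objects,
        // so SecurityManager.setCacheManager(..) and the realm's setCacheManager(..)
        // both receive this singleton; nothing has to be "set last" by hand.
        // Swap the target for a memcached-backed CacheManager when you have one.
        bind(CacheManager.class).to(MemoryConstrainedCacheManager.class).in(Singleton.class);

        // Where AUTHC sends unauthenticated requests (the CAS-protected login path).
        bindConstant().annotatedWith(Names.named("shiro.loginUrl")).to("/login");

        // Filter chains are matched in the order added; ANON/AUTHC/LOGOUT are
        // keys defined on ShiroWebModule.
        addFilterChain("/login", ANON);
        addFilterChain("/logout", LOGOUT);
        addFilterChain("/**", AUTHC);
    }

    // Use Shiro-native sessions instead of the servlet container's. The default
    // binding in ShiroWebModule is the container-backed session manager; override
    // only if Shiro, not the container, should own the session.
    @Override
    protected void bindSessionManager(AnnotatedBindingBuilder<SessionManager> bind) {
        bind.to(DefaultWebSessionManager.class).asEagerSingleton();
    }

    /** Bootstrap listener (register as AppShiroModule$Bootstrap in web.xml). */
    public static class Bootstrap extends GuiceServletContextListener {
        private ServletContext servletContext;

        @Override
        public void contextInitialized(ServletContextEvent event) {
            servletContext = event.getServletContext();
            super.contextInitialized(event);
        }

        @Override
        protected Injector getInjector() {
            // guiceFilterModule() installs Shiro's GuiceShiroFilter behind GuiceFilter.
            return Guice.createInjector(
                    new AppShiroModule(servletContext),
                    ShiroWebModule.guiceFilterModule());
        }
    }
}
```

The point of the example is that only the three things the post wants to customize (realm, cache manager, session manager) are bound explicitly; the rest of the object graph (security manager, subject factory, filters) comes from the module's defaults and is populated through setter injection rather than through subclasses sprinkled with <code>@Inject</code>. The pac4j side (the CAS client configuration and the buji security filter that produces the token the realm consumes) is deliberately not shown, since it depends on the pac4j and buji versions in use.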
