shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "david e. berry (JIRA)" <j...@apache.org>
Subject [jira] Commented: (SHIRO-160) Flex integration with Shiro
Date Sat, 15 May 2010 02:50:42 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12867785#action_12867785
] 

david e. berry commented on SHIRO-160:
--------------------------------------

I am using BlazeDS as my AMF provider. I had no plans to right my own implementation and still
have no plans. 

I actually got a little carried away with shiro one day and decided to see if I could use
shiro to lock down all traffic to the site, even traffic like AMF whose security interface
I still wanted to use. 

I could have left the amf end-point unsecured by shiro and just used the FlexLoginCommand
that I wrote which implements the Blaze flex.messaging.security.LoginCommand interface, which
in turn calls shiro, but I guess I am a control freak and wanted to get shiro to monitor everything.
This is how the FlexPermissionsAuthorizationFilter and FlexRolesAuthorizationFilter came to
be. They are AMF aware filters that can be used around flex security. 

This is not much different to shiro allowing http login requests to pass through and block
everything else. I use deserialization to determine if a login is occurring. A login consists
of a PING and a LOGIN. These two Command Messages get a free ride, everything else is blocked
until the user is logged in. 

WIth these files you can just use flex security with FlexLoginCommand calling Shiro without
the deserialization and let flex secure the enpoint, or you can use both Shiro and Flex to
watch the endpoint, with double deserialization. 

Future use of this is to have a security scheme where a role or permission must exist that
matches the name of the service being called. The filters would need no other configuration
but to know that they are a rest resource filter or amf service filter. Dynamic service to
role checking would be possible, and if you have a class loader that loads services dynamically,
then you really have something flexible. 

Sorry for the long winded comment. 


> Flex integration with Shiro
> ---------------------------
>
>                 Key: SHIRO-160
>                 URL: https://issues.apache.org/jira/browse/SHIRO-160
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Authorization (access control) 
>    Affects Versions: Incubation
>            Reporter: david e. berry
>
> Commiters,
> I have created the following classes that I used to integrate Shiro with Flex AMF. I
would like to contribute them to the shiro. Please let me know if there is interest and the
procedure for doing so. I have included the class names with a brief description of what they
do. They are currently outside of the Shiro code base that I checked out, but I could combine
them if interested.
> Best Regards,
> Dave 
> /* Authentication and Authorization need to let AMF Ping, Login, Logout messages pass
through
> without processing. They call FlexMessageHelper to introspect the binary message to see
if it is allowed to pass. 
> If not, normal Authentication, and Authorization takes place.
> */  
> public class FlexAuthenticationFilter extends AuthenticationFilter;
> public class FlexPermissionsAuthorizationFilter extends PermissionsAuthorizationFilter;
> public class FlexRolesAuthorizationFilter extends RolesAuthorizationFilter;
> /*Helper methods for introspecting the contents of the amf message. It is conceivable
that a security handler
> might need to introspect the contents of a request. It would be nice if Shiro wrapped
the request automatically so that anyone can read the contents without
> causing an end of stream error for a filter down the line. 
> Message helper deserializes the AMF message and checks to see if it is a PING, LOGON,
or LOGOUT request. 
> */ 
> public class FlexHttpServletRequestWrapper extends HttpServletRequestWrapper;
> public class FlexMessageHelper;
> /* Custom Flex Login command that calls Subject.login returns a Principal back to Flex.
> */
> public class FlexLoginCommand implements LoginCommand;
> public class FlexPrincipal implements Principal;

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message