shiro-dev mailing list archives

From "Les Hazlewood (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-311) allow the use of shiro as Autorization only framework
Date Thu, 07 Jul 2011 23:30:22 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-311?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13061671#comment-13061671 ]

Les Hazlewood commented on SHIRO-311:
-------------------------------------

Hi Elhanan,

What do you mean by this exactly?  Are you trying to support SPNEGO authentication for a Windows
domain?

Shiro does in fact support authorization only - as long as the Subject has an identity - either
from RememberMe or explicitly provided by the application developer - authorization will work
fine (and authentication is not required).  Shiro's design intentionally made authentication
orthogonal to authorization (and vice versa).

Some more detail (use cases, etc) or sample code would be appreciated to see what you are
trying to do exactly.  I'm sure we can help support what you need!

Cheers,

Les


> allow the use of shiro as Autorization only framework
> -----------------------------------------------------
>
>                 Key: SHIRO-311
>                 URL: https://issues.apache.org/jira/browse/SHIRO-311
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Authorization (access control), Configuration, Integration: JEE
>    Affects Versions: 1.1.0
>         Environment: java 6 , active directory
>            Reporter: Elhanan Maayan
>
> Currently Shiro uses login as the only entry point to the application which uses authentication
> and authorization procedures, defined in the chosen subclasses realm.
> However, in many organization's intranet, a domain authentication is already employed,
> making the authentication process in Shiro redundant.
> In order to keep consistency with the framework, a new type of Token should be created
> called AuthenticatedToken. The difference is Shiro would be able to create such a token in
> its filter by inspecting getRemoteUser of the HTTP request, which according to the spec is
> != null only when the user is authenticated.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
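
An added example, not part of the original message and not Shiro's own code, sketching the authorization-only use described in the comment above: the application supplies the identity from getRemoteUser() and never calls login(). The class name ContainerIdentityAuthz, the realm RolesOnlyRealm, the realm name "container", the user "alice" and the role "reports" are assumptions for illustration, and the session-storage setting assumes Shiro 1.2 or later with the javax.servlet API.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: Shiro authorization on top of container authentication. */
public class ContainerIdentityAuthz {
    /** Realm that never authenticates; it only maps a known identity to roles. */
    static class RolesOnlyRealm extends AuthorizingRealm {
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            return null; // login() is never called in this setup
        }
        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            // Constructed sample mapping; a real realm would query a directory or database.
            if ("alice".equals(pc.getPrimaryPrincipal())) info.addRole("reports");
            return info;
        }
    }

    private static final DefaultSecurityManager SM = newSecurityManager();

    private static DefaultSecurityManager newSecurityManager() {
        DefaultSecurityManager sm = new DefaultSecurityManager(new RolesOnlyRealm());
        // Shiro 1.2+: keep Subject state out of sessions; identity is rebuilt per request.
        DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
        evaluator.setSessionStorageEnabled(false);
        ((DefaultSubjectDAO) sm.getSubjectDAO()).setSessionStorageEvaluator(evaluator);
        return sm;
    }

    /** Builds a Subject from getRemoteUser() without calling login(). */
    static Subject subjectFor(HttpServletRequest request) {
        // Trustworthy only when the container itself authenticated the request.
        String remoteUser = request.getRemoteUser();
        Subject.Builder builder = new Subject.Builder(SM);
        if (remoteUser != null) {
            builder.principals(new SimplePrincipalCollection(remoteUser, "container"));
        }
        return builder.buildSubject(); // no principals means every hasRole() check is false
    }
}
```

A caller would then check access with `ContainerIdentityAuthz.subjectFor(request).hasRole("reports")`, or with checkRole/checkPermission to fail closed with an exception.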
