shiro-user mailing list archives
From timniblett <>
Subject Re: OAuth demo
Date Tue, 09 Oct 2012 09:20:57 GMT

Thanks very much for the reply.

I agree that OAuth is for authorization. It's like the old song, "If you
can't be with the one you love, love the one you're with". So, for easy
login that people will use this seems to be the only game in town at the
moment. From what I've seen OAuth 2 /is/ being sold as an
identity/authentication solution.

I'm not quite sure what you're saying about accessing data about the user.
I've chosen to only access the Email, but could access other data. The
issue here for me is that each provider returns data in a different format.
So, a useful function of a library would be to provide a uniform API to the
data returned (as far as possible). Is this something you do?

Given that I'm interested only in identity I ask: "what should the best
practices be and what's the simplest way to implement them?". It would be
helpful to have a library available that lets me hook into Shiro for OAuth.
My sample could lead to that with: (a) some interface classes to Shiro and
(b) a login servlet and logout filter. I'd be much happier using someone
else's code though! I'd be happy to use yours if the implementation effort
is less.

The other issue, which I'm still unclear about, is how secure is OAuth in
practice compared to username/password?  It looks pretty insecure to me, but
I'm not at all well informed in this area.
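The two pieces the message sketches, a uniform view of the data each provider returns and "some interface classes to Shiro", fit together as shown below. This is an added illustration, not the poster's sample and not code from Shiro or any OAuth library; the `OAuthProfile`, `OAuthToken`, `OAuthRealm` and `normalize` names, the provider names and their JSON field names are all assumptions made for the example. The login servlet and logout filter are not shown. The security-relevant point is in the comments: the profile handed to Shiro must be the one the server fetched from the provider after exchanging the authorization code, never values posted by the browser.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class OAuthShiroExample {

    /** Uniform identity record built from whatever the provider returned (hypothetical class). */
    public static final class OAuthProfile {
        public final String provider;   // which provider vouched for this identity
        public final String subjectId;  // the provider's stable user id; this is the real principal
        public final String email;      // null when the provider returned no e-mail

        public OAuthProfile(String provider, String subjectId, String email) {
            if (provider == null || subjectId == null) {
                throw new IllegalArgumentException("provider and subjectId are required");
            }
            this.provider = provider;
            this.subjectId = subjectId;
            this.email = email;
        }

        @Override public String toString() { return provider + ":" + subjectId + " <" + email + ">"; }
    }

    /** Map one provider's parsed user-info JSON onto OAuthProfile. Field names are ASSUMED. */
    public static OAuthProfile normalize(String provider, Map<String, Object> raw) {
        Object id;
        Object email;
        switch (provider) {
            case "providerA":            // assumed shape: {"id": ..., "email": ...}
                id = raw.get("id");
                email = raw.get("email");
                break;
            case "providerB":            // assumed shape: {"user_id": ..., "mail": ...}
                id = raw.get("user_id");
                email = raw.get("mail");
                break;
            default:
                throw new IllegalArgumentException("unknown provider: " + provider);
        }
        if (id == null) {
            throw new IllegalArgumentException(provider + " returned no user id");
        }
        return new OAuthProfile(provider, String.valueOf(id), email == null ? null : String.valueOf(email));
    }

    /** Token carrying a profile the SERVER fetched from the provider; never built from browser input. */
    public static final class OAuthToken implements AuthenticationToken {
        private final OAuthProfile profile;
        private final String accessToken;

        public OAuthToken(OAuthProfile profile, String accessToken) {
            this.profile = profile;
            this.accessToken = accessToken;
        }
        @Override public Object getPrincipal() { return profile; }
        @Override public Object getCredentials() { return accessToken; }
    }

    /** Realm that accepts OAuthToken; the provider already authenticated the user. */
    public static final class OAuthRealm extends AuthorizingRealm {
        public OAuthRealm() {
            // There is no password to compare: the access token was validated when the profile was fetched.
            setCredentialsMatcher(new AllowAllCredentialsMatcher());
        }

        @Override public boolean supports(AuthenticationToken token) {
            return token instanceof OAuthToken;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            OAuthProfile p = (OAuthProfile) token.getPrincipal();
            if (p.email == null) {   // this application keys accounts on e-mail, so refuse without one
                throw new AuthenticationException("provider supplied no e-mail for " + p.subjectId);
            }
            return new SimpleAuthenticationInfo(p, token.getCredentials(), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole("user");    // baseline role for any externally authenticated user
            return info;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> rawA = new HashMap<>();   // constructed sample user-info response
        rawA.put("id", 12345);
        rawA.put("email", "alice@example.com");
        OAuthProfile profile = normalize("providerA", rawA);
        OAuthToken token = new OAuthToken(profile, "access-token-placeholder");
        AuthenticationInfo info = new OAuthRealm().getAuthenticationInfo(token);
        System.out.println(info.getPrincipals().getPrimaryPrincipal());
    }
}
```

Keying the principal on the provider's stable user id rather than on the e-mail alone is deliberate: an e-mail address can change or be re-registered, and some providers do not verify it, so an account linked only by e-mail can be taken over by whoever later controls that address at the provider.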
