Apache Shiro integration
604 views
Skip to first unread message
bsr
Jul 9, 2010, 2:15:56 PM7/9/10
to play-framework
Hello,
There was a thread about integrating apache shiro with Play. Shiro
gives fine grained access control, and the wildcard based permission
handling is highly scalable. I am trying this as my first play
application, and any pointer is highly appreciated. What is the right
approach, build on top of the existing security module?
thanks.
There was a thread about integrating apache shiro with Play. Shiro
gives fine grained access control, and the wildcard based permission
handling is highly scalable. I am trying this as my first play
application, and any pointer is highly appreciated. What is the right
approach, build on top of the existing security module?
thanks.
Guillaume Bort
Jul 12, 2010, 3:55:39 AM7/12/10
to play-fr...@googlegroups.com
I don't think apache shiro is a good match for play framework. It
seems that shiro is a framework for the standard JEE security API.
Since Play is a web framework the security must take place at the HTTP
level.
seems that shiro is a framework for the standard JEE security API.
Since Play is a web framework the security must take place at the HTTP
level.
> --
> You received this message because you are subscribed to the Google Groups "play-framework" group.
> To post to this group, send email to play-fr...@googlegroups.com.
> To unsubscribe from this group, send email to play-framewor...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/play-framework?hl=en.
>
>
--
Guillaume Bort, http://guillaume.bort.fr
For anything work-related, use g...@zenexity.fr; for everything else,
write guillau...@gmail.com
Les
Jul 21, 2010, 1:17:54 PM7/21/10
to play-framework
Hi Guillaume,
Sorry, this is incorrect - Apache Shiro was made for all
environments. In fact, it was made because JEE security was simply
not good enough for applications (feel free to read the Project
History here: http://incubator.apache.org/shiro/about.html).
Shiro has it's own security API that allows it to be used from a small
standalone application to the largest enterprise Spring and JEE
applications. It has wonderful HTTP-level support via custom URL
filter chains that are more powerful and flexible than anything you
could define in web.xml
People use Shiro in all sorts of applications - from cell phones to
large webapps. Many different web frameworks already use Shiro to
support their security, such as Wicket, Grails, Tapestry and even
component oriented frameworks like Click and Vaadin. I'm sure it
would work wonderfully in Play as well.
HTH,
Les
On Jul 12, 12:55 am, Guillaume Bort <guillaume.b...@gmail.com> wrote:
> I don't think apache shiro is a good match for play framework. It
> seems that shiro is a framework for the standard JEE security API.
> Since Play is a web framework the security must take place at the HTTP
> level.
>
>
>
>
>
> On Fri, Jul 9, 2010 at 8:15 PM, bsr <bsr...@gmail.com> wrote:
> > Hello,
> > There was a thread about integrating apache shiro with Play. Shiro
> > gives fine grained access control, and the wildcard based permission
> > handling is highly scalable. I am trying this as my first play
> > application, and any pointer is highly appreciated. What is the right
> > approach, build on top of the existing security module?
> > thanks.
>
> > --
> > You received this message because you are subscribed to the Google Groups "play-framework" group.
> > To post to this group, send email to play-fr...@googlegroups.com.
> > To unsubscribe from this group, send email to play-framewor...@googlegroups.com.
> > For more options, visit this group athttp://groups.google.com/group/play-framework?hl=en.
>
> --
> Guillaume Bort,http://guillaume.bort.fr
> write guillaume.b...@gmail.com
Sorry, this is incorrect - Apache Shiro was made for all
environments. In fact, it was made because JEE security was simply
not good enough for applications (feel free to read the Project
History here: http://incubator.apache.org/shiro/about.html).
Shiro has it's own security API that allows it to be used from a small
standalone application to the largest enterprise Spring and JEE
applications. It has wonderful HTTP-level support via custom URL
filter chains that are more powerful and flexible than anything you
could define in web.xml
People use Shiro in all sorts of applications - from cell phones to
large webapps. Many different web frameworks already use Shiro to
support their security, such as Wicket, Grails, Tapestry and even
component oriented frameworks like Click and Vaadin. I'm sure it
would work wonderfully in Play as well.
HTH,
Les
On Jul 12, 12:55 am, Guillaume Bort <guillaume.b...@gmail.com> wrote:
> I don't think apache shiro is a good match for play framework. It
> seems that shiro is a framework for the standard JEE security API.
> Since Play is a web framework the security must take place at the HTTP
> level.
>
>
>
>
>
> On Fri, Jul 9, 2010 at 8:15 PM, bsr <bsr...@gmail.com> wrote:
> > Hello,
> > There was a thread about integrating apache shiro with Play. Shiro
> > gives fine grained access control, and the wildcard based permission
> > handling is highly scalable. I am trying this as my first play
> > application, and any pointer is highly appreciated. What is the right
> > approach, build on top of the existing security module?
> > thanks.
>
> > --
> > You received this message because you are subscribed to the Google Groups "play-framework" group.
> > To post to this group, send email to play-fr...@googlegroups.com.
> > To unsubscribe from this group, send email to play-framewor...@googlegroups.com.
> > For more options, visit this group athttp://groups.google.com/group/play-framework?hl=en.
>
> --
> write guillaume.b...@gmail.com
GrailsDeveloper
Jul 21, 2010, 2:25:32 PM7/21/10
to play-framework
Hi Les,
are not used in play.
So you must look, how to define something like grails-filters. I would
start looking how the included security works.
Niels
> Shiro has it's own security API that allows it to be used from a small
> standalone application to the largest enterprise Spring and JEE
> applications. It has wonderful HTTP-level support via custom URL
> filter chains that are more powerful and flexible than anything you
> could define in web.xml
But as far as I know Shiro use for Webapps a servlet-filter. Servlets
> standalone application to the largest enterprise Spring and JEE
> applications. It has wonderful HTTP-level support via custom URL
> filter chains that are more powerful and flexible than anything you
> could define in web.xml
are not used in play.
So you must look, how to define something like grails-filters. I would
start looking how the included security works.
Niels
Les Hazlewood
Jul 21, 2010, 3:07:26 PM7/21/10
to play-fr...@googlegroups.com
Something must process an incoming HTTP request/response pair -
whether it is a Servlet or not, Shiro can still work in this
environment. Instead of using Shiro's out-of-the-box IniShiroFilter,
a Play-specific interception mechanism would need to be created. The
IniShiroFilter source code could essentially be copy and pasted into
this Play-specific component, and then everything else would work.
whether it is a Servlet or not, Shiro can still work in this
environment. Instead of using Shiro's out-of-the-box IniShiroFilter,
a Play-specific interception mechanism would need to be created. The
IniShiroFilter source code could essentially be copy and pasted into
this Play-specific component, and then everything else would work.
But this begs the question - why isn't there a master PlayServlet that
acts as a FrontController for all HTTP requests? Even if all that
Servlet did was delegate to Play's existing mechanism, it would still
be hugely beneficial. Without this, you immediately lose integration
support from the overwhelming majority of all other frameworks (like
Shiro) that already have standard web support. You'd have to
replicate that logic in a Play-specific way for every single
integration. Sounds like a short-sighted architectural design
decision to me...
--
Les Hazlewood
CTO, Katasoft, Inc.
http://www.katasoft.com
Julien Tournay
Jul 22, 2010, 4:56:23 AM7/22/10
to play-fr...@googlegroups.com
"why isn't there a master PlayServlet that
acts as a FrontController for all HTTP requests"The all point of Play! is to get rid of the JEE complexity. There's no PlayServlet because there's no Servlet at all.
@see: http://iam.guillaume.bort.fr/post/558830013/why-there-is-no-servlets-in-play which pretty much answers to all your questions.
Julien
--
Real Programmers don't need comments-- the code is obvious.
Real Programmers don't need comments-- the code is obvious.
Reply all
Reply to author
Forward
0 new messages