
General Case: A simple application that exposes its services through EJB (3.1) - most of them Stateless Session beans (nothing fancy here) - and Swing-based clients that call these services through remote interfaces and do what they have to do.

Security: I want to authenticate/authorize this cycle of calls and of course protect my services. The obvious answer would be to use JAAS in the server and any custom wiring setup on the underlying server. That is still an option.

Apache Shiro: So lots of people talk about Apache Shiro and indeed it features a very simple API and mechanism - that could potentially be application server independent.

Technical Questions:

  1. Session: In my case I don't have an HTTP session - and from what I have understood Shiro at least needs some sort of SESSION ID that I need to pass around. Any nice way of injecting user credentials in my RMI/IIOP calls to the server without polluting my business API?

  2. Server side implementation: From the few resources I have gone through, I think I can implement a Shiro DefaultSecurityManager by 'referencing it' from a Singleton EJB 3.1 bean. Any other ideas? Then I can easily create an interceptor and add it to my remote calls - so when a new call is going through my Remote EJB method, the Shiro Interceptor validates my user or checks for specific rights.

Any comments / tips / examples?

Many thanks

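An added example (not code from the question, the answer, or the Shiro project) of the design sketched in point 2: a startup Singleton that builds a DefaultSecurityManager from a small constructed IniRealm and hands out Shiro session ids at login, plus an EJB interceptor that rebuilds the caller's Subject from that id and enforces @RolesAllowed before the remote method runs. The context-data key `shiro.sessionId`, the demo user `alice`, and the assumption that the client's session id reaches the server-side InvocationContext context-data map are mine; how that value travels over RMI/IIOP is container-specific and not shown here.

```java
import java.util.Arrays;
import javax.annotation.PostConstruct;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

/** One DefaultSecurityManager per JVM, built at application start (constructed example). */
@Singleton @Startup
public class ShiroBootstrap {
    private DefaultSecurityManager securityManager;
    @PostConstruct void init() {
        Ini ini = new Ini();                                   // constructed demo realm; use JDBC/LDAP in practice
        ini.addSection("users").put("alice", "secret, admin"); // user = password, role...
        ini.addSection("roles").put("admin", "orders:*");      // role = permission...
        securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);     // lets Subject.Builder() find it later
    }
    /** Remote login entry point: returns the Shiro session id the client sends with later calls. */
    public String login(String user, char[] password) {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken(user, password)); // AuthenticationException on bad credentials
        return subject.getSession().getId().toString();
    }
}

@Interceptor
class ShiroInterceptor {
    static final String SESSION_KEY = "shiro.sessionId"; // assumed key in the invocation's context-data map
    @AroundInvoke public Object check(InvocationContext ctx) throws Exception {
        Object sid = ctx.getContextData().get(SESSION_KEY);
        if (sid == null) throw new EJBAccessException("no Shiro session id on this invocation");
        Subject subject = new Subject.Builder().sessionId((java.io.Serializable) sid).buildSubject();
        if (!subject.isAuthenticated()) throw new EJBAccessException("session unknown, expired or not logged in");
        RolesAllowed roles = ctx.getMethod().getAnnotation(RolesAllowed.class);                 // method-level wins...
        if (roles == null) roles = ctx.getTarget().getClass().getAnnotation(RolesAllowed.class); // ...else bean-level
        if (roles != null && Arrays.stream(roles.value()).noneMatch(subject::hasRole))
            throw new EJBAccessException("caller lacks required roles " + Arrays.toString(roles.value()));
        return ctx.proceed();
    }
}
```

Attach the interceptor with `@Interceptors(ShiroInterceptor.class)` on the remote beans; a failed check surfaces to the Swing client as an EJBAccessException, the same exception the container raises for its own @RolesAllowed.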

1 Answer


From Shiro, try to use a ServiceLocator pattern. The lookup of EJBs is different between containers (JBoss, NetWeaver, WebLogic, etc.).

In the application server, try to use the container-based security constraints (@RolesAllowed, @PermitAll, @DenyAll...). JAAS will create the subject with the user's principals, so just use the container authorization (@RolesAllowed, @PermitAll, @DenyAll...). It can be better when you migrate from one container to another.

  • Hello Marcelo, thanks for your answer - but if I am about to use JAAS anyway, then I don't find any great advantage in wiring Shiro as well. My idea was to bypass JAAS 100% and implement everything using Shiro. – javapapo Jun 13 '12 at 13:07
  • Ok. If you don't think it is a problem to make the application vendor-dependent on Shiro, there is no problem. What I mean is, the container already has the security implementations, if you are using the container. You may lose some functionalities like web.xml constraints or annotation security constraints. – Marcelo Jun 13 '12 at 17:17