
I want to know if I can use Apache Shiro to secure the business tier of an (container managed) Java EE application. I'm asking because I haven't found any examples but only statements like "it works in web, EJB, and IoC environments".

Apache Shiro, in comparison with the default Java role-based access control, seems to have more extensive ways to authorize users (e.g. permission strings), which I hope one can use as a replacement to secure the methods of session beans in an annotation-based manner.

Is this possible and has anyone tried it? Are there restrictions? An example or tutorial would be nice, too.

tsh

2 Answers


Ok, I had overlooked that answer from Les Hazlewood from 2010.

The essence is that support for securing EJBs is given if the Subject can be bound to the current thread. This happens automatically through the Shiro Filter if the request is initiated from a web environment.

He further states:

Once the Subject is associated with a thread, AOP is one of easiest ways of enforcing security restrictions. Then you can annotate your EJB methods [...].

tsh

You can use the Shiro API as simple Java code in an EJB.

You can use https://issues.apache.org/jira/browse/SHIRO-337 too

  • Thanks, this would be the "programmatic" way. My goal is to use annotations to better separate the business logic from security concerns. Does Shiro therefore make use of the Java EE interceptors? – tsh Aug 07 '12 at 07:03
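The two approaches discussed above, a Java EE interceptor that enforces Shiro's `@RequiresPermissions` annotation on EJB methods (the AOP route from the first answer) and a bean that calls the Shiro API directly (the programmatic route from the second answer), as an added example that is not part of the question or either answer. It assumes shiro-core is on the classpath, that the ShiroFilter has already bound the calling Subject to the request thread, and that the class names `ShiroPermissionInterceptor` and `AccountService` and the permission strings are hypothetical.

```java
// File: ShiroPermissionInterceptor.java (hypothetical name, added example)
import java.lang.reflect.Method;

import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;

/**
 * Plain Java EE interceptor: reads Shiro's @RequiresPermissions from the
 * invoked EJB method (or its class) and asks the thread-bound Subject.
 * Shiro itself ships equivalent handlers in org.apache.shiro.authz.aop for
 * AspectJ/Spring/Guice; this version uses only the Subject API.
 */
public class ShiroPermissionInterceptor {

    @AroundInvoke
    public Object enforce(InvocationContext ctx) throws Exception {
        Method method = ctx.getMethod();
        RequiresPermissions rp = method.getAnnotation(RequiresPermissions.class);
        if (rp == null) {
            rp = method.getDeclaringClass().getAnnotation(RequiresPermissions.class);
        }
        if (rp != null) {
            // If no Subject was bound to this thread (e.g. an EJB timer or an
            // MDB call that never passed through the ShiroFilter), getSubject()
            // returns an anonymous Subject with no permissions, so the check
            // below throws UnauthorizedException and the call fails closed.
            Subject subject = SecurityUtils.getSubject();
            String[] perms = rp.value();
            if (rp.logical() == Logical.AND) {
                subject.checkPermissions(perms);      // throws if any is missing
            } else {
                boolean anyPermitted = false;
                for (String p : perms) {
                    if (subject.isPermitted(p)) { anyPermitted = true; break; }
                }
                if (!anyPermitted) {
                    throw new AuthorizationException(
                        "Subject holds none of the required permissions for " + method.getName());
                }
            }
        }
        return ctx.proceed();
    }
}

// File: AccountService.java (hypothetical name, added example)
import javax.ejb.Stateless;
import javax.interceptor.Interceptors;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;

@Stateless
@Interceptors(ShiroPermissionInterceptor.class)
public class AccountService {

    // Declarative: the interceptor rejects any caller lacking "account:read"
    // (a Subject granted the wildcard "account:*" satisfies it).
    @RequiresPermissions("account:read")
    public String viewAccount(String accountId) {
        return "account " + accountId;   // constructed placeholder result
    }

    // Programmatic: the bean asks Shiro directly, here with an instance-level
    // permission string so access can be restricted per account.
    public void closeAccount(String accountId) {
        SecurityUtils.getSubject().checkPermission("account:close:" + accountId);
        // ... business logic runs only if the check above did not throw
    }
}
```

The interceptor is wired with `@Interceptors` rather than a CDI interceptor binding so that it works in a plain EJB container; both `checkPermissions` and `checkPermission` raise `AuthorizationException` (which the container wraps in an `EJBException` for remote callers), so the caller never reaches the business logic without the permission.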