I'm a complete newbie on the concepts of web security, and I had a preconceived notion that securing an application is incredibly hard.
Looking at a video on Apache Shiro, I have a feeling that the complexity of security has all been abstracted in the form of a nice, simple, unified API.
I'm trying to write a security layer which will be responsible for authorization and SSO for my underlying SOAP-based web services.
The permissions will all be sourced from LDAP (OpenDS), which will be maintained on my side (i.e. not external), as they reflect the bunch of functionality available on my system.
I have a requirement that clients can have their user management in Active Directory (external), and once they log in to AD (probably their Windows login), they should automatically be authenticated to be able to consume my services.
Then I will check whether the user has got the right authorization to consume a specific service.
This effectively means that authentication is done externally but authorization is done internally, as far as my boundaries are concerned. But my security layer has to understand that the user has been authenticated and know who the user is.
Is this achievable in Shiro? Any pointers would be of great help.
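The split described in the question (identity established outside, permissions looked up inside) maps onto a Shiro realm that accepts a pre-authenticated token for authentication and loads permissions from the local directory for authorization. The following is an added, self-contained example written for this page, not code from the question or from the Shiro project. It assumes a hypothetical `PreAuthenticatedToken` minted by the SSO front-end after AD has verified the user, and replaces the OpenDS lookup with a constructed in-memory map; the AD/Kerberos hand-off itself is not shown. The security-relevant point is that a realm which trusts a pre-authenticated principal must only ever receive tokens built by your own trusted front-end, never from raw client input, or anyone can claim any identity.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

import java.util.*;

public class ExternalAuthnInternalAuthzDemo {

    /** Hypothetical token carrying an identity already verified outside Shiro (e.g. by AD).
     *  It carries no password: the only "credential" is that our trusted SSO front-end
     *  created it. Never construct one from an unverified client-supplied user name. */
    static final class PreAuthenticatedToken implements AuthenticationToken {
        private final String userId;
        PreAuthenticatedToken(String userId) { this.userId = userId; }
        @Override public Object getPrincipal()   { return userId; }
        @Override public Object getCredentials() { return userId; }
    }

    /** Realm that trusts PreAuthenticatedToken for authentication and sources
     *  permissions from our own directory for authorization. */
    static final class InternalPermissionRealm extends AuthorizingRealm {
        // Stand-in for the OpenDS lookup: constructed sample data, not a real LDAP call.
        private final Map<String, Set<String>> directory;

        InternalPermissionRealm(Map<String, Set<String>> directory) {
            this.directory = directory;
            // Only this token type reaches doGetAuthenticationInfo.
            setAuthenticationTokenClass(PreAuthenticatedToken.class);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String user = (String) token.getPrincipal();
            if (user == null || user.isEmpty()) {
                throw new AuthenticationException("pre-authenticated token has no principal");
            }
            // Unknown identities are rejected so they cannot obtain a valid-but-empty Subject.
            if (!directory.containsKey(user)) {
                throw new AuthenticationException("unknown user: " + user);
            }
            // Credentials equal the principal; the default SimpleCredentialsMatcher accepts them.
            return new SimpleAuthenticationInfo(user, user, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.setStringPermissions(directory.getOrDefault(user, Collections.emptySet()));
            return info;
        }
    }

    /** Gate placed in front of a SOAP operation: the call proceeds only if permitted. */
    static boolean canInvoke(Subject subject, String operation) {
        return subject.isAuthenticated() && subject.isPermitted("soap:" + operation);
    }

    public static void main(String[] args) {
        Map<String, Set<String>> directory = new HashMap<>();
        directory.put("alice", new HashSet<>(Arrays.asList("soap:getOrder", "soap:createOrder")));
        directory.put("bob",   new HashSet<>(Collections.singletonList("soap:getOrder")));

        DefaultSecurityManager sm = new DefaultSecurityManager(new InternalPermissionRealm(directory));
        SecurityUtils.setSecurityManager(sm);

        // "bob" was verified by the external identity provider; we only assert who he is.
        Subject bob = SecurityUtils.getSubject();
        bob.login(new PreAuthenticatedToken("bob"));
        System.out.println("bob getOrder: " + canInvoke(bob, "getOrder"));
        System.out.println("bob createOrder: " + canInvoke(bob, "createOrder"));
        bob.logout();

        // An identity the internal directory has never heard of is refused at login.
        try {
            SecurityUtils.getSubject().login(new PreAuthenticatedToken("mallory"));
        } catch (AuthenticationException e) {
            System.out.println("mallory rejected: " + e.getMessage());
        }
    }
}
```

Compile against `shiro-core` (the `DefaultSecurityManager` plus `ThreadContext`-based `SecurityUtils.getSubject()` used here is the plain-Java, non-web setup). In a real deployment the `PreAuthenticatedToken` would be created by the component that validated the AD/Kerberos credential, and the `directory` map would be replaced by an LDAP query against OpenDS keyed on the same user identifier.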