Modified: shiro/site/publish/java-authorization-guide.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/java-authorization-guide.html?rev=1766414&r1=1766413&r2=1766414&view=diff
==============================================================================
--- shiro/site/publish/java-authorization-guide.html (original)
+++ shiro/site/publish/java-authorization-guide.html Mon Oct 24 14:33:52 2016
@@ -78,22 +78,16 @@
 
         <div id="content">
 
-            <h1><a 
name="JavaAuthorizationGuide-JavaAuthorizationGuidewithApacheShiro"></a>Java 
Authorization Guide with Apache Shiro</h1>
-
-<p><br clear="none" class="atl-forced-newline">
-Authorization, or access control, is the function of specifying access rights 
to resources.  In other words, <em>who</em> has access to <em>what</em>.</p>
-
-<p>Examples of authorization checks are: Is the user allowed to look at this 
webpage, edit this data, view this button, or print to this printer?  Those are 
all decisions determining what a user has access to.</p>
-
-<h2><a name="JavaAuthorizationGuide-ElementsofAuthorization"></a>Elements of 
Authorization</h2>
-<p>Authorization has three core elements that we reference quite a bit in 
Shiro-- permissions, roles, and users.  </p>
-
-<h3><a name="JavaAuthorizationGuide-PermissionsDefined"></a>Permissions 
Defined</h3>
-
-<table align="right" width="275" style="margin-left: 20px; margin-bottom: 
20px; border-style: solid; border-width: 2px; border-color: navy" 
cellpadding="10px">
-
-<tr>
-<td>
+            <a 
name="JavaAuthorizationGuide-JavaAuthorizationGuidewithApacheShiro"></a>
+<h1><a href="#java-authorization-guide-with-apache-shiro" 
name="java-authorization-guide-with-apache-shiro">Java Authorization Guide with 
Apache Shiro</a></h1>
+<p>Authorization, or access control, is the function of specifying access 
rights to resources. In other words, <em>who</em> has access to 
<em>what</em>.</p>
+<p>Examples of authorization checks are: Is the user allowed to look at this 
webpage, edit this data, view this button, or print to this printer? Those are 
all decisions determining what a user has access to.</p>
+<a name="JavaAuthorizationGuide-ElementsofAuthorization"></a>
+<h2><a href="#elements-of-authorization" 
name="elements-of-authorization">Elements of Authorization</a></h2>
+<p>Authorization has three core elements that we reference quite a bit in 
Shiro&ndash; permissions, roles, and users.</p>
+<a name="JavaAuthorizationGuide-PermissionsDefined"></a>
+<h3><a href="#permissions-defined" name="permissions-defined">Permissions 
Defined</a></h3>
+<table align="right" width="275" style="margin-left: 20px; margin-bottom: 
20px; border-style: solid; border-width: 2px; border-color: navy" 
cellpadding="10px"><tr><td>
 <div id="border">
   <h2>Related Content</h2>
        
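Review bot: In the new "Elements of Authorization" paragraph, `Shiro&ndash; permissions, roles, and users` turns the old `--` into an en dash attached to the preceding word. The double hyphen stood for a dash between clauses, so `Shiro &mdash; permissions` (or a colon) would render as intended. The added `<table align="right" width="275" ... cellpadding="10px">` line also keeps presentational attributes alongside an inline `style`; since the markup is being regenerated, a CSS class would keep the sidebar styling in one place.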
@@ -113,44 +107,35 @@ Authorization, or access control, is the
   <p>Step-by-step tutorial for securing a web application with Shiro. 
</br><span style="font-size:11"><a href="webapp-tutorial.html">Read More 
&gt;&gt;</a></span></p>
        
 </div>
-</td>
-</tr>
-</table>
-
-<p>Permissions are the most atomic level of a security policy and they are 
statements of functionality. Permissions represent what can be done in your 
application.  A well formed permission describes a resource types and what 
actions are possible when you interact with those resources.    Can you 
<em>open</em> a <em>door</em>?  Can you <em>read</em> a <em>file</em>? Can you 
<em>delete</em> a <em>customer record</em>? Can you <em>push</em> a 
<em>button</em>? </p>
-
+</td></tr></table>
+<p>Permissions are the most atomic level of a security policy and they are 
statements of functionality. Permissions represent what can be done in your 
application. A well formed permission describes a resource types and what 
actions are possible when you interact with those resources. Can you 
<em>open</em> a <em>door</em>? Can you <em>read</em> a <em>file</em>? Can you 
<em>delete</em> a <em>customer record</em>? Can you <em>push</em> a 
<em>button</em>?</p>
 <p>Common actions for data-related resources are create, read, update, and 
delete, commonly referred to as CRUD.</p>
-
-<p>It is important to understand that permissions do not have knowledge of 
<em>who</em> can perform the actions-- they are just statements of 
<em>what</em> actions can be performed.</p>
-
-<h4><a name="JavaAuthorizationGuide-Levelsofpermissiongranularity"></a>Levels 
of permission granularity</h4>
-<p>The permissions above all specify an actions (open, read, delete, etc) on a 
resource (door, file, customer record, etc).  In Shiro, you can define a 
permission to any depth you like.  Here are a few common permission levels in 
order of granularity.</p>
-
-<ul><li>Resource Level - This is the broadest and easiest to build.  A user 
can edit customer records or open doors.  The resource is specified but not a 
specific instance of that resource.</li><li>Instance Level - The permission 
specifies the instance of a resource.  A user can edit the customer record for 
IBM or open the kitchen door.</li><li>Attribute Level - The permission now 
specifies an attribute of an instance or resource.  A user can edit the address 
on the IBM customer record.</li></ul>
-
-
+<p>It is important to understand that permissions do not have knowledge of 
<em>who</em> can perform the actions&ndash; they are just statements of 
<em>what</em> actions can be performed.</p>
+<a name="JavaAuthorizationGuide-Levelsofpermissiongranularity"></a>
+<h4><a href="#levels-of-permission-granularity" 
name="levels-of-permission-granularity">Levels of permission 
granularity</a></h4>
+<p>The permissions above all specify an actions (open, read, delete, etc) on a 
resource (door, file, customer record, etc). In Shiro, you can define a 
permission to any depth you like. Here are a few common permission levels in 
order of granularity.</p>
+<ul>
+  <li>Resource Level - This is the broadest and easiest to build. A user can 
edit customer records or open doors. The resource is specified but not a 
specific instance of that resource.</li>
+  <li>Instance Level - The permission specifies the instance of a resource. A 
user can edit the customer record for IBM or open the kitchen door.</li>
+  <li>Attribute Level - The permission now specifies an attribute of an 
instance or resource. A user can edit the address on the IBM customer 
record.</li>
+</ul>
 <p>For more information on Permissions please check out the <a 
href="permissions.html" title="Permissions">Permissions Documentation</a></p>
-
-<h3><a name="JavaAuthorizationGuide-RolesDefined"></a>Roles Defined</h3>
-<p>In the context of Authorization, Roles are effectively a collection of 
permissions used to simplify the management of permissions and users.  So users 
can be assigned roles instead of being assigned permissions directly, which can 
get complicated with larger user bases and more complex applications.  So, for 
example, a bank application might have an <em>administrator</em> role or a 
<em>bank teller</em> role.</p>
-
+<a name="JavaAuthorizationGuide-RolesDefined"></a>
+<h3><a href="#roles-defined" name="roles-defined">Roles Defined</a></h3>
+<p>In the context of Authorization, Roles are effectively a collection of 
permissions used to simplify the management of permissions and users. So users 
can be assigned roles instead of being assigned permissions directly, which can 
get complicated with larger user bases and more complex applications. So, for 
example, a bank application might have an <em>administrator</em> role or a 
<em>bank teller</em> role.</p>
 <p>There are two types of roles that you need to be aware of and Shiro will 
support both.</p>
-
-<h4><a name="JavaAuthorizationGuide-ImplicitRoles"></a>Implicit Roles</h4>
-<p>Most people view roles as what we define as an implicit role where your 
application <em>implies</em> a set of permissions because a user has a 
particular role as opposed to the role explicitly being assigned permissions or 
your application checking for those permissions.  Role checks in code are 
generally a reflection of an implicit role.  You can view patient data because 
you have the <em>administrator</em> role.  You can create an account because 
you have the <em>bank teller</em> role.  The fact that these names exist does 
not have a correlation to what the software can actually do.  Most people use 
roles in this manner.  It is easiest but it can create a lot of maintenance and 
management problems for all the but the simplest application.</p>
-
-<h4><a name="JavaAuthorizationGuide-ExplicitRoles"></a>Explicit Roles</h4>
-<p>An explicit role has permissions <em>explicitly</em> assigned to it and 
therefore is an <em>explicit</em> collection of permissions.  Permission checks 
in code are a reflection of an explicit role.  You can view patient data 
because because you have the <em>view patient data</em> permission as part of 
your <em>administrator</em> role.  You can create an account because you have 
the <em>create account</em> permission as part of your <em>bank teller</em> 
role.  You can perform these actions, not because of some implicit role name 
based on a string but because the corresponding permission was explicitly 
assigned to your role.</p>
-
-<p>The big benefits of explicit roles are easier manageability and lower 
maintenance of your application.  If you ever need to add, remove, or change a 
role, you can do so without touching your source code.  And in Shiro, you'll 
also be able to dynamically add, remove, or change roles at runtime and your 
authorization checks will always have up to date values.  This means you won't 
have to force users to log out and log back in order to get their new 
permissions.</p>
-
-<h3><a name="JavaAuthorizationGuide-UsersDefined"></a>Users Defined</h3>
-<p>A user is the "who" of an application.  In Shiro, though, the concept of a 
user is really the <a href="subject.html" title="Subject">Subject</a> instance. 
 We use word Subject instead of user because user usually implies a human being 
and in Shiro a Subject can be anything interacting with your application-- 
whether it be a human or a service.  </p>
-
-<p>Users are allowed to perform certain actions in your application through 
their association with roles or direct permissions.  So you are able to open a 
customer record because you've been assigned the <em>open customer record</em> 
permission, either through a role you've been assigned or through a direct 
permission assignment.</p>
-
+<a name="JavaAuthorizationGuide-ImplicitRoles"></a>
+<h4><a href="#implicit-roles" name="implicit-roles">Implicit Roles</a></h4>
+<p>Most people view roles as what we define as an implicit role where your 
application <em>implies</em> a set of permissions because a user has a 
particular role as opposed to the role explicitly being assigned permissions or 
your application checking for those permissions. Role checks in code are 
generally a reflection of an implicit role. You can view patient data because 
you have the <em>administrator</em> role. You can create an account because you 
have the <em>bank teller</em> role. The fact that these names exist does not 
have a correlation to what the software can actually do. Most people use roles 
in this manner. It is easiest but it can create a lot of maintenance and 
management problems for all the but the simplest application.</p>
+<a name="JavaAuthorizationGuide-ExplicitRoles"></a>
+<h4><a href="#explicit-roles" name="explicit-roles">Explicit Roles</a></h4>
+<p>An explicit role has permissions <em>explicitly</em> assigned to it and 
therefore is an <em>explicit</em> collection of permissions. Permission checks 
in code are a reflection of an explicit role. You can view patient data because 
because you have the <em>view patient data</em> permission as part of your 
<em>administrator</em> role. You can create an account because you have the 
<em>create account</em> permission as part of your <em>bank teller</em> role. 
You can perform these actions, not because of some implicit role name based on 
a string but because the corresponding permission was explicitly assigned to 
your role.</p>
+<p>The big benefits of explicit roles are easier manageability and lower 
maintenance of your application. If you ever need to add, remove, or change a 
role, you can do so without touching your source code. And in Shiro, 
you&rsquo;ll also be able to dynamically add, remove, or change roles at 
runtime and your authorization checks will always have up to date values. This 
means you won&rsquo;t have to force users to log out and log back in order to 
get their new permissions.</p>
+<a name="JavaAuthorizationGuide-UsersDefined"></a>
+<h3><a href="#users-defined" name="users-defined">Users Defined</a></h3>
+<p>A user is the &ldquo;who&rdquo; of an application. In Shiro, though, the 
concept of a user is really the <a href="subject.html" 
title="Subject">Subject</a> instance. We use word Subject instead of user 
because user usually implies a human being and in Shiro a Subject can be 
anything interacting with your application&ndash; whether it be a human or a 
service.</p>
+<p>Users are allowed to perform certain actions in your application through 
their association with roles or direct permissions. So you are able to open a 
customer record because you&rsquo;ve been assigned the <em>open customer 
record</em> permission, either through a role you&rsquo;ve been assigned or 
through a direct permission assignment.</p>
 <p>For more information on Users, aka Subjects, please check out the <a 
href="subject.html" title="Subject">Subject Documentation</a>.</p>
-
 <div class="panelMacro">
     <table class="infoMacro">
         <colgroup span="1">
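Review bot: The rewritten paragraphs carry the old text's typos over unchanged: "describes a resource types" in the Permissions paragraph, "specify an actions" under Levels of permission granularity, "for all the but the simplest application" under Implicit Roles, "because because you have" under Explicit Roles, and "We use word Subject" under Users Defined. Every one of these lines is already being touched, so they should be fixed in the page source in the same commit. The `&ndash;` in "actions&ndash; they are just statements" and "application&ndash; whether" is also attached to the preceding word with no space, which reads as a hyphenated compound; use `&mdash;` or a spaced dash.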
@@ -174,167 +159,121 @@ Authorization, or access control, is the
         </tbody>
     </table>
 </div>
-
-<h2><a 
name="JavaAuthorizationGuide-HowtoperformAuthorizationinJavawithShiro"></a>How 
to perform Authorization in Java with Shiro</h2>
+<a name="JavaAuthorizationGuide-HowtoperformAuthorizationinJavawithShiro"></a>
+<h2><a href="#how-to-perform-authorization-in-java-with-shiro" 
name="how-to-perform-authorization-in-java-with-shiro">How to perform 
Authorization in Java with Shiro</a></h2>
 <p>Authorization in Shiro can be handled in four ways.</p>
-
-<ul><li>Programmatically - You can perform authorization checks in your java 
code with structures like <tt>if</tt> and <tt>else</tt> blocks.</li><li>JDK 
annotations - You can attach an authorization annotation to your Java 
methods</li><li>JSP/GSP TagLibs - You can control jsp or gsp page output based 
on roles and permissions</li></ul>
-
-
-<h3><a 
name="JavaAuthorizationGuide-ProgrammaticAuthorization"></a>Programmatic 
Authorization</h3>
-<p>Checking for permissions and roles, programmatically in your Java code is 
the traditional way of handling authorization.  Here's how you can perform a 
permission check or role check in Shiro.</p>
-
-<h4><a name="JavaAuthorizationGuide-RoleCheck"></a>Role Check</h4>
-<p>This is an example of how you do a role check programmatically in your 
application.  We want to check if a user has the <em>administrator</em> role 
and if they do, then we'll show a special button, otherwise we won't show 
it.</p>
-
-<p>First we get access to the current user, the <a href="subject.html" 
title="Subject">Subject</a>. Then we pass the <em>adminstrator</em> to the 
Subject's <tt><a class="external-link" 
href="static/current/apidocs/org/apache/shiro/subject/Subject.html#hasRole(java.lang.String)">.hasRole()</a></tt>
 method.  It will return <tt>TRUE</tt> or <tt>FALSE</tt>.  </p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-<span class="code-comment">//get the current Subject
-</span>Subject currentUser =
-    SecurityUtils.getSubject();
-
-<span class="code-keyword">if</span> 
(currentUser.hasRole(&#8220;administrator&#8221;)) {
-    <span class="code-comment">//show a special button&#8207;
-</span>} <span class="code-keyword">else</span> {
-    <span class="code-comment">//don&#8217;t show the button?)&#8207;
-</span>}
-</pre>
-</div></div>
-
+<ul>
+  <li>Programmatically - You can perform authorization checks in your java 
code with structures like <code>if</code> and <code>else</code> blocks.</li>
+  <li>JDK annotations - You can attach an authorization annotation to your 
Java methods</li>
+  <li>JSP/GSP TagLibs - You can control jsp or gsp page output based on roles 
and permissions</li>
+</ul>
+<a name="JavaAuthorizationGuide-ProgrammaticAuthorization"></a>
+<h3><a href="#programmatic-authorization" 
name="programmatic-authorization">Programmatic Authorization</a></h3>
+<p>Checking for permissions and roles, programmatically in your Java code is 
the traditional way of handling authorization. Here&rsquo;s how you can perform 
a permission check or role check in Shiro.</p>
+<a name="JavaAuthorizationGuide-RoleCheck"></a>
+<h4><a href="#role-check" name="role-check">Role Check</a></h4>
+<p>This is an example of how you do a role check programmatically in your 
application. We want to check if a user has the <em>administrator</em> role and 
if they do, then we&rsquo;ll show a special button, otherwise we won&rsquo;t 
show it.</p>
+<p>First we get access to the current user, the <a href="subject.html" 
title="Subject">Subject</a>. Then we pass the <em>adminstrator</em> to the 
Subject&rsquo;s <a 
href="static/current/apidocs/org/apache/shiro/subject/Subject.html#hasRole-java.lang.String-"><code>.hasRole()</code></a>
 method. It will return <code>TRUE</code> or <code>FALSE</code>.</p>
+<pre><code class="java">//get the current Subject 
+Subject currentUser = SecurityUtils.getSubject();
+
+if (currentUser.hasRole(&quot;administrator&quot;)) {
+    //show a special button‏
+} else {
+    //don’t show the button?)‏
+}
+</code></pre>
 <p>Now a role based check is quick and easy to implement but it has a major 
drawback. It is implicit.</p>
+<p>What if you just want to add, remove, or redefine a role later? 
You&rsquo;ll have to crack open your source code and change all your role 
checks to reflect the change in your security model. You&rsquo;ll have to shut 
down the application, crack open the code, test it, and then restart it 
everytime.</p>
+<p>In very simple applications this is probably good enough but for larger 
apps this can be a major problem throughout the life of your application and 
drive a large maintenance cost for your software.</p>
+<a name="JavaAuthorizationGuide-PermissionCheck"></a>
+<h4><a href="#permission-check" name="permission-check">Permission 
Check</a></h4>
+<p>This is an example of how you do security checks by permission. We want to 
check if a user has permission to print to laserjet3000n and if they do, then 
we&rsquo;ll show a print button, otherwise we won&rsquo;t show it. This is an 
example of an instance level permission or instance level authorization.</p>
+<p>Again, first you get access to the current user, the <a href="subject.html" 
title="Subject">Subject</a>. Then you construct a <a 
href="static/current/apidocs/org/apache/shiro/authz/Permission.html"><code>Permission</code></a>
 object or an instance that represents an action on a resource. In this case, 
the instance is named <code>printerPermission</code>, the resource is 
<em>laserjet3000n</em>, and the action is <em>print</em>. Then we pass 
<code>printerPermission</code> to the Subject&rsquo;s <a 
href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isPermitted-java.util.List-"><code>.isPermitted()</code></a>
 method. It will return true or false.</p>
+<pre><code class="java">Subject currentUser = SecurityUtils.getSubject();
 
-<p>What if you just want to add, remove, or redefine a role later?  You'll 
have to crack open your source code and change all your role checks to reflect 
the change in your security model. You'll have to shut down the application, 
crack open the code, test it, and then restart it everytime.  </p>
-
-<p>In very simple applications this is probably good enough but for larger 
apps this can be a major problem throughout the life of your application and 
drive a large maintenance cost for your software.  </p>
-
-<h4><a name="JavaAuthorizationGuide-PermissionCheck"></a>Permission Check</h4>
-<p>This is an example of how you do security checks by permission. We want to 
check if a user has permission to print to laserjet3000n and if they do, then 
we'll show a print button, otherwise we won't show it. This is an example of an 
instance level permission or instance level authorization.</p>
-
-<p>Again, first you get access to the current user, the <a href="subject.html" 
title="Subject">Subject</a>.  Then you construct a <tt><a class="external-link" 
href="static/current/apidocs/org/apache/shiro/authz/Permission.html">Permission</a></tt>
 object or an instance that represents an action on a resource. In this case, 
the instance is named <tt>printerPermission</tt>, the resource is 
<em>laserjet3000n</em>, and the action is <em>print</em>.   Then we pass 
<tt>printerPermission</tt> to the Subject's <tt><a class="external-link" 
href="static/current/apidocs/org/apache/shiro/subject/Subject.html#isPermitted(java.util.List)">.isPermitted()</a></tt>
 method.  It will return true or false.  </p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-Subject currentUser =
-    SecurityUtils.getSubject();
-
-Permission printPermission = 
-<span class="code-keyword">new</span> 
PrinterPermission(&#8220;laserjet3000n&#8221;,&#8220;print&#8221;);
+Permission printPermission = new 
PrinterPermission(&quot;laserjet3000n&quot;,&quot;print&quot;);
 
 If (currentUser.isPermitted(printPermission)) {
-    <span class="code-comment">//<span class="code-keyword">do</span> one 
thing (show the print button?)&#8207;
-</span>} <span class="code-keyword">else</span> {
-    <span class="code-comment">//don&#8217;t show the button?
-</span>}
-</pre>
-</div></div>
-
-<h4><a 
name="JavaAuthorizationGuide-PermissionCheck%28Stringbased%29"></a>Permission 
Check (String-based)</h4>
+    //do one thing (show the print button?)‏
+} else {
+    //don’t show the button?
+}
+</code></pre>
+<a name="JavaAuthorizationGuide-PermissionCheck%28Stringbased%29"></a>
+<h4>Permission Check (String-based)</h4>
 <p>You can also a permission check using a simple string instead of a 
permission class.</p>
+<p>So, if you don&rsquo;t want to implement our <a 
href="static/current/apidocs/org/apache/shiro/authz/Permission.html">permission 
interface</a> then you just pass in a String. In this example, we pass the 
<code>.isPermitted()</code> method a string, 
<code>printer:print:LaserJet4400n</code></p>
+<pre><code class="java">String perm = &quot;printer:print:laserjet4400n&quot;;
 
-<p>So, if you don't want to implement our <a class="external-link" 
href="static/current/apidocs/org/apache/shiro/authz/Permission.html">permission 
interface</a> then you just pass in a String.  In this example, we pass the 
<tt>.isPermitted()</tt> method a string, 
<tt>printer:print:LaserJet4400n</tt></p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-<span class="code-object">String</span> perm = 
&#8220;printer:print:laserjet4400n&#8221;;
-
-<span class="code-keyword">if</span>(currentUser.isPermitted(perm)){
-    <span class="code-comment">//show the print button?
-</span>} <span class="code-keyword">else</span> {
-    <span class="code-comment">//don&#8217;t show the button?
-</span>}
-</pre>
-</div></div>
-
-<p>You can construct the permission string the way you want so long as your <a 
href="realm.html" title="Realm">Realm</a> knows how to work with it.  In this 
example we use Shiro's optional permission syntax, <a href="permissions.html" 
title="Permissions">WildCardPermissions</a>.  WildCardPermissions are powerful 
and intuitive.  If you'd like to learn more about them then check out the <a 
class="external-link" 
href="static/current/apidocs/org/apache/shiro/authz/Permission.html">Permissions
 Documentation</a>.</p>
-
-<p>With string-based permission checks, you get the same functionality as the 
example before.  The benefit is that you are not forced to implement a 
permission interface and you can construct the permission via a simple string.  
The downside is that you don't have type safety and if you needed more 
complicated permission capabilitues that are outside the scope of what this 
represents, you're going to want to implement your own permission objects based 
on the permission interface.</p>
-
-<h3><a name="JavaAuthorizationGuide-AnnotationAuthorization"></a>Annotation 
Authorization</h3>
-
-<p>If you don't want to do code level authorization checks, then you can use 
Java Annotations as well.  Shiro offers a number of <a 
href="java-annotations-list.html" title="Java Annotations List">Java 
annotations</a> that allow you to annotate methods.  </p>
-
-<h4><a name="JavaAuthorizationGuide-EnablingAnnotationSupport"></a>Enabling 
Annotation Support</h4>
-<p>Before you can use Java annotations, you'll need to enable AOP support in 
your application. There are a number of different AOP frameworks so, 
unfortunately, there is no standard way to enable AOP in an application.</p>
-
-<p>For AspectJ, you can review our <a class="external-link" 
href="https://github.com/apache/shiro/tree/master/samples/aspectj";>AspectJ 
sample application</a>.</p>
-
+if(currentUser.isPermitted(perm)){
+    //show the print button?
+} else {
+    //don’t show the button?
+}
+</code></pre>
+<p>You can construct the permission string the way you want so long as your <a 
href="realm.html" title="Realm">Realm</a> knows how to work with it. In this 
example we use Shiro&rsquo;s optional permission syntax, <a 
href="permissions.html" title="Permissions">WildCardPermissions</a>. 
WildCardPermissions are powerful and intuitive. If you&rsquo;d like to learn 
more about them then check out the <a 
href="static/current/apidocs/org/apache/shiro/authz/Permission.html">Permissions
 Documentation</a>.</p>
+<p>With string-based permission checks, you get the same functionality as the 
example before. The benefit is that you are not forced to implement a 
permission interface and you can construct the permission via a simple string. 
The downside is that you don&rsquo;t have type safety and if you needed more 
complicated permission capabilitues that are outside the scope of what this 
represents, you&rsquo;re going to want to implement your own permission objects 
based on the permission interface.</p>
+<a name="JavaAuthorizationGuide-AnnotationAuthorization"></a>
+<h3><a href="#annotation-authorization" 
name="annotation-authorization">Annotation Authorization</a></h3>
+<p>If you don&rsquo;t want to do code level authorization checks, then you can 
use Java Annotations as well. Shiro offers a number of <a 
href="java-annotations-list.html" title="Java Annotations List">Java 
annotations</a> that allow you to annotate methods.</p>
+<a name="JavaAuthorizationGuide-EnablingAnnotationSupport"></a>
+<h4><a href="#enabling-annotation-support" 
name="enabling-annotation-support">Enabling Annotation Support</a></h4>
+<p>Before you can use Java annotations, you&rsquo;ll need to enable AOP 
support in your application. There are a number of different AOP frameworks so, 
unfortunately, there is no standard way to enable AOP in an application.</p>
+<p>For AspectJ, you can review our <a 
href="https://github.com/apache/shiro/tree/master/samples/aspectj";>AspectJ 
sample application</a>.</p>
 <p>For Spring, you can look into our <a href="spring.html" 
title="Spring">Spring Integration</a> documentation.</p>
-
 <p>For Guice, you can look into our <a href="guice.html" title="Guice">Guice 
Integration</a> documentation.</p>
-
-<h4><a name="JavaAuthorizationGuide-PermissionCheck"></a>Permission Check</h4>
-<p>In this example, we want to check that a user has the 
<tt>account:create</tt> permission before they can invoke the 
<tt>openAccount</tt> method.  If they do, then the method is called as 
expected, and if they don't, then an exception is thrown. </p>
-
-<p>Like programmatic checks, you can use the <a class="external-link" 
href="static/current/apidocs/org/apache/shiro/authz/Permission.html">Permission</a>
 objects or the simple string methods with this annotation.</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-<span class="code-comment">//Will <span class="code-keyword">throw</span> an 
AuthorizationException <span class="code-keyword">if</span> none
-</span><span class="code-comment">//of the caller&#8217;s roles imply the 
Account 
-</span><span class="code-comment">//'create' permission&#65533;
-</span>@RequiresPermissions(&#8220;account:create&#8221;)&#8207;
-<span class="code-keyword">public</span> void openAccount( Account acct ) { 
-    <span class="code-comment">//create the account
-</span>}
-</pre>
-</div></div>
-
-<h4><a name="JavaAuthorizationGuide-RoleCheck"></a>Role Check</h4>
-<p>In this example, we want to check that a user has the <tt>teller</tt> role 
before they can invoke the <tt>openAccount</tt> method.  If they do, then the 
method is called as expected, and if they don't, then an exception is 
thrown.</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-<span class="code-comment">//Throws an AuthorizationException <span 
class="code-keyword">if</span> the caller
-</span><span class="code-comment">//doesn&#8217;t have the 
&#8216;teller&#8217; role:
-</span>
-@RequiresRoles( &#8220;teller&#8221; )
-<span class="code-keyword">public</span> void openAccount( Account acct ) { 
-    <span class="code-comment">//<span class="code-keyword">do</span> 
something in here that only a teller
-</span>    <span class="code-comment">//should <span 
class="code-keyword">do</span>
-</span>}
-</pre>
-</div></div>
-
-<h3><a name="JavaAuthorizationGuide-JSPTagLibAuthorization"></a>JSP TagLib 
Authorization</h3>
-<p>For JSP/GSP based web applications, Shiro also offers a <a 
href="jsp-tag-library.html" title="JSP Tag Library">tag library</a> for you to 
use. </p>
-
-<p>In this example, we're going to show users with the <em>users:manage</em> 
permission a link to the Manage Users page.  If they do not have the 
permission, then we'll show them a nice message.</p>
-
-<p>First, we'll need to add the Shiro taglib to our web application. Next, we 
add the <tt>&lt;shiro:hasPermission&gt;</tt> tag with a check for 
<em>users:manage</em>.  Within the <tt>&lt;shiro:hasPermission&gt;</tt> tags we 
will place the code we want to execute if the user has the permission we're 
checking for.  If we want to take an action if the user lacks the permission, 
then we need to also add the <tt>&lt;shiro:lacksPermission&gt;</tt> tag, again 
checking for <em>users:manage</em>.  And any code we want to excute if the user 
lacks the permission will need to be placed within the 
<tt>&lt;shiro:lacksPermission&gt;</tt> tags.</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-&lt;%@ taglib prefix=&#8220;shiro&#8221; uri=http:<span 
class="code-comment">//shiro.apache.org/tags %&gt;
-</span>&lt;html&gt;
+<a name="JavaAuthorizationGuide-PermissionCheck"></a>
+<h4><a href="#permission-check" name="permission-check">Permission 
Check</a></h4>
+<p>In this example, we want to check that a user has the 
<code>account:create</code> permission before they can invoke the 
<code>openAccount</code> method. If they do, then the method is called as 
expected, and if they don&rsquo;t, then an exception is thrown.</p>
+<p>Like programmatic checks, you can use the <a 
href="static/current/apidocs/org/apache/shiro/authz/Permission.html">Permission</a>
 objects or the simple string methods with this annotation.</p>
+<pre><code class="java">//Will throw an AuthorizationException if none
+//of the caller’s roles imply the Account
+//&#39;create&#39; permission
+@RequiresPermissions(&quot;account:create&quot;)‏
+public void openAccount( Account acct ) {
+    //create the account
+}
+</code></pre>
+<a name="JavaAuthorizationGuide-RoleCheck"></a>
+<h4><a href="#role-check" name="role-check">Role Check</a></h4>
+<p>In this example, we want to check that a user has the <code>teller</code> 
role before they can invoke the <code>openAccount</code> method. If they do, 
then the method is called as expected, and if they don&rsquo;t, then an 
exception is thrown.</p>
+<pre><code class="java">//Throws an AuthorizationException if the caller
+//doesn’t have the ‘teller’ role:
+@RequiresRoles( &quot;teller&quot; )
+public void openAccount( Account acct ) {
+    //do something in here that only a teller
+    //should do
+}
+</code></pre>
+<a name="JavaAuthorizationGuide-JSPTagLibAuthorization"></a>
+<h3><a href="#jsp-taglib-authorization" name="jsp-taglib-authorization">JSP 
TagLib Authorization</a></h3>
+<p>For JSP/GSP based web applications, Shiro also offers a <a 
href="jsp-tag-library.html" title="JSP Tag Library">tag library</a> for you to 
use.</p>
+<p>In this example, we&rsquo;re going to show users with the 
<em>users:manage</em> permission a link to the Manage Users page. If they do 
not have the permission, then we&rsquo;ll show them a nice message.</p>
+<p>First, we&rsquo;ll need to add the Shiro taglib to our web application. 
Next, we add the <code>&lt;shiro:hasPermission&gt;</code> tag with a check for 
<em>users:manage</em>. Within the <code>&lt;shiro:hasPermission&gt;</code> tags 
we will place the code we want to execute if the user has the permission 
we&rsquo;re checking for. If we want to take an action if the user lacks the 
permission, then we need to also add the 
<code>&lt;shiro:lacksPermission&gt;</code> tag, again checking for 
<em>users:manage</em>. And any code we want to excute if the user lacks the 
permission will need to be placed within the 
<code>&lt;shiro:lacksPermission&gt;</code> tags.</p>
+<pre><code class="html">&lt;%@ taglib prefix=&quot;shiro&quot; 
uri=http://shiro.apache.org/tags %&gt;
+&lt;html&gt;
 &lt;body&gt;
-    &lt;shiro:hasPermission name=&#8220;users:manage&#8221;&gt;
-        &lt;a href=&#8220;manageUsers.jsp&#8221;&gt;
+    &lt;shiro:hasPermission name=&quot;users:manage&quot;&gt;
+        &lt;a href=&quot;manageUsers.jsp&quot;&gt;
             Click here to manage users
         &lt;/a&gt;
     &lt;/shiro:hasPermission&gt;
-    &lt;shiro:lacksPermission name=&#8220;users:manage&#8221;&gt;
-        No user management <span class="code-keyword">for</span> you!
+    &lt;shiro:lacksPermission name=&quot;users:manage&quot;&gt;
+        No user management for you!
     &lt;/shiro:lacksPermission&gt;
 &lt;/body&gt;
 &lt;/html&gt;
-</pre>
-</div></div>
-
+</code></pre>
 <p>Of course, there also tags for checking roles and other user data and 
states.</p>
-
 <p>For more information on JSP/GSP Tags please check out the <a 
href="jsp-tag-library.html" title="JSP Tag Library">JSP Tag Library</a> and for 
more information on integration your application in your web application, 
please read the <a href="web.html" title="Web">Web Integration 
Documentation</a></p>
-
-<h2><a name="JavaAuthorizationGuide-CachingAuthorization"></a>Caching 
Authorization</h2>
+<a name="JavaAuthorizationGuide-CachingAuthorization"></a>
+<h2><a href="#caching-authorization" name="caching-authorization">Caching 
Authorization</a></h2>
 <p>TBD</p>
-
-<h2><a name="JavaAuthorizationGuide-Lendahandwithdocumentation"></a>Lend a 
hand with documentation </h2>
-
-<p>While we hope this documentation helps you with the work you're doing with 
Apache Shiro, the community is improving and expanding the documentation all 
the time.  If you'd like to help the Shiro project, please consider corrected, 
expanding, or adding documentation where you see a need. Every little bit of 
help you provide expands the community and in turn improves Shiro. </p>
-
-<p>The easiest way to contribute your documentation is to send it to the <a 
class="external-link" href="http://shiro-user.582556.n2.nabble.com/"; 
rel="nofollow">User Forum</a> or the <a href="mailing-lists.html" 
title="Mailing Lists">User Mailing List</a>.</p>
-
+<a name="JavaAuthorizationGuide-Lendahandwithdocumentation"></a>
+<h2><a href="#lend-a-hand-with-documentation" 
name="lend-a-hand-with-documentation">Lend a hand with documentation</a></h2>
+<p>While we hope this documentation helps you with the work you&rsquo;re doing 
with Apache Shiro, the community is improving and expanding the documentation 
all the time. If you&rsquo;d like to help the Shiro project, please consider 
corrected, expanding, or adding documentation where you see a need. Every 
little bit of help you provide expands the community and in turn improves 
Shiro.</p>
+<p>The easiest way to contribute your documentation is to send it to the <a 
href="http://shiro-user.582556.n2.nabble.com/";>User Forum</a> or the <a 
href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p>
 
         </div>
 

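Review bot: In the added JSP sample, the taglib directive still leaves the uri value unquoted (`uri=http://shiro.apache.org/tags`) although `prefix` is now quoted; a JSP directive attribute value needs quotes, so this should read `uri="http://shiro.apache.org/tags"`, otherwise a reader who pastes the sample gets a page that fails to compile. The added `@RequiresPermissions("account:create")` line also appears to carry a stray invisible character after the closing parenthesis, which should be stripped from the source. Because the sample only hides the link, a sentence noting that manageUsers.jsp still needs its own server-side permission check would stop readers treating `<shiro:hasPermission>` as enforcement. The carried-over typo "excute" can be fixed in the same pass.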
Modified: shiro/site/publish/java-cryptography-guide.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/java-cryptography-guide.html?rev=1766414&r1=1766413&r2=1766414&view=diff
==============================================================================
--- shiro/site/publish/java-cryptography-guide.html (original)
+++ shiro/site/publish/java-cryptography-guide.html Mon Oct 24 14:33:52 2016
@@ -78,9 +78,8 @@
 
         <div id="content">
 
-            <h1><a 
name="JavaCryptographyGuide-JavaCryptographyGuidewithApacheShiro"></a>Java 
Cryptography Guide with Apache Shiro</h1>
-
-
+            <a 
name="JavaCryptographyGuide-JavaCryptographyGuidewithApacheShiro"></a>
+<h1><a href="#java-cryptography-guide-with-apache-shiro" 
name="java-cryptography-guide-with-apache-shiro">Java Cryptography Guide with 
Apache Shiro</a></h1>
 <div class="addthis_toolbox addthis_default_style">
 <a class="addthis_button_compact" 
href="http://www.addthis.com/bookmark.php?v=250&amp;pubid=ra-4d66ef016022c3bd";>Share</a>
 <span class="addthis_separator">|</span>
@@ -91,53 +90,45 @@
 </div>
 <script type="text/javascript">var addthis_config = 
{"data_track_clickback":true};</script>
 <script type="text/javascript" 
src="http://s7.addthis.com/js/250/addthis_widget.js#pubid=ra-4d66ef016022c3bd";></script>
-
-
-<p><br clear="none" class="atl-forced-newline">
-Cryptography is the protecting of information from undesired access by hiding 
it or converting it into nonsense so that no one can read it.</p>
-
-<p>Shiro is a major part of Shiro because we wanted to provide you with 
simplicity on what is typically a very complex topic.  For example, the Java 
Cryptophay Environments (JCE) already handles cryptogrpahy in a Java 
environment but is very difficult to learn and use.  So we grabbed the concepts 
made available by the JCE API and make them available to us mortals.  In 
addition, all of the calls in the JCE are procedural which doesn't fit in 
Java's Object Oriented paradigm.  So in Shiro, our cryptography features are 
all object oriented.</p>
-
-<h2><a name="JavaCryptographyGuide-ElementsofCryptography"></a>Elements of 
Cryptography</h2>
-<p>Cryptogrpahy has two core elements in Shiro-- ciphers and hashes.  </p>
-
-<h3><a name="JavaCryptographyGuide-CiphersDefined"></a>Ciphers Defined</h3>
+<p>Cryptography is the protecting of information from undesired access by 
hiding it or converting it into nonsense so that no one can read it.</p>
+<p>Shiro is a major part of Shiro because we wanted to provide you with 
simplicity on what is typically a very complex topic. For example, the Java 
Cryptophay Environments (JCE) already handles cryptogrpahy in a Java 
environment but is very difficult to learn and use. So we grabbed the concepts 
made available by the JCE API and make them available to us mortals. In 
addition, all of the calls in the JCE are procedural which doesn&rsquo;t fit in 
Java&rsquo;s Object Oriented paradigm. So in Shiro, our cryptography features 
are all object oriented.</p>
+<a name="JavaCryptographyGuide-ElementsofCryptography"></a>
+<h2><a href="#elements-of-cryptography" 
name="elements-of-cryptography">Elements of Cryptography</a></h2>
+<p>Cryptogrpahy has two core elements in Shiro&ndash; ciphers and hashes.</p>
+<a name="JavaCryptographyGuide-CiphersDefined"></a>
+<h3><a href="#ciphers-defined" name="ciphers-defined">Ciphers Defined</a></h3>
 <p>Ciphers are algorightms that can either encrypt or decrypt based on public 
or private key pair. And there are two different types of ciphers:</p>
-
-<ul class="alternate" type="square"><li>Symmetric Cipher - encrypts and 
decrypts using the same key.</li></ul>
-
-
-<ul class="alternate" type="square"><li>Asymmetric Cipher - uses different 
keys for encryption and decryption.</li></ul>
-
-
+<ul>
+  <li>
+  <p>Symmetric Cipher - encrypts and decrypts using the same key.</p></li>
+  <li>
+  <p>Asymmetric Cipher - uses different keys for encryption and 
decryption.</p></li>
+</ul>
 <p>Both cipher type are support in Shiro.</p>
+<a name="JavaCryptographyGuide-HashesDefined"></a>
+<h3><a href="#hashes-defined" name="hashes-defined">Hashes Defined</a></h3>
+<p>A hash is a one-way irreversible conversion of an input source. In the JDK, 
a hash is referred to as a message digest. A cryptographic hash and a message 
digests are the same thing and both terms or correct.</p>
+<a name="JavaCryptographyGuide-CommonusesforHashes"></a>
+<h4><a href="#common-uses-for-hashes" name="common-uses-for-hashes">Common 
uses for Hashes</a></h4>
+<p>Hashes are often used to transforms credentials like passwords or biometric 
data. It&rsquo;s a one way transformation so you can never see what the 
original value was. This is a very safe way of storing passwords so that no one 
other than the user will ever know a password, even if your system is 
compromised.</p>
+<p>In addition, Shiro&rsquo;s hashes can be used with any type of data with an 
underlying byte array. Examples of this data include files, streams, byte 
arrays, strings, and character arrays.</p>
+<a name="JavaCryptographyGuide-CipherFeatures"></a>
+<h2><a href="#cipher-features" name="cipher-features">Cipher Features</a></h2>
+<a name="JavaCryptographyGuide-Shiro%27sCipherServiceInterface"></a>
+<h3>Shiro&rsquo;s CipherService Interface</h3>
+<pre><code class="java">public interface CipherService {
 
-<h3><a name="JavaCryptographyGuide-HashesDefined"></a>Hashes Defined</h3>
-<p>A hash is a one-way irreversible conversion of an input source.  In the 
JDK, a hash is referred to as a message digest.  A cryptographic hash and a 
message digests are the same thing and both terms or correct.</p>
-
-<h4><a name="JavaCryptographyGuide-CommonusesforHashes"></a>Common uses for 
Hashes</h4>
-<p>Hashes are often used to transforms credentials like passwords or biometric 
data.  It's a one way transformation so you can never see what the original 
value was.  This is a very safe way of storing passwords so that no one other 
than the user will ever know a password, even if your system is compromised.</p>
+   ByteSource encrypt( byte[] raw, byte[] key);
 
-<p>In addition, Shiro's hashes can be used with any type of data with an 
underlying byte array.  Examples of this data include files, streams, byte 
arrays, strings, and character arrays.</p>
+   void encrypt(InputStream in, OutputStream out, byte[] key);
 
-<h2><a name="JavaCryptographyGuide-CipherFeatures"></a>Cipher Features</h2>
-<h3><a 
name="JavaCryptographyGuide-Shiro%27sCipherServiceInterface"></a>Shiro's 
CipherService Interface</h3>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-<span class="code-keyword">public</span> <span 
class="code-keyword">interface</span> CipherService {
+   ByteSource decrypt( byte[] cipherText, byte[] key);
 
-   ByteSource encrypt( <span class="code-object">byte</span>[] raw, <span 
class="code-object">byte</span>[] key);
-
-   void encrypt(InputStream in, OutputStream out, <span 
class="code-object">byte</span>[] key);
-
-   ByteSource decrypt( <span class="code-object">byte</span>[] cipherText, 
<span class="code-object">byte</span>[] key);
-
-   void decrypt(InputStream in, OutputStream out, <span 
class="code-object">byte</span>[] key);  
+   void decrypt(InputStream in, OutputStream out, byte[] key);
 }
-</pre>
-</div></div>
-
-<h2><a name="JavaCryptographyGuide-HashFeatures"></a>Hash Features</h2>
+</code></pre>
+<a name="JavaCryptographyGuide-HashFeatures"></a>
+<h2><a href="#hash-features" name="hash-features">Hash Features</a></h2>
 <div class="panelMacro">
     <table class="tipMacro">
         <colgroup span="1">
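Review bot: The added "Common uses for Hashes" paragraph calls hashing "a very safe way of storing passwords" without mentioning a salt or an iteration count, which is what the `new Sha256(aPassword, salt, 1024)` sample later in this file relies on; suggest qualifying the sentence to say salted, iterated hashes. The conversion also carries source errors into the new lines unchanged: "Shiro is a major part of Shiro" (presumably "Cryptography is a major part of Shiro"), "Cryptophay", "cryptogrpahy" and "Cryptogrpahy", and "Shiro&ndash; ciphers" has lost the space before the dash. The new `<h3>Shiro&rsquo;s CipherService Interface</h3>` heading has no `href`/`name` link, unlike the other headings this hunk adds.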
@@ -157,7 +148,6 @@ Cryptography is the protecting of inform
         </tbody>
     </table>
 </div>
-
 <div class="panelMacro">
     <table class="tipMacro">
         <colgroup span="1">
@@ -177,38 +167,29 @@ Cryptography is the protecting of inform
         </tbody>
     </table>
 </div>
-
-<h3><a name="JavaCryptographyGuide-Shiro%27sHashInterface"></a>Shiro's Hash 
Interface</h3>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-<span class="code-keyword">public</span> <span 
class="code-keyword">interface</span> Hash {
-   <span class="code-object">byte</span>[] getBytes();
-   <span class="code-object">String</span> toHex();
-   <span class="code-object">String</span> toBase64();
+<a name="JavaCryptographyGuide-Shiro%27sHashInterface"></a>
+<h3>Shiro&rsquo;s Hash Interface</h3>
+<pre><code class="java">public interface Hash {
+   byte[] getBytes();
+   String toHex();
+   String toBase64();
 }
-</pre>
-</div></div>
-
-<h3><a 
name="JavaCryptographyGuide-ExamplesofhowtouseHashesinyourcode"></a>Examples of 
how to use Hashes in your code</h3>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-java">
-<span class="code-comment">//some examples:
-</span><span class="code-keyword">new</span> 
Md5Hash(&#8220;foo&#8221;).toHex();
-
-<span class="code-comment">//File MD5 Hash value <span 
class="code-keyword">for</span> checksum:
-</span><span class="code-keyword">new</span> MD5Hash( aFile ).toHex();
-
-<span class="code-comment">//store a password, but not raw:
-</span><span class="code-keyword">new</span> Sha256(aPassword, salt,
-           1024).toBase64();
-</pre>
-</div></div>
-
-<h2><a name="JavaCryptographyGuide-Lendahandwithdocumentation"></a>Lend a hand 
with documentation </h2>
-
-<p>While we hope this documentation helps you with the work you're doing with 
Apache Shiro, the community is improving and expanding the documentation all 
the time.  If you'd like to help the Shiro project, please consider corrected, 
expanding, or adding documentation where you see a need. Every little bit of 
help you provide expands the community and in turn improves Shiro. </p>
-
-<p>The easiest way to contribute your documentation is to send it to the <a 
class="external-link" href="http://shiro-user.582556.n2.nabble.com/"; 
rel="nofollow">User Forum</a> or the <a href="mailing-lists.html" 
title="Mailing Lists">User Mailing List</a>.</p>
+</code></pre>
+<a name="JavaCryptographyGuide-ExamplesofhowtouseHashesinyourcode"></a>
+<h3><a href="#examples-of-how-to-use-hashes-in-your-code" 
name="examples-of-how-to-use-hashes-in-your-code">Examples of how to use Hashes 
in your code</a></h3>
+<pre><code class="java">//some examples: 
+new Md5Hash(“foo”).toHex();
+
+//File MD5 Hash value for checksum: 
+new MD5Hash( aFile ).toHex();
+
+//store a password, but not raw: 
+new Sha256(aPassword, salt, 1024).toBase64();
+</code></pre>
+<a name="JavaCryptographyGuide-Lendahandwithdocumentation"></a>
+<h2><a href="#lend-a-hand-with-documentation" 
name="lend-a-hand-with-documentation">Lend a hand with documentation</a></h2>
+<p>While we hope this documentation helps you with the work you&rsquo;re doing 
with Apache Shiro, the community is improving and expanding the documentation 
all the time. If you&rsquo;d like to help the Shiro project, please consider 
corrected, expanding, or adding documentation where you see a need. Every 
little bit of help you provide expands the community and in turn improves 
Shiro.</p>
+<p>The easiest way to contribute your documentation is to send it to the <a 
href="http://shiro-user.582556.n2.nabble.com/";>User Forum</a> or the <a 
href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p>
 
         </div>
 

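Review bot: The added hash samples will not compile as pasted: `new Md5Hash(“foo”)` still uses typographic quotes, the second sample spells the class `MD5Hash` where the first uses `Md5Hash`, and `Sha256` does not match Shiro's `Sha256Hash` class name. Suggest straight quotes and consistent class names (`Md5Hash`, `Sha256Hash`). The "store a password" sample would also benefit from a line saying where `salt` comes from, and the new `<h3>Shiro&rsquo;s Hash Interface</h3>` heading lacks the `href`/`name` link that the neighbouring headings get.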
Modified: shiro/site/publish/jsp-tag-library.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/jsp-tag-library.html?rev=1766414&r1=1766413&r2=1766414&view=diff
==============================================================================
--- shiro/site/publish/jsp-tag-library.html (original)
+++ shiro/site/publish/jsp-tag-library.html Mon Oct 24 14:33:52 2016
@@ -78,37 +78,30 @@
 
         <div id="content">
 
-            <h1><a 
name="JSPTagLibrary-JSP%2FGSPTagLibraryforApacheShiro"></a>JSP/GSP Tag Library 
for Apache Shiro</h1>
-
-<ul><li><b>&lt;shiro:guest/&gt;</b> - Displays body content only if the 
current Subject IS NOT known to the system, either because they have not logged 
in or they have no corresponding 'RememberMe' identity. It is logically 
opposite to the 'user' tag.</li></ul>
-
-
-<ul><li><b>&lt;shiro:user/&gt;</b> - Displays body content only if the current 
Subject has a known identity, either from a previous login or from 'RememberMe' 
services. Note that this is semantically different from the 'authenticated' 
tag, which is more restrictive. It is logically opposite to the 'guest' 
tag.</li></ul>
-
-
-<ul><li><b>&lt;shiro:principal/&gt;</b> - Displays the user's principal or a 
property of the user's principal.</li></ul>
-
-
-<ul><li><b>&lt;shiro:hasPermission/&gt;</b> - Displays body content only if 
the current Subject (user) 'has' (implies) the specified permission (i.e the 
user has the specified ability).</li></ul>
-
-
-<ul><li><b>&lt;shiro:lacksPermission/&gt;</b> - Displays body content only if 
the current Subject (user) does NOT have (not imply) the specified permission 
(i.e. the user lacks the specified ability)</li></ul>
-
-
-<ul><li><b>&lt;shiro:hasRole/&gt;</b> - Displays body content only if the 
current user has the specified role.</li></ul>
-
-
-<ul><li><b>&lt;shiro:lacksRole/&gt;</b> - Displays body content only if the 
current user does NOT have the specified role (i.e. they explicitly lack the 
specified role)</li></ul>
-
-
-<ul><li><b>&lt;shiro:hasAnyRoles/&gt;</b> - Displays body content only if the 
current user has one of the specified roles from a comma-separated list of role 
names</li></ul>
-
-
-<ul><li><b>&lt;shiro:authenticated/&gt;</b> - Displays body content only if 
the current user has successfully authenticated <em>during their current 
session</em>. It is more restrictive than the 'user' tag. It is logically 
opposite to the 'notAuthenticated' tag.</li></ul>
-
-
-<ul><li><b>&lt;shiro:notAuthenticated/&gt;</b> - Displays body content only if 
the current user has NOT succesfully authenticated <em>during their current 
session</em>. It is logically opposite to the 'authenticated' tag.</li></ul>
-
+            <a name="JSPTagLibrary-JSP%2FGSPTagLibraryforApacheShiro"></a>
+<h1><a href="#jsp-gsp-tag-library-for-apache-shiro" 
name="jsp-gsp-tag-library-for-apache-shiro">JSP/GSP Tag Library for Apache 
Shiro</a></h1>
+<ul>
+  <li>
+  <p><strong>&lt;shiro:guest/&gt;</strong> - Displays body content only if the 
current Subject IS NOT known to the system, either because they have not logged 
in or they have no corresponding &lsquo;RememberMe&rsquo; identity. It is 
logically opposite to the &lsquo;user&rsquo; tag.</p></li>
+  <li>
+  <p><strong>&lt;shiro:user/&gt;</strong> - Displays body content only if the 
current Subject has a known identity, either from a previous login or from 
&lsquo;RememberMe&rsquo; services. Note that this is semantically different 
from the &lsquo;authenticated&rsquo; tag, which is more restrictive. It is 
logically opposite to the &lsquo;guest&rsquo; tag.</p></li>
+  <li>
+  <p><strong>&lt;shiro:principal/&gt;</strong> - Displays the user&rsquo;s 
principal or a property of the user&rsquo;s principal.</p></li>
+  <li>
+  <p><strong>&lt;shiro:hasPermission/&gt;</strong> - Displays body content 
only if the current Subject (user) &lsquo;has&rsquo; (implies) the specified 
permission (i.e the user has the specified ability).</p></li>
+  <li>
+  <p><strong>&lt;shiro:lacksPermission/&gt;</strong> - Displays body content 
only if the current Subject (user) does NOT have (not imply) the specified 
permission (i.e. the user lacks the specified ability)</p></li>
+  <li>
+  <p><strong>&lt;shiro:hasRole/&gt;</strong> - Displays body content only if 
the current user has the specified role.</p></li>
+  <li>
+  <p><strong>&lt;shiro:lacksRole/&gt;</strong> - Displays body content only if 
the current user does NOT have the specified role (i.e. they explicitly lack 
the specified role)</p></li>
+  <li>
+  <p><strong>&lt;shiro:hasAnyRoles/&gt;</strong> - Displays body content only 
if the current user has one of the specified roles from a comma-separated list 
of role names</p></li>
+  <li>
+  <p><strong>&lt;shiro:authenticated/&gt;</strong> - Displays body content 
only if the current user has successfully authenticated <em>during their 
current session</em>. It is more restrictive than the &lsquo;user&rsquo; tag. 
It is logically opposite to the &lsquo;notAuthenticated&rsquo; tag.</p></li>
+  <li>
+  <p><strong>&lt;shiro:notAuthenticated/&gt;</strong> - Displays body content 
only if the current user has NOT succesfully authenticated <em>during their 
current session</em>. It is logically opposite to the 
&lsquo;authenticated&rsquo; tag.</p></li>
+</ul>
 
         </div>
 

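Review bot: The rewritten list keeps two slips from the old text, "succesfully" in the `<shiro:notAuthenticated/>` item and "i.e the" in the `<shiro:hasPermission/>` item; fix them while these lines are being touched. Tag names are wrapped in `<strong>` here, whereas the authorization guide in this same commit uses `<code>` for `<shiro:hasPermission>`; using `<code>` in both places keeps the two pages consistent.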
Modified: shiro/site/publish/license.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/license.html?rev=1766414&r1=1766413&r2=1766414&view=diff
==============================================================================
--- shiro/site/publish/license.html (original)
+++ shiro/site/publish/license.html Mon Oct 24 14:33:52 2016
@@ -78,10 +78,9 @@
 
         <div id="content">
 
-            <h1><a 
name="License-TheApacheSoftwareLicense%2CVersion2.0"></a>The Apache Software 
License, Version 2.0</h1>
-<div class="preformatted panel" style="border-width: 1px;"><div 
class="preformattedContent panelContent">
-<pre> 
-                                Apache License
+            <a name="License-TheApacheSoftwareLicense%2CVersion2.0"></a>
+<h1>The Apache Software License, Version 2.0</h1>
+<pre><code class="nohighlight">                                Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
 
@@ -89,38 +88,38 @@
 
    1. Definitions.
 
-      "License" shall mean the terms and conditions for use, reproduction,
+      &quot;License&quot; shall mean the terms and conditions for use, 
reproduction,
       and distribution as defined by Sections 1 through 9 of this document.
 
-      "Licensor" shall mean the copyright owner or entity authorized by
+      &quot;Licensor&quot; shall mean the copyright owner or entity authorized 
by
       the copyright owner that is granting the License.
 
-      "Legal Entity" shall mean the union of the acting entity and all
+      &quot;Legal Entity&quot; shall mean the union of the acting entity and 
all
       other entities that control, are controlled by, or are under common
       control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
+      &quot;control&quot; means (i) the power, direct or indirect, to cause the
       direction or management of such entity, whether by contract or
       otherwise, or (ii) ownership of fifty percent (50%) or more of the
       outstanding shares, or (iii) beneficial ownership of such entity.
 
-      "You" (or "Your") shall mean an individual or Legal Entity
+      &quot;You&quot; (or &quot;Your&quot;) shall mean an individual or Legal 
Entity
       exercising permissions granted by this License.
 
-      "Source" form shall mean the preferred form for making modifications,
+      &quot;Source&quot; form shall mean the preferred form for making 
modifications,
       including but not limited to software source code, documentation
       source, and configuration files.
 
-      "Object" form shall mean any form resulting from mechanical
+      &quot;Object&quot; form shall mean any form resulting from mechanical
       transformation or translation of a Source form, including but
       not limited to compiled object code, generated documentation,
       and conversions to other media types.
 
-      "Work" shall mean the work of authorship, whether in Source or
+      &quot;Work&quot; shall mean the work of authorship, whether in Source or
       Object form, made available under the License, as indicated by a
       copyright notice that is included in or attached to the work
       (an example is provided in the Appendix below).
 
-      "Derivative Works" shall mean any work, whether in Source or Object
+      &quot;Derivative Works&quot; shall mean any work, whether in Source or 
Object
       form, that is based on (or derived from) the Work and for which the
       editorial revisions, annotations, elaborations, or other modifications
       represent, as a whole, an original work of authorship. For the purposes
@@ -128,21 +127,21 @@
       separable from, or merely link (or bind by name) to the interfaces of,
       the Work and Derivative Works thereof.
 
-      "Contribution" shall mean any work of authorship, including
+      &quot;Contribution&quot; shall mean any work of authorship, including
       the original version of the Work and any modifications or additions
       to that Work or Derivative Works thereof, that is intentionally
       submitted to Licensor for inclusion in the Work by the copyright owner
       or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
+      the copyright owner. For the purposes of this definition, 
&quot;submitted&quot;
       means any form of electronic, verbal, or written communication sent
       to the Licensor or its representatives, including but not limited to
       communication on electronic mailing lists, source code control systems,
       and issue tracking systems that are managed by, or on behalf of, the
       Licensor for the purpose of discussing and improving the Work, but
       excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
+      designated in writing by the copyright owner as &quot;Not a 
Contribution.&quot;
 
-      "Contributor" shall mean Licensor and any individual or Legal Entity
+      &quot;Contributor&quot; shall mean Licensor and any individual or Legal 
Entity
       on behalf of whom a Contribution has been received by Licensor and
       subsequently incorporated within the Work.
 
@@ -186,7 +185,7 @@
           excluding those notices that do not pertain to any part of
           the Derivative Works; and
 
-      (d) If the Work includes a "NOTICE" text file as part of its
+      (d) If the Work includes a &quot;NOTICE&quot; text file as part of its
           distribution, then any Derivative Works that You distribute must
           include a readable copy of the attribution notices contained
           within such NOTICE file, excluding those notices that do not
@@ -225,7 +224,7 @@
 
    7. Disclaimer of Warranty. Unless required by applicable law or
       agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
+      Contributor provides its Contributions) on an &quot;AS IS&quot; BASIS,
       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
       implied, including, without limitation, any warranties or conditions
       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
@@ -261,29 +260,28 @@
    APPENDIX: How to apply the Apache License to your work.
 
       To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
+      boilerplate notice, with the fields enclosed by brackets &quot;[]&quot;
+      replaced with your own identifying information. (Don&#39;t include
       the brackets!)  The text should be enclosed in the appropriate
       comment syntax for the file format. We also recommend that a
       file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
+      same &quot;printed page&quot; as the copyright notice for easier
       identification within third-party archives.
 
    Copyright [yyyy] [name of copyright owner]
 
-   Licensed under the Apache License, Version 2.0 (the "License");
+   Licensed under the Apache License, Version 2.0 (the &quot;License&quot;);
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
        http://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
+   distributed under the License is distributed on an &quot;AS IS&quot; BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-</pre>
-</div></div>
+</code></pre>
 
         </div>
 

Modified: shiro/site/publish/mailing-lists.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/mailing-lists.html?rev=1766414&r1=1766413&r2=1766414&view=diff
==============================================================================
--- shiro/site/publish/mailing-lists.html (original)
+++ shiro/site/publish/mailing-lists.html Mon Oct 24 14:33:52 2016
@@ -78,8 +78,15 @@
 
         <div id="content">
 
-            <h1><a name="MailingLists-ApacheShiroMailingLists"></a>Apache 
Shiro Mailing Lists</h1>
-
+            <a name="MailingLists-ApacheShiroMailingLists"></a>
+<h1><a href="#apache-shiro-mailing-lists" 
name="apache-shiro-mailing-lists">Apache Shiro Mailing Lists</a></h1>
+<!-- Markdown tables need some style before switchig
+| List Name            | List Address                      | Subscribe         
                                     | Unsubscribe                              
                  | ASF Archive                                                 
           | Nabble (Online Forums)                                             
      |
+|----------------------|-----------------------------------|--------------------------------------------------------|------------------------------------------------------------|------------------------------------------------------------------------|--------------------------------------------------------------------------|
+| Shiro User List      | [mailto:[email protected]]    | 
[Subscribe](mailto:[email protected])    | 
[Unsubscribe](mailto:[email protected])    | [ASF 
Archive](http://mail-archives.apache.org/mod_mbox/shiro-user/)    | [Nabble 
Forum and Archive](http://shiro-user.582556.n2.nabble.com/)      |
+| Shiro Developer List | [mailto:[email protected]]     | 
[Subscribe](mailto:[email protected])     | 
[Unsubscribe](mailto:[email protected])     | [ASF 
Archive](http://mail-archives.apache.org/mod_mbox/shiro-dev)      | [Nabble 
Forum and Archive](http://shiro-developer.582600.n2.nabble.com/) |
+| Shiro SCM List       | [mailto:[email protected]] | 
[Subscribe](mailto:[email protected]) | 
[Unsubscribe](mailto:[email protected]) | [ASF 
Archive](http://mail-archives.apache.org/mod_mbox/shiro-commits/) |             
                                                             |
+-->
 <div class="table-wrap">
     <table class="confluenceTable">
         <tbody>
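Review bot: the commented-out Markdown table added just above `<div class="table-wrap">` is shipped in the published page and duplicates the list addresses and archive links of the HTML table that follows, so the two copies can drift apart. If the Markdown version is not ready to render, keep it out of the published output (or track it in an issue) rather than parking it in an HTML comment. If it stays, fix the typo "switchig" in the comment's first line, and note that the separator row of `|------` cells puts runs of `--` inside the comment, which strict XML/XHTML parsers reject.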
@@ -119,11 +126,9 @@
         </tbody>
     </table>
 </div>
-
-
-<h3><a name="MailingLists-DiscussionForums"></a>Discussion Forums</h3>
-
-<p>If you prefer you could use our discussion <a href="forums.html" 
title="Forums">Forums</a> which are sync'd with the above mailing lists.</p>
+<a name="MailingLists-DiscussionForums"></a>
+<h3><a href="#discussion-forums" name="discussion-forums">Discussion 
Forums</a></h3>
+<p>If you prefer you could use our discussion <a href="forums.html" 
title="Forums">Forums</a> which are sync&rsquo;d with the above mailing 
lists.</p>
 
         </div>
 
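Review bot: the Discussion Forums heading now carries two anchors, the empty legacy `<a name="MailingLists-DiscussionForums"></a>` and the new `name="discussion-forums"` on the self-linking `<a>`, and nothing in the hunk records why the legacy one is kept. If it is there to preserve inbound links, say so in a short comment so a later cleanup does not delete it and break old URLs. An `id` on the `<h3>` would also do the job of the `name` attribute, which HTML5 marks obsolete on `<a>`.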

Modified: shiro/site/publish/navigation.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/navigation.html?rev=1766414&r1=1766413&r2=1766414&view=diff
==============================================================================
--- shiro/site/publish/navigation.html (original)
+++ shiro/site/publish/navigation.html Mon Oct 24 14:33:52 2016
@@ -78,28 +78,48 @@
 
         <div id="content">
 
-            <ul id="navlist" class="sf-menu rc"><li class="current rc"><a 
href="index.html" title="Index">Home</a></li><li><a href="download.html" 
title="Download">Download</a></li><li>
-
-<p><a href="about.html" title="About">About</a></p>
-
-<ul><li><a href="what-is-shiro.html" title="What is Shiro">What is 
Shiro</a></li><li><a href="features.html" 
title="Features">Features</a></li><li><a href="news.html" 
title="News">News</a></li><li><a href="events.html" 
title="Events">Events</a></li><li><a href="license.html" 
title="License">License</a></li></ul>
-</li><li>
-
-<p><a href="documentation.html" title="Documentation">Documentation</a></p>
-
-<ul><li><a href="10-minute-tutorial.html" title="10 Minute Tutorial">10 Minute 
Tutorial</a></li><li><a href="guides.html" title="Guides">Guides</a></li><li><a 
href="reference.html" title="Reference">Reference Manual</a></li><li><a 
href="articles.html" title="Articles">Articles</a></li><li><a 
class="external-link" 
href="http://incubator.apache.org/shiro/static/current/apidocs";>API</a></li></ul>
-</li><li>
-
-<p><a href="contribute.html" title="Contribute">Contribute</a></p>
-
-<ul><li><a href="how-to-contribute.html" title="How to Contribute">How to 
Contribute</a></li><li><a class="external-link" 
href="http://www.apache.org/foundation/sponsorship.html";>Donate to 
ASF</a></li><li><a href="developer-resources.html" title="Developer 
Resources">Developer Resources</a></li></ul>
-</li><li>
-
-<p><a href="support.html" title="Support">Community Support</a></p>
-
-<ul><li><a href="mailing-lists.html" title="Mailing Lists">Mailing 
Lists</a></li><li><a href="forums.html" title="Forums">Forums</a></li><li><a 
href="issues.html" title="Issues">Issue &amp; Bug Tracking</a></li></ul>
-</li><li><a href="commercial-support.html" title="Commercial 
Support">Commercial Support</a></li></ul>
-
+            <ul>
+  <li><a href="index.html">Home</a></li>
+  <li><a href="download.html">Download</a></li>
+  <li>
+    <p><a href="about.html">About</a></p>
+    <ul>
+      <li><a href="what-is-shiro.html">What is Shiro</a></li>
+      <li><a href="features.html">Features</a></li>
+      <li><a href="news.html">News</a></li>
+      <li><a href="events.html">Events</a></li>
+      <li><a href="license.html">License</a></li>
+    </ul>
+  </li>
+  <li>
+    <p><a href="documentation.html">Documentation</a></p>
+    <ul>
+      <li><a href="10-minute-tutorial.html">10 Minute Tutorial</a></li>
+      <li><a href="guides.html">Guides</a></li>
+      <li><a href="reference.html">Reference Manual</a></li>
+      <li><a href="articles.html">Articles</a></li>
+      <li><a href="http://shiro.apache.org/static/current/apidocs";>API</a></li>
+    </ul>
+  </li>
+  <li>
+    <p><a href="contribute.html">Contribute</a></p>
+    <ul>
+      <li><a href="how-to-contribute.html">How to Contribute</a></li>
+      <li><a href="http://www.apache.org/foundation/sponsorship.html";>Donate 
to ASF</a></li>
+      <li><a href="developer-resources.html">Developer Resources</a></li>
+    </ul>
+  </li>
+  <li>
+    <p><a href="support.html">Community Support</a></p>
+    <ul>
+      <li><a href="mailing-lists.html">Mailing Lists</a></li>
+      <li><a href="forums.html">Forums</a></li>
+      <li><a href="issues.html">Issue &amp; Bug Tracking</a></li>
+    </ul>
+  </li>
+  <li>
+  <p><a href="commercial-support.html">Commercial Support</a></p></li>
+</ul>
 
         </div>
 
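Review bot: the replacement `<ul>` at the top of the added block drops `id="navlist" class="sf-menu rc"`, and the Home item loses `class="current rc"`, so any stylesheet or script that selects on those will stop applying to the menu. Confirm the site template no longer relies on them, or carry the attributes over. The two external links also lose `class="external-link"`, and the last item now wraps Commercial Support in a `<p>` while Home and Download stay bare links (the removed markup had it bare as well); make the top-level items consistent.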

