I'm happy with Spring Security, it's easier to get volunteers to be
willing to work with it as it's a more marketable skill, as well as to get more
integrators willing to adopt Roller into their environment as presumably
they've used Spring elsewhere (or don't mind learning it themselves).

That said, I suspect the Roller WAR would be trimmer switching from
Spring to Shiro due to the latter's smaller JARs (is that the case?),
also, the Shiro configuration style holds out the hope that it can
someday be directly incorporated into the roller-custom.properties files
without needing "WAR surgery" of opening up the WAR and modifying the
security.xml file as we presently have to do with Spring.

At any rate, Shiro is an acceptable security solution, so I'm -0 on it.
However, if you wish to switch to it, (1) LDAP[1] and Open ID (both open
ID only and Dual open ID <-> password authentication) would need to be
working prior to updating Roller with it, i.e., we should have the same
basic capabilities with Shiro that we have with Spring Security (2)
We'll need to update Roller's version to 5.2 as it's no longer a minor
version release, (3) the comments in the current Spring security.xml
explaining how to switch to LDAP or Open ID will need to carry over to
the Shiro equivalent so people know how to get their LDAP or Open ID
activated, and do a search in the Roller install guide for
"security.xml" and update it accordingly with Shiro info.

Glen

[1] https://cwiki.apache.org/confluence/display/ROLLER/Roller+5.1+with+LDAP

On 12/23/2014 05:56 PM, Dave wrote:
I'm learning about Apache Shiro, so I decided to see how hard it would be
to replace Spring Security in Roller with Shiro. It was a little painful,
but I eventually got it working. Shiro seems a lot easier to deal with, and
it allowed me to completely remove all Spring dependencies from my fork of
Roller.

You can see my DIFFs here:
https://github.com/snoopdave/rollarcus/compare/shiro_not_spring?expand=1

And the shiro.ini config file is here:
https://github.com/snoopdave/rollarcus/blob/shiro_not_spring/app/src/main/resources/shiro.ini

Most of the changes are removal of Spring-specific code. However, my branch
does not support LDAP or OpenID yet, so I would expect that some
Shiro-specific code would have to be added to enable those things.

I'm not convinced that Roller should switch to Shiro, but this is some
food for thought...

- Dave