I'm happy with Spring Security; it's easier to get volunteers to be willing to work with it, as it's a more marketable skill, as well as get more integrators willing to adopt Roller into their environment, as presumably they've used Spring elsewhere (or don't mind learning it themselves). That said, I suspect the Roller WAR would be trimmer switching from Spring to Shiro due to the latter's smaller JARs (is that the case?). Also, the Shiro configuration style holds out the hope that it can someday be directly incorporated into the roller-custom.properties files without needing "WAR surgery" of opening up the WAR and modifying the security.xml file as we presently have to do with Spring.

At any rate, Shiro is an acceptable security solution, so I'm -0 on it. However, if you wish to switch to it, (1) LDAP[1] and Open ID (both Open ID only and dual Open ID <-> password authentication) would need to be working prior to updating Roller with it, i.e., we should have the same basic capabilities with Shiro that we have with Spring Security, (2) we'll need to update Roller's version to 5.2 as it's no longer a minor version release, (3) the comments in the current Spring security.xml explaining how to switch to LDAP or Open ID will need to carry over to the Shiro equivalent so people know how to get their LDAP or Open ID activated, and do a search in the Roller install guide for "security.xml" and update it accordingly with Shiro info.

Glen

[1] https://cwiki.apache.org/confluence/display/ROLLER/Roller+5.1+with+LDAP

On 12/23/2014 05:56 PM, Dave wrote:
I'm learning about Apache Shiro, so I decided to see how hard it would be
to replace Spring Security in Roller with Shiro. It was a little painful,
but I eventually got it working. Shiro seems a lot easier to deal with, and
it allowed me to completely remove all Spring dependencies from my fork of
Roller.

You can see my DIFFs here:
https://github.com/snoopdave/rollarcus/compare/shiro_not_spring?expand=1

And the shiro.ini config file is here:
https://github.com/snoopdave/rollarcus/blob/shiro_not_spring/app/src/main/resources/shiro.ini

Most of the changes are removal of Spring specific code. However, my branch
does not support LDAP or OpenID yet, so I would expect that some Shiro
specific code would have to be added to enable those things.

I'm not convinced that Roller should switch to Shiro, but this is some
food for thought...

- Dave

