Thanks, Jesse. I like using Shiro as it's powerful yet simple.
In case somebody has the same challenge, here is what I ended up doing:

1. ShiroOAuth2Code is an extended OAuth2Code class, which stores the logged-in user.
2. OAuth2ServiceImpl.generateAccessToken creates, as access token, an instance of the extended OAuth2Code, thereby storing the user identified by Shiro.
3. OAuth2AuthenticationHandler.getSecurityTokenFromRequest gets the extended access token and automatically logs the user into Shiro.
4. Deactivate OAuth2NormalizedRequest.normalizeClientSecret because it conflicts with basic authentication in Shiro (Shiro expects the username/password whereas Shindig expects the client ID/credentials).

The code for OAuth2AuthenticationHandler.getSecurityTokenFromRequest:

    if (normalizedReq.getAccessToken() != null) {
      store.validateRequestForResource(normalizedReq, null);

      // Get logged-in user (attached to Shindig token)
      OAuth2DataService dataService = store.getDataService();
      OAuth2Code token = dataService.getAccessToken(normalizedReq.getAccessToken());
      ShiroOAuth2Code shiroToken = (ShiroOAuth2Code) token;
      User principal = shiroToken.getPrincipal();

      // Inform Shiro about the logged-in user
      Subject currentUser = SecurityUtils.getSubject();
      currentUser.login(new ShindigAuthenticationToken(principal));

      return new BasicSecurityToken("", principal.getId(), "web", "", "", "1234", "", "",
          token.getExpiration());
    }

Ronny

On Fri, Dec 16, 2011 at 2:16 PM, Ciancetta, Jesse E. <jc...@mitre.org> wrote:
> >-----Original Message-----
> >From: Ronny Roeller [mailto:rroel...@gmail.com]
> >Sent: Thursday, December 15, 2011 6:04 PM
> >To: dev@shindig.apache.org
> >Subject: Authorization for REST API
> >
> >Hi,
> >
> >I want to add fine-granular authorization for calls to the REST API. For
> >example: a) users can read all fields of their own profile but only a
> >subset of fields in other profiles, or b) only administrators are allowed
> >to create new groups, etc.
> >
> >I thought of setting up Shiro after the AuthenticationServletFilter found a
> >SecurityToken, and then to verify the permissions in my PersonService
> >class. Does that make sense? What would be the proper way of authorizing
> >REST requests in Shindig?
>
> Makes sense to me. That sounds pretty similar to what we've done with our
> Shindig SPI implementations in Apache Rave except we're not using Shiro for
> any of it. In our case we're pulling all the context we need about the
> request (owner/viewer/application/...) from the security token and making
> our authorization decisions based on that. You can have a look at our
> appdata implementation to see what we're doing if you think it might help:
>
> http://svn.apache.org/repos/asf/incubator/rave/trunk/rave-shindig/src/main/java/org/apache/rave/opensocial/service/impl/DefaultAppDataService.java
>
> >Many thanks,
> >Ronny
>

-- 
Mobile: +33.6.58471763
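Added example (written for this note; it is not Ronny's code and not part of Shindig, Shiro or Rave) showing the Shiro side that the posted getSecurityTokenFromRequest relies on: a realm that accepts the pre-authenticated ShindigAuthenticationToken, plus the two authorization rules from the original question (full own profile, public subset of other profiles, group creation for administrators only) expressed as Shiro wildcard permissions that a PersonService can check. The classes User, ShindigAuthenticationToken, ShindigRealm, the readableFields helper and the permission strings profile:read:<owner>:<field> and group:create are assumptions chosen for this example; Ronny's actual classes of the same name are not shown in the thread.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ShindigShiroExample {

    // Hypothetical application principal (assumption: the User stored in ShiroOAuth2Code
    // exposes an id and a set of role names).
    static final class User {
        final String id;
        final Set<String> roles;
        User(String id, Set<String> roles) { this.id = id; this.roles = roles; }
        String getId() { return id; }
    }

    // Hypothetical token for a user whose OAuth2 access token the Shindig store has ALREADY
    // validated. It carries no secret: trust comes from validateRequestForResource() having
    // succeeded before this object is built, so never construct one from unvalidated input.
    static final class ShindigAuthenticationToken implements AuthenticationToken {
        private final User principal;
        ShindigAuthenticationToken(User principal) { this.principal = principal; }
        @Override public Object getPrincipal() { return principal; }
        @Override public Object getCredentials() { return principal.getId(); }
    }

    // Realm that accepts only ShindigAuthenticationToken. A UsernamePasswordToken from basic
    // auth is not supported by it, so this path cannot be used to log in with a bare user id.
    static final class ShindigRealm extends AuthorizingRealm {
        ShindigRealm() {
            setAuthenticationTokenClass(ShindigAuthenticationToken.class);
            setCredentialsMatcher(new AllowAllCredentialsMatcher()); // nothing to compare
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            User user = (User) token.getPrincipal();
            return new SimpleAuthenticationInfo(user, user.getId(), getName());
        }

        // Permissions use Shiro's wildcard syntax: profile:read:<ownerId>:<field>.
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            User user = (User) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(user.roles);
            info.addStringPermission("profile:read:" + user.getId() + ":*"); // every own field
            for (String f : PUBLIC_FIELDS) {
                info.addStringPermission("profile:read:*:" + f);            // public subset of others
            }
            if (user.roles.contains("admin")) {
                info.addStringPermission("group:create");
            }
            return info;
        }
    }

    // Assumed public subset of a profile (constructed for the example).
    static final Set<String> PUBLIC_FIELDS =
            new LinkedHashSet<String>(Arrays.asList("id", "displayName", "thumbnailUrl"));

    // What a PersonService would call: filter the requested fields down to the permitted ones.
    static Set<String> readableFields(Subject subject, String ownerId, Set<String> requested) {
        Set<String> allowed = new LinkedHashSet<String>();
        for (String field : requested) {
            if (subject.isPermitted("profile:read:" + ownerId + ":" + field)) {
                allowed.add(field);
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new ShindigRealm()));
        Subject subject = SecurityUtils.getSubject();
        // In the handler this happens only after store.validateRequestForResource(...) succeeded.
        subject.login(new ShindigAuthenticationToken(
                new User("alice", Collections.singleton("user"))));

        Set<String> requested = new LinkedHashSet<String>(
                Arrays.asList("id", "displayName", "emails", "addresses"));
        System.out.println("own profile:   " + readableFields(subject, "alice", requested));
        System.out.println("other profile: " + readableFields(subject, "bob", requested));
        System.out.println("may create group: " + subject.isPermitted("group:create"));

        subject.logout(); // end the Shiro session together with the request
    }
}
```

Two points worth keeping in mind with this layout. First, the realm deliberately does not verify any credential, because the proof of identity is the OAuth2 access token that the Shindig store validated just before; anything that lets a ShindigAuthenticationToken reach Subject.login() without that validation (for example a code path that skips validateRequestForResource when the token lookup fails) becomes an authentication bypass, so keep the validation and the login in the same method as in the snippet above. Second, SecurityUtils.getSubject() binds the Subject to the current thread; if the Shiro web filter is not installed to unbind it at the end of the request, call logout() (or ThreadContext.unbindSubject()) before the request completes so a pooled thread does not carry a previous caller's identity into the next request.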