[jira] [Commented] (SHIRO-386) Possibility to use DefaultWebSecurityContext without servlet api

Mon, 17 Sep 2012 06:38:09 -0700 

    [ 
https://issues.apache.org/jira/browse/SHIRO-386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13457012#comment-13457012
 ] 

Jared Bunting commented on SHIRO-386:
-------------------------------------

I'm not sure I understand.  DefaultWebSecurityManager is basically a subclass 
of DefaultSecurityManager that has specific integrations with the servlet API.  
Why would we want to be able to use it without the servlet api?
                
> Possibility to use DefaultWebSecurityContext without servlet api 
> -----------------------------------------------------------------
>
>                 Key: SHIRO-386
>                 URL: https://issues.apache.org/jira/browse/SHIRO-386
>             Project: Shiro
>          Issue Type: Wish
>          Components: Web
>    Affects Versions: 1.2.0, 1.2.1
>         Environment: OSGi
>            Reporter: Tuomas Kiviaho
>            Priority: Minor
>
> DefaultWebSecurityManager seems to be almost capable of functioning even if 
> servlet api isn't available DefaultSecurityManager. There are couple things 
> that currently prohibits utilizing this feature.
> 1. DefaultWebSecurityManager is fixed to deliver a WebSubjectContext 
> implementation but ClassUtils.isAvailable("javax.servlet.ServletRequest")  
> could be used to determine if falling back to super implementation would be 
> more appropriate. A pluggable subject context provider/factory would 
> eliminate the need of using classpath determination inside the implementation.
> 2. WebUtils has couple of static field dependencies to servlet api which are 
> trivial to factor out.
> 3. ServletContainerSessionManager is not designed to fall back to super class 
> when req/resp do not meet it's needs while creating a session and it only 
> generates an exception from such an attempt. A simple 
> ClassUtils.isAvailable("javax.servlet.http.HttpSession") could be used to 
> make a decision between it and DefaultWebSessionManager. Alternative approach 
> would be deriving the former from latter and using the fallback pattern 
> mentioned is case 1.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to