[ 
https://issues.apache.org/jira/browse/SHIRO-798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17228797#comment-17228797
 ] 

Pavel_K commented on SHIRO-798:
-------------------------------

[~bdemers] I am using Shiro as a security system in my CRUD framework. The CRUD 
framework is 100% JPMS. Most of the external libraries already support JPMS, 
so they are used as named explicit modules (if you don't work with JPMS, this 
[CheatSheet|https://github.com/tfesenko/Java-Modules-JPMS-CheatSheet] can be 
helpful). Some libraries (including Shiro) don't support it, so they are used 
as named automatic modules. As Shiro 1 has split packages, I use shiro-all and 
wait for Shiro 2.

When we work with JPMS we forget about implementations. And this is great for 
library developers (read: for Shiro developers). When implementation classes are 
absolutely hidden (they must be in packages that are not exported) they can do 
whatever they want from version to version and need not be afraid that code 
changes can break someone's code.

So, when I had to use 

{code:java}
DefaultSecurityManager securityManager = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
DefaultSessionManager sessionManager = (DefaultSessionManager) securityManager.getSessionManager();
SessionDAO sessionDao = sessionManager.getSessionDAO();
{code}

I saw that it is a tragedy. Knowing about Shiro 2 I opened this issue.


> Improvement in Shiro API
> ------------------------
>
>                 Key: SHIRO-798
>                 URL: https://issues.apache.org/jira/browse/SHIRO-798
>             Project: Shiro
>          Issue Type: Improvement
>    Affects Versions: 1.7.0
>            Reporter: Pavel_K
>            Priority: Major
>             Fix For: 2.0.0
>
>
> This issue was inspired by [this 
> thread|http://shiro-user.582556.n2.nabble.com/How-to-get-all-logged-in-Subjects-td7582249.html]
>  on the Shiro user mailing list: 
> I suggest:
>  
> 1) To change the API to open access to some top-level objects, SessionManager, 
> SessionDAO etc.
> (return null if some implementation doesn’t have one of them)
> 2) To separate SecurityManager from SessionManager (leave only a has-a relation).
> The API must be more flexible. Particularly for Shiro 2.0 that, as I understand, 
> must support JPMS. The main idea of JPMS is to have a clear API and to hide 
> implementation. 
> If it is necessary to make casts and get implementations to get active 
> sessions, we can conclude that it is necessary to improve the API.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
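
The cast chain quoted in the comment above fails with a ClassCastException whenever the configured SecurityManager or SessionManager is a different implementation. As an added example (not code from the thread or from the Shiro project), a type-checked variant against the Shiro 1.x classes named in the comment; the class name ActiveSessions and the choice to return an empty collection are assumptions made for illustration:

```java
import java.util.Collection;
import java.util.Collections;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.mgt.SessionsSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.SessionDAO;

// Hypothetical helper (name chosen for this example only).
public final class ActiveSessions {

    private ActiveSessions() { }

    /**
     * Returns the sessions known to the SessionDAO, or an empty collection
     * when the configured implementations do not expose one. Each step is
     * checked with instanceof instead of being cast blindly.
     */
    public static Collection<Session> list() {
        // Throws UnavailableSecurityManagerException if Shiro is not set up.
        SecurityManager securityManager = SecurityUtils.getSecurityManager();
        if (!(securityManager instanceof SessionsSecurityManager)) {
            return Collections.emptyList();
        }
        SessionManager sessionManager =
                ((SessionsSecurityManager) securityManager).getSessionManager();
        if (!(sessionManager instanceof DefaultSessionManager)) {
            return Collections.emptyList();
        }
        SessionDAO sessionDao =
                ((DefaultSessionManager) sessionManager).getSessionDAO();
        if (sessionDao == null) {
            return Collections.emptyList();
        }
        Collection<Session> active = sessionDao.getActiveSessions();
        if (active == null) {
            return Collections.emptyList();
        }
        return active;
    }
}
```

The helper still depends on implementation classes, so under JPMS it only compiles while those packages remain readable, which is the coupling the issue asks to remove.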
