Hi,
I am new to this list and to Wicket.
I just played around trying to get WASP and Shiro to work together, just to learn
about stuff, not on my job.
Here are some thoughts:
It is a bit confusing that WASP / Wicket Security uses the word "Principal" for
"to represent a set of permissions on the system.", whereas JAAS and Shiro use
the same word for:
"Principals represent Subject identities". The code glueing WASP to Shiro
becomes hard to read just due to that.
I think it would be good to have an abstract class extending
ClassAuthorizationStrategy like SwarmStrategy, except for isUserAuthenticated,
login, logoff and hasPermissions. It could have an abstract method
getSubject(). I did so myself in private to create a ShiroStrategy, copying the
other methods from SwarmStrategy into the abstract class. That abstract class
then just defers core authentication and authorisation to the WicketSubject
implementation.
I found it very confusing that SwarmStrategy.logoff(Object context) wants a
LoginContext, with JavaDoc saying "and must be the same (or equal) to the
logincontext used to log in.". That sounded as if the user had to enter his
password to logout, or that one should store the loginContext in the session.
Finally I believe there is a bug in SimpleRole.add(), at least in my version it
goes:
    public void add(Permission permission) {
        Set<Permission> permissions = getPermissions();
        if (permissions == null) {
            permissions = new LinkedHashSet<Permission>();
            setPermissions(permissions);
        }
        permissions.add(permission);
    }
so there is at least a set missing in the end. Not sure which JIRA that would
have to go into.
cheers
Thibault
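
Added example, not part of the original post and not Shiro or WASP code: whether an add() of the shape quoted above needs a final setPermissions() call depends on what getPermissions() returns. The stand-in classes below (Role, LiveViewRole, CopyingRole, with permissions modelled as plain strings) are hypothetical and compare a getter that returns the backing set with one that returns a defensive copy.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical stand-ins for illustration; neither class is Shiro or WASP code.
public class RoleAddDemo {

    /** Role whose add() has the same shape as the method quoted in the post. */
    static abstract class Role {
        protected Set<String> permissions;           // permissions modelled as strings

        abstract Set<String> getPermissions();

        void setPermissions(Set<String> p) { permissions = p; }

        void add(String permission) {
            Set<String> current = getPermissions();
            if (current == null) {
                current = new LinkedHashSet<>();
                setPermissions(current);
            }
            current.add(permission);                 // no setPermissions() afterwards
        }
    }

    /** Getter hands out the backing set itself. */
    static class LiveViewRole extends Role {
        Set<String> getPermissions() { return permissions; }
    }

    /** Getter hands out a defensive copy (assumed variant). */
    static class CopyingRole extends Role {
        Set<String> getPermissions() {
            return permissions == null ? null : new LinkedHashSet<>(permissions);
        }
    }

    /** Grants two constructed sample permissions and reports how many were stored. */
    static int grantTwo(Role role) {
        role.add("page:render");
        role.add("page:enable");
        return role.permissions.size();
    }

    public static void main(String[] args) {
        System.out.println("live getter:    " + grantTwo(new LiveViewRole()));
        System.out.println("copying getter: " + grantTwo(new CopyingRole()));
    }
}
```

With the live getter both grants are stored; with the copying getter the second grant lands in a throwaway copy, so the role silently ends up with fewer permissions than were configured.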