Re: [DISCUSS] Security Frameworks
On Thu 18.10.2012 13:18, Carl-Eric Menzel wrote:
>
> [X] I use Shiro
>
> We use Shiro on our project (using wicketstuff's shiro integration and
> our own custom Shiro realm implementation). We use it because it gives
> us a permission-based approach (not just roles-based) and is more
> easily configured than e.g. SWARM/WASP. I also quite like the
> hierarchical approach to permissions that Shiro allows.

Those are exactly the reasons why I have chosen Shiro as well.

-Timo

Re: [DISCUSS] Security Frameworks
[x] I use WASP/Swarm

Since we started our project we adopted Swarm as our security framework and for several reasons we didn't scout other possibilities to secure our pages. By the way our experience with Swarm is pretty good, we don't need any changes in our dependencies...

Re: [DISCUSS] Security Frameworks
[ X ] I use my own custom framework
[ X ] I use Shiro

For my current Wicket project we started out with Shiro as it promised to be easy to use. However, even though Shiro is feature rich, it still lacks the features we needed to make it secure (1) and stable (2). We ended up using Shiro as a convenient library with all integration points with Wicket written ourselves. We also needed to extend LDAP integration to get roles/permissions and override Shiro's idea of configuration (it didn't match our way of getting properties files).

(1) forget an annotation and your page is visible, we turned that around
(2) the annotations are based on Strings, we like Enums better

Kind regards,
Erik.

On 18-10-12 06:08, Jeremy Thomerson wrote:
> Out of curiosity: among the wider community: what security framework(s) do
> you use with Wicket, and why?
>
> [ ] I use my own custom framework
> [ ] I use Shiro
> [ ] I use Spring Security
> [ ] I use WASP/Swarm
> [ ] Other (please specify)
>
> And don't forget the "why".

--
Erik van Oosten
http://www.day-to-day-stuff.blogspot.com/

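Erik's points (1) and (2) above, sketched as an added example (not code from this thread, from Shiro, or from Wicket): an authorization check that fails closed when a page class carries no annotation, with permissions declared as an enum rather than Strings. The names `Permission`, `Requires`, `PublicPage` and `mayInstantiate` are hypothetical.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;

public class DefaultDenyDemo {
    // Hypothetical permission set; with an enum, a misspelled permission is a compile error.
    enum Permission { VIEW_REPORTS, EDIT_USERS }

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface Requires { Permission[] value(); }

    // Explicit opt-out: a page is public only when someone declares it so.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface PublicPage { }

    // Constructed sample pages.
    @PublicPage static class LoginPage { }
    @Requires(Permission.VIEW_REPORTS) static class ReportPage { }
    @Requires({Permission.VIEW_REPORTS, Permission.EDIT_USERS}) static class AdminPage { }
    static class ForgottenPage { }   // the developer forgot the annotation

    /** Default deny: a class without a usable annotation is never authorized. */
    static boolean mayInstantiate(Class<?> page, Set<Permission> granted) {
        boolean isPublic = page.isAnnotationPresent(PublicPage.class);
        Requires req = page.getAnnotation(Requires.class);
        if (isPublic) {
            return req == null;      // contradictory annotations fail closed
        }
        if (req == null || req.value().length == 0) {
            return false;            // forgotten or empty annotation hides the page
        }
        // Neither annotation is @Inherited, so an unannotated subclass is denied too.
        return granted.containsAll(Arrays.asList(req.value()));
    }

    public static void main(String[] args) {
        Set<Permission> user = EnumSet.of(Permission.VIEW_REPORTS);
        for (Class<?> page : new Class<?>[] {
                LoginPage.class, ReportPage.class, AdminPage.class, ForgottenPage.class }) {
            System.out.println(page.getSimpleName() + " -> " + mayInstantiate(page, user));
        }
    }
}
```

In a Wicket application a check of this shape would be called from the application's authorization strategy; that wiring is left out here.
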
RE: [DISCUSS] Security Frameworks
[ ] I use my own custom framework

We rolled our own too because we needed multi-tenant support "on steroids" for our enterprise content management system. E.g., a group called "admin" cannot give administer rights to all organizations in the system - only one specific organization. In other words each role has an organization context which eliminates most of the off the shelf security solutions.

The ones that do support this (and I'm not aware of any) would likely not support the other part of our requirements: the "on steroids" part where we have hierarchies of groups/roles so that we can have natural, organic configuration via classic OO inheritance. It may be hard to understand and implement but it's extremely powerful and makes configuration extremely easy.

Re: [DISCUSS] Security Frameworks
[x] I use my own custom framework

We needed to have a group-based authentication: a relation between a secured-item (a bean, linked to a DB item) and some allowed-groups for that item. But the relation itself is quite complex to establish (because Items are in a graph), so we decided to implement our own authorization mechanism (but to be honest, we did not really look at existing 3rd parties...).

In a few words: The Authentication is made through a JAAS login module which gets GroupPrincipal(s) for the current user. We have implemented an IGroupCheckingStrategy, similar to IRoleCheckingStrategy, then we bound a custom IAuthorizationStrategy to the application, in charge of checking whether the item being displayed (in an edit page for instance) has a group that also belongs to the user.

Sebastien.

On Thu, Oct 18, 2012 at 4:09 PM, Nick Pratt wrote:
> [X] I use my own custom framework
>
> We rolled our own because it gave us the most flexibility (components are
> annotated and the permissions are kept separate from users and
> groups/roles). We can reconfigure the permissions on the fly (since
> everything is stored in the DB, cached in mem) and plug in different
> authentication and authorization strategies to facilitate different
> deployment scenarios and also for unit testing.
>
> We're not aware of a 3rd party lib that will do this - but I'd be happy to
> use one if there is one out there.
>
> N
>
> On Thu, Oct 18, 2012 at 12:08 AM, Jeremy Thomerson <
> jer...@wickettraining.com> wrote:
>
> > Out of curiosity: among the wider community: what security framework(s) do
> > you use with Wicket, and why?
> >
> > [ ] I use my own custom framework
> > [ ] I use Shiro
> > [ ] I use Spring Security
> > [ ] I use WASP/Swarm
> > [ ] Other (please specify)
> >
> > And don't forget the "why".
> >
> > --
> > Jeremy Thomerson
> > http://wickettraining.com

Re: [DISCUSS] Security Frameworks
We use an in-house designed system very similar to Shiro. The security framework only works on permissions (not roles), but the permissions that a user has depend on the roles they belong to (implementation detail the framework does not care about). It also does not allow Shiro style string permissions, only a class hierarchy extending Permission.

Why? Because it's a lot easier with only permissions, and only class hierarchy for permissions.

On 18/10/2012 06:08, Jeremy Thomerson wrote:
> Out of curiosity: among the wider community: what security framework(s) do
> you use with Wicket, and why?
>
> [ ] I use my own custom framework
> [ ] I use Shiro
> [ ] I use Spring Security
> [ ] I use WASP/Swarm
> [ ] Other (please specify)
>
> And don't forget the "why".

Re: [DISCUSS] Security Frameworks
[X] I use my own custom framework

We rolled our own because it gave us the most flexibility (components are annotated and the permissions are kept separate from users and groups/roles). We can reconfigure the permissions on the fly (since everything is stored in the DB, cached in mem) and plug in different authentication and authorization strategies to facilitate different deployment scenarios and also for unit testing.

We're not aware of a 3rd party lib that will do this - but I'd be happy to use one if there is one out there.

N

On Thu, Oct 18, 2012 at 12:08 AM, Jeremy Thomerson <jer...@wickettraining.com> wrote:
> Out of curiosity: among the wider community: what security framework(s) do
> you use with Wicket, and why?
>
> [ ] I use my own custom framework
> [ ] I use Shiro
> [ ] I use Spring Security
> [ ] I use WASP/Swarm
> [ ] Other (please specify)
>
> And don't forget the "why".
>
> --
> Jeremy Thomerson
> http://wickettraining.com

Re: [DISCUSS] Security Frameworks
[X] I use Shiro

We use Shiro on our project (using wicketstuff's shiro integration and our own custom Shiro realm implementation). We use it because it gives us a permission-based approach (not just roles-based) and is more easily configured than e.g. SWARM/WASP. I also quite like the hierarchical approach to permissions that Shiro allows.

Carl-Eric

Re: [DISCUSS] Security Frameworks
[X] I use Shiro

Because it's simple in use and simple to integrate with Wicket or other frameworks, but still powerful enough for most security related tasks. And because I liked it more than Spring Security three years or so ago. I think Spring Security is more feature complete out of the box though.

On Thu, Oct 18, 2012, at 06:08, Jeremy Thomerson wrote:
> Out of curiosity: among the wider community: what security framework(s) do
> you use with Wicket, and why?
>
> [ ] I use my own custom framework
> [ ] I use Shiro
> [ ] I use Spring Security
> [ ] I use WASP/Swarm
> [ ] Other (please specify)
>
> And don't forget the "why".
>
> --
> Jeremy Thomerson
> http://wickettraining.com