[CONF] Apache Syncope > [DISCUSS] Apache Shiro integration for authentication and authorization

2016-03-24 Thread Colm O hEigeartaigh (Confluence)

Colm O hEigeartaigh commented on a page

Re: [DISCUSS] Apache Shiro integration for authentication and authorization

I don't know if Spring Security's Session management is done internally or whether it delegates to the underlying J2EE container. If the latter then wouldn't this suffice, as we could rely on container clustering etc.?
In reply to Francesco Chicchiricco:

> I believe we need - for Syncope 2.1 at earliest, anyway - to introduce a proper session store abstraction which will allow selecting among different implementations - from simpler (in-memory) to more advanced (LDAP, RDBMS, ...) which can be empowered in HA scenarios.
> Does Fediz provide something similar? AFAIU Spring Security's session management does not provide such a feature, while Spring Session does.
This message was sent by Atlassian Confluence 5.8.4  




[CONF] Apache Syncope > [DISCUSS] Apache Shiro integration for authentication and authorization

2016-03-24 Thread Francesco Chicchiricco (Confluence)

Francesco Chicchiricco commented on a page

Re: [DISCUSS] Apache Shiro integration for authentication and authorization

I believe we need - for Syncope 2.1 at earliest, anyway - to introduce a proper session store abstraction which will allow selecting among different implementations - from simpler (in-memory) to more advanced (LDAP, RDBMS, ...) which can be empowered in HA scenarios. Does Fediz provide something similar? AFAIU Spring Security's session management does not provide such a feature, while Spring Session does.
In reply to Colm O hEigeartaigh:

> I agree that Shiro is not needed. Do we really need to introduce Spring Session though? Won't Spring Security take care of it already, via for example ""?
> Perhaps Apache CXF Fediz could give us some pointers here. It ships with a plugin for Spring Security for WS-Federation, that sets up a session based on parsing a SAML Token received as part of the redirection process involved in WS-Federation SSO:
> https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=tree;f=plugins/spring;h=f4f6d060128b96872d3eadff6955897658163443;hb=HEAD
> A webapp configuration using this module is here:
> https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=blob;f=systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml;h=2f5a518d013c8fedd672b14fc96f21398e523158;hb=HEAD




[CONF] Apache Syncope > [DISCUSS] Apache Shiro integration for authentication and authorization

2016-03-23 Thread Colm O hEigeartaigh (Confluence)

Colm O hEigeartaigh commented on a page

Re: [DISCUSS] Apache Shiro integration for authentication and authorization

I agree that Shiro is not needed. Do we really need to introduce Spring Session though? Won't Spring Security take care of it already, via for example ""?
Perhaps Apache CXF Fediz could give us some pointers here. It ships with a plugin for Spring Security for WS-Federation, that sets up a session based on parsing a SAML Token received as part of the redirection process involved in WS-Federation SSO:
https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=tree;f=plugins/spring;h=f4f6d060128b96872d3eadff6955897658163443;hb=HEAD
A webapp configuration using this module is here:
https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=blob;f=systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml;h=2f5a518d013c8fedd672b14fc96f21398e523158;hb=HEAD
In reply to Francesco Chicchiricco:

> I am actually not sure if Shiro is the right choice to implement what is described.
> As an alternative approach, one can think of enhancing the current Spring Security usage and introducing Spring Session for session management.




[CONF] Apache Syncope > [DISCUSS] Apache Shiro integration for authentication and authorization

2015-11-17 Thread Francesco Chicchiricco (Confluence)

Francesco Chicchiricco commented on a page

Re: [DISCUSS] Apache Shiro integration for authentication and authorization

I am actually not sure if Shiro is the right choice to implement what is described. As an alternative approach, one can think of enhancing the current Spring Security usage and introducing Spring Session for session management.




[CONF] Apache Syncope > [DISCUSS] Apache Shiro integration for authentication and authorization

2015-09-28 Thread Francesco Chicchiricco (Confluence)

Francesco Chicchiricco created a page

[DISCUSS] Apache Shiro integration for authentication and authorization

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

In the following, an integration proposal with Shiro, for improved authentication and authorization handling, is outlined. References are provided against the master branch in Git, with the version currently set to the upcoming 2.0.0.

Current implementation

The current implementation relies directly on Spring Security; the configuration is defined in securityContext.xml and parametrized by security.properties.

core

Authentication

By default, basic authentication with no session is defined. The credentials verification is essentially implemented by SyncopeAuthenticationProvider (and related), based on the passed domain, username and password:

- a check for special username values is performed ("admin" and "anonymous" get different handling)
- for non-special users, the password value is encrypted according to the cipher algorithm selected for the given user and then compared with the stored value
- if password verification succeeds, the authenticating user is given the subset of defined entitlements, according to owned roles (see details of the new security model)

Authorization

All public methods belonging to classes of the business logic layer are annotated via Spring Security's @PreAuthorize with several expression language built-ins.

console

Authentication and authorization are built around wicket-auth-roles's AuthenticatedWebApplication in SyncopeConsoleApplication (and related). In particular, fine-grained conditions are set on individual components based on the entitlements owned by the current user.

Integration proposal

The idea is to empower Shiro to enhance several aspects:

- introduce session management
  - avoid checking the internal storage for each and every operation
  - make the upgrade from basic to digest authentication cost-effective
  - bonus 1: clustering support is there
  - bonus 2: a separate session store concept is available, for scaling
- keep annotation-based authorization
- design better integration between core (currently session-less) and console (where a session is defined instead), especially with the perspective of having more clients (CLI and end-user)
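As an added illustration (not Syncope's actual SyncopeAuthenticationProvider), the three verification steps described above written as a Spring Security AuthenticationProvider; StoredUser, UserStore, CipherRegistry, authenticateSpecial and the injected domain are assumed stand-ins for internals the page does not show. The comments mark where the session-less design pays its per-request storage cost and where the password comparison has to be constant-time.

```java
import java.security.MessageDigest;
import java.util.List;
import java.util.Optional;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical stored record: each user carries the name of the cipher applied to its password.
record StoredUser(String cipherAlgorithm, byte[] encodedPassword, List<String> entitlements) {}
// Hypothetical storage and cipher abstractions standing in for Syncope's internals.
interface UserStore { Optional<StoredUser> find(String domain, String username); }
interface CipherRegistry { byte[] encode(String algorithm, String cleartext); }

public abstract class IllustrativeAuthenticationProvider implements AuthenticationProvider {
    private final String domain; // assumed to be resolved per request elsewhere
    private final UserStore store;
    private final CipherRegistry ciphers;
    protected IllustrativeAuthenticationProvider(String domain, UserStore store, CipherRegistry ciphers) {
        this.domain = domain; this.store = store; this.ciphers = ciphers;
    }

    // "admin" and "anonymous" get different handling that the page does not describe,
    // so that path is delegated to a subclass rather than invented here.
    protected abstract Authentication authenticateSpecial(String username, String password);

    @Override
    public Authentication authenticate(Authentication auth) {
        String username = auth.getName();
        String password = String.valueOf(auth.getCredentials());
        if ("admin".equals(username) || "anonymous".equals(username)) { // step 1
            return authenticateSpecial(username, password);
        }
        // Step 2: with session-less basic auth this lookup and hash run on every request,
        // which is the per-operation storage check the proposal wants to avoid.
        StoredUser user = store.find(domain, username)
                .orElseThrow(() -> new BadCredentialsException("Invalid credentials"));
        byte[] candidate = ciphers.encode(user.cipherAlgorithm(), password);
        if (!MessageDigest.isEqual(candidate, user.encodedPassword())) { // constant-time compare
            throw new BadCredentialsException("Invalid credentials");
        }
        // Step 3: entitlements derived from the user's roles become Spring authorities.
        List<SimpleGrantedAuthority> authorities =
                user.entitlements().stream().map(SimpleGrantedAuthority::new).toList();
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    @Override public boolean supports(Class<?> a) { return UsernamePasswordAuthenticationToken.class.isAssignableFrom(a); }
}
```

Returning the same "Invalid credentials" message for an unknown user and for a wrong password keeps the two failure modes indistinguishable to the caller.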