[
https://issues.apache.org/jira/browse/SHIRO-160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12867785#action_12867785
]
david e. berry commented on SHIRO-160:
--------------------------------------
I am using BlazeDS as my AMF provider. I had no plans to write my own
implementation and still have no plans.
I actually got a little carried away with shiro one day and decided to see if I
could use shiro to lock down all traffic to the site, even traffic like AMF
whose security interface I still wanted to use.
I could have left the amf end-point unsecured by shiro and just used the
FlexLoginCommand that I wrote which implements the Blaze
flex.messaging.security.LoginCommand interface, which in turn calls shiro, but
I guess I am a control freak and wanted to get shiro to monitor everything.
This is how the FlexPermissionsAuthorizationFilter and
FlexRolesAuthorizationFilter came to be. They are AMF aware filters that can be
used around flex security.
This is not much different to shiro allowing http login requests to pass
through and block everything else. I use deserialization to determine if a
login is occurring. A login consists of a PING and a LOGIN. These two Command
Messages get a free ride, everything else is blocked until the user is logged
in.
With these files you can just use flex security with FlexLoginCommand calling
Shiro without the deserialization and let flex secure the endpoint, or you can
use both Shiro and Flex to watch the endpoint, with double deserialization.
Future use of this is to have a security scheme where a role or permission must
exist that matches the name of the service being called. The filters would need
no other configuration but to know that they are a rest resource filter or amf
service filter. Dynamic service to role checking would be possible, and if you
have a class loader that loads services dynamically, then you really have
something flexible.
Sorry for the long-winded comment.
> Flex integration with Shiro
> ---------------------------
>
> Key: SHIRO-160
> URL: https://issues.apache.org/jira/browse/SHIRO-160
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Authorization (access control)
> Affects Versions: Incubation
> Reporter: david e. berry
>
> Committers,
> I have created the following classes that I used to integrate Shiro with Flex
> AMF. I would like to contribute them to Shiro. Please let me know if
> there is interest and the procedure for doing so. I have included the class
> names with a brief description of what they do. They are currently outside of
> the Shiro code base that I checked out, but I could combine them if
> interested.
> Best Regards,
> Dave
> /* Authentication and Authorization need to let AMF Ping, Login, Logout
> messages pass through
> without processing. They call FlexMessageHelper to introspect the binary
> message to see if it is allowed to pass.
> If not, normal Authentication, and Authorization takes place.
> */
> public class FlexAuthenticationFilter extends AuthenticationFilter;
> public class FlexPermissionsAuthorizationFilter extends
> PermissionsAuthorizationFilter;
> public class FlexRolesAuthorizationFilter extends RolesAuthorizationFilter;
> /*Helper methods for introspecting the contents of the amf message. It is
> conceivable that a security handler
> might need to introspect the contents of a request. It would be nice if Shiro
> wrapped the request automatically so that anyone can read the contents without
> causing an end of stream error for a filter down the line.
> Message helper deserializes the AMF message and checks to see if it is a
> PING, LOGON, or LOGOUT request.
> */
> public class FlexHttpServletRequestWrapper extends HttpServletRequestWrapper;
> public class FlexMessageHelper;
> /* Custom Flex Login command that calls Subject.login returns a Principal
> back to Flex.
> */
> public class FlexLoginCommand implements LoginCommand;
> public class FlexPrincipal implements Principal;
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
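As an added illustration of the request-wrapping idea the reporter describes (this is not the reporter's code or Shiro's): a Shiro AuthenticationFilter that buffers the request body so both the filter and BlazeDS downstream can read it without an end-of-stream error, and that waives authentication only for messages a caller-supplied AMF handshake check accepts (the PING/LOGIN "free ride"). It assumes Shiro 1.x on the javax.servlet 3.1 API and Java 9+; `CachedBodyRequest`, `AmfHandshakeAuthenticationFilter` and the `isHandshake` predicate are hypothetical names.

```java
import java.io.*;
import java.util.function.Predicate;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.web.filter.authc.AuthenticationFilter;

/** Buffers the AMF request body once so this filter and BlazeDS downstream can both read it. */
class CachedBodyRequest extends HttpServletRequestWrapper {
    private final byte[] body;
    CachedBodyRequest(HttpServletRequest req) throws IOException {
        super(req);
        body = req.getInputStream().readAllBytes(); // drains the original stream exactly once (Java 9+)
    }
    byte[] body() { return body; }

    @Override
    public ServletInputStream getInputStream() {
        InputStream in = new ByteArrayInputStream(body); // fresh stream per call, so re-reads never hit EOF
        return new ServletInputStream() {
            @Override public int read() throws IOException { return in.read(); }
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException(); }
        };
    }
}

/** Waives authentication only for AMF handshake messages (PING/LOGIN); everything else needs a logged-in subject. */
public class AmfHandshakeAuthenticationFilter extends AuthenticationFilter {
    // Hypothetical hook: an AMF-aware check (e.g. BlazeDS deserialization) supplied by the deployer.
    private final Predicate<byte[]> isHandshake;
    public AmfHandshakeAuthenticationFilter(Predicate<byte[]> isHandshake) { this.isHandshake = isHandshake; }

    @Override
    public void doFilterInternal(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws ServletException, IOException {
        // Wrap before any decision is made, so the rest of the chain sees the re-readable body.
        super.doFilterInternal(new CachedBodyRequest((HttpServletRequest) req), resp, chain);
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest req, ServletResponse resp, Object mappedValue) {
        if (super.isAccessAllowed(req, resp, mappedValue)) return true;  // subject already authenticated
        return isHandshake.test(((CachedBodyRequest) req).body());       // free ride for the handshake only
    }

    @Override
    protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
        ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_UNAUTHORIZED); // no HTML login redirect for AMF clients
        return false; // stop the chain
    }
}
```

The handshake messages that pass still have to be authenticated by BlazeDS' own LoginCommand (the FlexLoginCommand calling Shiro in the thread above); this filter only decides which messages may reach it.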