In Flex, RemoteObject is async, which is problematic for performing fine-grained permission checks.

The AIR app my company is currently developing calls a custom Java web service to do LDAP authentication. We have not tackled authorization yet. I recently heard about Shiro, and would like to use it as our security solution.

In our AIR app, when the user authenticates via Shiro (via some web service, I guess), I would like to get a "snapshot" of the user's roles and the roles' permissions at that moment in time, and keep those in a client-side ActionScript object. I can then use the local snapshot to enable/disable menu items and other commands, and to show or hide various UI elements based upon the user's permissions at the time of the snapshot. I would prefer to do this synchronously, because the async programming model is too complex for displaying the UI.

We also have our own web services that our AIR app communicates with asynchronously to perform various operations that require permissions. As of now, we are using simple HTTP requests. I am pretty new to Shiro, and still learning the concepts, but I think we pass some sort of Shiro token (auth token?) in the HTTP request headers.

Of course, the user's effective permissions may have changed since they logged in via the AIR app, so even though the UI indicated they could perform an operation, it is possible that the user no longer has that permission. So I guess we could use Shiro on the web tier to do a final permission check before performing the action.

Sorry this is long-winded, and for being such a newbie, but am I on the right track? If someone could point me to documentation or examples of something similar in any client-side technology, that would be very helpful.

--
View this message in context: http://n2.nabble.com/How-Shiro-handles-different-Authentication-Protocols-tp4431033p4730056.html
Sent from the Shiro User mailing list archive at Nabble.com.

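The two halves of the design sketched in the post, as an added example that is not part of the original message or of Shiro itself: the server builds a permission snapshot for the client UI with Shiro's batch `isPermitted` check, and every privileged operation still calls `checkPermission` on the web tier so a stale client snapshot can never grant access. The in-memory INI realm, the user `alice`, the role `clerk` and the permission strings are constructed stand-ins for the LDAP realm in the question.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class PermissionSnapshotDemo {

    // Permissions the client UI cares about (constructed names). The AIR app
    // would receive the resulting map, e.g. as JSON, and use it to enable or
    // hide menu items; it is a hint for the UI only, never an access decision.
    static final String[] UI_PERMISSIONS = {"order:view", "order:approve", "user:delete"};

    // Build the client snapshot in one call using Shiro's batch permission check.
    static Map<String, Boolean> snapshot(Subject subject) {
        boolean[] results = subject.isPermitted(UI_PERMISSIONS);
        Map<String, Boolean> snap = new LinkedHashMap<>();
        for (int i = 0; i < UI_PERMISSIONS.length; i++) {
            snap.put(UI_PERMISSIONS[i], results[i]);
        }
        return snap;
    }

    // Server-side final check on the web tier: the cached snapshot is not consulted.
    static void approveOrder(Subject subject, String orderId) {
        subject.checkPermission("order:approve"); // throws if no longer permitted
        System.out.println("order " + orderId + " approved by " + subject.getPrincipal());
    }

    public static void main(String[] args) {
        Ini ini = new Ini(); // constructed in-memory realm, stands in for LDAP
        ini.setSectionProperty("users", "alice", "secret, clerk");
        ini.setSectionProperty("roles", "clerk", "order:view, order:approve");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("snapshot for UI: " + snapshot(subject));

        approveOrder(subject, "42"); // clerk holds order:approve
        try {
            subject.checkPermission("user:delete"); // UI hid this; server refuses anyway
        } catch (AuthorizationException e) {
            System.out.println("denied: user:delete");
        }
        subject.logout();
    }
}
```

How quickly a revoked permission takes effect on the server depends on whether the realm caches authorization info (Shiro's AuthorizingRealm does when a cache manager is configured), so the cache settings are part of the final-check guarantee.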