We ran into an issue with controlling access to the session/authz cache by applications. Here's the scenario:

1) I created an API for applications to call SecurityManager, which includes accessing the cache (security API with Shiro as a pluggable)
2) Applications should not be able to access the cache directly even if they know the cache name

My initial thought is that if I can somehow give SecurityManager a credential/token, authentication can then be done so that only SecurityManager can access security-related caches. Is there a way to do this with the existing framework (v1.1)? Is there a more elegant way of doing it?

Technically, we can make an assumption that any application deployed in the environment is a trusted application. However, this leaves it to the reviewer to review and make sure the application doesn't do what it's supposed to do.

Another possibility is to create another application that contains SecurityManager (as application singleton) and expose it as a service that sits in every JVM. I really don't want to have to do this if possible.

Thanks,
Jack

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Assigning-Credential-Token-to-Security-Manager-tp6476745p6476745.html
Sent from the Shiro User mailing list archive at Nabble.com.
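One way to realise the "credential/token" idea from the post without a second service per JVM is to treat an object reference as the credential: wrap the backing CacheManager in two views, hand the unrestricted view only to the SecurityManager, and register a name-filtering view with the rest of the application. The code below is an added illustration written for this reply, not code from the post or from the Shiro project. It uses Shiro's real `org.apache.shiro.cache.CacheManager` / `Cache` interfaces and `DefaultSecurityManager.setCacheManager`; the list of protected cache names (Shiro's default session cache name and the ".authorizationCache" suffix used by AuthorizingRealm) is an assumption about the deployment and should be adjusted to the realms and session DAO actually configured.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheException;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;

/**
 * Two views over one backing CacheManager.
 *
 * - privilegedView(): full access; given ONLY to the SecurityManager.
 * - restrictedView(): refuses security-related cache names; given to application code.
 *
 * Possessing the privileged reference is the credential. A name-based lookup through
 * the restricted view can never reach a protected cache, and an attempt fails loudly,
 * which is easy to spot in logs and in code review.
 */
public final class ProtectedCaches {

    // Shiro's default active-session cache name (CachingSessionDAO.ACTIVE_SESSION_CACHE_NAME).
    // Treated here as an assumption about the deployment; adjust to your configuration.
    static final String SESSION_CACHE = "shiro-activeSessionCache";
    // AuthorizingRealm names its cache "<realmName>.authorizationCache" by default.
    static final String AUTHZ_SUFFIX = ".authorizationCache";

    private final CacheManager delegate;
    private final Set<String> protectedNames;

    public ProtectedCaches(CacheManager delegate, Set<String> extraProtectedNames) {
        this.delegate = delegate;
        Set<String> names = new HashSet<String>(extraProtectedNames);
        names.add(SESSION_CACHE);
        this.protectedNames = Collections.unmodifiableSet(names);
    }

    /** Returns true for caches that only the SecurityManager may touch. */
    boolean isProtected(String name) {
        return name != null && (protectedNames.contains(name) || name.endsWith(AUTHZ_SUFFIX));
    }

    /** View for application code: security caches are unreachable by name. */
    public CacheManager restrictedView() {
        return new CacheManager() {
            public <K, V> Cache<K, V> getCache(String name) throws CacheException {
                if (isProtected(name)) {
                    // Fail closed and loudly rather than returning an empty or shared cache.
                    throw new CacheException(
                        "cache '" + name + "' is reserved for the SecurityManager");
                }
                return delegate.getCache(name);
            }
        };
    }

    /** View for the SecurityManager only: never publish this reference to applications. */
    public CacheManager privilegedView() {
        return delegate;
    }

    /** Wiring example: the SecurityManager gets the privileged view, everyone else the restricted one. */
    public static void main(String[] args) {
        CacheManager backing = new MemoryConstrainedCacheManager();
        ProtectedCaches caches = new ProtectedCaches(backing, Collections.<String>emptySet());

        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setCacheManager(caches.privilegedView());
        // Realms, session DAO, etc. are configured on securityManager as usual.

        // This is the only CacheManager reference the application layer should receive.
        CacheManager appCaches = caches.restrictedView();
        appCaches.getCache("orders");                       // allowed: ordinary application cache

        try {
            appCaches.getCache("myRealm" + AUTHZ_SUFFIX);    // refused: authorization cache
        } catch (CacheException expected) {
            System.out.println("blocked: " + expected.getMessage());
        }
        try {
            appCaches.getCache(SESSION_CACHE);               // refused: session cache
        } catch (CacheException expected) {
            System.out.println("blocked: " + expected.getMessage());
        }
    }
}
```

The caveat a reviewer would want stated: this is an in-process capability, so it only holds if application code cannot obtain the backing CacheManager (or the SecurityManager's field) by other means, for example through the same dependency-injection container or reflection. It does not replace the "deployed applications are trusted" assumption from the post; it narrows what the reviewer has to check to a single question, namely who holds the privileged reference, and turns accidental direct access into an exception instead of silent reads of session or authorization state.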
