In the non-web scenario, the cache spans over and accessible from both client
and server side (client can potentially act as server for a different
client). However, that's not the issue. The issue is that service-side
application should not be able to access the security-related cache directly
without going through SecurityManager (SecurityManager authenticates against
Coherence at start up).
What I'm trying to do is preventing malicious application that is deployed
in trusted environment, simply because the code isn't reviewed properly. To
access the security-related cache (for authc/authz, an application must call
Shiro API. This means that the server side application does not have access
to the cache.
For example, there is nothing stopping me from writing this for Coherence
Cache in an application.
NamedCache shiroActiveSessionCache =
CacheFactory.getCache("shiro-activeSessionCache");
Set keys = shiroActiveSessionCache.keySet();
[... loop through and do something to session objects]
This should not be allowed, unless it is done through Shiro SecurityManager.
So if I can assign a credential to SecurityManager, I can enable security on
the cache so that non-Shiro calls can be made to security-related cache. The
permission will of course be validated by Coherence Security Framework
rather than Shiro.
Thanks,
Jack
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Assigning-Credential-Token-to-Security-Manager-tp6476745p6481420.html
Sent from the Shiro User mailing list archive at Nabble.com.
