Added: shiro/site/publish/version-2-brainstorming.html URL: http://svn.apache.org/viewvc/shiro/site/publish/version-2-brainstorming.html?rev=1481423&view=auto ============================================================================== --- shiro/site/publish/version-2-brainstorming.html (added) +++ shiro/site/publish/version-2-brainstorming.html Sat May 11 21:33:47 2013 @@ -0,0 +1,300 @@ + + + + + + + + + + + Apache Shiro | Java Security Framework + + + + + + + + + + + + + + + +
+ +
+ + + +
+ +
+
+ +

There is currently no timeline for a version 2, but this space represents any brainstorming efforts that the community wishes to address that may be major feature enhancements that can't be backwards compatible. Typically discussions from the dev list resulting in some form of consensus will probably make it into this page. Actionable items will go into Jira, potentially referencing this page for clarity.

+ + + + +

Rename AuthenticationInfo to Account

+ +

The existing AuthenticationInfo name is less intuitive and is essentially the same thing.

+ +

Realm refactoring

+ +

Most Realms differ little in their implementations - mostly by the protocols they use. Create a 'DefaultRealm' implementation (or something similar) that allows pluggable AccountResolver and AuthorizationResolver interfaces that abstract away interaction with the data stores and the rest of the internal Realm logic (e.g. authc and authz caching, etc) can be shared by most Realm implementation.

+ +

Split shiro-core into modules

+ +

Maybe shiro-core should be split up into separate modules (e.g. shiro-crypto, shiro-authc, shiro-authz, etc) if possible. This may or may not be possible due to the tight integration of APIs (e.g. Shiro authentication depends on shiro hashing (crypto) etc). A cursory investigation should be made if possible.

+ +

Event-driven design

+

This can be in 1.3+ as these would be all new packages/classes and do not require signature changes to existing code

+ +

Utilize events significantly and more effectively. Base on Akka's event model and Guava's EventBus. This enables ideal loose coupling/high cohesion plugins/integration/customization.

+ +

Package: org.apache.shiro.event

+ +

Potential classes:

+ +
+
+public class ShiroEvent extends EventObject {
+
+    private final long timestamp; //millis since Epoch (UTC time zone).
+
+    public ShiroEvent(Object source) {
+        super(source);
+        this.timestamp = new Date().getTime();
+    }
+
+    public long getTimestamp() {
+        return timestamp;
+    }
+}
+
+
+ +
+
+public interface Publisher {
+
+    void publish(Object event);
+}
+
+
+ +
+
+
+/** Marker annotation for a method that wishes to receive a particular event instance. */
+public @interface Subscribe {
+}
+
+
+ +
+
+
+/** 
+  * Listener implementations just annotate a method as @Subscribe.  
+  * The single method argument determines the type of event received.
+  */
+public class MyListener {
+
+    @Subscribe
+    public void doSomething(SomeEvent event) {
+        ...
+    }
+}
+
+
+
+ +
+
+public interface SubscriberRegistry {
+
+    void register(Object subscriber);
+
+    void unregister(Object subscriber);
+}
+
+
+ +

An EventBus can be created based on Publisher + SubscriberRegistry:

+ +
+
+public class SynchronousEventBus implements Publisher, SubscriberRegistry {
+    ...
+}
+
+
+ +

Subject PrincipalCollection

+ +

Convert this to be a sub-interface of Map with additional per-Realm utility methods.

+ +

See the PrincipalMap concept for ideas (experimental, not referenced in Shiro 1.x at the moment).

+ +

Maybe rename this to 'attributes'? i.e. subject.getAttributes()?

+ +

Component Names

+ +

Change classes named FooDAO to FooStore instead.

+ +

Authorization ANTLR Grammar

+ +

Ideally, we can have a single annotation:

+ +
+
+@Secured("authz expression here")
+public void someMethod(){...}
+
+
+ +

Where the 'authz expression here' is authorization assertion statement backed by an ANTLR lexer/parser, for example:

+ +
+
+@Secured("(role(admin) || role(developer)) || perm(account:12345:open)")
+
+
+ +

This would translate the expression into the relevant hasRole/isPermitted calls.

+ +

AuthorizationRequest/Response

+ +

Employing the same grammar as mentioned above, instead of multiple subject.isPermitted/hasRole calls, the same thing could be achieved with an AuthorizationRequest/Response scheme. For example:

+ +
+
+AuthorizationRequest request = //create request w/ expression
+AuthorizationResponse response = subject.authorize(authorizationRequest);
+if (response.isAuthorized()) {
+...
+} else {
+...
+}
+
+
+ +

Reinforce customization via OO Delegation (composition over inheritance)

+ + + + +

Multi-Stage Authentication via request/response

+ +

In applications that need to authenticate via multiple mechanisms (e.g. multi-factor authentication), a Request/Response protocol for login would probably be easier to use to support such workflows. For example:

+ +
+
+LoginRequest request = //create login request
+LoginResponse response = subject.login(request);
+if (!response.isComplete()) {
+    LoginRequest secondRequest = response.nextRequest();
+    //populate w/ data for 2nd phase
+   response = subject.login(secondRequest);
+}
+if (response.hasException()) {
+    throw response.getException();
+}
+...
+
+
+ +

Additionally probably change the Authenticator signature to be as follows:

+ +
+
+AuthenticationResult authenticate(AuthenticationRequest) throws AuthenticationException;
+
+
+ +

Captcha Support

+ +

Captcha support would assist in human being verification (during login, during form submission, etc).

+ +

Configuration per filter instance and no path matching

+


+SHIRO-256 is opened for this and Tynamo.org already has an implementation for it. This would both simplify the filter logic and result in better performance.

+ +

Web module repackaging.

+ +

The Web module is largely Servlet-specific at the moment. As such, its packaging should reflect this, in the same way that all other support modules are named, e.g.
+module name: shiro-servlet
+package base: org.apache.shiro.servlet.*

+ +
+ +
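Review bot: In the multi-stage login sketch (the block starting `LoginRequest request = //create login request`), `response.nextRequest()` is called whenever `!response.isComplete()`, but `response.hasException()` is only inspected after the second phase, so a first phase that failed would still be turned into a second `subject.login(secondRequest)` call instead of stopping there. Check `hasException()` before deriving the next request, and consider a `while (!response.isComplete() && !response.hasException())` loop so the sketch covers more than exactly two phases, which is what the surrounding text ("multiple mechanisms", multi-factor) asks for; the `response = subject.login(secondRequest);` line is also indented with three spaces rather than four. Two smaller points in the same hunk: the AuthorizationRequest example declares `request` but then passes `authorizationRequest` to `subject.authorize(...)`, so one of the names needs to change, and in the `@Secured` grammar example `(role(admin) || role(developer)) || perm(account:12345:open)` the parentheses are redundant because every operator is `||`; a mixed `&&`/`||` expression would better illustrate the precedence rules the ANTLR grammar has to define. Style nit in `ShiroEvent`: `System.currentTimeMillis()` says the same as `new Date().getTime()` without allocating a `Date`.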
+ + + + + \ No newline at end of file Added: shiro/site/publish/web-features.html URL: http://svn.apache.org/viewvc/shiro/site/publish/web-features.html?rev=1481423&view=auto ============================================================================== --- shiro/site/publish/web-features.html (added) +++ shiro/site/publish/web-features.html Sat May 11 21:33:47 2013 @@ -0,0 +1,136 @@ + + + + + + + + + + + Apache Shiro | Java Security Framework + + + + + + + + + + + + + + + +
+ +
+ + + +
+ +

Apache Shiro Web Features

+ +
+Share +| + + + + +
+ + + +


+Shiro is designed to greatly simplifies how you secure web applications base on simple URL pattern matching and filter chain definitions. In addition to Shiro's API, Shiro's web support includes a rich JSP tag library to control page output.

+ +

Below is a highlight of the Shiro web features.

+ +

Features

+ + + + + + + + + + + + + + +

Get Started in 10 Minutes with Shiro

+

Try out Shiro for yourself with our 10 Minute Tutorial. And if you have any questions about Shiro, please check out our community forum or user mailing list for answers from the community.

+ +
+ +
+ + + + + \ No newline at end of file
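Review bot: The opening paragraph of web-features.html, `+Shiro is designed to greatly simplifies how you secure web applications base on simple URL pattern matching...`, has two grammar errors: it should read "greatly simplify" and "based on". The "Features" heading that follows is not followed by any feature text before the "Get Started in 10 Minutes with Shiro" section, so the page announces a highlight of the web features and then shows none; either add the feature list under that heading or leave the heading out until the content exists. The "Share |" fragment near the top is a social-widget leftover rather than page content and should not ship in the published HTML.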