shiro-commits mailing list archives

From bdem...@apache.org
Subject svn commit: r1799612 - in /shiro/site/publish: architecture.html authorization-features.html authorization.html integration.html java-authentication-guide.html permissions.html realm.html web.html
Date Thu, 22 Jun 2017 20:13:09 GMT
Author: bdemers
Date: Thu Jun 22 20:13:09 2017
New Revision: 1799612

URL: http://svn.apache.org/viewvc?rev=1799612&view=rev
Log:
updated published site

Modified:
    shiro/site/publish/architecture.html
    shiro/site/publish/authorization-features.html
    shiro/site/publish/authorization.html
    shiro/site/publish/integration.html
    shiro/site/publish/java-authentication-guide.html
    shiro/site/publish/permissions.html
    shiro/site/publish/realm.html
    shiro/site/publish/web.html

Modified: shiro/site/publish/architecture.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/architecture.html?rev=1799612&r1=1799611&r2=1799612&view=diff
==============================================================================
--- shiro/site/publish/architecture.html (original)
+++ shiro/site/publish/architecture.html Thu Jun 22 20:13:09 2017
@@ -295,7 +295,7 @@
 <p>But this is a lot of functionality to try to manage in a single component. And,
making these things flexible and customizable would be very difficult if everything were lumped
into a single implementation class.</p>
 <p>To simplify configuration and enable flexible configuration/pluggability, Shiro&rsquo;s
implementations are all highly modular in design - so modular in fact, that the SecurityManager
implementation (and its class-hierarchy) does not do much at all. Instead, the <code>SecurityManager</code>
implementations mostly act as a lightweight &lsquo;container&rsquo; component, delegating
almost all behavior to nested/wrapped components. This &lsquo;wrapper&rsquo; design
is reflected in the detailed architecture diagram above.</p>
 <p>While the components actually execute the logic, the <code>SecurityManager</code>
implementation knows how and when to coordinate the components for the correct behavior.</p>
-<p>The <code>SecurityManager</code> implementations and are also JavaBeans
compatible, which allows you (or a configuration mechanism) to easily customize the pluggable
components via standard JavaBeans accessor/mutator methods (get*/set*). This means the Shiro&rsquo;s
architectural modularity can translate into very easy configuration for custom behavior.</p>
+<p>The <code>SecurityManager</code> implementations and the components
are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize
the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This
means the Shiro&rsquo;s architectural modularity can translate into very easy configuration
for custom behavior.</p>
 <div class="alert alert-success">
     <span class="glyphicon glyphicon-ok"></span> <strong>Easy Configuration</strong>
     <hr class="message-inner-separator">
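Review bot: the replacement paragraph still reads "This means the Shiro's architectural modularity"; the stray "the" should go, giving "This means Shiro's architectural modularity can translate into very easy configuration for custom behavior." The actual fix (naming "the components" as the second subject of "are also JavaBeans compatible") reads correctly.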

Modified: shiro/site/publish/authorization-features.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/authorization-features.html?rev=1799612&r1=1799611&r2=1799612&view=diff
==============================================================================
--- shiro/site/publish/authorization-features.html (original)
+++ shiro/site/publish/authorization-features.html Thu Jun 22 20:13:09 2017
@@ -246,13 +246,13 @@
   <li>
   <p><strong>Powerful and intuitive permission syntax</strong> - As an
option, Shiro provides an out-of-the-box permission syntax, called Wildcard Permissions, that
help you model the fine grained access policies your application may have. By using Shiro&rsquo;s
Wildcard Permissions you get an easy-to-process and human readable syntax. Moreoever, you
don&rsquo;t have to go through the time-consuming effort and complexity of creating your
own method for representing your access policies.</p></li>
   <li>
-  <p><strong>Multiple enforcement options</strong> &#8211; Authorization
checks in Shiro can be done through in-code checks, JDK 1.5 annotations, AOP, and JSP/GSP
Taglibs. Shiro&rsquo;s goal is to give you the choice to use the option you think are
best based on your preferences and project needs.</p></li>
+  <p><strong>Multiple enforcement options</strong> - Authorization checks
in Shiro can be done through in-code checks, JDK 1.5 annotations, AOP, and JSP/GSP Taglibs.
Shiro&rsquo;s goal is to give you the choice to use the option you think are best based
on your preferences and project needs.</p></li>
   <li>
   <p><strong>Strong caching support</strong> - Any of the modern open-source
and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient
user-experience. For authorization, caching is crucial for performance in larger environments
or with more complex policies using back-end security data sources.</p></li>
   <li>
-  <p><strong>Pluggable data sources</strong> - Shiro uses pluggable data
access objects, referred to as Realms, to connect to security data sources where you keep
your access control information, like a LDAP or a relational database. To help you avoid building
and maintaining integrations yourself, Shiro provides out-of-the-box realms for popular data
sources like LDAP, Active Directory, and JDBC. If needed, you can also create your own realms
to support specific functionality not included in the basic realms.</p></li>
+  <p><strong>Pluggable data sources</strong> - Shiro uses pluggable data
access objects, referred to as Realms, to connect to security data sources where you keep
your access control information, like an LDAP server or a relational database. To help you
avoid building and maintaining integrations yourself, Shiro provides out-of-the-box realms
for popular data sources like LDAP, Active Directory, and JDBC. If needed, you can also create
your own realms to support specific functionality not included in the basic realms.</p></li>
   <li>
-  <p><strong>Supports any data model</strong> - Shiro can support any data
model for access control&ndash; it doesn&rsquo;t force a model on you. Your realm
implementation ultimately decides how your permissions and roles are grouped together and
whether to return a &ldquo;yes&rdquo; or a &ldquo;no&rdquo; answer to Shiro.
This feature allows you to architect your application in the manner you chose and Shiro will
bend to support you.<br/><input type="hidden" id="ghEditPage" value="authorization-features.md"></input></p></li>
+  <p><strong>Supports any data model</strong> - Shiro can support any data
model for access control&#8212;it doesn&rsquo;t force a model on you. Your realm implementation
ultimately decides how your permissions and roles are grouped together and whether to return
a &ldquo;yes&rdquo; or a &ldquo;no&rdquo; answer to Shiro. This feature allows
you to architect your application in the manner you chose and Shiro will bend to support you.<br/><input
type="hidden" id="ghEditPage" value="authorization-features.md"></input></p></li>
 </ul>    
 </div>
 
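Review bot: the "Multiple enforcement options" replacement keeps the grammatical error "the option you think are best" (should be "the option you think is best"), and the unchanged context in the same list still has "Moreoever" and "in the manner you chose" (choose); since this hunk already touches these bullets, fix them in the same pass. The dash handling is also now inconsistent within one list: the first bullet replaces `&#8211;` with a plain hyphen while the last bullet replaces `&ndash;` with `&#8212;`; pick one form for the whole list.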

Modified: shiro/site/publish/authorization.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/authorization.html?rev=1799612&r1=1799611&r2=1799612&view=diff
==============================================================================
--- shiro/site/publish/authorization.html (original)
+++ shiro/site/publish/authorization.html Thu Jun 22 20:13:09 2017
@@ -357,7 +357,7 @@
 <p>This is probably ok for very simple applications (e.g. maybe there is an 'admin'
role and 'everyone else').  But for more complicated or configurable applications, this can
be a major major problem throughout the life of your application and drive a large maintenance
cost for your software.</p></p>
 </div>
 <ul>
-  <li><strong>Excplict Roles</strong>: An explicit role however is essentially
a named collection of actual permission statements. In this form, the application (and Shiro)
knows <em>exactly</em> what it means to have a particular role or not. Because
it is known the <em>exact</em> behavior that can be performed or not, there is
no guessing or implying what a particular role can or can not do.</li>
+  <li><strong>Explicit Roles</strong>: An explicit role however is essentially
a named collection of actual permission statements. In this form, the application (and Shiro)
knows <em>exactly</em> what it means to have a particular role or not. Because
it is known the <em>exact</em> behavior that can be performed or not, there is
no guessing or implying what a particular role can or can not do.</li>
 </ul>
 <p>The Shiro team advocates using permissions and explicit roles instead of the older
implicit approach. You will have much greater control over your application&rsquo;s security
experience.</p>
 <div class="alert alert-success">
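Review bot: the "Excplict" to "Explicit" fix is correct, but the unchanged context just above still contains a stray closing tag (`cost for your software.</p></p>`) and a doubled word ("a major major problem"); both sit in the same region and are worth fixing here rather than in a later publish pass. In the replaced bullet, "can or can not do" should read "can or cannot do".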

Modified: shiro/site/publish/integration.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/integration.html?rev=1799612&r1=1799611&r2=1799612&view=diff
==============================================================================
--- shiro/site/publish/integration.html (original)
+++ shiro/site/publish/integration.html Thu Jun 22 20:13:09 2017
@@ -265,6 +265,10 @@
   <p><strong><a href="https://github.com/ocpsoft/rewrite/tree/master/security-integration-shiro">Rewrite
Servlet</a></strong> from <a href="http://www.ocpsoft.org/rewrite/">ocpsoft</a><br/>A
highly configurable URL-rewriting tool for Java EE 6+ and Servlet 2.5+ applications</p></li>
   <li>
   <p><strong><a href="http://freedomotic-developer-manual.readthedocs.io/en/latest/plugins/security.html">Freedomotic</a></strong>
from <a href="http://www.freedomotic.com">freedomotic</a><br/>An open source,
flexible, secure Internet of Things (IoT) development framework in Java, useful to build and
manage modern smart spaces.</p></li>
+  <li>
+  <p><strong><a href="https://github.com/flowlogix/flowlogix/tree/master/flowlogix-jee">FlowLogix
Java EE Library</a></strong> from <a href="https://twitter.com/lprimak">Lenny
Primak</a><br/>Integrates Java EE applications with Shiro Security, specifically
makes Shiro Annotations work with Java EE.</p></li>
+  <li>
+  <p><strong><a href="https://github.com/bootique/bootique-shiro">Bootique
Shiro</a></strong> from <a href="https://github.com/bootique/bootique">Bootique</a><br/>Bootique
is a minimally opinionated platform for modern runnable Java apps.</p></li>
 </ul>
 <h2><a href="#ports" name="ports">Ports</a></h2>
 <ul>
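Review bot: the two new entries are inconsistent with the rest of this list in what the "from" link points to and what the description covers. The FlowLogix entry links the author's Twitter profile where the neighbouring entries link the project or organisation site, and the Bootique Shiro description ("Bootique is a minimally opinionated platform for modern runnable Java apps") describes the host platform rather than the Shiro integration; consider stating what bootique-shiro provides, as the FlowLogix entry does with "makes Shiro Annotations work with Java EE".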

Modified: shiro/site/publish/java-authentication-guide.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/java-authentication-guide.html?rev=1799612&r1=1799611&r2=1799612&view=diff
==============================================================================
--- shiro/site/publish/java-authentication-guide.html (original)
+++ shiro/site/publish/java-authentication-guide.html Thu Jun 22 20:13:09 2017
@@ -248,7 +248,7 @@
   <li>
   <p><strong>Credentials</strong> - secret data that are used to verify
identities. Passwords, Biometric data, x509 certificates,</p></li>
   <li>
-  <p><strong>Realms</strong> - Security specific DAO, data access object,
software component that talkts to a backend data source. If you have usernames and password
in LDAP, then you would have an LDAP Realm that would communicate with LDAP. The idea is that
you would use a realm per back-end data source and Shiro would know how to coordinate with
these realms together to do what you have to do.</p></li>
+  <p><strong>Realms</strong> - Security specific DAO, data access object,
software component that talks to a backend data source. If you have usernames and password
in LDAP, then you would have an LDAP Realm that would communicate with LDAP. The idea is that
you would use a realm per back-end data source and Shiro would know how to coordinate with
these realms together to do what you have to do.</p></li>
 </ul>
 <a name="JavaAuthenticationGuide-HowtoAuthenticateinJavawithShiro"></a>
 <h2><a href="#how-to-authenticate-in-java-with-shiro" name="how-to-authenticate-in-java-with-shiro">How
to Authenticate in Java with Shiro</a></h2>
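Review bot: "talkts" to "talks" is right; while here, the same sentence has "usernames and password in LDAP" (passwords), and "Security specific DAO" reads better hyphenated as "security-specific DAO". Small points, but this list defines the core terms the rest of the guide relies on.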

Modified: shiro/site/publish/permissions.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/permissions.html?rev=1799612&r1=1799611&r2=1799612&view=diff
==============================================================================
--- shiro/site/publish/permissions.html (original)
+++ shiro/site/publish/permissions.html Thu Jun 22 20:13:09 2017
@@ -253,8 +253,8 @@
 <p>So to enable easy-to-process yet still readable permission statements, Shiro provides
powerful and intuitive permission syntax we refer to as the WildcardPermission.</p>
 <a name="Permissions-SimpleUsage"></a>
 <h3><a href="#simple-usage" name="simple-usage">Simple Usage</a></h3>
-<p>Let&rsquo;s you want to protect access to your company&rsquo;s printers
such that some people can print to particular printers, while others can query what jobs are
currently in the queue.</p>
-<p>An extremely simple approach would be to use grant the user a &ldquo;queryPrinter&rdquo;
permission. Then you could check to see if the user has the queryPrinter permission by calling:</p>
+<p>Let&rsquo;s say you want to protect access to your company&rsquo;s printers
such that some people can print to particular printers, while others can query what jobs are
currently in the queue.</p>
+<p>An extremely simple approach would be to grant the user a &ldquo;queryPrinter&rdquo;
permission. Then you could check to see if the user has the queryPrinter permission by calling:</p>
 <pre><code class="java">subject.isPermitted(&quot;queryPrinter&quot;)
 </code></pre>
 <p>This is (mostly) equivalent to</p>
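Review bot: both wording fixes are correct. In the context line above the hunk, "Shiro provides powerful and intuitive permission syntax" is missing an article ("provides a powerful and intuitive permission syntax"); worth fixing in the same hunk.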

Modified: shiro/site/publish/realm.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/realm.html?rev=1799612&r1=1799611&r2=1799612&view=diff
==============================================================================
--- shiro/site/publish/realm.html (original)
+++ shiro/site/publish/realm.html Thu Jun 22 20:13:09 2017
@@ -252,7 +252,12 @@
     </ul>
   </li>
   <li>
-  <p><a href="#Realm-RealmAuthorization">Realm Authorization</a></p></li>
+    <p><a href="#Realm-RealmAuthorization">Realm Authorization</a></p>
+    <ul>
+      <li><a href="#Realm-RoleBasedAuthorization">Role based Authorization</a></li>
+      <li><a href="#Realm-PermissionBasedAuthorization">Permission based Authorization</a></li>
+    </ul>
+  </li>
 </ul>
 <p>A <code>Realm</code> is a component that can access application-specific
security data such as users, roles, and permissions. The <code>Realm</code> translates
this application-specific data into a format that Shiro understands so Shiro can in turn provide
a single easy-to-understand <a href="subject.html" title="Subject">Subject</a>
programming API no matter how many data sources exist or how application-specific your data
might be.</p>
 <p>Realms usually have a 1-to-1 correlation with a data source such as a relational
database, LDAP directory, file system, or other similar resource. As such, implementations
of the <code>Realm</code> interface use data source-specific APIs to discover
authorization data (roles, permissions, etc), such as JDBC, File IO, Hibernate or JPA, or
any other Data Access API.</p>
@@ -410,7 +415,30 @@ myRealm.credentialsMatcher = $credential
 <p>Of course at least one configured <code>Realm</code> needs to be able
to support AuthenticationTokens if you want to authenticate Subjects.</p>
 <a name="Realm-RealmAuthorization"></a>
 <h2><a href="#realm-authorization" name="realm-authorization">Realm Authorization</a></h2>
-<p>TBD</p>
+<p><code>SecurityManager</code> delegates the task of <code>Permission</code>
or <code>Role</code> checking to <a href="static/current/apidocs/org/apache/shiro/authz/Authorizer.html">Authorizer</a>,
defaulted to <a href="static/current/apidocs/org/apache/shiro/authz/ModularRealmAuthorizer.html">ModularRealmAuthorizer</a>.
</p>
+<a name="Realm-RoleBasedAuthorization"></a>
+<h5><a href="#role-based-authorization" name="role-based-authorization">Role
based Authorization</a></h5>
+<p>When one of the overloaded method hasRoles or checkRoles method is called on Subject</p>
+<ol>
+  <li><code>Subject</code> delegates to <code>SecurityManger</code>
for identifying if the given Role is assigned</li>
+  <li><code>SecurityManger</code> then delegates to <code>Authorizer</code></li>
+  <li><a href="static/current/apidocs/org/apache/shiro/authz/Authorizer.html">Authorizer</a>
then referrers to all the Authorizing Realms one by one until it found given role assigned
to the subject. Deny access by returning false if no none of the Realm grants Subject given
Role</li>
+  <li>Authorizing Realm <a href="static/current/apidocs/org/apache/shiro/authz/AuthorizationInfo.html">AuthorizationInfo</a>
getRoles() method to get all Roles assigned to Subject</li>
+  <li>Grant access if it found the given Role in list of roles returned from AuthorizationInfo.getRoles
call.</li>
+</ol>
+<a name="Realm-PermissionBasedAuthorization"></a>
+<h5><a href="#permission-based-authorization" name="permission-based-authorization">Permission
based Authorization</a></h5>
+<p>When one of the overloaded method <code>isPermitted()</code> or <code>checkPermission()</code>
method are called on Subject:</p>
+<ol>
+  <li><code>Subject</code> delegates the task to grant or deny Permission
to SecurityManger</li>
+  <li><code>SecurityManger</code> then delegates to Authorizer</li>
+  <li>Authorizer then referrers to all of the Authorizer Realms one by one until it
Permission is granted<br/>If Permission is not granted by any of the Authorizing Realm,
Subject is denied Permission</li>
+  <li>Authorizing Realm does the following in order to check if a Subject is permitted:
+    <p>a. First it gets identify all Permissions assigned to Subject directly by calling
getObjectPermissions() and getStringPermissions methods on <a href="static/current/apidocs/org/apache/shiro/authz/AuthorizationInfo.html">AuthorizationInfo</a>
and aggregating the results.</p>
+    <p>b. If a <a href="static/current/apidocs/org/apache/shiro/authz/permission/RolePermissionResolver.html">RolePermissionResolver</a>
is registered, it is used to retrieve Permissions based on all of the roles assigned to Subject
by calling the <code>RolePermissionResolver.resolvePermissionsInRole()</code></p>
+    <p>c. For aggregated Permissions from a. and b. the implies() method is called
to check if any of these permission are implied the checked permission. See <a href="permissions.html#Permissions-WildcardPermissions">WildcardPermission</a></p>
+  </li>
+</ol>
 <h2><a name="Lendahandwithdocumentation"></a>Lend a hand with documentation
</h2>
 <p>While we hope this documentation helps you with the work you're doing with Apache
Shiro, the community is improving and expanding the documentation all the time.  If you'd
like to help the Shiro project, please consider corrected, expanding, or adding documentation
where you see a need. Every little bit of help you provide expands the community and in turn
improves Shiro. </p>
 <p>The easiest way to contribute your documentation is to submit a pull-request by
clicking on the <code>Edit</code> link below, send it to the <a class="external-link"
href="http://shiro-user.582556.n2.nabble.com/" rel="nofollow">User Forum</a> or the
<a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.</p>
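Review bot: the new Realm Authorization section is the security-relevant part of this commit, since it documents the allow/deny decision path, and it needs a proofreading pass before publishing. Specifics: `SecurityManger` appears four times and should be `SecurityManager`; "referrers to" should be "iterates over"; "until it found given role assigned" should be "until it finds the given role assigned"; "if no none of the Realm grants" should be "if none of the Realms grants"; step 4 of the role flow is missing its verb ("Authorizing Realm calls the AuthorizationInfo getRoles() method"); in the permission flow, "Authorizer Realms" should be "Authorizing Realms", "until it Permission is granted" should be "until a Permission is granted", "First it gets identify all Permissions" should be "First it identifies all Permissions", and "are implied the checked permission" should be "imply the checked permission". The deny-by-default rule is stated correctly in both flows (a check that no Realm grants is denied) and is worth keeping explicit. Structurally, the headings jump from `<h2>` straight to `<h5>`; the other pages use `<h3>` beneath `<h2>` (see "Simple Usage" in permissions.html in this same commit), and the a/b/c sub-steps would be clearer as a nested `<ol>` than as `<p>` elements inside a single `<li>`.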

Modified: shiro/site/publish/web.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/web.html?rev=1799612&r1=1799611&r2=1799612&view=diff
==============================================================================
--- shiro/site/publish/web.html (original)
+++ shiro/site/publish/web.html Thu Jun 22 20:13:09 2017
@@ -958,7 +958,7 @@ securityManager.rememberMeManager = $rem
 <p>For example:</p>
 <pre><code class="html">&lt;shiro:hasAnyRoles name=&quot;developer, project
manager, administrator&quot;&gt;
     You are either a developer, project manager, or administrator.
-&lt;/shiro:lacksRole&gt;
+&lt;/shiro:hasAnyRoles&gt;
 </code></pre>
 <p>The <code>hasAnyRole</code> tag does not currently have a logically
opposite tag.</p>
 <a name="Web-haspermissiontag"></a>
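Review bot: the closing tag fix is correct and removes a mismatched `</shiro:lacksRole>` that would have broken the JSP example. The prose directly after the example still says "The `hasAnyRole` tag does not currently have a logically opposite tag" while the tag shown is `hasAnyRoles` (plural); align the name in the sentence with the tag actually shown so readers copy the right one.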
@@ -978,7 +978,7 @@ securityManager.rememberMeManager = $rem
 <p>For example:</p>
 <pre><code class="html">&lt;shiro:lacksPermission name=&quot;user:delete&quot;&gt;
     Sorry, you are not allowed to delete user accounts.
-&lt;/shiro:hasPermission&gt;
+&lt;/shiro:lacksPermission&gt;
 </code></pre>
 <p>The <code>lacksPermission</code> tag is the logical opposite of the
<a href="#Web-haspermissiontag">hasPermission</a> tag.</p>
 <h2><a name="Lendahandwithdocumentation"></a>Lend a hand with documentation
</h2>


