I'm working on a implementation of a webapp in Java, where there will be limitations on some roles shall only be able to read data and some to update. All roles shall not have access to all pages.
I've looked at Apache Shiro together with JSP/Javascrip/CSS.
Are there any other alternatives for this?
Or is this the best choice?
//Henrik
Consider Spring Security, formerly known as Acegi.
http://projects.spring.io/spring-security/
Seems it's a bit more mainstream:
http://www.indeed.com/jobtrends?q=Apache++Shiro%2C+Spring+Security&l=
Related
I have been working on an infrastructure project that has a myriad of pages that used in numerous flow based scenarios. I eager to use a standard framework for facilitating this flows. I have a glance on spring web flow and I realize it is difficult to deal with all of the XML stuff like flow files. Could you please tell me is there an annotation base version instead of these XML files? Or Is there any other frameworks that use annotation based approach for this purpose. Moreover, I saw Seam framework, but like Spring Web Flow it has an XML based feature. Additionally, I read some articles about Netui Page Flows. Even though it has annotation based flows, as you know it is a very old framework and discontinued now.
I use this links:
spring web flow support in intellij idea 12
Spring Web Flow Ref Book
spring web flow
As I need this xml based file for create a web flow for my JSP pages into my enterprise application, after month looking for best solutions and frameworks, finally I find Spring Statemachine for my porpuse. I put that here for someone in future that looks for object-oreinted state machine that can be used in her/his page flow.
Thank you Spring :)
I was wondering if anybody could explain(or point me to proper documentation) and Spring Security in Hybris. I have used Spring Security before in Java based applications and I have always enjoyed the flexibility of custom groups with specific functions. I was unable to find any documentation on how to do that in Hybris. Ideally, I would be able to add security to CMS site without creating a separate storefront. How does Hybris allow to extend Spring Security? Thanks!
Generally, there is spring security config at this location. **web/webroot/WEB-INF/config/spring-security-config.xml . Here you can play with the configuration. wiki page
Hybris supports different user groups and rules about them, which can be seen here .
It really depends on your goal but some things can be done with Hybris restrictions engine.
It is always recommended create your own extension (extending the default one) and not using the platform extension, if i understood your idea correctly. There you can find the spring-security-config and modify it.
Imagine a website permissions similar to Reddit. A specific user-account has access to "SUPER-MOD" for "/r/subreddit-A" and "MOD" on "/r/Subreddit-B" and finally "BANNED" on "/r/Subreddit-C"
The way our spring security config is currently setup is we have the concept(s) of SUPER-MOD, MOD, USER, etc... but not SUPER-MOD(domain-A).
Clearly, writing my own code for this is not rocket science, but I was wondering if there was a common or standard interface for these types of permissions.
P.S. We're using Spring MVC / Tomcat. Articles & tutorials welcome.
The way that I have usually dealt with roles is typically using the Expression-Based Access Control with Spring. Since you seem to have most of the roles and permissions defined it should be a piece of cake getting them out of the security context.
Just make sure you have <global-method-security pre-post-annotations="enabled"/> because lack of that will obviously make the annotations useless.
Anyway hope that helps.
I need to design a user role management module for online examine tool application, There are several users in the system (Admin, Moderator, Contributor, Examiner). These users have different privileges for the system.
I need to use the Spring framework and spring security for the user access system. How do I use the spring security for this module. Can anyone direct me to a good tutorial and your ideas allways welcome.
Based on your description, I think that you might be looking at a custom implementation of UserDetailsService.
It's worth checking out Stephan Gerth's ZK sample project, that integrates Spring, Hibernate, customized Spring security, ZK Ajax, etc. Here you have the announcement post, that has links to source and documentation. I suggest reading the chapter 13.2. Spring-Security (and related), that should help you navigate the source code.
Try this one Spring Authorization and Authentication.A very simple tutorial for beginners.
Typically in any web application, the major security concern is securing the resources from the malicious users who are trying to access un-authorized resources. They can change a value in the request parameter and try to access something that doesn't belong to that particular user.
For Example:
http://blah.com/id=foo
a user can change this to http://blah.com/id=bar and try to access the bar resource to access it.
With restful services this may lead to greater security concerns as the restful URL's are rather self explanatory.
eg:
http://hotels.com/hotels/1
a user can easily guess and change the id to 2 to see the details of it..
One design is to check at every request manually to see the access rights for the resources and deny it if needed.
but this is a cumbersome and not maintainable.
So the question is "Is there any tool/framework that can help achieve this in a easy manner? I know spring security supports static rules not dynamic.
Over the last couple of years, the de-factory standard for this has become Spring Security. This sits in frotn of any old java webapp (not just Spring webapps) and provides an interception authentication and authorization layer of your choice.
It's very powerful, although also rather complicated (over-complicated, IMO).
I would highly recommend looking into Seam Security. It can even be tied into a rules system.
edit: I believe you would need the Seam Core package for this to work. However, I have never tried using it without Seam, so I can't be positive about its dependencies.