Integrate Apache Shiro Security Library with Dropwizard based JAX-RS application

I am trying to change Dropwizard to support Shiro.
I have read the documentation and am a little puzzled. I would like to utilize Shiro in conjunction with form login authentication and Apache Shiro Annotations. I think that I need to use Jersey Filters to support Shiro.
Is this the correct way to support Shiro annotations in Jersey instead of the classic Shiro Filter approach?
Since Jersey Filters have decent access to resources with annotations, it seems perfect for me to use annotations.
I would rather not use the AOP approach, and it would be really great to have on-the-fly integration with JAX-RS as a separate module.

Someone has already created a solution for what you are asking.
Shiro with Jersey.
https://github.com/javajack/shiro-jersey
Shiro For Dropwizard
https://github.com/javajack/shiro-jdbi-realm
Dropwizard Shiro Bundle Example
https://github.com/javajack/dw-shiro-bundle
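
The Jersey-filter approach asked about above, as an added example (not code from the linked projects): a JAX-RS 2 `DynamicFeature` that attaches a role check only to resource methods carrying Shiro's `@RequiresRoles`. The class names `ShiroRolesFeature` and `RolesFilter` are hypothetical, and the code assumes the `javax.ws.rs` namespace and that Shiro's web environment has already bound the `Subject` to the request thread.

```java
import java.util.Arrays;
import java.util.List;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;

/** Hypothetical feature: attaches a Shiro role check only to annotated resource methods. */
public class ShiroRolesFeature implements DynamicFeature {
    @Override
    public void configure(ResourceInfo info, FeatureContext context) {
        // A method-level @RequiresRoles overrides one on the resource class.
        RequiresRoles roles = info.getResourceMethod().getAnnotation(RequiresRoles.class);
        if (roles == null) {
            roles = info.getResourceClass().getAnnotation(RequiresRoles.class);
        }
        if (roles != null) {
            context.register(new RolesFilter(roles), Priorities.AUTHORIZATION);
        }
    }

    /** Runs before the resource method and aborts the request unless the check passes. */
    static final class RolesFilter implements ContainerRequestFilter {
        private final List<String> required;
        private final boolean all; // Logical.AND: every listed role; Logical.OR: any one

        RolesFilter(RequiresRoles roles) {
            this.required = Arrays.asList(roles.value());
            this.all = roles.logical() == Logical.AND;
        }

        @Override
        public void filter(ContainerRequestContext request) {
            // Assumes Shiro has already bound the Subject to this request thread.
            Subject subject = SecurityUtils.getSubject();
            if (!subject.isAuthenticated()) {
                request.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            } else if (!(all ? subject.hasAllRoles(required)
                             : required.stream().anyMatch(subject::hasRole))) {
                request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
    }
}
```

Registering the feature with the Jersey environment is enough; resource methods without the annotation get no filter and are left to whatever URL-level rules apply.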

Related

Using Jersey and Spring in a Project

I want to create a REST web service using Jersey. I also want to use Spring in the project. Now, my question is the following:
I don't see any reason for integrating these 2 together in my application. So, I should be able to use Spring for bean management and Jersey for creating the web service. Am I correct, or do Spring and Jersey somehow have to be integrated?
I see that there is a jersey-spring maven project, and so, I assume that this is for the purpose of integrating jersey and spring together. My question here is do I get any benefit of using this integrated form rather than simply use Jersey and Spring separately each for its own functionality?
Thanks,
Cyrus
You can absolutely combine the two projects. However, I would encourage you to look at Spring-MVC for doing REST as it is very powerful and easy to use. If memory serves, the jersey-spring project was helpful in integration of JAXB and other touch points. Again, this is all built into Spring. And if you use Spring-Boot it is amazingly simple to get running.
The jersey-spring project provides integration between Jersey and Spring. It allows you to wire in any beans in your Spring context into Jersey and vice-versa.
For instance, if you are using spring-security, it will provide your spring-security principal when wiring the Jersey specific SecurityContext into any of your REST resources.
If you want to access Spring beans from your Jersey REST endpoints (or use Spring Beans as implementations for your JAX-RS interfaces) you need to integrate Spring and Jersey, otherwise it won't work. If you don't have any connections between Spring beans and your REST endpoints, then it is not necessary.
I think your first statement is correct. I have used Jersey and Spring as separate entities.
Jersey is really awesome to create a web server.
Spring is useful for dependency injection (beans) and other cool stuff.
About your second statement, I do not know anything about the jersey-spring maven project.
My suggestion/opinion is to do as your first comment. Use them in a separate way. You will have the best of both worlds. Using the jersey-spring maven project might be a complication and maybe it is not what you want. Libraries are usually intended to be independent.

Role based security for OSGi

I am searching for a security framework that allows role based security for OSGi services as well as CXF webservices.
Some time ago I already used spring security but as we now switched to blueprint it is not an option anymore as far as I understood. To configure the access rules I would like to mainly use the standard @RolesAllowed annotation. So what are my best starting points? I also thought about implementing this myself as a blueprint extension but I would prefer an existing solution.
I would suggest you go with Apache Shiro instead, http://shiro.apache.org/.
It provides easy APIs for authentication, authorization, cryptography, and session management. It can also be easily deployed inside an OSGi container. Some pros of Apache Shiro are listed here: Apache Shiro vs Java EE native APIs
In the meantime I created a blueprint extension for authorization based on JAAS and Java EE annotations (@RolesAllowed, @PermitAll, @DenyAll). You can add the extension to any blueprint file. It will then scan all beans for these annotations and intercept calls if they are found. It uses an existing JAAS context to get the roles of the user.
So prerequisite for this is doing a JAAS login. I have also created a CXF JAASAuthentication feature that logs in a user based on basic auth or ws security username principal. The module works together with the Apache Karaf JAAS support. So all karaf users and roles apply.
I will create a tutorial to show how to use all of this once the aries blueprint release that includes the authorization module is out. In the mean time I would be happy if you try it out and report any problems you have.
Btw. another approach for karaf is the role based access control for OSGi services that is built into karaf 3+. It does not work with annotations but is also easy to use. See
http://coderthoughts.blogspot.de/2013/10/role-based-access-control-for-karaf.html
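
An added example of the kind of check described in the answer above (intercept calls on beans annotated with `@RolesAllowed`, `@PermitAll` or `@DenyAll` and read roles from the current JAAS login). It is not the Aries blueprint module's code: `RolesAllowedHandler` and its `roleType` parameter are hypothetical, and it assumes the Java 8-era `Subject.getSubject(AccessController.getContext())` lookup, which newer JDKs deprecate.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.Principal;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;

/** Hypothetical interceptor: wrap a bean with java.lang.reflect.Proxy and this handler. */
public class RolesAllowedHandler implements InvocationHandler {
    private final Object target;
    private final Class<? extends Principal> roleType; // the login module's role principal class

    public RolesAllowedHandler(Object target, Class<? extends Principal> roleType) {
        this.target = target;
        this.roleType = roleType;
    }

    @Override
    public Object invoke(Object proxy, Method call, Object[] args) throws Throwable {
        // The annotations sit on the bean class, not on the proxied interface method.
        Method impl = target.getClass().getMethod(call.getName(), call.getParameterTypes());
        check(impl);
        try {
            return call.invoke(target, args);
        } catch (InvocationTargetException e) {
            throw e.getCause(); // rethrow the bean's own exception unchanged
        }
    }

    private void check(Method m) {
        if (m.isAnnotationPresent(DenyAll.class)) throw new SecurityException("denied: " + m.getName());
        if (m.isAnnotationPresent(PermitAll.class)) return;
        RolesAllowed allowed = m.getAnnotation(RolesAllowed.class);
        if (allowed == null) allowed = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        if (allowed == null) return; // unannotated methods are not restricted
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) throw new SecurityException("no JAAS login on this thread");
        // Compare role principals only, so a user *named* like a role does not gain it.
        Set<String> roles = subject.getPrincipals(roleType).stream()
                .map(Principal::getName).collect(Collectors.toSet());
        if (Arrays.stream(allowed.value()).noneMatch(roles::contains))
            throw new SecurityException("missing role for " + m.getName());
    }
}
```

The call has to run inside `Subject.doAs(...)` after a successful `LoginContext.login()`, otherwise no subject is found and every `@RolesAllowed` method is refused.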

Is it possible to use Spring Security with Google Guice?

I would like to change Spring Framework to Google Guice, because it's lighter and has almost everything I need. Is it possible to use Spring Security with Google Guice instead of Spring Framework?
No. Spring Security makes extensive use of the core Spring Framework.
(I guess, in theory you could use Spring + Spring Security for the security filters, and Google Guice for the servlet wiring ... but I expect there would be a few traps and pitfalls on that road.)

Input Validating in Spring MVC

I know the Commons Validator framework is the de facto standard for Struts projects to validate input values both on the server side and the client side.
Is the same true for Spring MVC projects?
The reason I get the impression that it may not is that most Struts books and forums talk a lot about the Commons Validator framework, but only a few Spring books and forums do.
What's the best practice for validating input in Spring MVC projects?
Cheers!
Commons Validator is more or less obsolete now, following the introduction of the JSR-303 Validation API, which Spring 3 fully supports. It's an annotation-driven declarative framework.
See the relevant parts (here and here) of the Spring docs to see how Spring uses it.
These examples of server-side validation using JSR-330 rich client-side validation with Spring MVC should give you some easy-to-follow examples to get you started.

Example link Required for Uses of acegisecurity framework with spring

I am currently developing my project using Spring, Struts2 & Hibernate. Now I want to apply acegi security for authentication & authorization purposes.
But I am totally new to acegi, so I want to use the acegisecurity framework with Spring configuration.
If anyone has a link to a simple example of acegi with Spring, Struts2 & Hibernate, then please provide it.
Thanks in advance.
Are you using acegi or spring security? Acegi has been repackaged (and simplified with respect to configuration) to become spring security, as described on the homepage:
Acegi Security is now Spring Security, the official security project of the Spring Portfolio. If you are planning a new project, we'd recommend you consider using Spring Security. Acegi Security 1.0.7 will be the last non-critical release of the 1.0.x series.
See also Ben Alex's blog
Update: A spring security tutorial is available here
There is a tutorial sample available as part of the acegi distribution.
