Apache Shiro on a Swing client - EJB 3.1 case for authentication/authorization

General case: a simple application that provides its services through EJB (3.1) - most of them are stand-alone session beans (nothing interesting here) - and Swing-based clients that call these services through remote interfaces and do what they should do.

Security. I want to authenticate / authorize this call loop and, of course, protect my services. The obvious answer would be to use JAAS on the server and any custom wiring setting on the core server. This is another option.

Apache Shiro: so many people talk about Apache Shiro, and indeed, it has a very simple API and mechanism that could potentially be independent of the application server.

Technical Issues:

  • Session. In my case, I do not have an HTTP session. And from what I understood, Shiro, at least, needs some SESSION identifier that I need to pass through. Any good way to enter user credentials into my RMI / IIOP calls to the server without polluting my business API?

  • Server side implementation. From several resources that I went through, I think I can implement the Shiro DefaultSecurityManager by referencing it from a Singleton EJB 3.1 bean. Any other ideas? Then I can easily create an interceptor and add it to my remote calls - therefore, when a new call passes through my remote EJB method, the Shiro interceptor verifies my user or verifies certain rights.

Any comments / tips / examples?

Many thanks

+5
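Added example (editor's illustration, not code from the question or the answer) of the server side sketched in the two bullets above: one `DefaultSecurityManager` shared by the server, a login step that hands the client a Shiro session id, and an EJB 3.1 `@AroundInvoke` interceptor that rebuilds the `Subject` from that id on every remote call and enforces Shiro's `@RequiresRoles` on the target method, so the business signatures stay free of credentials. Assumptions: the `ThreadLocal` is a stand-in for however the container transports the session id alongside the call (that part is container-specific), the accounts and `ReportService` are constructed for the demo, and `main` exercises the check directly because there is no container at hand. The Shiro calls themselves (`DefaultSecurityManager`, `SimpleAccountRealm`, `Subject.Builder`, `ThreadContext`, `RequiresRoles`) are the real API.

```java
import java.io.Serializable;
import java.lang.reflect.Method;
import java.util.Arrays;

import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class ShiroEjbExample {

    // One SecurityManager for the whole server. In the EJB deployment this would live in a
    // @Singleton @Startup bean; it is a static here so the demo runs in a single JVM.
    static final DefaultSecurityManager SECURITY_MANAGER = buildSecurityManager();

    // Stand-in for the transport of the caller's Shiro session id (assumption: how the id
    // travels with the remote call is container-specific; it is NOT a business parameter).
    static final ThreadLocal<Serializable> CALLER_SESSION = new ThreadLocal<>();

    static DefaultSecurityManager buildSecurityManager() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "alice-secret", "admin"); // constructed demo account
        realm.addAccount("bob", "bob-secret", "user");      // constructed demo account
        // DefaultSecurityManager stores sessions in memory by default, so a session id
        // handed out at login can be resolved again on a later call.
        return new DefaultSecurityManager(realm);
    }

    // Core check, separate from the interceptor so it can be exercised without a container.
    static Subject authorize(Serializable sessionId, Method target) {
        if (sessionId == null) {
            throw new UnauthenticatedException("remote call carried no Shiro session id");
        }
        Subject subject = new Subject.Builder(SECURITY_MANAGER).sessionId(sessionId).buildSubject();
        // An unknown or expired id yields a subject without a session, hence not authenticated.
        if (!subject.isAuthenticated()) {
            throw new UnauthenticatedException("session is not authenticated: " + sessionId);
        }
        RequiresRoles required = target.getAnnotation(RequiresRoles.class);
        if (required != null) {
            subject.checkRoles(Arrays.asList(required.value())); // throws on missing role
        }
        return subject;
    }

    // EJB 3.1 interceptor for the remote beans: @Interceptors(ShiroRoleInterceptor.class).
    public static class ShiroRoleInterceptor {
        @AroundInvoke
        public Object check(InvocationContext ctx) throws Exception {
            Subject subject = authorize(CALLER_SESSION.get(), ctx.getMethod());
            ThreadContext.bind(subject); // bean code may now call SecurityUtils.getSubject()
            try {
                return ctx.proceed();
            } finally {
                ThreadContext.unbindSubject();
            }
        }
    }

    // Hypothetical business bean: the role annotation is the only security-related mark.
    public static class ReportService {
        @RequiresRoles("admin")
        public String exportAll() {
            return "export done";
        }
    }

    // Simulates a remote login EJB: authenticates and returns the session id for later calls.
    static Serializable loginAndGetSessionId(String user, String password) {
        Subject s = new Subject.Builder(SECURITY_MANAGER).buildSubject();
        s.login(new UsernamePasswordToken(user, password));
        return s.getSession().getId();
    }

    public static void main(String[] args) throws Exception {
        Method exportAll = ReportService.class.getMethod("exportAll");

        authorize(loginAndGetSessionId("alice", "alice-secret"), exportAll);
        System.out.println("alice (admin): allowed");

        try {
            authorize(loginAndGetSessionId("bob", "bob-secret"), exportAll);
        } catch (AuthorizationException e) {
            System.out.println("bob (user): denied -> " + e.getClass().getSimpleName());
        }

        try {
            authorize("no-such-session", exportAll);
        } catch (UnauthenticatedException e) {
            System.out.println("unknown session id: denied -> " + e.getMessage());
        }
    }
}
```

The session id, not the password, is what crosses the wire on each call, and the interceptor re-resolves it against the server-held session store every time, so a stale or forged id simply fails the `isAuthenticated()` check; the session timeout configured on the `SecurityManager` is what bounds how long a stolen id stays useful.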
1 answer

For Shiro, try using the ServiceLocator pattern. EJB lookup differs between containers (JBoss, NetWeaver, WebLogic, etc.).

Application Server (@RolesAllowed, @PermitAll, @Deny...). JAAS , (@RolesAllowed, @PermitAll, @Deny...). , .

0
