I'm trying to mentally map the security concepts of Java EE 6 (groups, users, and roles) to Apache Shiro's concepts (roles, users, and permissions), and I understand that they are incompatible.
Reading the Java EE 6 security tutorial, it seems like the model is too restrictive: groups are configured per server, not per application, which really leaves us with only two flexible concepts to express the authorization mechanism: users and roles, which exist in a simple 1-to-N relationship. In contrast, the Shiro model of roles, users and permissions is much more dynamic, since it allows you to hard-code permissions in annotated code and change the mapping of roles to permissions at run time, when things change or new roles appear. I don't see how you can do the same with container-managed authorization according to the Java EE 6 model.
Do I understand correctly? The reasoning implies that it is actually impossible to go very far with authorization controlled by the container.
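The difference the question describes (a permission string fixed in code, with the role-to-permission mapping kept as data that can change at run time) can be shown with Shiro's real `WildcardPermission` class and a small in-memory mapping. This is an added example, not code from the post or from Shiro itself; the `RolePermissionMapping` class, its method names and the user/role/permission values are constructed for illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

/**
 * Hypothetical in-memory mapping of users -> roles -> permissions.
 * Code checks a permission string (what a Shiro @RequiresPermissions
 * annotation would carry); which roles imply that permission is data.
 * Contrast: a Java EE @RolesAllowed("admin") hard-codes the role name,
 * so introducing a new role means changing and redeploying code.
 */
public class RolePermissionMapping {
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    private final Map<String, Set<Permission>> rolePermissions = new HashMap<>();

    public void assignRole(String user, String role) {
        userRoles.computeIfAbsent(user, u -> new HashSet<>()).add(role);
    }

    // Can be called at run time, e.g. from an admin UI or a config reload.
    public void grant(String role, String wildcardPermission) {
        rolePermissions.computeIfAbsent(role, r -> new HashSet<>())
                       .add(new WildcardPermission(wildcardPermission));
    }

    public void revoke(String role, String wildcardPermission) {
        Set<Permission> perms = rolePermissions.get(role);
        if (perms != null) {
            perms.remove(new WildcardPermission(wildcardPermission));
        }
    }

    // Shiro semantics: granted if any held permission *implies* the required one.
    public boolean isPermitted(String user, String required) {
        Permission needed = new WildcardPermission(required);
        for (String role : userRoles.getOrDefault(user, Set.of())) {
            for (Permission held : rolePermissions.getOrDefault(role, Set.of())) {
                if (held.implies(needed)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        RolePermissionMapping m = new RolePermissionMapping();
        // Constructed sample data.
        m.assignRole("alice", "operator");
        m.grant("operator", "printer:print:*");

        // The permission string below is what the protected code would check;
        // it never mentions a role.
        System.out.println(m.isPermitted("alice", "printer:print:lp7200")); // true
        System.out.println(m.isPermitted("alice", "printer:manage:lp7200")); // false

        // A new role appears at run time: no code change, only mapping data.
        m.grant("printer-admin", "printer:*");
        m.assignRole("alice", "printer-admin");
        System.out.println(m.isPermitted("alice", "printer:manage:lp7200")); // true

        // Tightening access is likewise a data change.
        m.revoke("printer-admin", "printer:*");
        System.out.println(m.isPermitted("alice", "printer:manage:lp7200")); // false
    }
}
```

Only `WildcardPermission` and the `Permission` interface come from Shiro (`org.apache.shiro:shiro-core`); in a real deployment the two maps would live in a `Realm` (for example a database-backed `AuthorizingRealm`) rather than in a hand-rolled class, but the check that code performs stays a permission string, which is what makes the role-to-permission mapping editable without redeploying.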
They are incompatible, and I think the Java EE security developers were wrong, because the terminology seems to be disabled for ROLES.
, ROLE ( ) , /. , ( ), , , , / .
, Java EE. . Les Hazelwood, , RBAC, , , .