About JSecurity's bytecode engineering

About JSecurity's bytecode engineering

mksong
Hello, All

I am carrying out an experiment on JSecurity's bytecode engineering.

I tested JSecurity to see if the framework would generate any bytecode related to security or add anything to the existing ones.

With the attached log file, I am not sure if JSecurity does bytecode engineering or not.
(Here are the log file at loading time and the slide file explaining what I did:
http://people.cs.vt.edu/~mksong/jsecurity/)

Is it true?

Re: About JSecurity's bytecode engineering

Les Hazlewood-2
Hiya,

The project (now named Shiro) does not perform bytecode manipulation of any sort.

Regards,

Les

--
View this message in context: http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3168851.html
Sent from the Shiro User mailing list archive at Nabble.com.



Re: About JSecurity's bytecode engineering

mksong
Thanks for your reply.

For example, Hibernate does not perform any bytecode
manipulation on its own, but it uses a proxying library that
creates proxies at the bytecode level.

If you do not manipulate bytecode,
how do you enforce security policies then?

Regards,
Myoungkyu



Re: About JSecurity's bytecode engineering

Manoj Khangaonkar
Hi Myoungkyu,

Just curious, what kind of security policies are you interested in?
Can you give an example?

Authorization policies (role based or other) that Shiro supports
do not necessarily require any byte code manipulation.

thanks

Manoj


Re: About JSecurity's bytecode engineering

mksong
Hello, Manoj

I am searching for a framework which changes the bytecode directly,
without modifying source code. As you know, this is bytecode
engineering or enhancement. Based on this idea, I thought JSecurity
modified bytecode in order to support a security functionality
relieving a programmer from the burden of having to implement
important security concerns by hand.

So, is the method of supporting the security functionality a type
of API at JSecurity (or Apache Ki)?

Because the distribution S/W of JSecurity-0.9.0 included asm and cglib
libraries, I thought JSecurity was related to Java bytecode manipulation.

Myoungkyu



Re: About JSecurity's bytecode engineering

Ryan McKinley
No -- Apache Shiro (JSecurity / Ki) does not do bytecode manipulation.

With Shiro, you need to use Java APIs to manage authentication/authorization.



Re: About JSecurity's bytecode engineering

Les Hazlewood-2
In reply to this post by Manoj Khangaonkar
The closest thing Shiro might get to bytecode enhancement might be due to an AOP framework that you use that modifies bytecode - but this is a choice you make and is not a requirement of the framework.

For example, Shiro has code annotations @RequiresRole, @RequiresAuthentication, etc, with which you can annotate code.  If the AOP framework configured to support Shiro uses bytecode manipulation, then obviously bytecode changes could enforce the annotations.

But this is a factor of the AOP mechanisms you use and is not controlled by Shiro directly.  AspectJ for example can perform build time or runtime bytecode manipulation to support Shiro annotations, but AOPAlliance might use JDK-provided Proxying mechanisms at runtime and no bytecode manipulation.

Ultimately though you need to specify somehow how the security framework is supposed to execute - either via a Servlet Filter or code @Annotations or text-based configuration, or some other mechanism.  The developer needs to direct the way the security framework behaves.

So if you desire bytecode enhancement, then yes, you can have it as long as you use something like, say, AspectJ to perform the bytecode manipulation which would discover and enforce the Shiro annotations. This is done by writing Advice that calls the Subject API to perform security checks, and that Advice is 'weaved' by AspectJ. Shiro does not currently have any AspectJ-specific Advice written - you'd have to do it yourself, but you could look at the classes in org.apache.shiro.aop.* for ideas.

Regards,

Les


Re: About JSecurity's bytecode engineering

mksong
Hello, Les

I think it looks like you're saying that JSecurity can do
bytecode engineering by means of AspectJ.
Is that right? If it is true, that is what I am searching for.
If you could send me a small example using annotations for
adding the security functionality, I'd very much appreciate it.

Thank you so much for your reply.
Myoungkyu




Re: About JSecurity's bytecode engineering

Les Hazlewood-2
Hi Myoungkyu,

We don't have any AspectJ-specific code in place to support our code annotations.  You would have to write that yourself.

The best advice I have is to look at the AOP base support classes:

http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/aop/

and the Spring AOPAlliance implementations:

http://svn.apache.org/viewvc/incubator/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/security/interceptor/

and see if they give you any ideas as you try to write AspectJ-specific versions.

Regards,

Les
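
The approach described in the two replies above (AspectJ advice that calls the Subject API when it meets a Shiro annotation), written out as an added example; it is not part of the thread and is not Shiro's own code. It assumes annotation-style AspectJ with compile-time or load-time weaving, a configured Shiro SecurityManager, and a Shiro release in which the role annotation is named `@RequiresRoles` (the thread writes @RequiresRole) with a `String[] value()` and a `logical()` attribute; the package and the `ShiroAnnotationAspect` and `ReportService` classes are hypothetical.

```java
package example.security; // hypothetical package name

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

import java.util.Arrays;

/**
 * Hypothetical aspect: AspectJ weaves these checks into the bytecode of every
 * method carrying a Shiro annotation. Shiro itself only supplies the
 * annotations and the Subject API that the advice calls.
 */
@Aspect
public class ShiroAnnotationAspect {

    // Runs before any method annotated with @RequiresAuthentication.
    @Before("execution(* *(..)) && @annotation(requiresAuthentication)")
    public void checkAuthenticated(JoinPoint jp,
                                   RequiresAuthentication requiresAuthentication) {
        // getSubject() throws if no SecurityManager is available, so a
        // misconfigured application fails closed instead of skipping the check.
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            throw new UnauthenticatedException(
                "Authentication required for " + jp.getSignature().toShortString());
        }
    }

    // Runs before any method annotated with @RequiresRoles and binds the
    // annotation instance so its attributes can be read.
    @Before("execution(* *(..)) && @annotation(requiresRoles)")
    public void checkRoles(JoinPoint jp, RequiresRoles requiresRoles) {
        Subject subject = SecurityUtils.getSubject();
        String[] roles = requiresRoles.value();

        if (requiresRoles.logical() == Logical.OR) {
            // Any one of the listed roles is sufficient.
            for (String role : roles) {
                if (subject.hasRole(role)) {
                    return;
                }
            }
            // No role matched (or the list was empty): deny.
            throw new UnauthorizedException(
                "One of " + Arrays.toString(roles) + " required for "
                    + jp.getSignature().toShortString());
        }

        // Logical.AND (the default): every listed role is required.
        // checkRoles throws an AuthorizationException when one is missing.
        subject.checkRoles(roles);
    }
}

/** Hypothetical application class: no security code in the method bodies. */
class ReportService {

    @RequiresAuthentication
    public String viewOwnReport() {
        return "report for " + SecurityUtils.getSubject().getPrincipal();
    }

    @RequiresRoles("admin")
    public void deleteReport(String reportId) {
        // deletion logic would go here
    }
}
```

These pointcuts match method-level annotations only. If a class is loaded without being woven, the annotations are inert metadata and the method runs unchecked, so a build should include a test that calls an annotated method without a logged-in Subject and expects the exception.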


Re: About JSecurity's bytecode engineering

mksong
I thought JSecurity can support the application using @RequiresRole and @RequiresAuthentication annotations.

Myoungkyu


Les Hazlewood-2 wrote
Hi Myoungkyu,

We don't have any AspectJ-specific code in place to support our code
annotations.  You would have to write that yourself.

The best advice I have is to look at the AOP base support classes:

http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/aop/

and the Spring AOPAlliance implementations:

http://svn.apache.org/viewvc/incubator/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/security/interceptor/

and see if they give you any ideas as you try to write AspectJ-specific
versions.

Regards,

Les

On Mon, Jun 29, 2009 at 11:27 AM, mksong <hiizzgi@gmail.com> wrote:

>
> Hello, Les
>
> I think it looks like you’re saying that JSecurity can do
> bytecode engineering by means of AspectJ.
> Is it right? If it is true, that is what I try to search.
> If you could send me a small example using annotation for
> adding the security functionality, I’d very appreciate it.
>
> Thank you so much for your reply.
> Myoungkyu
>
>
>
>
> Les Hazlewood-2 wrote:
> >
> > The closest thing Shiro might get to bytecode enhancement might be due to
> > an
> > AOP framework that you use that modifies bytecode - but this is a choice
> > you
> > make and is not a requirement of the framework.
> >
> > For example, Shiro has code annotations @RequiresRole,
> > @RequiresAuthentication, etc, with which you can annotate code.  If the
> > AOP
> > framework configured to support Shiro uses bytecode manipulation, then
> > obviously bytecode changes could enforce the annotations.
> >
> > But this is a factor of the AOP mechanisms you use and is not controlled
> > by
> > Shiro directly.  AspectJ for example can perform build time or runtime
> > bytecode manipulation to support Shiro annotations, but AOPAlliance might
> > use JDK-provided Proxying mechanisms at runtime and no bytecode
> > manipulation.
> >
> > Ultimately though you need to specify somehow how the security framework
> > is
> > supposed to execute - either via a Servlet Filter or code @Annotations or
> > text-based configuration, or some other mechanism.  The developer needs
> to
> > direct the way the security framework behaves.
> >
> > So if you desire bytecode enhancement, then yes, you can have it as long
> > as
> > you use something like, say, AspectJ to perform the bytecode manipulation
> > which would disover and enforce the Shiro annotations.  This is done by
> > writing Advice that calls the Subject API to perform security checks, and
> > that Advice is 'weaved' by AspectJ.  Shiro does not currently have any
> > AspectJ-specific Advice written - you'd have to do it yourself, but you
> > could look at the classes in org.apache.shiro.aop.* for ideas.
> >
> > Regards,
> >
> > Les
> >
> > On Sun, Jun 28, 2009 at 8:50 PM, mksong <hiizzgi@gmail.com> wrote:
> >
> >>
> >> Hello, Manoj
> >>
> >> I am searching a framework which changes the bytecode directly,
> >> without modifying source code. As you knew, this is bytecode
> >> engineering or enhancement. Based on this idea, I thought JSecurity
> >> modified bytecode in order to support a security functionality
> >> relieving a programmer from the burden of having to implement
> >> important security concerns by hand.
> >>
> >> So, is the method of supporting the security functionality a type
> >> of API at JSecurity (or Apache Ki)?
> >>
> >> Myoungkyu
> >>
> >>
> >>
> >>
> >> Manoj Khangaonkar wrote:
> >> >
> >> > Hi Myoungkyu,
> >> >
> >> > Just curious, what kind of security policies are you interested in ?
> >> > Can you give an example.
> >> >
> >> > Authorization policies ( role based or other ) that shiro supports
> >> > does not necessarily require any byte code manipulation.
> >> >
> >> > thanks
> >> >
> >> > Manoj
> >> >
> >> > On 6/28/09, mksong <hiizzgi@gmail.com> wrote:
> >> >>
> >> >> Thanks for your reply.
> >> >>
> >> >> For example, Hibernate does not perform any bytecode
> >> >> manipulation on its own, but it uses a proxying library that
> >> >> creates proxies at the bytecode level.
> >> >>
> >> >> If you do not manipulate bytecode,
> >> >> how do you enforce security policies then?
> >> >>
> >> >> Regards,
> >> >> Myoungkyu
> >> >>
> >> >>
> >> >>
> >> >> Les Hazlewood-2 wrote:
> >> >>>
> >> >>> Hiya,
> >> >>>
> >> >>> The project (now named Shiro) does not perform bytecode manipulation
> >> of
> >> >>> any
> >> >>> sort.
> >> >>>
> >> >>> Regards,
> >> >>>
> >> >>> Les
> >> >>>
> >> >>> On Sat, Jun 27, 2009 at 11:26 PM, mksong <hiizzgi@gmail.com> wrote:
> >> >>>
> >> >>>>
> >> >>>> Hello, All
> >> >>>>
> >> >>>> I am carrying out an experiment on JSecurity's bytecode engineering.
> >> >>>>
> >> >>>> I tested JSecurity to see if the framework would generate any
> >> >>>>
> >> >>>> bytecode related to security or add anything to the existing ones.
> >> >>>>
> >> >>>> With the attached log file, I am not sure if JSecurity does bytecode
> >> >>>> engineering or not.
> >> >>>> (Here are the log file at loading time and the slide file explaining
> >> >>>> what I did:
> >> >>>> http://people.cs.vt.edu/~mksong/jsecurity/
> >> >>>> http://people.cs.vt.edu/~mksong/jsecurity/ )
> >> >>>>
> >> >>>> Is it true?
> >> >>>>
> >> >>>> --
> >> >>>> View this message in context:
> >> >>>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3168851.html
> >> >>>> Sent from the Shiro User mailing list archive at Nabble.com.
> >> >>>>
> >> >>>>
> >> >>>
> >> >>>
> >> >>
> >> >> --
> >> >> View this message in context:
> >> >> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3170891.html
> >> >> Sent from the Shiro User mailing list archive at Nabble.com.
> >> >>
> >> >>
> >> >
> >> >
> >>
> >> --
> >> View this message in context:
> >> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3171896.html
> >> Sent from the Shiro User mailing list archive at Nabble.com.
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3175117.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
>

Re: About JSecurity's bytecode engineering

Les Hazlewood-2
It can, but you need an AOP framework to enable them.  We have default support for Spring/AOP Alliance environments.  We don't have support at this time for AspectJ environments.

On Mon, Jun 29, 2009 at 1:28 PM, mksong <[hidden email]> wrote:

I thought JSecurity can support the application using @RequiresRole and
@RequiresAuthentication annotations.

Myoungkyu



Les Hazlewood-2 wrote:
>
> Hi Myoungkyu,
>
> We don't have any AspectJ-specific code in place to support our code
> annotations.  You would have to write that yourself.
>
> The best advice I have is to look at the AOP base support classes:
>
> http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/aop/
>
> and the Spring AOPAlliance implementations:
>
> http://svn.apache.org/viewvc/incubator/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/security/interceptor/
>
> and see if they give you any ideas as you try to write AspectJ-specific
> versions.
>
> Regards,
>
> Les
>
> On Mon, Jun 29, 2009 at 11:27 AM, mksong <[hidden email]> wrote:
>
>>
>> Hello, Les
>>
>> I think it looks like you’re saying that JSecurity can do
>> bytecode engineering by means of AspectJ.
>> Is it right? If it is true, that is what I try to search.
>> If you could send me a small example using annotation for
>> adding the security functionality, I’d very much appreciate it.
>>
>> Thank you so much for your reply.
>> Myoungkyu
>>
>>
>>
>>
>> Les Hazlewood-2 wrote:
>> >
>> > The closest thing Shiro might get to bytecode enhancement might be due to
>> > an AOP framework that you use that modifies bytecode - but this is a choice
>> > you make and is not a requirement of the framework.
>> >
>> > For example, Shiro has code annotations @RequiresRole,
>> > @RequiresAuthentication, etc, with which you can annotate code.  If the AOP
>> > framework configured to support Shiro uses bytecode manipulation, then
>> > obviously bytecode changes could enforce the annotations.
>> >
>> > But this is a factor of the AOP mechanisms you use and is not controlled by
>> > Shiro directly.  AspectJ for example can perform build time or runtime
>> > bytecode manipulation to support Shiro annotations, but AOPAlliance might
>> > use JDK-provided Proxying mechanisms at runtime and no bytecode
>> > manipulation.
>> >
>> > Ultimately though you need to specify somehow how the security framework is
>> > supposed to execute - either via a Servlet Filter or code @Annotations or
>> > text-based configuration, or some other mechanism.  The developer needs to
>> > direct the way the security framework behaves.
>> >
>> > So if you desire bytecode enhancement, then yes, you can have it as long as
>> > you use something like, say, AspectJ to perform the bytecode manipulation
>> > which would discover and enforce the Shiro annotations.  This is done by
>> > writing Advice that calls the Subject API to perform security checks, and
>> > that Advice is 'weaved' by AspectJ.  Shiro does not currently have any
>> > AspectJ-specific Advice written - you'd have to do it yourself, but you
>> > could look at the classes in org.apache.shiro.aop.* for ideas.
>> >
>> > Regards,
>> >
>> > Les
>> >
>> > On Sun, Jun 28, 2009 at 8:50 PM, mksong <[hidden email]> wrote:
>> >
>> >>
>> >> Hello, Manoj
>> >>
>> >> I am searching for a framework which changes the bytecode directly,
>> >> without modifying source code. As you knew, this is bytecode
>> >> engineering or enhancement. Based on this idea, I thought JSecurity
>> >> modified bytecode in order to support a security functionality
>> >> relieving a programmer from the burden of having to implement
>> >> important security concerns by hand.
>> >>
>> >> So, is the method of supporting the security functionality a type
>> >> of API at JSecurity (or Apache Ki)?
>> >>
>> >> Myoungkyu
>> >>
>> >>
>> >>
>> >>
>> >> Manoj Khangaonkar wrote:
>> >> >
>> >> > Hi Myoungkyu,
>> >> >
>> >> > Just curious, what kind of security policies are you interested in ?
>> >> > Can you give an example.
>> >> >
>> >> > Authorization policies ( role based or other ) that shiro supports
>> >> > does not necessarily require any byte code manipulation.
>> >> >
>> >> > thanks
>> >> >
>> >> > Manoj
>> >> >
>> >> > On 6/28/09, mksong <[hidden email]> wrote:
>> >> >>
>> >> >> Thanks for your reply.
>> >> >>
>> >> >> For example, Hibernate does not perform any bytecode
>> >> >> manipulation on its own, but it uses a proxying library that
>> >> >> creates proxies at the bytecode level.
>> >> >>
>> >> >> If you do not manipulate bytecode,
>> >> >> how do you enforce security policies then?
>> >> >>
>> >> >> Regards,
>> >> >> Myoungkyu
>> >> >>
>> >> >>
>> >> >>
>> >> >> Les Hazlewood-2 wrote:
>> >> >>>
>> >> >>> Hiya,
>> >> >>>
>> >> >>> The project (now named Shiro) does not perform bytecode manipulation
>> >> >>> of any sort.
>> >> >>>
>> >> >>> Regards,
>> >> >>>
>> >> >>> Les
>> >> >>>
>> >> >>> On Sat, Jun 27, 2009 at 11:26 PM, mksong <[hidden email]> wrote:
>> >> >>>
>> >> >>>>
>> >> >>>> Hello, All
>> >> >>>>
>> >> >>>> I am carrying out an experiment on JSecurity's bytecode engineering.
>> >> >>>>
>> >> >>>> I tested JSecurity to see if the framework would generate any
>> >> >>>>
>> >> >>>> bytecode related to security or add anything to the existing ones.
>> >> >>>>
>> >> >>>> With the attached log file, I am not sure if JSecurity does bytecode
>> >> >>>> engineering or not.
>> >> >>>> (Here are the log file at loading time and the slide file explaining
>> >> >>>> what I did:
>> >> >>>> http://people.cs.vt.edu/~mksong/jsecurity/
>> >> >>>> http://people.cs.vt.edu/~mksong/jsecurity/ )
>> >> >>>>
>> >> >>>> Is it true?
>> >> >>>>
>> >> >>>> --
>> >> >>>> View this message in context:
>> >> >>>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3168851.html
>> >> >>>> Sent from the Shiro User mailing list archive at Nabble.com.
>> >> >>>>
>> >> >>>>
>> >> >>>
>> >> >>>
>> >> >>
>> >> >> --
>> >> >> View this message in context:
>> >> >> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3170891.html
>> >> >> Sent from the Shiro User mailing list archive at Nabble.com.
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >>
>> >> --
>> >> View this message in context:
>> >> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3171896.html
>> >> Sent from the Shiro User mailing list archive at Nabble.com.
>> >>
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3175117.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>>
>
>

--
View this message in context: http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3175832.html
Sent from the Shiro User mailing list archive at Nabble.com.



Re: About JSecurity's bytecode engineering

David J. M. Karlsen
On Mon, 29 Jun 2009, Les Hazlewood wrote:

> It can, but you need an AOP framework to enable them.  We have default
> support for Spring/AOP Alliance environments.  We don't have support at this
> time for AspectJ environments.

The best would probably be to write aspectJ ones, as spring can utilize
this directly as well (e.g. configure the aspect in a spring context file
if needed) - and let spring do the ltw. (which uses aspectJ underneath).
Note though, that spring can only weave spring managed beans.

This way only one implementation is needed.

Re: About JSecurity's bytecode engineering

mksong
Thanks, David

Do you think this example has something to do with bytecode engineering by the Spring framework using JSecurity?

$ find . -exec grep "@RequiresRole" '{}' \; -print
    @RequiresRoles("role1")
    @RequiresRoles("role2")
./samples/spring/src/org/jsecurity/samples/spring/SampleManager.java

Myoungkyu




David J. M. Karlsen wrote
On Mon, 29 Jun 2009, Les Hazlewood wrote:

> It can, but you need an AOP framework to enable them.  We have default
> support for Spring/AOP Alliance environments.  We don't have support at this
> time for AspectJ environments.

The best would probably be to write aspectJ ones, as spring can utilize
this directly as well (e.g. configure the aspect in a spring context file
if needed) - and let spring do the ltw. (which uses aspectJ underneath).
Note though, that spring can only weave spring managed beans.

This way only one implementation is needed.

Grails + ZK + JSecurity

John Cladmore
In reply to this post by David J. M. Karlsen
Hi all,

Anyone here using jsec in a Grails + Zk-plugin application?

My problem is that the jsec plugin for grails provides several classes for
user, role, permission, and their relationships. I have successfully
tested authentication and verifying the user's role. However, I want to
know how I can check for permission in code. I know I have to call
isPermitted() on the current subject, but I don't know how that string
parameter should be formatted.

I think the plugin is setup for grails view technology with
controller/action. Whereas, I just want to simply check for permission
in the wildcard way as documented for jsec WildcardPermission class.

I won't mind the way the jsec plugins for grails has permission setup,
if I can only figure out how to check it in code.

Here is what I have done so far using fixtures:
// create a permission
"aPerm"(JsecPermission){
type = "org.jsecurity.grails.JsecBasicPermission"
possibleActions = "*"
}

menuPerm0(JsecRolePermissionRel){
role = adminRole // JsecRole instance reference, users and roles already created
permission = ref("aPerm") // the permission above
target = "User" // name of menu I want permission for, remember, this is not grails controller
actions = "view"
}

Now, in code, I get the current subject and call isPermitted(). I have
tried "User", "User:*", and "User:view", but nothing successful yet.

Thanks for your help or pointers to info.


.v

Re: About JSecurity's bytecode engineering

Les Hazlewood-2
In reply to this post by mksong
Your results show the use of Annotations in a sample application which uses Spring-created JDK runtime proxies and does not perform bytecode manipulation.

I don't think of JDK runtime proxies much as 'bytecode engineering'.  I tend to think of bytecode engineering as some mechanism (for example, AspectJ) that manipulates bytecode directly, either during build or runtime.

The Spring-based sample application where you found those annotations does not use AspectJ or bytecode manipulation of any sort.  It instead uses the built-in JDK runtime proxying mechanism via Spring's default AOP (AOP Alliance) support.

Regards,

Les

On Tue, Jun 30, 2009 at 12:21 PM, mksong <[hidden email]> wrote:

Thanks, David

Do you think this example has something to do with bytecode engineering by
the Spring framework using JSecurity?

$ find . -exec grep "@RequiresRole" '{}' \; -print
   @RequiresRoles("role1")
   @RequiresRoles("role2")
./samples/spring/src/org/jsecurity/samples/spring/SampleManager.java

Myoungkyu





David J. M. Karlsen wrote:
>
> On Mon, 29 Jun 2009, Les Hazlewood wrote:
>
>> It can, but you need an AOP framework to enable them.  We have default
>> support for Spring/AOP Alliance environments.  We don't have support at
>> this
>> time for AspectJ environments.
>
> The best would probably be to write aspectJ ones, as spring can utilize
> this directly as well (e.g. configure the aspect in a spring context file
> if needed) - and let spring do the ltw. (which uses aspectJ underneath).
> Note though, that spring can only weave spring managed beans.
>
> This way only one implementation is needed.
>
>

--
View this message in context: http://n2.nabble.com/About-JSecurity%27s-bytecode-engineering-tp3168851p3183602.html
Sent from the Shiro User mailing list archive at Nabble.com.



Re: Grails + ZK + JSecurity

Les Hazlewood-2
In reply to this post by John Cladmore
Hi John,

I'm not sure that a lot of users on this list are very knowledgeable of how the Grails plugin operates (it would be nice if I was wrong though ;)).  Have you tried the grails-user mailing list?  That is typically where people ask the JSecurity (now Shiro) Grails plugin questions.

However, I'll do my best with regards to your question here.

Shiro can check permissions in two formats - either implementations of the Permission interface, or a simple String formatted according to the WildcardPermission javadoc.

It appears that the Grails plugin stores instances of the Permission interface in the database.  That means you can do things like:

if ( SecurityUtils.subject.isPermitted(aPermissionInstance) )  {
    //do something
}

But I don't know how to instantiate 'aPermissionInstance' based on what the Grails plugin would expect.  Would it be new JsecBasicPermission("something"); ?  or another subclass?  I'm not sure.

You can check a String permission as well, but all Strings need to be converted to a Permission instance in order to perform permission implication logic (See Permission.implies(permission) JavaDoc).  Shiro does this via a PermissionResolver.

So, you can do this:

if ( SecurityUtils.subject.isPermitted("printer:print") ) {
    //print
}

But to make this work, you would need to register a PermissionResolver that accepts a string and instantiates a Permission instance based on that String.  That permission would then be checked against the persistent Permission instances managed by the Grails plugin/Hibernate.  For example:

Permission toCheck = permissionResolver.resolvePermission(permString);
for ( Permission perm : hibernatedPermissions ) {
    if ( perm.implies(toCheck) ) {
        return true; //they are permitted to do what is described by 'toCheck'
    }
}
return false; //not permitted

I don't know how to register a custom PermissionResolver with the Grails plugin to make this work, or if this is even necessary in the first place. 

Hopefully another Grails user could shed light on the issue, or Peter Ledbrook, the original author of the plugin could help.  He's been very busy the last few months writing a book or two, so I don't know how accessible he is though.

Regards,

Les 

On Tue, Jun 30, 2009 at 12:55 PM, John Cladmore <[hidden email]> wrote:
Hi all,

Anyone here using jsec in a Grails + Zk-plugin application?

My problem is that the jsec plugin for grails provides several classes for user, role, permission, and their relationships. I have successfully tested authentication and verifying the user's role. However, I want to know how I can check for permission in code. I know I have to call isPermitted() on the current subject, but I don't know how that string parameter should be formatted.

I think the plugin is setup for grails view technology with controller/action. Whereas, I just want to simply check for permission in the wildcard way as documented for jsec WildcardPermission class.

I won't mind the way the jsec plugins for grails has permission setup, if I can only figure out how to check it in code.

Here is what I have done so far using fixtures:
// create a permission
"aPerm"(JsecPermission){
type = "org.jsecurity.grails.JsecBasicPermission"
possibleActions = "*"
}

menuPerm0(JsecRolePermissionRel){
role = adminRole // JsecRole instance reference, users and roles already created
permission = ref("aPerm") // the permission above
target = "User" // name of menu I want permission for, remember, this is not grails controller
actions = "view"
}

Now, in code, I get the current subject and call isPermitted(). I have tried "User", "User:*", and "User:view", but nothing successful yet.

Thanks for your help or pointers to info.


.v
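
The resolve-then-implies loop from the reply above, as an added self-contained example that is not Shiro's or the Grails plugin's code. The `Perm` class is a simplified model of the wildcard string format (parts separated by `:`, sub-parts by `,`, `*` as wildcard, compared case-insensitively), assumed from the WildcardPermission Javadoc convention; the granted permissions are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class WildcardPermissionDemo {

    // Simplified model of a wildcard permission string (assumption, see lead-in).
    static final class Perm {
        final List<Set<String>> parts = new ArrayList<>();

        Perm(String s) {
            if (s == null || s.trim().isEmpty()) {
                throw new IllegalArgumentException("empty permission string");
            }
            for (String part : s.trim().toLowerCase(Locale.ROOT).split(":")) {
                Set<String> sub = new LinkedHashSet<>(Arrays.asList(part.split(",")));
                sub.remove("");
                if (sub.isEmpty()) {
                    throw new IllegalArgumentException("empty part in: " + s);
                }
                parts.add(sub);
            }
        }

        // True when holding this permission grants everything 'other' asks for.
        boolean implies(Perm other) {
            int i = 0;
            for (Set<String> wanted : other.parts) {
                if (i >= parts.size()) return true;  // shorter grant covers the rest
                Set<String> mine = parts.get(i++);
                if (!mine.contains("*") && !mine.containsAll(wanted)) return false;
            }
            for (; i < parts.size(); i++) {           // extra parts must be wildcards
                if (!parts.get(i).contains("*")) return false;
            }
            return true;
        }
    }

    // Resolve the string, then test it against each stored grant.
    static boolean isPermitted(Collection<Perm> granted, String permString) {
        Perm toCheck = new Perm(permString);
        for (Perm p : granted) {
            if (p.implies(toCheck)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed grants for illustration.
        List<Perm> granted = Arrays.asList(new Perm("user:view"), new Perm("printer:*"));
        for (String q : new String[] {"User:view", "user:edit", "user", "printer:print:lp7"}) {
            System.out.println(q + " -> " + isPermitted(granted, q));
        }
    }
}
```

A deny-by-default result for any string that no stored grant implies is the property to preserve if the matching is customized.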