is Shiro good for a server application?


is Shiro good for a server application?

Mario Emmenlauer

Dear All,

is Shiro good to be used for a server application? From the tutorial
and documentation I found that a general concept is the "current user":
   Subject currentUser = SecurityUtils.getSubject();

But in my Java server application, I'd like to work with remote users
from a C++ app (via RPC). The remote users send credentials via SSL RPC,
and receive a session token. The server side authentication is not based
on currentUser, but on the username/password. Am I understanding correctly
that this is not the "typical" use case for Shiro? Is Shiro even a good
match for this use case? How to generate a Subject and session token?

Awesome software, by the way! :-)

Thanks and all the best,

    Mario


Re: is Shiro good for a server application?

Brian Demers
Hey Mario,

The typical use case is a web server (though not limited to this). An RPC app can fit into this category. 

The getSubject() method will return the subject bound to the current thread.  So if your application is not using HTTP, you would just need to bind a new subject to your handling thread.

Can you give a few more details on your stack, and we might be able to point you in the right direction.

-Brian


Re: is Shiro good for a server application?

Mario Emmenlauer

Dear Brian,

thanks a lot for this quick response, I'll check out the spring-mvc!

Admittedly, I'm a bit oblivious to most of Java's web technologies. I'm
implementing a "plain" Java 8 server with a multi-threaded Apache Thrift
API. Clients are typically C++ and sometimes Java. My idea is:
 - client calls RPC method for login with username, password
 - server returns SessionID to client
 - client may use API with SessionID for X time (even after disconnect),
   so every API method validates SessionID before any action

Currently I do this with a simple thread-safe Set<String> on the server
to store session IDs, and libsodium for the password encryption. But
Shiro seems more suitable, and LDAP and Crowd authentication would be
great to have.

All the best,

   Mario



On 20.04.2017 22:15, Brian Demers wrote:

> Hey Mario,
>
> The typical use case is a web server (though not limited to this). An RPC app
> can fit into this category.
> This example uses Spring
> remoting: https://github.com/apache/shiro/tree/master/samples/spring-mvc
>
> The getSubject() method will return the subject bound to the current thread.  So
> If your application is not using HTTP, you would just need bind a new subject to
> your handling thread.
>
> Can you give a few more details on your stack, and we might be able to point you
> in the right direction.
>
> -Brian

Best regards,

    Mario Emmenlauer


--
BioDataAnalysis GmbH, Mario Emmenlauer      Tel. Buero: +49-89-74677203
Balanstr. 43                   mailto: memmenlauer * biodataanalysis.de
D-81669 München                          http://www.biodataanalysis.de/
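The two points raised above, Brian's remark that a non-HTTP server has to bind a Subject to the handling thread itself, and Mario's login-returns-SessionID / every-call-validates-SessionID design, fit together in a small Shiro 1.x gateway. The following is an added example written for this thread; it is not code from the Shiro project or from either poster. The class name `RpcSessionGateway`, the three methods that a Thrift handler would call, the in-memory `IniRealm` with a constructed user and the 30-minute timeout are all assumptions made for the example.

```java
import java.io.Serializable;
import java.util.concurrent.Callable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;

/**
 * Hypothetical gateway between an RPC (e.g. Thrift) handler and Shiro.
 * No servlet container is involved: every call rebuilds the Subject from the
 * session id the client sent and binds it to the current thread only for the
 * duration of that call (Subject.execute), exactly as Brian describes.
 */
public class RpcSessionGateway {

    private final DefaultSecurityManager securityManager;

    public RpcSessionGateway() {
        // Constructed in-memory realm: "alice" with a constructed password and role.
        // A real deployment would use a JNDI/LDAP or Crowd realm and a
        // HashedCredentialsMatcher instead of plain-text credentials.
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "correct-horse-battery, user");
        securityManager = new DefaultSecurityManager(new IniRealm(ini));

        // Sessions expire X time after last use (30 min assumed), independent of
        // the TCP connection, which is what "even after disconnect" needs.
        DefaultSessionManager sessions = new DefaultSessionManager();
        sessions.setGlobalSessionTimeout(30L * 60 * 1000);
        securityManager.setSessionManager(sessions);
        SecurityUtils.setSecurityManager(securityManager);
    }

    /** RPC "login": authenticate and hand back the Shiro session id as the token. */
    public String login(String username, String password) {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        // Throws AuthenticationException on bad credentials; the Thrift handler
        // should map it to an RPC-level error without leaking which part failed.
        subject.login(new UsernamePasswordToken(username, password));
        Serializable id = subject.getSession().getId();
        return id.toString();
    }

    /** Every other RPC method: validate the session id, then run the action as that user. */
    public <T> T callAs(String sessionId, Callable<T> action) throws Exception {
        Subject subject = new Subject.Builder(securityManager)
                .sessionId(sessionId)   // unknown or expired id -> no session resolved
                .buildSubject();
        if (!subject.isAuthenticated()) {
            throw new AuthenticationException("invalid or expired session");
        }
        // execute() binds the Subject to this handling thread and unbinds it
        // afterwards, so SecurityUtils.getSubject() works inside the action.
        return subject.execute(action);
    }

    /** RPC "logout": stop the session so the token cannot be reused. */
    public void logout(String sessionId) {
        new Subject.Builder(securityManager).sessionId(sessionId).buildSubject().logout();
    }

    public static void main(String[] args) throws Exception {
        RpcSessionGateway gw = new RpcSessionGateway();
        String token = gw.login("alice", "correct-horse-battery");
        String who = gw.callAs(token, () -> SecurityUtils.getSubject().getPrincipal().toString());
        System.out.println("call executed as " + who);          // alice
        gw.logout(token);
        try {
            gw.callAs(token, () -> "must not run");
        } catch (AuthenticationException expected) {
            System.out.println("token rejected after logout");
        }
    }
}
```

Two design notes. The session id does the job of Mario's `Set<String>`, but with expiry and per-user state attached, and the `callAs` check is the single place every RPC method goes through, so a new method cannot accidentally skip validation. Because the Subject is rebuilt per call from the `SecurityManager`, the gateway is safe to share across the Thrift worker threads; nothing user-specific is kept on the thread beyond the `execute` call.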

Re: is Shiro good for a server application?

Brian Demers
I think Apache Aurora uses both Shiro and Thrift, you may want to take a look and see what they do in their code base.

Re: is Shiro good for a server application?

Sashika
I guess what is more suitable for you is JASIG CAS. https://wiki.jasig.org/display/CAS/Home
Give it a spin