Group items tagged

Permissions are provided in two ways: A Collection of Strings, where each String can usually be converted into Permission objects by a Realm's PermissionResolver A Collection of Permission objects

most Realms store both sets of data for a Subject

a Realm implementation to utilize an implementation of the Account interface instead, which is a convenience interface that combines both AuthenticationInfo and AuthorizationInfo

by the container in order to realize common use cases

An interface becomes a vehicle for encapsulation or abstraction,

“Interfaces are used to encode similarities which the classes of various types share, but do not necessarily constitute a class relationship. For instance, a human and a parrot can both whistle; however, it would not make sense to represent Humans and Parrots as subclasses of a Whistler class. Rather they would most likely be subclasses of an Animal class (likely with intermediate classes), but both would implement the Whistler interface.” [http://en.wikipedia.org/wiki/Java_interface]

Extensive use of interfaces derives from a

Premature Extensibility Is the Root of Some Evil

The number of artifacts will double and you will have to introduce a configuration facility

If you introduce interfaces intentionally - and not as a general rule, you will considerably reduce the number of files. Your code becomes easier to understand and so maintain

"Contract First", "Coding To Interfaces" or "Decoupling"

coincident lifetimes, and it is very common for the whole to manage the lifecycle of its parts

JPA 2.0, still contains only a subset of the features supported by many database vendors

features not supported in JP QL.

performance required by an application is to replace the JP QL query with a hand-optimized SQL version. This may be a simple restructuring of the query that the persistence provider was generating, or it may be a vendor-specific version that leverages query hints and features specific to a particular database.

recommend avoiding SQL initially if possible and then introducing it only when necessary

benefits of SQL query support is that it uses the same Query interface used for JP QL queries. With some small exceptions that will be described later, all the Query interface operations discussed in previous chapters apply equally to both JP QL and SQL queries.

keep application code consistent because it needs to concern itself only with the EntityManager and Query interfaces.

An unfortunate result of adding the TypedQuery interface in JPA 2.0 is that the createNativeQuery() method was already defined in JPA 1.0 to accept a SQL string and a result class and return an untyped Query interface

consequence is that when the createNativeQuery() method is called with a result class argument one might mistakenly think it will produce a TypedQuery, like createQuery() and createNamedQuery() do when a result class is passed in.

@NamedNativeQuery

resultClass=Employee.class

The fact that the named query was defined using SQL instead of JP QL is not important to the caller

SQL Result Set Mapping

JPA provides SQL result set mappings to handle these scenarios

A SQL result set mapping is defined using the @SqlResultSetMapping annotation. It may be placed on an entity class and consists of a name (unique within the persistence unit) and one or more entity and column mappings.

entities=@EntityResult(entityClass=Employee.class)

@SqlResultSetMapping

Multiple Result Mappings

A query may return more than one entity at a time

The SQL result set mapping to return both the Employee and Address entities out of this query

emp_id, name, salary, manager_id, dept_id

address_id, id, street, city, state, zip

order in which the entities are listed is not important

ntities={@EntityResult(entityClass=Employee.class), @EntityResult(entityClass=Address.class)}

role name to resolve

Collection of Permissions

represents data submitted for any given login attempt

implementations represent already-verified and stored account data

Since Shiro sometimes logs authentication operations, please

as these might be viewable to someone reading your logs

If caching is enabled and if any authorization data for an account is changed at runtime, such as adding or removing roles and/or permissions, the subclass implementation should clear the cached AuthorizationInfo for that account via the

getAuthorizationInfo

AuthorizingRealm

AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)

Returns an account's authorization-specific information for the specified principals, or null if no account could be found

This implementation obtains the actual AuthorizationInfo object

and then caches it for efficient reuse if caching is enabled

clearCachedAuthorizationInfo(PrincipalCollection principals)

Clears out the AuthorizationInfo cache entry for the specified account.

Control is a stereotyped class or object that is used to model flow of control or some coordination in behavior

usually describe some "business logic"

«Entity»

Entity is a stereotyped class or object that represents some information or data, usually but not necessarily persistent.

Features of a class are

Static features are underlined

«Boundary»

«Boundary»

«Control»

«Entity»

«Control»

Interface

An interface is a classifier that declares of a set of coherent public features and obligations

specifies a contract.

Data Type

A data type is a classifier - similar to a class - whose instances are

typical use of data types would be to represent value types

«dataType»

Enumeration

An enumeration is a data type whose values are enumerated in the model as user-defined enumeration literals.

«enumeration».

Multiplicity

Multiplicity allows to specify cardinality (allowed number of instances) of described element

Visibility

UML has the following types of visibility: public package protected private

Package visibility is represented by '~' literal.

Protected visibility is represented by '#' literal.

Private visibility is represented by '-' literal.

AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)

Returns an account's authorization-specific information for the specified principals, or null if no account could be found

automatically perform access control checks for the corresponding Subject

JdbcRealm

A Realm is a security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations

security-specific DAOs

If for some reason you don't want your Realm implementation to perform authentication duties, you should override the supports(org.apache.shiro.authc.AuthenticationToken) method to always return false

does not require you to implement or extend any User, Group or Role interfaces or classes

Shiro tries to maintain a non-intrusive development philosophy

elements of the user interface are displayed to the user based on the user's privilege level

assign permissions to individual objects within the application’s business domain

Permissions

Permissions assigned to user for a given resource in the tree are inherited by other resources

Permissions are inherited

persist user, group and role information in database. JPA implementation is his dream

Security Module Drafts

Identity

interface Identity

login()

logout()

getUser()

Events LoggedInEvent LoginFailedEvent AlreadyLoggedInEvent PreLoggedOutEvent PostLoggedOutEvent PreAuthenticateEvent PostAuthenticateEvent

Object level permission

Grant or revoke permissions

Group management

User/Identity management

identity.hasRole

identity.hasPermission

User, Group and Role

hooks for common IDM or Security operations

Audit and logging for permission and IDM related changes

Event API.

Impersonalization

Impersonalization

control which elements of the user interface are displayed to the user based on their assigned permissions

ask for permission

more advanced security resolution mechanisms

Rules based engine

external services - XACML