I am trying to implement a modular application for authentication / authorization. I was wondering if Shiro was the right choice. I want to get a system that I can connect to, and maybe at a later time exchange some authentication endpoints as well as authorization endpoints. I want to be able to use Shiro for authentication (for example, I would use the Facebook plugin for Shiro or the LDAP plugin for Shiro, and I can easily connect it to my authentication / authorization application). I may also want authorization to be implemented using a different framework than Shiro.
I was wondering if there would be an individual session with him, and are these objects and spheres capable of doing such things as I described? Currently, I see Shiro as a very dynamic structure that allows you to do such things, but I can be wrong because I have never used it before. User authentication modules (imo) can be connected to new areas, but I'm not sure if this will work with authorization?
I also don't understand how to use strong roles and permission system when I want to set restrictions for a web application, for example, I want to give restrictions on a given URL / group of URLs. I think the only way to implement this is to create a custom mapper that will display the specified role in permissions. For example, in some database I will have all the URLs, and in a separate table I will have a list of roles. Then I will add a group of URLs to each role. I don't see how I can use a wide permission system to implement URL restrictions.
Please tell me if Shiro is a good choice, or maybe I need to go to a different infrastructure (maybe Spring Security?).