I think you "just" changed the loop:
The current ModularRealmAuthorizer checks:
boolean permission[]
For every permission
    for every realm
        permission[i] = isPermitted
But your loop does:
boolean permission[]
For every realm
    for every permission
        permission[i] = isPermitted
i
, there is just one call per realm. On the other hand, if
>> there are few realms, as you said, the risk is to execute checks also if the
>> result is already determined.
>>
>> Then, assuming to have one realm, do you think our solution could be right?
https://issues.apache.org/jira/browse/SHIRO-752
On Wed, 1 Apr 2020 at 12:37, Modanese, Riccardo wrote:
>
> I’m not too familiar with Shiro code but I tried to implement the changes in
> a draft [1].
> I’m not too confident about the changes I did in the visibility of few
> methods and al
I want to throw in JSON web tokens (JWT).
It is a mess to work with them right now.
JWT can also be very complicated. They can only hold Authentication data,
or they can hold roles, or even permission (if it is not getting too long).
I settled to create another realm. If the JWT contains EVERYTHI
ction should hold a set of
> attributes?
>
> ```
> Subject.getAttribute("givenName") == "Brian"
> ```
>
> (something similar could be used when building a set of roles:
>
> ```
> principalCollection.get("groups")
> ```
>
> Thoughts?
Agreed, no oauth server - I was just talking about validating bearer tokens
anyway. Didn't mention this, though. Sorry.
On Mon, 6 Apr 2020 at 16:40, Brian Demers <
brian.dem...@gmail.com> wrote:
> Personally I don't think Shiro should implement an Authorization Server,
> I think there is r
It is a known issue that these classes do not extend AbstractLdapRealm.
However, you could extend the DefaultLdapRealm and implement
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals);
the way you need it.
On Thu, 9 Apr 2020, 22:43 mrprib, wrote:
> Is it possi
I never had issues with it, but there is no module descriptor yet. Thus, it
depends on what you mean by "support java9".
On Mon, 4 May 2020, 04:40 sreenivas harshith,
wrote:
> Hi all,
>
> Does shiro support java 9 and above ?
>
> Regards,
> Sreenivas.
>
>
>
> On Sun, May 3, 2020 at 4:27 PM +0
+0530, "Francois Papon" <
>> francois.pa...@openobject.fr> wrote:
>>
>> I am using Shiro with a Jdk11 and I never had issues.
>>>
>>> We also have a Jenkins job for the build with JDK11 but the target build
>>> for the source code stil
Yes exactly. You should replace "no authentication" with "hidden
authentication".
For example:
You can use a second realm for this which knows the public part of the
certificate. The client could be configured to automatically pass the
corresponding private certificate.
Am Fr., 15. Mai 2020 um 20:
Correct.
To complete the picture:
https://shiro.apache.org/terminology.html
Also, the PrincipalCollection knows which realms the user is known in. This
is why most methods return such a collection, not a single Principal.
Most apps only have one realm, but they could have multiple realms. E.g.
It depends.
I use jwt tokens. No chance here to invalidate them, but they get
invalidated pretty quickly anyway.
But you can use any *distributed* session storage you like: a DBMS, a
memory grid like hazelcast, or create your own local storage and sync them
via jGroups, or even EJBs. It doesn't ma
Loading from an external classpath environment variable might be the
problem and not supported anymore. Have you tried putting the shiro jars
into the .war (which is inside the ear file) instead?
I have little knowledge about weblogic, but I know from other application
servers they will encapsulat
The Shiro team is pleased to announce the release of Apache Shiro version 1.7.1.
This security release contains 1 fix since the 1.7.0 release and is
available for Download now [1].
Bug
[SHIRO-797] - Shiro 1.7.0 is lower than using springboot version
2.0.7 dependency error
CVE-2020-17523:
Hello Schlool,
in that case you would still be able to write your own Authenticator.
Just define as many Realms as you wish and then write your own
Authenticator which selects the Realm based on the name.
As a template you could use the ModularRealmAuthenticator[1].
Instead of iterating through t
Hi Schlool,
authenticating (enabling log-in) and authorizing (getting
roles/permissions) are two different things.
This means, you implemented an AuthenticatingRealm, which will enable
your users to log-in.
Now you need to implement an AuthorizingRealm, which queries the
source for their roles, gr
Hi Alina,
thanks for your report. Can you modify your test environment in such a
way that you can find the exact version where it happens for the first
time?
1.2.3 to 1.7.0 is quite a big leap.
Some random things which we modified and categorize as a breaking change:
Default ciphers were changed
Hi Alex!
We do not have a release date. We are still in the brainstorming process.
A lot of ideas do not yet have any PRs.
We might need to do some additional relocation of packages for 2.0 + JPMS.
We haven't looked too much into this, but I think we could provide
"Automatic-Module-Name" entries
Hi everyone,
we had a discussion in slack, that later versions of shiro might want
to concentrate on CDI-ish/jndi based usages. Not that this would be a
target for 2.0, but SHIRO-206 [1] wants to add JSF support.
Unless someone wants to maintain it actively in the project, I would
vote to remove
che/shiro-labs` git repo to test out
> ideas for things that are NOT ready for the main tree. (Maven does
> something similar with https://github.com/apache/maven-studies/)
>
> On Sun, Aug 1, 2021 at 4:00 PM Benjamin Marwell wrote:
>
> > Hi everyone,
> >
> > we had
Hi Robert,
Why do you think you need the plain text password?
Shiro matches the password supplied by subsequent authentication
attempts by going through the Sha256Hash algorithm again and comparing
the hashed outputs.
This way, you can safely[1] store the hash and salt without giving
away a user'
., 6. Nov. 2021 um 10:39 Uhr schrieb Roberto Bottoni
:
>
> Hi Ben,
>
> yes!.. the case is : ...or did you lose a password and need to recover
> it?
> How can i do that ?
>
> Roberto
>
>
>
>
> On 05-11-2021 21:41 Benjamin Marwell wrote:
> > Hi Robert
Hi Dinakar!
So far we only changed the artifacts
(https://issues.apache.org/jira/browse/SHIRO-750) but kept the
javax-namespace. The jakarta-namespace will be introduced with a later
jakarta version (I think EE 9, if I am not mistaken).
When this happens, the best solution is to use an applicatio
-1, sadly, because:
[SHIRO-838] - Create SHA512-Hashes
They are not attached.
However, those hashes are required by the ASF (sha256 and sha512 to be
exact).
We currently have none of those attached.
François and I found out we were using an outdated version of the Apache
parent pom.
So we nee
ere are no strong requirements with a particular
> hash, but it's required to have any mechanism to verify source artifacts.
> So, as it's an easy fix, I agree that it would be better to cancel this vote
> to include sha512 hash on source artifacts.
>
> Regards
> JB
>
Signature okay, hashes okay, Release notes are okay, the classes I
looked at are okay as well.
+1
On Wed, 16 Mar 2022 at 13:55, Francois Papon wrote:
>
> This is a call to vote in favor of releasing Apache Shiro version 1.9.0.
>
> We solved 20 issues for 1.9.0:
>
> https://issues.apache.o
Hi!
I think you need to init an environment and make it available
throughout all of the requests.
Look at this section:
https://shiro.apache.org/web.html#shiro_1_2_and_later
Especially the part "what it does": "(... including the
SecurityManager) and makes it accessible in the ServletContext.
You
pHandler gzip = new GzipHandler();
>>> gzip.setIncludedMimeTypes("text/html", "text/plain", "application/json");
>>>
>>> RequestHandler requestHandler = new RequestHandler(this.gson, this.tractDB);
>>>
>>> context.insertHand
Hi Telmo!
Sorry for the late reply.
> How can I, after creating a Shiro Subject, add roles to it?
and
> it would be better to use something like an AuthorizingRealm
You are right: It is usually the realms which add roles to a subject.
And actually, the roles are not bound to on login-time. Ins
Hi Alex!
You are right. We skipped it for this release because it was not finished.
We hope to be able to deliver it in the next release.
We'll keep you posted via new blog posts.
- Ben
On Mon, 24 Oct 2022, 12:53 Alex Orlov via user,
wrote:
> Hello!
>
> According to https://shiro.apache.org/b
The Shiro team is pleased to announce the release of Apache Shiro
version 1.10.1.
This security release contains 5 fixes since the 1.10.0 release and is
available for Download now [1].
Bug
[SHIRO-892] - No Guice binding for newly introduced ShiroFilterConfiguration
[SHIRO-893] - NPE caused by la
Hi,
my +1 for this proposal. Breaking changes (new Java baseline) require
a new version.
Romain pointed out that MRJars, as Les suggested, have undefined
behaviour in web apps. We also found only few use cases in most apps.
Let's keep them in mind for when we *really* need them, shall we?
For Sh
+1
On Fri, 20 Jan 2023 at 13:14, Steve Lopez wrote:
>
> +1
>
> On Fri, Jan 20, 2023 at 5:35 AM fpapon wrote:
>>
>> Hi,
>>
>> After several discussions on the mailing list, I would like to start a vote to
>> set the minimal version of the JDK to the version 11 starting with Shiro 2.x.
>>
>> Vote o
+1 (binding)
> On Tue, Jul 11, 2023 at 3:57 PM fpapon wrote:
> >
> > This is a call to vote in favor of releasing Apache Shiro version 1.12.0.
> >
> > We solved 1 Issue:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950&version=12353403
> >
> > Maven Staging repo:
> >
Hi Jakub,
they should not be accessible from anywhere. It possibly slipped
through reviews.
The new hash dependencies are thought to be runtime dependencies. You
should never ever need them in your classpath while compiling, only
while testing and running the actual application.
Does that help?
+1
On Tue, 7 Nov 2023, 23:56 , wrote:
> This is a call to vote in favor of releasing Apache Shiro version
> 2.0.0-alpha-4
>
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1057
>
> https://repository.apache.org/content/repositories/orgapacheshiro-1057
+1
Still asking for help with the docs, though.
On Fri, 9 Feb 2024 at 15:39, Brian Demers wrote:
>
> +1
>
> On Thu, Feb 8, 2024 at 1:59 AM Francois Papon
> wrote:
>>
>> +1
>>
>> On 07/02/2024 01:55, le...@flowlogix.com wrote:
>>
>> Proposal: Release Shiro 2.x Beta
>> Since docs are wel
Here's my late +1
Thanks Hervé for checking reproducible builds!
On Fri, 23 Feb 2024 at 09:35, Francois Papon wrote:
>
> +1 (binding)
>
> Thanks Lenny for this major release!
>
> Regards,
>
> François
>
> On 20/02/2024 23:35, le...@flowlogix.com wrote:
>
> This is a call to vote in favor
Hello Andreas!
Since current Linux and Unix distributions have environment variables
secured from other users nowadays, one way would be to inject them at
runtime via ${ENV_VARIABLE_NAME}.
A few examples are in our documentation:
https://shiro.apache.org/configuration.html
Let us know if that wo
Reproducibility checked on Linux using JDK 17.
+1 (binding)
On Thu, 7 Nov 2024 at 02:38, wrote:
>
> This is a call to vote in favor of releasing Apache Shiro version 2.0.2
>
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1062
> https://repository
+1
Ben
On Sat, 5 Apr 2025 at 23:38, wrote:
>
> This is a call to vote in favor of releasing Apache Shiro version 2.0.3
>
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1063
> https://repository.apache.org/content/repositories/orgapacheshiro-1063/
Hi, I am not able to test this properly in the next two weeks. :(
I wonder: If a servlet starts threads, should the thread not be able
to see the SecurityManager?
Can you give us some more insights?
- Ben
On Sat, 12 Apr 2025 at 23:17, wrote:
>
> Hi,
>
> During testing of Shiro 2.0.3, I
+1
Thanks Lenny!
On Wed, 2 Jul 2025, 02:14 , wrote:
> This is a call to vote in favor of releasing Apache Shiro version 2.0.5
>
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1066
>
> https://repository.apache.org/content/repositories/orgapacheshiro-