Reputation: 4702
Apologies if this has been somehow already answered somewhere - I can't seem to find an appropriate response to my question. Here goes ...
I am currently working on an app accessible via REST. My current tech stack is as follows:
All of this (including Shiro) is autowired using Spring's IoC.
Shiro is currently wired in the presentation layer, making sure all of the calls are protected. The questions I have are: is this the right approach? Does it make sense to apply it to the service layer and, even more so, to the persistence layer?
Many thanks.
Upvotes: 1
Views: 109
Reputation: 4016
The great thing about Shiro is that it can be used at any level. The only thing that really is needed is the idea of a logged-in user. In a web framework, this would normally use the standard servlet HttpSession to bind it, but that is not necessary.
In our application, we use it at the presentation level to check whether the user has the appropriate rights to view front end pages.
At the business logic level, we call stuff like SecurityUtils.getSubject().isPermitted("somepermissionstring") in custom logic to make sure the user can't call a method when a button is accidentally made visible for that user.
In the frontend code we use the same idea as the business logic. It works like a charm for us.
So to answer your questions (IMHO):
Upvotes: 1
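One way to apply the service-layer check the answer describes, as an added example that is not the answerer's code: a Spring service method re-checks a Shiro permission before acting, so an accidentally visible button or an unguarded REST route cannot bypass it. `DocumentService`, `DocumentRepository` and the `document:delete:<id>` permission string are assumptions.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical service; DocumentRepository is an assumed Spring Data repository.
@Service
public class DocumentService {

    private final DocumentRepository repository;

    public DocumentService(DocumentRepository repository) {
        this.repository = repository;
    }

    @Transactional
    public void deleteDocument(long documentId) {
        // SecurityUtils.getSubject() returns the Subject bound to the current
        // thread: in a web app the ShiroFilter binds it from the HttpSession;
        // outside a servlet container it must be bound via ThreadContext.bind().
        Subject subject = SecurityUtils.getSubject();

        // Instance-level wildcard permission (assumed naming): a realm granting
        // "document:delete:*" or "document:delete:42" satisfies this check.
        String permission = "document:delete:" + documentId;

        // Checked here, in the business layer, independently of whatever the
        // presentation layer already verified (defense in depth).
        if (!subject.isPermitted(permission)) {
            throw new AuthorizationException("Subject " + subject.getPrincipal()
                    + " is not permitted: " + permission);
        }
        repository.deleteById(documentId);
    }
}
```

The same check can be expressed declaratively with Shiro's `@RequiresPermissions("document:delete")` on the method when Shiro's Spring AOP support (`AuthorizationAttributeSourceAdvisor`) is configured, but the explicit `isPermitted` form above is what allows the per-instance id to be part of the permission string.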