Page History

Table of Contents

There is currently no timeline for a version 2, but this space represents any brainstorming efforts that the community wishes to address that may be major feature enhancements that can't be backwards compatible. Typically discussions from the dev list resulting in some form of consensus will probably make it into this page. Actionable items will go into Jira, potentially referencing this page for clarity.

(I know this isn't a feature but its equally is not more important) Deeper and more accessible documentation and how-tos.
management system for long lived hashes
token/ticket system
more generalized way to handle unauthorized exceptions
lower level crypto toolkit to facilitate customizations
unauthorizedUrl per path filter

A thread has been started on the mailing list to discuss with the users:

https://lists.apache.org/thread.html/r965efe7a90a68091936322f426a9aebe0a1b27ee449a8f2feac5d433%40%3Cdev.shiro.apache.org%3E

Remove the usage of the word Principal

...

Reinforce customization via OO Delegation (composition over inheritance)

Any of the features provided by PathMatchingFilter would be provided for any configured filter via a proxy mechanism. The proxy would likely support the PathMatchingFilter features, setting request attributes as necessary for the wrapped filter to react to. This eliminates the need to subclass PathMatchingFilter to utilize these features.
The same principal would be probably be applied for realms. A DefaultRealm could be created that delegates to an AuthenticationInfoAccessor and AuthorizationInfoAccessor (or whatever we want to call them) that performs the same behavior as AuthenticatingRealm#doGetAuthenticationInfo and AuthorizingRealm#doGetAuthorizationInfo. The end result is no more subclassing realms for 95% of use cases, and instead providing accessors.

Multi-Stage Authentication via request/response

...

The Web module is largely Servlet-specific at the moment. As such, its packaging should reflect this, in the same way that all other support modules are named, e.g.
module name: shiro-servlet
package base: org.apache.shiro.servlet.*

OAuth 2.0 Support

(copied from: https://github.com/apache/shiro/pull/46#issuecomment-636014863)

IMHO, OAuth2 (and OIDC) is a must-have for 2.0. I think the openid4j project is dead though.
But... it's a good start of where the bits need to be plugged in.

I've been thinking about options in the back of my head for a while now. And I need to start writing them down (both code and on the dev list). I'll add a note here for now, because i'm thinking about it.

There are a couple of main use cases we need to target (and even more nice-to-haves)

* Resource Server support - Shiro has Bearer Token support for this, which is half the battle, we could add "opaque" access token validation as a Realm.
  I worry about generic JWT access token validation as each vendor recommends different validation (as JWTs are NOT part of the OAuth spec), but other libraries have support, so...

* OAuth 2.0 Auth Code Flow - there will be a heavy dependency on the servlet (or similar) specs for this

* OIDC support (similar to previous)

All of these options depend on an HTTP client component which Shiro doesn't have. It's easy enough to add, but we may need to expose some of the underlying bits of said client, to allow for a whole host of client-to-server communication. (timeouts, HTTP headers for firewall negation, proxies, etc).

Mostly just quick thoughts, I need to dig into this again

Deprecated code

Replace deprecated code (or move to an implementation/private package, for anything still needed).

Support javax.annotation.security annotations

Or whatever they are now under Eclipse. These annotations work a little different from the Shiro ones.

(copie from: https://github.com/apache/shiro/pull/185)

NOTE: this is the first pass, and uncovered a few issues with the differences between the JSR-250 and Shiro Annotations.

RolesAllowed only supports a logical OR, RequiresRoles defaults to a logical AND
PermitAll allows any subject (guest or not)
Per spec there is interaction between the JSR-250 annotations that the Shiro Annotations do NOT have.
- Each Shiro annotation is processed without knowledge of other annotations, the JSR-250 versions are processed together, for example

    @PermitAll
    class ExamplePermitAtClass {

        @DenyAll
        void expectDenied() {}

        void expectAllowed() {}

        @RolesAllowed({"blah2", "foo"})
        void withRoles() {}
    }

To implement this I needed to search out the annotations in Jsr250MethodInterceptor without the use of the AnnotationResolver component, the issue here is we have a separate implementation for Spring.

We could extend the AnnotationResolver interface and add methods that return annotations for a Class, or a method. (the current method does both).

LDAP

One of the issues I've always been struggling with is the use of in LDAP terms 'Common Names'

Use LDAP to authenticate and authorize a user, but I can't get a common name to use in UI's or data recording.

Shiro wouldn't be able to replace a general user details store, but we should think about making it easier to expose it out of the box (without implementing a custom realm and principal type)

JWT

JWTs only make sense if they are used:
1. stateless, i.e. no session
2. not as a cookie replacement
3. not as a authz replacement (it should most of the times only carry small authc data)

That said, if a user comes with a bearer token, shiro bears two challenges:
1.) The jwt can easily be validated in the realm, just implement doGetAuthenticationInfo and check issuer, date and signature. That's easy.
2.) If you need to extract authz data, well that's a different problem. if you hit that method, you do not have the key in hand - just look at the method signature:
protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection principals)

So you need to store it in a small cache, which does not feel right. Or just look up everything from a 3rd datasource, like your DB. But then, you can just skip this Realm for the Authc part and have a more general authc strategy.

That said, for multiple realms, just imagine this:
1. Authc via JWT
2. Authc via LDAP
3. Authc via static config file

But for all three realms you want to look up your own database for authorization. You need to implement your own delegator. And I think it is not easy to understand this as a shiro newbie.