Page History

...

There is currently no timeline for a version 23, but this space represents any brainstorming efforts that the community wishes to address that may be major feature enhancements that can't be backwards compatible. Typically discussions from the dev list resulting in some form of consensus will probably make it into this page. Actionable items will go into Jira, potentially referencing this page for clarity.

...

https://lists.apache.org/thread.html/r965efe7a90a68091936322f426a9aebe0a1b27ee449a8f2feac5d433%40%3Cdev.shiro.apache.org%3E

Remove the usage of the word Principal

Unfortunately, the word 'principal' has different meanings depending on your background in security and what security projects or products you might have used. Shiro has participated in this mix by defining Principal to mean any identifying attribute. Instead of perpetuating this potentially-confusing term further (within Shiro at least), we might want to drop the word 'principal' in favor of 'attribute', since Shiro only ever refers to principals as identifying attributes.

...

This would imply things like:

AuthenticationToken<I,C> {

    I getIdentifier();

    C getCredentials();    
}

and

public interface Subject {

    ...

    //instead of getPrincipal():
    // the application's primary identifier (e.g. username or email address or db primary key):
    Serializable getId();

    //instead of getPrincipals():
    AttributeMap getAttributes();

}

Rename AuthenticationInfo to Account

The existing AuthenticationInfo name is less intuitive and is essentially the same thing.

Realm refactoring

Most Realms differ little in their implementations - mostly by the protocols they use. Create a 'DefaultRealm' implementation (or something similar) that allows pluggable AccountResolver and AuthorizationResolver interfaces that abstract away interaction with the data stores and the rest of the internal Realm logic (e.g. authc and authz caching, etc) can be shared by most Realm implementation.

...

Refactor shiro-core

...

and it's modules (consolidate)

Merge some modules, split some? Maybe shiro-core should be split up into separate modules ( e.g. shiro-crypto, shiro-authc, shiro-authz, etc) if possible. This may or may not be possible due to the tight integration of APIs (e.g. Shiro authentication depends on shiro hashing (crypto) etc). A cursory investigation should be made if possible.

Event-driven design

This can be in 1.3+ as these would be all new packages/classes and do not require signature changes to existing code

Utilize events significantly and more effectively. Base on Akka's event model and Guava's EventBus. This enables ideal loose coupling/high cohesion plugins/integration/customization.

Package: org.apache.shiro.event

Potential classes:

public class ShiroEvent extends EventObject {

    private final long timestamp; //millis since Epoch (UTC time zone).

    public ShiroEvent(Object source) {
        super(source);
        this.timestamp = new Date().getTime();
    }

    public long getTimestamp() {
        return timestamp;
    }
}

public interface Publisher {

    void publish(Object event);
}

/** Marker annotation for a method that wishes to receive a particular event instance. */
public @interface Subscribe {
}

/** 
  * Listener implementations just annotate a method as @Subscribe.  
  * The single method argument determines the type of event received.
  */
public class MyListener {

    @Subscribe
    public void doSomething(SomeEvent event) {
        ...
    }
}

public interface SubscriberRegistry {

    void register(Object subscriber);

    void unregister(Object subscriber);
}

An EventBus can be created based on Publisher + SubscriberRegistry:

...

Move events to a standard API

Move EventBus to JDK Flow API.

Implementation can be CDI, Sprint, etc.

Subject PrincipalCollection

Convert this to be a sub-interface of Map with additional per-Realm utility methods.

...

Maybe rename this to 'attributes'? i.e. subject.getAttributes()?

Component Names

Change classes named FooDAO to FooStore instead.

Authorization ANTLR Grammar

Ideally, we can have a single annotation:

@Secured("authz expression here")
public void someMethod(){...}

Where the 'authz expression here' is authorization assertion statement backed by an ANTLR lexer/parser, for example:

@Secured("(role(admin) || role(developer)) || perm(account:12345:open)")

This would translate the expression into the relevant hasRole/isPermitted calls.

AuthorizationRequest/Response

Employing the same grammar as mentioned above, instead of multiple subject.isPermitted/hasRole calls, the same thing could be achieved with an AuthorizationRequest/Response scheme. For example:

AuthorizationRequest request = //create request w/ expression
AuthorizationResponse response = subject.authorize(authorizationRequest);
if (response.isAuthorized()) {
...
} else {
...
}

Reinforce customization via OO Delegation (composition over inheritance)

• Any of the features provided by PathMatchingFilter would be provided for any configured filter via a proxy mechanism. The proxy would likely support the PathMatchingFilter features, setting request attributes as necessary for the wrapped filter to react to. This eliminates the need to subclass PathMatchingFilter to utilize these features.
• The same principal would be probably be applied for realms. A DefaultRealm could be created that delegates to an AuthenticationInfoAccessor and AuthorizationInfoAccessor (or whatever we want to call them) that performs the same behavior as AuthenticatingRealm#doGetAuthenticationInfo and AuthorizingRealm#doGetAuthorizationInfo. The end result is no more subclassing realms for 95% of use cases, and instead providing accessors.

Multi-Stage Authentication via request/response

In applications that need to authenticate via multiple mechanisms (e.g. multi-factor authentication), a Request/Response protocol for login would probably be easier to use to support such workflows. For example:

LoginRequest request = //create login request
LoginResponse response = subject.login(request);
if (!response.isComplete()) {
    LoginRequest secondRequest = response.nextRequest();
    //populate w/ data for 2nd phase
   response = subject.login(secondRequest);
}
if (response.hasException()) {
    throw response.getException();
}
...

Additionally probably change the Authenticator signature to be as follows:

AuthenticationResult authenticate(AuthenticationRequest) throws AuthenticationException;

Captcha Support

Captcha support would assist in human being verification (during login, during form submission, etc).

Configuration per filter instance and no path matching

Web module repackaging.

The Web module is largely Servlet-specific at the moment. As such, its packaging should reflect this, in the same way that all other support modules are named, e.g.
module name: shiro-servlet
package base: org.apache.shiro.servlet.*

OAuth 2.0 Support

(copied from: https://github.com/apache/shiro/pull/46#issuecomment-636014863)

...

Mostly just quick thoughts, I need to dig into this again

Maybe just use MP OIDCConnect and integrate with that?

Deprecated code

Replace deprecated code (or move to an implementation/private package, for anything still needed).

Support javax.annotation.security annotations

Or whatever they are now under Eclipse. These annotations work a little different from the Shiro ones.

(copie from: https://github.com/apache/shiro/pull/185)

NOTE: this is the first pass, and uncovered a few issues with the differences between the JSR-250 and Shiro Annotations.

• RolesAllowed only supports a logical OR, RequiresRoles defaults to a logical AND
• PermitAll allows any subject (guest or not)
• Per spec there is interaction between the JSR-250 annotations that the Shiro Annotations do NOT have.
  • Each Shiro annotation is processed without knowledge of other annotations, the JSR-250 versions are processed together, for example

    @PermitAll
    class ExamplePermitAtClass {

        @DenyAll
        void expectDenied() {}

        void expectAllowed() {}

        @RolesAllowed({"blah2", "foo"})
        void withRoles() {}
    }

To implement this I needed to search out the annotations in Jsr250MethodInterceptor without the use of the AnnotationResolver component, the issue here is we have a separate implementation for Spring.

...

There is some deprecated code that's suppressed. Needs a look

LDAP

One of the issues I've always been struggling with is the use of in LDAP terms 'Common Names'

...

Shiro wouldn't be able to replace a general user details store, but we should think about making it easier to expose it out of the box (without implementing a custom realm and principal type)

JWT

JWTs only make sense if they are used:
1. stateless, i.e. no session
2. not as a cookie replacement
3. not as a authz replacement (it should most of the times only carry small authc data)

...

But for all three realms you want to look up your own database for authorization. You need to implement your own delegator. And I think it is not easy to understand this as a shiro newbie.

Cache attributes

Cache issue between authc and authz.

OSGi

OSGi-centric: but how about a restructuring around OSGi services and DS components providing these services?

Issues about ThreadLocal

https://issues.apache.org/jira/projects/SHIRO/issues/SHIRO-799

...

https://issues.apache.org/jira/projects/SHIRO/issues/SHIRO-796 (move away from ThreadLocals)

JSR-375 Java EE Security API

We could easily implement JSR-375 (the official JavaEE Security API). It is a subset of Shiro's features, but uses Annotations for configuration.

1.x (Javax)

Specification: https://javaee.github.io/security-spec/

API: https://javaee.github.io/security-api/

...

3.x or later (Jakarta)

API & Specification: https://github.com/eclipse-ee4j/security-api

...