I'm a complete newbie to Internet security concepts, and I had a preconceived notion that providing an application is incredibly difficult.
Looking at the video on Apache Shiro, I get the feeling that the security complexity was abstracted into a simple, unified API.
I am trying to write a security level that will be responsible for authorization and SSO for my basic SOAP-based web services.
All permissions will be obtained from LDAP (OpenDS), which will be supported on my side (that is, they are not external), since they reflect the set of functionality available on my system.
I have a requirement that clients can manage their user in Active Directory (external) and after logging in to AD (probably their Windows login) they must be automatically authenticated in order to be able to use my services.
Then I will check if the user has received the correct authorization to use a particular service.
This effectively means that authentication is done externally, but authorization is done internally, as far as my borders are concerned. But my level of security should understand that the user is authenticated and knows who the user is.
Is this achievable in Shiro? Any pointers would be very helpful.
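The split the question describes (authentication decided by an external directory, permissions decided by your own directory) maps onto Shiro's multi-realm model: one realm answers "who is this?" and a second, authorization-only realm answers "what may they do?". The following is an added example written for this answer, not code from the question or from the Shiro project. It assumes Shiro 1.x on the classpath (`shiro-core`). The class and method names `InternalPermissionRealm`, `PERMISSIONS_BY_USER`, `buildSecurityManager` and `canUse` are hypothetical; the user `alice` and the permission strings are constructed sample data. To keep it runnable offline, a `SimpleAccountRealm` stands in for the Active Directory authentication step, and an in-memory map stands in for the OpenDS lookup.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Authorization-only realm: it never authenticates anybody, it only
 * maps an already-authenticated principal to the permissions held in
 * the internal directory (hypothetical name; the map below is a
 * constructed stand-in for an OpenDS query).
 */
class InternalPermissionRealm extends AuthorizingRealm {

    // Constructed sample data standing in for the internal LDAP store.
    static final Map<String, Set<String>> PERMISSIONS_BY_USER = new HashMap<>();
    static {
        PERMISSIONS_BY_USER.put("alice", new java.util.HashSet<>(
                Arrays.asList("orders:read", "orders:create")));
    }

    // Tell the ModularRealmAuthenticator to skip this realm during login,
    // so only the external (AD) realm decides whether a login succeeds.
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        throw new UnsupportedOperationException("authentication is external");
    }

    // Called by Shiro on isPermitted()/checkPermission(); the principal is
    // whatever the authenticating realm returned (here the username).
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = String.valueOf(principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Unknown users get no permissions rather than an exception:
        // "authenticated" must not imply "authorized".
        info.setStringPermissions(
                PERMISSIONS_BY_USER.getOrDefault(username, Collections.emptySet()));
        return info;
    }
}

public class SplitAuthnAuthzDemo {

    /** Wires the two realms: external authentication, internal authorization. */
    static DefaultSecurityManager buildSecurityManager() {
        // Stand-in for the Active Directory realm; in a real deployment the
        // shiro-core ActiveDirectoryRealm (LDAP bind against AD) goes here.
        SimpleAccountRealm externalAuthn = new SimpleAccountRealm("external-ad-stub");
        externalAuthn.addAccount("alice", "secret");   // constructed credentials

        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setRealms(Arrays.asList(externalAuthn, new InternalPermissionRealm()));
        return sm;
    }

    /** Logs in through the external realm, then asks the internal realm. */
    static boolean canUse(DefaultSecurityManager sm, String user, String pw, String perm) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, pw));
            return subject.isPermitted(perm);
        } catch (AuthenticationException e) {
            return false;        // external directory rejected the login
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = buildSecurityManager();
        SecurityUtils.setSecurityManager(sm);
        System.out.println(canUse(sm, "alice", "secret", "orders:read"));     // true
        System.out.println(canUse(sm, "alice", "secret", "orders:delete"));   // false
        System.out.println(canUse(sm, "alice", "wrong", "orders:read"));      // false
    }
}
```

The design point is the `supports()` override: with it returning `false`, the internal realm can never be tricked into authenticating anyone, and the default "at least one realm succeeded" login strategy only ever consults the external realm. For the automatic Windows-login part of the question, note that the example uses a username/password token as a placeholder; whatever mechanism establishes the AD identity, the principal it produces is what `doGetAuthorizationInfo` receives, so the authorization side does not change.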