Security

Note

This is a draft document - it can be changed at any time by anyone.

Overview

The application framework will use Apache Shiro for authentication and authorization. The configuration file will allow a user to select and configure a Realm. In addition to Shiro's Realm choices, the Realm choices will include "Native" - a custom Realm implementation that uses the entity engine for persistence.

Authorization will be built into the various foundation artifacts in such a way that access control can be externalized (managed outside the framework) - as proposed in the Security Redesign document.

Design Goals

  • Easy integration with existing authentication and authorization infrastructure.
  • Leverage an external library - use very little custom code.
  • Thread-safe.

Basic Architecture

  • Library: Apache Shiro, OFBiz extensions
  • Java package name: org.apache.ofbiz.foundation.security