Security
Note: This is a draft document - it can be changed at any time by anyone.
Overview
The application framework will use Apache Shiro for authentication and authorization. The configuration file will allow a user to select and configure a Realm. In addition to Shiro's Realm choices, the Realm choices will include "Native" - a custom Realm implementation that uses the entity engine for persistence.
Authorization will be built into the various foundation artifacts in such a way that access control can be externalized (managed outside the framework) - as proposed in the Security Redesign document.
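A custom Realm of the kind the Overview calls "Native" could look like the sketch below. This is an added example, not OFBiz code: the class name `NativeRealmSketch`, the `Account` record, the in-memory map standing in for entity-engine lookups, and the sample user and permission are all assumptions. It requires Shiro's core library on the classpath and Java 16 or later.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Hypothetical sketch of a "Native" realm; the map stands in for entity-engine lookups. */
public class NativeRealmSketch extends AuthorizingRealm {
    /** Constructed row shape: a salted password hash plus permission strings. */
    record Account(String passwordHash, Set<String> permissions) {}

    // One realm instance serves every thread, so its state must be thread-safe.
    private final Map<String, Account> accounts = new ConcurrentHashMap<>();

    public NativeRealmSketch() {
        setName("Native");
        // PasswordMatcher checks the submitted password against the stored salted hash.
        setCredentialsMatcher(new PasswordMatcher());
        // Constructed sample account; a real realm would read rows from persistence.
        String hash = new DefaultPasswordService().encryptPassword("constructed-sample-password");
        accounts.put("demo", new Account(hash, Set.of("party:view")));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String userId = ((UsernamePasswordToken) token).getUsername();
        Account account = userId == null ? null : accounts.get(userId);
        if (account == null) {
            throw new UnknownAccountException("No account for the submitted user id");
        }
        // Hand back the stored hash only; Shiro applies the credentials matcher to it.
        return new SimpleAuthenticationInfo(userId, account.passwordHash(), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Object userId = getAvailablePrincipal(principals);
        Account account = userId == null ? null : accounts.get(userId);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (account != null) info.addStringPermissions(account.permissions());
        return info;
    }
}
```

Code that calls `Subject.login` should report an unknown account and a wrong password to the user as the same generic failure, so the login form does not reveal which user ids exist.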
Design Goals
- Easy integration with existing authentication and authorization infrastructure.
- Leverage external library - use very little custom code.
- Thread-safe.
Basic Architecture
- Library: Apache Shiro, OFBiz extensions
- Java package name: org.apache.ofbiz.foundation.security