|TODO: this content has not yet been reviewed/updated for v2.0|
This guide describes the authentication and authorization features available to secure your Apache Isis application.
Apache Isis has built-in support for authentication and authorization:
By "authentication" we mean logging into the application using some credentials, typically a username and password. Authentication also means looking up the set of roles to which a user belongs.
By "authorization" we mean permissions: granting roles to have access to features (object member) of the app.
Apache Isis has two levels of permissions. Read permission means that the user can view the object member; it will be rendered in the UI. An action with only read permission will be shown disabled ("greyed out"). Write permission means that the object member can be changed. For actions this means that they can be invoked.
The framework provides an API for both authentication and authorization, and provides an implementation that integrates with Apache Shiro. Shiro in turn uses the concept of a realm as a source for both authentication and optionally authorization.
Shiro ships with a simple text-based realm — the IniRealm — which reads users (and password), user roles and role permissions from the
The HelloWorld and SimpleApp starter apps are both configured to use this realm.
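As an added illustration (not taken from this page or from the starter apps), the shape of a minimal shiro.ini for the IniRealm: the accounts, roles and the com.example.app:Customer class are constructed, and the package:Class:member:r|w permission string format is assumed to be the one the Isis 1.x Shiro integration checks.

```ini
[main]
# Use the built-in text-based realm (IniRealm) as the security manager's only realm
securityManager.realms = $iniRealm

[users]
# username = password, role1, role2, ...   (constructed sample accounts;
# plain-text passwords are only acceptable for prototyping)
sven = pass, admin_role
joe  = pass, readonly_role

[roles]
# Permission strings (assumed Isis 1.x format): package:Class:member:r|w
#   :r  -> the member is visible in the UI (actions shown greyed out)
#   :w  -> the member may be changed / the action may be invoked
# Shiro's wildcard permissions match '*' against any segment.
admin_role    = *
readonly_role = com.example.app:Customer:*:r
```

With this file a user holding only readonly_role sees Customer properties and actions but cannot edit or invoke them, while admin_role grants both read and write on everything.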
Shiro also ships with an implementation of an LDAP-based realm; LDAP is often used to manage user/passwords and corresponding user groups.
Apache Isis in turn extends this with its IsisLdapRealm, which provides more flexibility for both group/role and role/permissions management.
In addition, the SecMan extension provides an implementation of the Shiro
This extension also represents users, roles and permissions as domain objects, allowing them to be administered through Apache Isis itself.
Moreover, it can also optionally delegate password management to a subsidiary (delegate) realm (usually LDAP as discussed above).
In addition to Apache Isis' Shiro-based implementation of its authentication and authorization APIs, Isis also provides a "bypass" implementation, useful for quick-n-dirty prototyping when you want to in effect disable (bypass) security completely.
What about auditing?
A further aspect of security is auditing: recording what data was modified by which user.
Apache Isis provides the