content/security/2.0.0-M3/about.html - causeway-site - Git at Google

 <!DOCTYPE html>
 <html lang="en">
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width,initial-scale=1">
     <title>Security :: Apache Isis</title>
     <link rel="canonical" href="https://isis.apache.org/security/2.0.0-M3/about.html">
     <meta name="generator" content="Antora 2.2.0">
     <link rel="stylesheet" href="../../_/css/site.css">
     <link rel="stylesheet" href="../../_/css/site-custom.css">
     <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,700,700i|Raleway:300,400,500,700,800|Montserrat:300,400,700" rel="stylesheet">
 <link rel="home" href="https://isis.apache.org" title="Apache Isis">
   <link rel="next" href="#security:ROOT:api.adoc" title="API">
   <link rel="prev" href="shiro-realm-ldap/about.html" title="LDAP Realm for Shiro">
   </head>
   <body class="article">
 <header class="header">
   <nav class="navbar">
     <div class="navbar-brand">
       <a class="navbar-item" href="https://isis.apache.org">
           <span class="icon">
             <img src="../../_/img/isis-logo-48x48.png"></img>
           </span>
         <span>Apache Isis</span>
       </a>
       <button class="navbar-burger" data-target="topbar-nav">
         <span></span>
         <span></span>
         <span></span>
       </button>
     </div>
     <div id="topbar-nav" class="navbar-menu">
       <a class="navbar-end">
         <div class="navbar-item has-dropdown is-hoverable">
           <a class="navbar-link" href="#">Quick Start</a>
           <div class="navbar-dropdown">
             <span class="navbar-item navbar-heading">Starter Apps</span>
             <a class="navbar-item" href="../../docs/latest/starters/helloworld.html">Hello World</a>
             <a class="navbar-item" href="../../docs/latest/starters/simpleapp.html">Simple App</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Demos &amp; Tutorials</span>
             <a class="navbar-item" href="../../docs/latest/demo/about.html">Demo App</a>
             <a class="navbar-item" href="https://danhaywood.gitlab.io/isis-petclinic-tutorial-docs/petclinic/1.16.2/intro.html">Petclinic (tutorial)</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Resources</span>
             <a class="navbar-item" href="../../docs/latest/resources/cheatsheet.html">Cheatsheet</a>
             <a class="navbar-item" href="../../docs/latest/resources/icons.html">Icons</a>
           </div>
         </div>
         <div class="navbar-item has-dropdown is-hoverable">
           <a class="navbar-link" href="#">Guides</a>
           <div class="navbar-dropdown">
             <span class="navbar-item navbar-heading">Development</span>
             <a class="navbar-item" href="../../setupguide/latest/about.html">Setup Guide</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Core</span>
             <a class="navbar-item" href="../../userguide/latest/about.html">User Guide</a>
             <a class="navbar-item" href="../../refguide/latest/about.html">Reference Guide</a>
             <a class="navbar-item" href="../../testing/latest/about.html">Testing Guide</a>
           </div>
         </div>
         <div class="navbar-item has-dropdown is-hoverable">
           <a class="navbar-link" href="#">Libraries</a>
           <div class="navbar-dropdown">
             <span class="navbar-item navbar-heading">For Use in Apps</span>
             <a class="navbar-item" href="../../subdomains/latest/about.html">Subdomain Libraries</a>
             <a class="navbar-item" href="../../valuetypes/latest/about.html">Value Types</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Integrate between Apps</span>
             <a class="navbar-item" href="../../mappings/latest/about.html">Bounded Context Mapping Libraries</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Other</span>
             <a class="navbar-item" href="../../incubator/latest/about.html">Incubator</a>
             <a class="navbar-item" href="../../legacy/latest/about.html">Legacy</a>
           </div>
         </div>
         <div class="navbar-item has-dropdown is-hoverable">
           <a class="navbar-link" href="#">Components</a>
           <div class="navbar-dropdown">
             <span class="navbar-item navbar-heading">Viewers</span>
             <a class="navbar-item" href="../../vw/latest/about.html">Wicket UI</a>
             <a class="navbar-item" href="../../vro/latest/about.html">Restful Objects (REST)</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Security</span>
             <a class="navbar-item" href="../../security/latest/about.html">Security Guide</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Persistence</span>
             <a class="navbar-item" href="../../pjdo/latest/about.html">DataNucleus (JDO)</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Extensions</span>
             <a class="navbar-item" href="../../extensions/latest/about.html">Extensions Catalog</a>
           </div>
         </div>
         <div class="navbar-item has-dropdown is-hoverable">
           <a class="navbar-link" href="#">Support</a>
           <div class="navbar-dropdown">
             <span class="navbar-item navbar-heading">Contact</span>
             <a class="navbar-item" href="../../docs/latest/support/slack-channel.html">Slack</a>
             <a class="navbar-item" href="../../docs/latest/support/mailing-list.html">Mailing Lists</a>
             <a class="navbar-item" href="https://issues.apache.org/jira/browse/ISIS">JIRA</a>
             <a class="navbar-item" href="https://stackoverflow.com/questions/tagged/isis">Stack Overflow</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Releases</span>
             <a class="navbar-item" href="../../docs/latest/downloads/how-to.html">Downloads</a>
             <a class="navbar-item" href="../../relnotes/latest/about.html">Release Notes</a>
             <a class="navbar-item" href="../../docs/latest/archive/1-x.html">Archive (1.x)</a>
             <hr class="navbar-divider"/>
             <span class="navbar-item navbar-heading">Framework</span>
             <a class="navbar-item" href="../../conguide/latest/about.html">Contributors' Guide</a>
             <a class="navbar-item" href="../../comguide/latest/about.html">Committers' Guide</a>
             <a class="navbar-item" href="../../core/latest/about.html">Core Design</a>
           </div>
         </div>
         <div class="navbar-item has-dropdown is-hoverable">
           <a class="navbar-link" href="#">ASF</a>
           <div class="navbar-dropdown">
             <a class="navbar-item" href="http://www.apache.org/">Apache Homepage</a>
             <a class="navbar-item" href="https://www.apache.org/events/current-event">Events</a>
             <a class="navbar-item" href="https://www.apache.org/licenses/">Licenses</a>
             <a class="navbar-item" href="https://www.apache.org/security/">Security</a>
             <a class="navbar-item" href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
             <a class="navbar-item" href="https://www.apache.org/foundation/thanks.html">Thanks</a>
             <hr class="navbar-divider"/>
             <a class="navbar-item" href="https://whimsy.apache.org/board/minutes/Isis.html">PMC board minutes</a>
           </div>
         </div>
         <a class="navbar-item" href="../../docs/latest/about.html">
           <span class="icon">
             <img src="../../_/img/home.png"></img>
           </span>
         </a>
       </div>
     </div>
   </nav>
 </header>
 <div class="body ">
 <div class="nav-container" data-component="security" data-version="2.0.0-M3">
   <aside class="nav">
     <div class="panels">
 <div class="nav-panel-pagination">
   <a class="page-previous" rel="prev" href="shiro-realm-ldap/about.html" title="LDAP Realm for Shiro"><span></span></a>
   <a class="page-next" rel="next"
      href="#security:ROOT:api.adoc" title="API"><span></span></a>
 <!--
 page.parent doesn't seem to be set...
   <a class="page-parent disabled" rel="prev" href="" title="LDAP Realm for Shiro"><span></span></a>
 -->
 </div>
 <div class="nav-panel-menu is-active" data-panel="menu">
   <nav class="nav-menu">
     <h3 class="title"><a href="about.html">Security Guide</a></h3>
 <ul class="nav-list">
   <li class="nav-item" data-depth="0">
 <ul class="nav-list">
   <li class="nav-item" data-depth="1">
     <a class="nav-link" href="domain-services-api-for-applications.html">Domain Services API</a>
   </li>
 </ul>
   </li>
   <li class="nav-item" data-depth="0">
 <ul class="nav-list">
   <li class="nav-item" data-depth="1">
     <a class="nav-link" href="core/about.html">API</a>
   </li>
   <li class="nav-item" data-depth="1">
     <a class="nav-link" href="bypass/about.html">Bypass Implementation</a>
   </li>
   <li class="nav-item" data-depth="1">
     <a class="nav-link" href="shiro/about.html">Shiro Implementation</a>
   </li>
   <li class="nav-item" data-depth="1">
     <a class="nav-link" href="keycloak/about.html">Keycloak Implementation</a>
   </li>
   <li class="nav-item" data-depth="1">
     <a class="nav-link" href="usage-by-isis-viewers.html">Usage by Isis Viewers</a>
   </li>
   <li class="nav-item" data-depth="1">
     <button class="nav-item-toggle"></button>
     <span class="nav-text">Extensions</span>
 <ul class="nav-list">
   <li class="nav-item" data-depth="2">
     <a class="nav-link" href="audit-trail/about.html">Audit Trail</a>
   </li>
   <li class="nav-item" data-depth="2">
     <a class="nav-link" href="shiro-realm-ldap/about.html">LDAP Realm for Shiro</a>
   </li>
   <li class="nav-item is-current-page" data-depth="2">
     <button class="nav-item-toggle"></button>
     <a class="nav-link" href="about.html">Secman</a>
 <ul class="nav-list">
   <li class="nav-item" data-depth="3">
     <a class="nav-link" href="#security:ROOT:api.adoc">API</a>
   </li>
   <li class="nav-item" data-depth="3">
     <a class="nav-link" href="#security:ROOT:model.adoc">Model</a>
   </li>
   <li class="nav-item" data-depth="3">
     <a class="nav-link" href="#security:ROOT:jbcrypt-encryption.adoc">JBCrypt Encryption</a>
   </li>
   <li class="nav-item" data-depth="3">
     <a class="nav-link" href="#security:ROOT:jdo-persistence.adoc">JDO Persistence</a>
   </li>
   <li class="nav-item" data-depth="3">
     <a class="nav-link" href="#security:ROOT:shiro-realm.adoc">Realm (for Shiro)</a>
   </li>
 </ul>
   </li>
   <li class="nav-item" data-depth="2">
     <a class="nav-link" href="session-log/about.html">Session Log</a>
   </li>
 </ul>
   </li>
 </ul>
   </li>
 </ul>
   </nav>
 </div>
 <div class="nav-panel-explore" data-panel="explore">
   <div class="context">
     <span class="title">Security Guide</span>
     <span class="version">2.0.0-M3</span>
   </div>
   <ul class="components">
     <li class="component">
       <span class="title"> </span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../docs/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">BC Mappings Catalog</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../mappings/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Committers' Guide</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../comguide/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Contributors' Guide</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../conguide/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Design Docs</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../core/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Extensions Catalog</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../extensions/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Incubator Catalog</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../incubator/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">JDO/DataNucleus</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../pjdo/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Legacy Catalog</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../legacy/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Reference Guide</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../refguide/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Release Notes</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../relnotes/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Restful Objects Viewer</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../vro/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component is-current">
       <span class="title">Security Guide</span>
       <ul class="versions">
         <li class="version is-current is-latest">
           <a href="about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Setup Guide</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../setupguide/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Subdomains Catalog</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../subdomains/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Testing Guide</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../testing/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">User Guide</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../userguide/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Value Types Catalog</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../valuetypes/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
     <li class="component">
       <span class="title">Wicket Viewer</span>
       <ul class="versions">
         <li class="version is-latest">
           <a href="../../vw/2.0.0-M3/about.html">2.0.0-M3</a>
         </li>
       </ul>
     </li>
   </ul>
 </div>
     </div>
   </aside>
 </div>
 <main role="main">
 <div class="toolbar" role="navigation">
 <button class="nav-toggle"></button>
   <a href="../../docs/2.0.0-M3/about.html" class="home-link"></a>
 <nav class="breadcrumbs" aria-label="breadcrumbs">
   <ul>
     <li><a href="about.html">Security Guide</a></li>
     <li>Extensions</li>
     <li><a href="about.html">Secman</a></li>
   </ul>
 </nav>
   <div class="edit-this-page"><a href="https://github.com/apache/isis/edit/2.0.0-M3/security/adoc/modules/ROOT/pages/about.adoc">Edit</a></div>
 </div>
 <article class="doc">
     <a name="section-top"></a>
 <h1 class="page">Security</h1>
 <div id="preamble">
 <div class="sectionbody">
 <div class="admonitionblock warning">
 <table>
 <tr>
 <td class="icon">
 <i class="fa icon-warning" title="Warning"></i>
 </td>
 <td class="content">
 TODO: this content has not yet been reviewed/updated for v2.0
 </td>
 </tr>
 </table>
 </div>
 <div class="paragraph">
 <p>This guide describes the authentication and authorization features available to secure your Apache Isis application.</p>
 </div>
 </div>
 </div>
 <div class="sect1">
 <h2 id="terminology"><a class="anchor" href="#terminology"></a>Terminology</h2>
 <div class="sectionbody">
 <div class="paragraph">
 <p>Apache Isis has built-in support for authentication and authorization:</p>
 </div>
 <div class="ulist">
 <ul>
 <li>
 <p>By "authentication" we mean logging into the application using some credentials, typically a username and password.
 Authentication also means looking up the set of roles to which a user belongs.</p>
 </li>
 <li>
 <p>By "authorization" we mean permissions: granting roles to have access to features (object member) of the app.</p>
 </li>
 </ul>
 </div>
 <div class="paragraph">
 <p>Apache Isis has two levels of permissions.
 <em>Read</em> permission means that the user can view the object member; it will be rendered in the UI.  An action with only read permission will be shown disabled ("greyed out".
 <em>Write</em> permission means that the object member can be changed.  For actions this means that they can be invoked.</p>
 </div>
 <div class="paragraph">
 <p>The framework provides an API for both authentication and authorization, and provides an implementation that integrates with <a href="http://shiro.apache.org">Apache Shiro</a>.
 Shiro in turn uses the concept of a <em>realm</em> as a source for both authentication and optionally authorization.</p>
 </div>
 <div class="paragraph">
 <p>Shiro ships with a simple text-based realm&#8201;&#8212;&#8201;the <code>IniRealm</code>&#8201;&#8212;&#8201;which reads users (and password), user roles and role permissions from the <code>WEB-INF/shiro.ini</code> file.
 The <a href="../../docs/2.0.0-M3/starters/helloworld.html" class="page">HelloWorld</a> and <a href="../../docs/2.0.0-M3/starters/simpleapp.html" class="page">SimpleApp</a> starter apps are both configured to use this realm.</p>
 </div>
 <div class="paragraph">
 <p>Shiro also ships with an implementation of an LDAP-based realm; LDAP is often used to manage user/passwords and corresponding user groups.
 Apache Isis in turn extends this with its <code>IsisLdapRealm</code>, which provides more flexibility for both group/role and role/permissions management.</p>
 </div>
 <div class="paragraph">
 <p>In addition, the <a href="about.html" class="page">SecMan extension</a> provides an implementation of the Shiro <code>Realm</code> API.
 This extension also represents users, roles and permissions as domain objects, allowing them to be administered through Apache Isis itself.
 Moreover, it can also optionally delegate password management to a subsidiary (delegate) realm (usually LDAP as discussed above).</p>
 </div>
 <div class="paragraph">
 <p>In addition to Apache Isis' Shiro-based implementation of its authentication and authorization APIs, Isis also provides a "bypass" implementation, useful for quick-n-dirty prototyping when you want to in effect disable (bypass) security completely.</p>
 </div>
 <div class="admonitionblock note">
 <table>
 <tr>
 <td class="icon">
 <i class="fa icon-note" title="Note"></i>
 </td>
 <td class="content">
 <div class="title">What about auditing?</div>
 <div class="paragraph">
 <p>A further aspect of security is auditing: recording what data was modified by which user.</p>
 </div>
 <div class="paragraph">
 <p>Apache Isis provides the <a href="../../refguide/2.0.0-M3/applib-svc/InteractionContext.html" class="page"><code>InteractionContext</code></a>
 can be used to track the actions being invoked, and the <a href="../../refguide/2.0.0-M3/applib-svc/AuditerService.html" class="page"><code>AuditerService</code></a>
 captures what data was modified as a result (auditing).
 When <code>Interaction</code>s are persisted (eg by way of the <a href="../../mappings/2.0.0-M3/outbox-publisher/about.html" class="page">Outbox Publisher</a> mapping module) then this provides excellent
 traceability.
 The <a href="audit-trail/about.html" class="page">Auditer</a> module provides an implementation of the <code>AuditerService</code>.</p>
 </div>
 <div class="paragraph">
 <p>For <a href="../../refguide/2.0.0-M3/applib-svc/CommandService.html" class="page"><code>CommandService</code></a> can be also be used to capture actions, for example using the <a href="../../extensions/2.0.0-M3/command-log/about.html" class="page">Command Log</a> extension.</p>
 </div>
 </td>
 </tr>
 </table>
 </div>
 </div>
 </div>
 </article>
 <aside class="article-aside toc" role="navigation">
     <p class="toc-title">On this page</p>
     <div id="article-toc"></div>
 </aside>
 </main>
 </div>
 <footer class="footer">
     <div class="content">
         <div class="copyright">
             <p>
                 Copyright © 2010~2020 The Apache Software Foundation, licensed under the Apache License, v2.0.
                 <br/>
                 Apache, the Apache feather logo, Apache Isis, and the Apache Isis project logo are all trademarks of The Apache Software Foundation.
             </p>
         </div>
         <div class="revision">
             <p>Revision: SNAPSHOT</p>
         </div>
     </div>
 </footer>
 <script src="../../_/js/site.js"></script>
 <script async src="../../_/js/vendor/highlight.js"></script>
 <script src="../../_/js/vendor/jquery-3.4.1.min.js"></script>
 <script src="../../_/js/vendor/jquery-ui-1.12.1.custom.widget-only.min.js"></script>
 <script src="../../_/js/vendor/jquery.tocify.min.js"></script>

 <script>
     $(function() {
         $("#article-toc").tocify( {
             showEffect: "slideDown",
             hashGenerator: "pretty",
             hideEffect: "slideUp",
             selectors: "h2, h3",
             scrollTo: 120,
             smoothScroll: true,
             theme: "jqueryui",
             highlightOnScroll: true
         } );
     });
 </script>
   </body>
 </html>
	<!DOCTYPE html>
	<html lang="en">
	<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width,initial-scale=1">
	<title>Security :: Apache Isis</title>
	<link rel="canonical" href="https://isis.apache.org/security/2.0.0-M3/about.html">
	<meta name="generator" content="Antora 2.2.0">
	<link rel="stylesheet" href="../../_/css/site.css">
	<link rel="stylesheet" href="../../_/css/site-custom.css">
	<link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,700,700i\|Raleway:300,400,500,700,800\|Montserrat:300,400,700" rel="stylesheet">
	<link rel="home" href="https://isis.apache.org" title="Apache Isis">
	<link rel="next" href="#security:ROOT:api.adoc" title="API">
	<link rel="prev" href="shiro-realm-ldap/about.html" title="LDAP Realm for Shiro">
	</head>
	<body class="article">
	<header class="header">
	<nav class="navbar">
	<div class="navbar-brand">
	<a class="navbar-item" href="https://isis.apache.org">
	<span class="icon">
	<img src="../../_/img/isis-logo-48x48.png"></img>
	</span>
	<span>Apache Isis</span>
	</a>
	<button class="navbar-burger" data-target="topbar-nav">
	<span></span>
	<span></span>
	<span></span>
	</button>
	</div>
	<div id="topbar-nav" class="navbar-menu">
	<a class="navbar-end">
	<div class="navbar-item has-dropdown is-hoverable">
	<a class="navbar-link" href="#">Quick Start</a>
	<div class="navbar-dropdown">
	<span class="navbar-item navbar-heading">Starter Apps</span>
	<a class="navbar-item" href="../../docs/latest/starters/helloworld.html">Hello World</a>
	<a class="navbar-item" href="../../docs/latest/starters/simpleapp.html">Simple App</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Demos & Tutorials</span>
	<a class="navbar-item" href="../../docs/latest/demo/about.html">Demo App</a>
	<a class="navbar-item" href="https://danhaywood.gitlab.io/isis-petclinic-tutorial-docs/petclinic/1.16.2/intro.html">Petclinic (tutorial)</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Resources</span>
	<a class="navbar-item" href="../../docs/latest/resources/cheatsheet.html">Cheatsheet</a>
	<a class="navbar-item" href="../../docs/latest/resources/icons.html">Icons</a>
	</div>
	</div>
	<div class="navbar-item has-dropdown is-hoverable">
	<a class="navbar-link" href="#">Guides</a>
	<div class="navbar-dropdown">
	<span class="navbar-item navbar-heading">Development</span>
	<a class="navbar-item" href="../../setupguide/latest/about.html">Setup Guide</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Core</span>
	<a class="navbar-item" href="../../userguide/latest/about.html">User Guide</a>
	<a class="navbar-item" href="../../refguide/latest/about.html">Reference Guide</a>
	<a class="navbar-item" href="../../testing/latest/about.html">Testing Guide</a>
	</div>
	</div>
	<div class="navbar-item has-dropdown is-hoverable">
	<a class="navbar-link" href="#">Libraries</a>
	<div class="navbar-dropdown">
	<span class="navbar-item navbar-heading">For Use in Apps</span>
	<a class="navbar-item" href="../../subdomains/latest/about.html">Subdomain Libraries</a>
	<a class="navbar-item" href="../../valuetypes/latest/about.html">Value Types</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Integrate between Apps</span>
	<a class="navbar-item" href="../../mappings/latest/about.html">Bounded Context Mapping Libraries</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Other</span>
	<a class="navbar-item" href="../../incubator/latest/about.html">Incubator</a>
	<a class="navbar-item" href="../../legacy/latest/about.html">Legacy</a>
	</div>
	</div>
	<div class="navbar-item has-dropdown is-hoverable">
	<a class="navbar-link" href="#">Components</a>
	<div class="navbar-dropdown">
	<span class="navbar-item navbar-heading">Viewers</span>
	<a class="navbar-item" href="../../vw/latest/about.html">Wicket UI</a>
	<a class="navbar-item" href="../../vro/latest/about.html">Restful Objects (REST)</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Security</span>
	<a class="navbar-item" href="../../security/latest/about.html">Security Guide</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Persistence</span>
	<a class="navbar-item" href="../../pjdo/latest/about.html">DataNucleus (JDO)</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Extensions</span>
	<a class="navbar-item" href="../../extensions/latest/about.html">Extensions Catalog</a>
	</div>
	</div>
	<div class="navbar-item has-dropdown is-hoverable">
	<a class="navbar-link" href="#">Support</a>
	<div class="navbar-dropdown">
	<span class="navbar-item navbar-heading">Contact</span>
	<a class="navbar-item" href="../../docs/latest/support/slack-channel.html">Slack</a>
	<a class="navbar-item" href="../../docs/latest/support/mailing-list.html">Mailing Lists</a>
	<a class="navbar-item" href="https://issues.apache.org/jira/browse/ISIS">JIRA</a>
	<a class="navbar-item" href="https://stackoverflow.com/questions/tagged/isis">Stack Overflow</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Releases</span>
	<a class="navbar-item" href="../../docs/latest/downloads/how-to.html">Downloads</a>
	<a class="navbar-item" href="../../relnotes/latest/about.html">Release Notes</a>
	<a class="navbar-item" href="../../docs/latest/archive/1-x.html">Archive (1.x)</a>
	<hr class="navbar-divider"/>
	<span class="navbar-item navbar-heading">Framework</span>
	<a class="navbar-item" href="../../conguide/latest/about.html">Contributors' Guide</a>
	<a class="navbar-item" href="../../comguide/latest/about.html">Committers' Guide</a>
	<a class="navbar-item" href="../../core/latest/about.html">Core Design</a>
	</div>
	</div>
	<div class="navbar-item has-dropdown is-hoverable">
	<a class="navbar-link" href="#">ASF</a>
	<div class="navbar-dropdown">
	<a class="navbar-item" href="http://www.apache.org/">Apache Homepage</a>
	<a class="navbar-item" href="https://www.apache.org/events/current-event">Events</a>
	<a class="navbar-item" href="https://www.apache.org/licenses/">Licenses</a>
	<a class="navbar-item" href="https://www.apache.org/security/">Security</a>
	<a class="navbar-item" href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
	<a class="navbar-item" href="https://www.apache.org/foundation/thanks.html">Thanks</a>
	<hr class="navbar-divider"/>
	<a class="navbar-item" href="https://whimsy.apache.org/board/minutes/Isis.html">PMC board minutes</a>
	</div>
	</div>
	<a class="navbar-item" href="../../docs/latest/about.html">
	<span class="icon">
	<img src="../../_/img/home.png"></img>
	</span>
	</a>
	</div>
	</div>
	</nav>
	</header>
	<div class="body ">
	<div class="nav-container" data-component="security" data-version="2.0.0-M3">
	<aside class="nav">
	<div class="panels">
	<div class="nav-panel-pagination">
	<a class="page-previous" rel="prev" href="shiro-realm-ldap/about.html" title="LDAP Realm for Shiro"><span></span></a>
	<a class="page-next" rel="next"
	href="#security:ROOT:api.adoc" title="API"><span></span></a>
	<!--
	page.parent doesn't seem to be set...
	<a class="page-parent disabled" rel="prev" href="" title="LDAP Realm for Shiro"><span></span></a>
	-->
	</div>
	<div class="nav-panel-menu is-active" data-panel="menu">
	<nav class="nav-menu">
	<h3 class="title"><a href="about.html">Security Guide</a></h3>
	<ul class="nav-list">
	<li class="nav-item" data-depth="0">
	<ul class="nav-list">
	<li class="nav-item" data-depth="1">
	<a class="nav-link" href="domain-services-api-for-applications.html">Domain Services API</a>
	</li>
	</ul>
	</li>
	<li class="nav-item" data-depth="0">
	<ul class="nav-list">
	<li class="nav-item" data-depth="1">
	<a class="nav-link" href="core/about.html">API</a>
	</li>
	<li class="nav-item" data-depth="1">
	<a class="nav-link" href="bypass/about.html">Bypass Implementation</a>
	</li>
	<li class="nav-item" data-depth="1">
	<a class="nav-link" href="shiro/about.html">Shiro Implementation</a>
	</li>
	<li class="nav-item" data-depth="1">
	<a class="nav-link" href="keycloak/about.html">Keycloak Implementation</a>
	</li>
	<li class="nav-item" data-depth="1">
	<a class="nav-link" href="usage-by-isis-viewers.html">Usage by Isis Viewers</a>
	</li>
	<li class="nav-item" data-depth="1">
	<button class="nav-item-toggle"></button>
	<span class="nav-text">Extensions</span>
	<ul class="nav-list">
	<li class="nav-item" data-depth="2">
	<a class="nav-link" href="audit-trail/about.html">Audit Trail</a>
	</li>
	<li class="nav-item" data-depth="2">
	<a class="nav-link" href="shiro-realm-ldap/about.html">LDAP Realm for Shiro</a>
	</li>
	<li class="nav-item is-current-page" data-depth="2">
	<button class="nav-item-toggle"></button>
	<a class="nav-link" href="about.html">Secman</a>
	<ul class="nav-list">
	<li class="nav-item" data-depth="3">
	<a class="nav-link" href="#security:ROOT:api.adoc">API</a>
	</li>
	<li class="nav-item" data-depth="3">
	<a class="nav-link" href="#security:ROOT:model.adoc">Model</a>
	</li>
	<li class="nav-item" data-depth="3">
	<a class="nav-link" href="#security:ROOT:jbcrypt-encryption.adoc">JBCrypt Encryption</a>
	</li>
	<li class="nav-item" data-depth="3">
	<a class="nav-link" href="#security:ROOT:jdo-persistence.adoc">JDO Persistence</a>
	</li>
	<li class="nav-item" data-depth="3">
	<a class="nav-link" href="#security:ROOT:shiro-realm.adoc">Realm (for Shiro)</a>
	</li>
	</ul>
	</li>
	<li class="nav-item" data-depth="2">
	<a class="nav-link" href="session-log/about.html">Session Log</a>
	</li>
	</ul>
	</li>
	</ul>
	</li>
	</ul>
	</nav>
	</div>
	<div class="nav-panel-explore" data-panel="explore">
	<div class="context">
	<span class="title">Security Guide</span>
	<span class="version">2.0.0-M3</span>
	</div>
	<ul class="components">
	<li class="component">
	<span class="title"> </span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../docs/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">BC Mappings Catalog</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../mappings/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Committers' Guide</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../comguide/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Contributors' Guide</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../conguide/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Design Docs</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../core/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Extensions Catalog</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../extensions/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Incubator Catalog</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../incubator/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">JDO/DataNucleus</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../pjdo/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Legacy Catalog</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../legacy/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Reference Guide</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../refguide/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Release Notes</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../relnotes/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Restful Objects Viewer</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../vro/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component is-current">
	<span class="title">Security Guide</span>
	<ul class="versions">
	<li class="version is-current is-latest">
	<a href="about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Setup Guide</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../setupguide/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Subdomains Catalog</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../subdomains/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Testing Guide</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../testing/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">User Guide</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../userguide/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Value Types Catalog</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../valuetypes/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	<li class="component">
	<span class="title">Wicket Viewer</span>
	<ul class="versions">
	<li class="version is-latest">
	<a href="../../vw/2.0.0-M3/about.html">2.0.0-M3</a>
	</li>
	</ul>
	</li>
	</ul>
	</div>
	</div>
	</aside>
	</div>
	<main role="main">
	<div class="toolbar" role="navigation">
	<button class="nav-toggle"></button>
	<a href="../../docs/2.0.0-M3/about.html" class="home-link"></a>
	<nav class="breadcrumbs" aria-label="breadcrumbs">
	<ul>
	<li><a href="about.html">Security Guide</a></li>
	<li>Extensions</li>
	<li><a href="about.html">Secman</a></li>
	</ul>
	</nav>
	<div class="edit-this-page"><a href="https://github.com/apache/isis/edit/2.0.0-M3/security/adoc/modules/ROOT/pages/about.adoc">Edit</a></div>
	</div>
	<article class="doc">
	<a name="section-top"></a>
	<h1 class="page">Security</h1>
	<div id="preamble">
	<div class="sectionbody">
	<div class="admonitionblock warning">
	<table>
	<tr>
	<td class="icon">
	<i class="fa icon-warning" title="Warning"></i>
	</td>
	<td class="content">
	TODO: this content has not yet been reviewed/updated for v2.0
	</td>
	</tr>
	</table>
	</div>
	<div class="paragraph">
	<p>This guide describes the authentication and authorization features available to secure your Apache Isis application.</p>
	</div>
	</div>
	</div>
	<div class="sect1">
	<h2 id="terminology"><a class="anchor" href="#terminology"></a>Terminology</h2>
	<div class="sectionbody">
	<div class="paragraph">
	<p>Apache Isis has built-in support for authentication and authorization:</p>
	</div>
	<div class="ulist">
	<ul>
	<li>
	<p>By "authentication" we mean logging into the application using some credentials, typically a username and password.
	Authentication also means looking up the set of roles to which a user belongs.</p>
	</li>
	<li>
	<p>By "authorization" we mean permissions: granting roles to have access to features (object member) of the app.</p>
	</li>
	</ul>
	</div>
	<div class="paragraph">
	<p>Apache Isis has two levels of permissions.
	<em>Read</em> permission means that the user can view the object member; it will be rendered in the UI. An action with only read permission will be shown disabled ("greyed out".
	<em>Write</em> permission means that the object member can be changed. For actions this means that they can be invoked.</p>
	</div>
	<div class="paragraph">
	<p>The framework provides an API for both authentication and authorization, and provides an implementation that integrates with <a href="http://shiro.apache.org">Apache Shiro</a>.
	Shiro in turn uses the concept of a <em>realm</em> as a source for both authentication and optionally authorization.</p>
	</div>
	<div class="paragraph">
	<p>Shiro ships with a simple text-based realm — the <code>IniRealm</code> — which reads users (and password), user roles and role permissions from the <code>WEB-INF/shiro.ini</code> file.
	The <a href="../../docs/2.0.0-M3/starters/helloworld.html" class="page">HelloWorld</a> and <a href="../../docs/2.0.0-M3/starters/simpleapp.html" class="page">SimpleApp</a> starter apps are both configured to use this realm.</p>
	</div>
	<div class="paragraph">
	<p>Shiro also ships with an implementation of an LDAP-based realm; LDAP is often used to manage user/passwords and corresponding user groups.
	Apache Isis in turn extends this with its <code>IsisLdapRealm</code>, which provides more flexibility for both group/role and role/permissions management.</p>
	</div>
	<div class="paragraph">
	<p>In addition, the <a href="about.html" class="page">SecMan extension</a> provides an implementation of the Shiro <code>Realm</code> API.
	This extension also represents users, roles and permissions as domain objects, allowing them to be administered through Apache Isis itself.
	Moreover, it can also optionally delegate password management to a subsidiary (delegate) realm (usually LDAP as discussed above).</p>
	</div>
	<div class="paragraph">
	<p>In addition to Apache Isis' Shiro-based implementation of its authentication and authorization APIs, Isis also provides a "bypass" implementation, useful for quick-n-dirty prototyping when you want to in effect disable (bypass) security completely.</p>
	</div>
	<div class="admonitionblock note">
	<table>
	<tr>
	<td class="icon">
	<i class="fa icon-note" title="Note"></i>
	</td>
	<td class="content">
	<div class="title">What about auditing?</div>
	<div class="paragraph">
	<p>A further aspect of security is auditing: recording what data was modified by which user.</p>
	</div>
	<div class="paragraph">
	<p>Apache Isis provides the <a href="../../refguide/2.0.0-M3/applib-svc/InteractionContext.html" class="page"><code>InteractionContext</code></a>
	can be used to track the actions being invoked, and the <a href="../../refguide/2.0.0-M3/applib-svc/AuditerService.html" class="page"><code>AuditerService</code></a>
	captures what data was modified as a result (auditing).
	When <code>Interaction</code>s are persisted (eg by way of the <a href="../../mappings/2.0.0-M3/outbox-publisher/about.html" class="page">Outbox Publisher</a> mapping module) then this provides excellent
	traceability.
	The <a href="audit-trail/about.html" class="page">Auditer</a> module provides an implementation of the <code>AuditerService</code>.</p>
	</div>
	<div class="paragraph">
	<p>For <a href="../../refguide/2.0.0-M3/applib-svc/CommandService.html" class="page"><code>CommandService</code></a> can be also be used to capture actions, for example using the <a href="../../extensions/2.0.0-M3/command-log/about.html" class="page">Command Log</a> extension.</p>
	</div>
	</td>
	</tr>
	</table>
	</div>
	</div>
	</div>
	</article>
	<aside class="article-aside toc" role="navigation">
	<p class="toc-title">On this page</p>
	<div id="article-toc"></div>
	</aside>
	</main>
	</div>
	<footer class="footer">
	<div class="content">
	<div class="copyright">
	<p>
	Copyright © 2010~2020 The Apache Software Foundation, licensed under the Apache License, v2.0.
	<br/>
	Apache, the Apache feather logo, Apache Isis, and the Apache Isis project logo are all trademarks of The Apache Software Foundation.
	</p>
	</div>
	<div class="revision">
	<p>Revision: SNAPSHOT</p>
	</div>
	</div>
	</footer>
	<script src="../../_/js/site.js"></script>
	<script async src="../../_/js/vendor/highlight.js"></script>
	<script src="../../_/js/vendor/jquery-3.4.1.min.js"></script>
	<script src="../../_/js/vendor/jquery-ui-1.12.1.custom.widget-only.min.js"></script>
	<script src="../../_/js/vendor/jquery.tocify.min.js"></script>

	<script>
	$(function() {
	$("#article-toc").tocify( {
	showEffect: "slideDown",
	hashGenerator: "pretty",
	hideEffect: "slideUp",
	selectors: "h2, h3",
	scrollTo: 120,
	smoothScroll: true,
	theme: "jqueryui",
	highlightOnScroll: true
	} );
	});
	</script>
	</body>
	</html>