Evaluating Migrating from Nimble Security plugin to Spring Security plugin

virtualdogbert
My company is using the Nimble plugin for security and for the time being it works well enough, but since it's not being maintained and hasn't been for quite a while, I've been tasked with evaluating the migration to Spring Security, staying put and enhancing, or going to vanilla Shiro. Now my timeline for the migration is about a month, but that is going to include adding new security-based features. I've done some initial investigation and I have some concerns that I will list out below. If you have any suggestions, clarifications, can fill in any gaps in my knowledge, point me to a resource that I haven't found yet, or just quell some of my concerns, I welcome the comments.

Concerns:
If I migrate to Spring Security I'm pretty sure I can't migrate passwords, so I think I'm going to have to reset them and have all the users reset their passwords.

Another concern is migrating permissions; if I go the Spring Security route I'm sure it's not going to be the same. Any insight on the possible migration of permissions?

If I go the vanilla Shiro route it looks like I would just lose some of the UI and have to do a bunch of config changes. If I decided to stay in the Shiro realm, it might make sense to just upgrade the Shiro version under Nimble?

If I stick with Nimble (which we have a slightly modified version running), from the one post I've found and from a test run I did, it doesn't look like it works with Grails 2.0. This might be a topic for a whole other post, but what might be involved in migrating that to work with 2.0? When I did my test run upgrade to Grails 2.0 it didn't even see the Nimble plugin.

Anything I missed that I should be concerned about going in any direction?
Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

virtualdogbert
To answer part of my own question: with further investigation of both Nimble and Spring Security, I can configure the password scheme to match and not have to worry about migration.
Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

SN
In reply to this post by virtualdogbert


We have upgraded nimble to upgrade the underlying shiro, https://github.com/snimavat/nimble 


   
Sudhir 
 


From: virtualdogbert <[hidden email]>
To: [hidden email]
Sent: Wednesday, 25 January 2012 8:30 PM
Subject: [grails-user] Evaluating Migrating from Nimble Security plugin to Spring Security plugin


--
View this message in context: http://grails.1312388.n4.nabble.com/Evaluating-Migrating-from-Nimble-Security-plugin-to-Spring-Security-plugin-tp4327470p4327470.html
Sent from the Grails - user mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email




Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

Les Hazlewood
Is the Nimble plugin something the Grails community wants
professionally developed and supported?  If there is enough interest,
Katasoft (the primary commercial supporter of Apache Shiro) might be
interested in taking this on...

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Thu, Jan 26, 2012 at 12:38 AM, [hidden email]
<[hidden email]> wrote:

>
>
> We have upgraded nimble to upgrade the underlying shiro,
> https://github.com/snimavat/nimble
>
>
>
> Sudhir
>

Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

burtbeckwith
Nimble is rather opinionated and aims to be more than just a Shiro UI, but I'd think that a solid UI for Shiro based on the work done for Nimble would be useful.

Burt

On Thursday, January 26, 2012 02:32:20 PM Les Hazlewood wrote:

> Is the Nimble plugin something the Grails community wants
> professionally developed and supported?  If there is enough interest,
> Katasoft (the primary commercial supporter of Apache Shiro) might be
> interested in taking this on...

Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

olivertynes
To reply to the earlier question:

Without knowing anything of how Shiro / Nimble encodes passwords, I'd
just like to point out that you can replicate whatever password
encoding you'd like and swap out the default encoders in Spring
Security, so there is no absolute need for users to reset their
password.

(Of course, from a security point of view you should do it anyways and
start using bcrypt ;) )

-Oliver

On Fri, Jan 27, 2012 at 2:04 AM, Burt Beckwith <[hidden email]> wrote:

> Nimble is rather opinionated and aims to be more than just a Shiro UI, but I'd think that a solid UI for Shiro based on the work done for Nimble would be useful.
>
> Burt



--
*****
Oliver Tynes
Developer
Uni CIPR -- www.cipr.uni.no
55588266
*****
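
Oliver's two points combined, as an added example that is not from the thread or from either plugin: a Spring Security `PasswordEncoder` that still verifies migrated hashes and marks them for re-hashing with bcrypt. It assumes the `spring-security-crypto` `PasswordEncoder` interface of current Spring Security (5.1 or later, for `upgradeEncoding`) and, since the thread never says how Nimble stores passwords, unsalted hex SHA-256 as the legacy scheme; the class name is hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not code from the thread or from either plugin.
// ASSUMPTION: legacy hashes are unsalted, hex-encoded SHA-256. The thread does
// not say what Nimble stores; put the real scheme in legacyMatches().
public class MigratingPasswordEncoder implements PasswordEncoder {

    private static final String BCRYPT_PREFIX = "$2"; // $2a$, $2b$, $2y$
    private final PasswordEncoder bcrypt = new BCryptPasswordEncoder(12);

    // New and changed passwords are always stored as bcrypt.
    @Override
    public String encode(CharSequence rawPassword) {
        return bcrypt.encode(rawPassword);
    }

    // Pick the verifier from the stored format; a hex digest never starts with '$'.
    @Override
    public boolean matches(CharSequence rawPassword, String stored) {
        if (rawPassword == null || stored == null || stored.isEmpty()) {
            return false;
        }
        if (stored.startsWith(BCRYPT_PREFIX)) {
            return bcrypt.matches(rawPassword, stored);
        }
        return legacyMatches(rawPassword, stored);
    }

    // True for any stored value that is still in the legacy format.
    @Override
    public boolean upgradeEncoding(String stored) {
        return stored != null && !stored.isEmpty()
                && !stored.startsWith(BCRYPT_PREFIX);
    }

    private static boolean legacyMatches(CharSequence raw, String storedHex) {
        byte[] expected = storedHex.toLowerCase(Locale.ROOT)
                .getBytes(StandardCharsets.US_ASCII);
        byte[] actual = sha256Hex(raw).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time compare
    }

    static String sha256Hex(CharSequence raw) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(raw.toString().getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on every JVM", e);
        }
    }

    public static void main(String[] args) {
        MigratingPasswordEncoder encoder = new MigratingPasswordEncoder();
        String password = "constructed-sample-password"; // constructed sample input
        String legacyRow = sha256Hex(password);           // value as it was migrated

        System.out.println("legacy hash verifies:  " + encoder.matches(password, legacyRow));
        System.out.println("wrong password fails:  " + !encoder.matches("wrong", legacyRow));
        System.out.println("legacy needs upgrade:  " + encoder.upgradeEncoding(legacyRow));

        // What the login path stores after a successful legacy match.
        String upgraded = encoder.encode(password);
        System.out.println("bcrypt hash verifies:  " + encoder.matches(password, upgraded));
        System.out.println("bcrypt needs upgrade:  " + encoder.upgradeEncoding(upgraded));
    }
}
```

In Spring Security 5.1 and later, `DaoAuthenticationProvider` consults `upgradeEncoding()` after a successful login and, when a `UserDetailsPasswordService` is configured, passes it the re-encoded password to persist, so accounts move to bcrypt as users sign in rather than through a forced reset.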


Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

virtualdogbert
Yeah, after a bit more research I came to that same conclusion. So my real concern, if I decide to migrate to Spring Security, becomes how I'm going to migrate permissioning, and just figuring out any other possible pitfalls that I might run into.

I hear your point on bcrypt, which is a future battle I will have to have with management, but our db itself is encrypted, so it's not as immediate a concern as it could be.
Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

Jean Barmash 1
In reply to this post by Les Hazlewood
Les,

IMO the nimble plugin is quite excellent, and we spent a bunch of time customizing it for our needs.

I know at one point we would have appreciated if it was professionally supported (and even tried to hire the nimble author to do some customizations for us), but then ended up doing it ourselves.

While it has some issues, I think overall it works quite well and is well conceived and executed.

Thanks,

Jean

On Thu, Jan 26, 2012 at 5:32 PM, Les Hazlewood <[hidden email]> wrote:
Is the Nimble plugin something the Grails community wants
professionally developed and supported?  If there is enough interest,
Katasoft (the primary commercial supporter of Apache Shiro) might be
interested in taking this on...


Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

virtualdogbert
In reply to this post by Les Hazlewood
It would be nice to have a Shiro UI that is known to be maintained. I saw another Shiro UI plugin, http://grails.org/plugin/shiro-ui, but that considers itself beta and hasn't been touched in 5 months. Beyond the UI there are a couple of features that would be nice if Shiro had, which would make it a more attractive alternative to Spring Security in my eyes:

1. Annotations for both controller actions and any methods. This would be just to facilitate a separation of concerns between business logic and security code. While I know we can use filters, that only covers the controller action part of the equation. With these annotations I think it would be nice to have two parameters, a closure for the security check (i.e. hasPermission, hasRole, etc.) and another optional closure to handle exception cases. In Spring Security, while RTFM, it looks like they have events to take care of the optional exception case, which is another way to go.

2. An overridable configuration that handles the hashing/encrypting of passwords, because from what I've seen of Shiro thus far I would have to do that when I create/save/update a user. This would mean that there would be a good default in place, so that generally I wouldn't have to think about it, but I wouldn't be limited to the default.

So just a couple of thoughts based on my current evolving understanding. So now it's back to evaluating: do I go Shiro, and probably do some form of what I proposed, or go Spring Security, and deal with its rigidity, that I've been recently made more aware of.
Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

basejump (Josh)
1. Don't Shiro's annotations work for you? http://shiro.apache.org/java-annotations-list.html
You can always do what Burt did with his Spring Security plugin (see the AOP code for example) and build your own based on Shiro's if it doesn't do what you want.

2. Not sure what you mean by this. The hashing and encrypting in Shiro is very easy and flexible.

"It would be nice to have a Shiro UI that is known to be maintained. ..http://grails.org/plugin/shiro-ui considers itself beta and hasn't been touched in 5 months"
-> You can always grab the source and jump in to help out. 5 months is not a long time. Have you tried it out yet?


On Feb 2, 2012, at 10:52 AM, virtualdogbert wrote:


--
View this message in context: http://grails.1312388.n4.nabble.com/Evaluating-Migrating-from-Nimble-Security-plugin-to-Spring-Security-plugin-tp4327470p4352052.html
Sent from the Grails - user mailing list archive at Nabble.com.


Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

virtualdogbert
1. Ah, my bad for not digging deeper. Although they are not enabled in the plugin, and from other posts I saw it looks like the plugin discourages their use. Yes, I could implement my own on top, but then I'm going down a similar road as Nimble.

2. I wasn't really talking about Shiro, but more the Shiro plugin. In my opinion it's nice when a plugin implements good defaults that you can override. For example, the plugin could do a SHA-256 of passwords by default, but then let you override it and do whatever you want.

The comment about the Shiro UI was more in the context of what Les and Burt were talking about. Definitely encouraging someone getting behind maintaining the plugins for Shiro/UI. From the perspective of someone looking to move off Nimble (unmaintained) to either the Shiro or Spring Security plugin, prior to talking to Burt, Spring Security looks to have the community, and is actively supported and maintained, whereas the Shiro plugins have a smaller portion of the community and haven't seen an update in months (11 for the main and 5 for the UI). With all that in mind Spring Security seems like a better choice, but now knowing that Spring Security can be harder to extend makes Shiro look better.

In the end, because of other context that I won't bore you with, I'm probably still going to go with Spring Security. However, I wouldn't mind seeing the Shiro plugin become more competitive with the Spring Security plugin.


Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

SN
In reply to this post by Les Hazlewood
@Les Hazlewood : +1 for maintaining nimble,
Currently we are using it, it's a nice plugin, though there are some bugs that we have to fix, it works great for us, I think there are other developers as well who use it.

It's a nice plugin but soon it will be completely dead I guess; it uses old Shiro, old jQuery (that too using its own jQuery provider rather than depending on the jquery plugin). Apart from Shiro, Nimble supports Facebook auth, Twitter and OpenID, but its Facebook support is based on the legacy Facebook API.

Re: Evaluating Migrating from Nimble Security plugin to Spring Security plugin

buffonomics
In reply to this post by virtualdogbert
+1 for nimble :)