[Question] Apache Shiro for Javascript #1043

Closed
1 task done
uahic opened this issue Aug 24, 2023 · 4 comments


uahic commented Aug 24, 2023

Search before asking

  • I had searched in the issues and found no similar issues.

Question

Hi there,

I will work on a project where we consider using Apache Jena along with Shiro + Fuseki. Our main UI, however, will be developed in React.js or Angular and I'd like to ask if Shiro is the right tool in this regard as it seems to be made only for Java applications. Of course, I could replicate the API with some HTTP Server (maybe written with Spring) and pass a token to the frontend user. But I would like not to, as I'm not a security engineer. The UI will definitely be a SPA and not managed by Shiro or Spring.

Would love to hear your opinions on this.

Thank you very much

@uahic uahic added the question label Aug 24, 2023
Contributor

lprimak commented Aug 27, 2023

As far as I know, in the React world (which changes every day) the "standard" way to do auth is to pay for something like Okta or Auth0 (now also Okta). The JavaScript / TypeScript world is too complicated and too fluid, and thus there are 1000s of startups and SaaS services that are trying to provide products to make applications work in that world.

However, I am no React expert by any means, and avoid JavaScript altogether in favor of Jakarta EE / Jakarta Faces w/Shiro. Currently, there is something like htmx that's gaining popularity, which is basically Jakarta Faces that's trying to be rewritten in TypeScript / Node.

IMHO Jakarta EE / MicroProfile / Jakarta Faces have more features and are more stable and much simpler than anything in the JavaScript world.

Author

uahic commented Aug 29, 2023

The project I'm working on is a publicly funded one (with no funding for paying other companies, so we need to rely on open source with nice licenses).

Jakarta EE is not an option for us (starting with the fact that I won't find students who want to work for us and use Java in frontend development), although I understand the points you make clearly. I'm personally not primarily a web dev but have tons of experience with Angular, then also some with React and some with pure JS, Python frameworks (no typing => pain) and so on.

Has someone in the community developed a general JavaScript API for authentication with the Fuseki Server based on REST (or websockets) yet? That is actually the core of my question :)

thanks!

Contributor

lprimak commented Aug 30, 2023

I am not familiar with "Fuseki Server" but I would try to ask that community as well.

> (starting with the fact that I won't find students who want to work for us and use Java in frontend development)

I have to push back on that. There are plenty of students that are interested and will do that.

Member

bdemers commented Sep 1, 2023

There is an older Angular library listed in the "Ports" section of the Shiro site.
https://shiro.apache.org/integration.html#ports
It could be used as a starting point.

That said, using permissions on the frontend is mostly about user experience; you still need to protect any backend resources (e.g. the backend can tell the frontend what capabilities the user has, and the frontend could disable them, but this doesn't prevent an attacker from accessing those resources).

@bdemers bdemers closed this as completed Sep 1, 2023
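
The split described in the last comment, as an added example (not part of the thread and not Apache Shiro code): the backend exposes a capability list the SPA can use to disable controls, and separately enforces the same permission on every request. The permission matcher is a simplified re-implementation modeled on Shiro's wildcard permission strings; the users, routes and permission names are constructed for illustration.

```javascript
// Added example: Shiro-style wildcard permission strings ("domain:action:instance").
// Simplified re-implementation for illustration; not Apache Shiro code.
const parse = (p) => p.toLowerCase().split(":").map((part) => new Set(part.split(",")));

// True when the granted permission covers the requested one.
function implies(granted, requested) {
  const g = parse(granted);
  const r = parse(requested);
  for (let i = 0; i < r.length; i++) {
    if (i >= g.length) return true; // a shorter grant covers all deeper parts
    if (g[i].has("*")) continue;
    for (const sub of r[i]) if (!g[i].has(sub)) return false;
  }
  // Extra granted parts must all be wildcards to cover a shorter request.
  return g.slice(r.length).every((part) => part.has("*"));
}

const isPermitted = (user, perm) => user.permissions.some((g) => implies(g, perm));

// Constructed sample data: users, route table and permission names are hypothetical.
const USERS = {
  alice: { permissions: ["dataset:read,update"] },
  bob: { permissions: ["dataset:read:public"] },
};
const ROUTES = {
  "GET /dataset/public": "dataset:read:public",
  "GET /dataset/internal": "dataset:read:internal",
  "POST /dataset/internal": "dataset:update:internal",
};

// Backend: list the SPA may fetch to decide which controls to enable (UX only).
function capabilities(userName) {
  const user = USERS[userName];
  if (!user) return [];
  return Object.keys(ROUTES).filter((r) => isPermitted(user, ROUTES[r]));
}

// Backend: the enforcement point, run on every request regardless of what
// the frontend displayed. Unknown users and unmapped routes are denied.
function handle(userName, route) {
  const user = USERS[userName];
  const needed = ROUTES[route];
  if (!user) return { status: 401 };
  if (!needed || !isPermitted(user, needed)) return { status: 403 };
  return { status: 200 };
}
```

A request for a route that `capabilities()` did not list still reaches `handle()`, which is where it is refused.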