Intro to Apache Shiro

Apache Shiro, a simple, easy-to-use framework for application security, presented by Shiro PMC Chair and Stormpath CTO Les Hazlewood.
http://shiro.apache.org
http://stormpath.com

  • If this is interesting to you please contact me after this presentation or view email because we are looking for people to test our product and give us feedback.
  • In order to better support your cloud-based application we are building a cloud version of the product where we manage back-ups, upgrades, support, and server level hassles for security and you just have to use it.

1. Simple Application Security
   Les Hazlewood, Apache Shiro Project Chair; CTO, Stormpath

2. What is Apache Shiro?
   • Application security framework
   • ASF Top-Level Project: http://shiro.apache.org
   • Quick and easy
   • Simplifies security concepts and design

3. Agenda
   • Authentication
   • Authorization
   • Session Management
   • Cryptography
   • Web Support
   • Auxiliary Features

4. Quick Terminology
   • Subject – security-specific user ‘view’
   • Principals – a Subject’s identifying attributes
   • Credentials – secret values that verify identity
   • Realm – security-specific DAO
5. Authentication

6. Authentication Defined
   Identity verification: proving a user is who he says he is.

7. Shiro Authentication Features
   • Subject-based (current user)
   • Single method call
   • Rich exception hierarchy
   • ‘Remember Me’ built in
   • Event listeners

8. How to Authenticate with Shiro
   Steps:
   1. Collect principals & credentials
   2. Submit to the authentication system
   3. Allow, retry, or block access

9. Step 1: Collecting Principals & Credentials

       UsernamePasswordToken token = new UsernamePasswordToken(username, password);
       // "Remember Me" built-in:
       token.setRememberMe(true);

10. Step 2: Submission

       Subject currentUser = SecurityUtils.getSubject();
       currentUser.login(token);

11. Step 3: Grant Access or Handle Failure

       try {
           currentUser.login(token);
       } catch (UnknownAccountException uae) {
           ...
       } catch (IncorrectCredentialsException ice) {
           ...
       } catch (LockedAccountException lae) {
           ...
       } catch (ExcessiveAttemptsException eae) {
           ...
       // ... catch your own AuthenticationException subclasses here ...
       } catch (AuthenticationException ae) {
           // unexpected error?
       }
       // No problems, show the authenticated view...

   The specific exceptions all extend AuthenticationException, so the catch-all must stay last or the Java compiler rejects the unreachable catch blocks.
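Added worked example (not part of the deck or of the Shiro project's own code): the three steps above as one runnable class. It bootstraps a SecurityManager from an in-memory IniRealm so it runs outside a web container, and maps each exception to the allow/retry/block outcome of slide 8. The account names, passwords and the bootstrap/attemptLogin helpers are constructed for this example; package names assume the Shiro 1.x line.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class LoginDemo {

    // Bootstraps a SecurityManager backed by a single in-memory IniRealm.
    // The accounts are constructed for this example; a real deployment would
    // use a JDBC/LDAP realm and hashed credentials, never plaintext like this.
    static void bootstrap() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        users.put("jsmith", "correct-horse-battery, administrator"); // password, role...
        users.put("bkent", "letmein, teller");
        IniRealm realm = new IniRealm(ini);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
    }

    // Steps 1-3 from the slides. Returns one of ALLOW / RETRY / BLOCK / ERROR
    // so the caller can branch without knowing the exception hierarchy.
    static String attemptLogin(String username, char[] password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            return "ALLOW";
        } catch (UnknownAccountException uae) {
            // No such account. Log the distinction server-side, but show the user
            // the same message as for a bad password to avoid username enumeration.
            return "RETRY";
        } catch (IncorrectCredentialsException ice) {
            return "RETRY";
        } catch (LockedAccountException lae) {
            return "BLOCK";
        } catch (ExcessiveAttemptsException eae) {
            return "BLOCK";
        } catch (AuthenticationException ae) {
            // Anything else (realm unreachable, misconfiguration, ...): fail closed.
            return "ERROR";
        } finally {
            token.clear(); // zero the password array once the attempt is over
        }
    }

    public static void main(String[] args) {
        bootstrap();
        System.out.println("wrong password : " + attemptLogin("jsmith", "wrong".toCharArray()));
        System.out.println("unknown account: " + attemptLogin("nobody", "x".toCharArray()));
        System.out.println("correct        : " + attemptLogin("jsmith", "correct-horse-battery".toCharArray()));
        System.out.println("authenticated? : " + SecurityUtils.getSubject().isAuthenticated());
    }
}
```

Run it with shiro-core (and slf4j) on the classpath. The failed attempts leave the Subject unauthenticated; only the last call flips isAuthenticated() to true. The example's realm stores plaintext passwords purely to keep the bootstrap short; the hashing example later in this deck shows what a production realm should compare against.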
12-16. How does it work? (built up over five slides)

       Subject.login(token)
           → SecurityManager
               → Authenticator (applies an AuthenticationStrategy across the realms)
                   → Realm 1, Realm 2, … Realm N
17. Authorization

18. Authorization Defined
   The process of determining “who can do what”, a.k.a. access control.
   Elements of authorization:
   • Permissions
   • Roles
   • Users

19. Permissions Defined
   • Most atomic security element
   • Describes resource types and their behavior
   • The “what” of an application
   • Does not define “who”
   • AKA “rights”

20. Roles Defined
   • Implicit or explicit construct
   • Implicit: name only
   • Explicit: a named collection of Permissions
     – allows behavior aggregation
     – enables dynamic (runtime) alteration of user abilities

21. Users Defined
   • The “who” of the application
   • What each user can do is defined by their association with Roles or Permissions
   Example: a user’s roles imply PrinterPermission

22. Authorization Features
   • Subject-centric (current user)
   • Checks based on roles or permissions
   • Powerful out-of-the-box WildcardPermission
   • Any data model – Realms decide

23. How to Authorize with Shiro
   Multiple means of checking access control:
   • Programmatically
   • JDK 1.5 annotations & AOP
   • JSP/GSP/JSF* TagLibs (web support)

24. Programmatic Authorization: Role Check

       // get the current Subject
       Subject currentUser = SecurityUtils.getSubject();
       if (currentUser.hasRole("administrator")) {
           // show the 'delete user' button
       } else {
           // don't show the button?
       }

25. Programmatic Authorization: Permission Check

       Subject currentUser = SecurityUtils.getSubject();
       // UserPermission is an application-defined Permission implementation
       Permission deleteUser = new UserPermission("jsmith", "delete");
       if (currentUser.isPermitted(deleteUser)) {
           // show the 'delete user' button
       } else {
           // don't show the button?
       }

26. Programmatic Authorization: Permission Check (String-based)

       String perm = "user:delete:jsmith";
       if (currentUser.isPermitted(perm)) {
           // show the 'delete user' button
       } else {
           // don't show the button?
       }

   Hiding a button is a UX nicety, not enforcement: the server-side action must run the same check (for example currentUser.checkPermission(perm), which throws AuthorizationException), or the control is bypassed by crafting the request directly.

27. Annotation Authorization: Role Check

       @RequiresRoles("teller")
       public void openAccount(Account a) {
           // do something in here that
           // only a 'teller' should do
       }

28. Annotation Authorization: Permission Check

       @RequiresPermissions("account:create")
       public void openAccount(Account a) {
           // create the account
       }

   The annotations are enforced by an AOP interceptor (Spring, AspectJ, Guice), so they apply only to calls that go through the proxy; a direct call on the underlying object, or a call from another method of the same class, skips the check.
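Added worked example (not from the deck or the Shiro project): the WildcardPermission matching that slides 22 and 24-26 rely on. Subject.isPermitted(String) ends up asking each permission a Realm granted whether it implies the requested one, so the question of what a granted string covers is where over-broad grants creep in. The covers helper and the table of cases are constructed for this example; WildcardPermission and Permission are Shiro's own classes.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class WildcardPermissionDemo {

    // Does a permission string a Realm granted cover the permission a caller
    // is checking? This is the implies() call Shiro makes for every permission
    // assigned to the Subject when isPermitted()/checkPermission() run.
    static boolean covers(String granted, String requested) {
        Permission g = new WildcardPermission(granted);
        Permission r = new WildcardPermission(requested);
        return g.implies(r);
    }

    public static void main(String[] args) {
        // {granted, requested} pairs, constructed for this example
        String[][] cases = {
            {"user:delete:jsmith", "user:delete:jsmith"}, // exact match
            {"user:*",             "user:delete:jsmith"}, // wildcard in the action part
            {"user:delete",        "user:delete:jsmith"}, // a shorter grant implies every longer request
            {"user:delete:jsmith", "user:delete"},        // a longer grant does not imply the shorter request
            {"user:read,delete",   "user:delete:jsmith"}, // comma lists are sets of sub-parts
            {"user:*:jsmith",      "user:delete"},        // trailing non-wildcard part blocks the shorter request
            {"USER:DELETE",        "user:delete:jsmith"}, // case-insensitive by default
            {"*",                  "user:delete:jsmith"}, // the all-permission
            {"user:delete:jsmith", "user:delete:bkent"},  // different instance
        };
        for (String[] c : cases) {
            System.out.printf("%-22s implies %-22s -> %b%n", c[0], c[1], covers(c[0], c[1]));
        }
    }
}
```

The asymmetry in the third and fourth rows is the one to remember: granting "user:delete" covers deleting every user, while granting "user:delete:jsmith" does not cover a bare "user:delete" check. Grant the most specific string that expresses the intent, and check the most specific string the action really needs.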
29. Enterprise Session Management

30. Session Management Defined
   Managing the lifecycle of Subject-specific temporal data context.

31. Session Management Features
   • Heterogeneous client access
   • POJO/J2SE based (IoC friendly)
   • Event listeners
   • Host address retention
   • Inactivity/expiration support (touch())
   • Transparent web use – HttpSession
   • Container-independent clustering!

32. Acquiring and Creating Sessions

       Subject currentUser = SecurityUtils.getSubject();
       // guarantee a session (creates one if none exists)
       Session session = currentUser.getSession();
       // get a session only if it already exists; null otherwise
       Session existing = currentUser.getSession(false);

33. Session API

       getStartTimestamp()
       getLastAccessTime()
       getAttribute(key)
       setAttribute(key, value)
       get/setTimeout(long)
       touch()
       ...
34. Cryptography

35. Cryptography Defined
   Protecting information from undesired access by hiding it or converting it into nonsense.
   Elements of cryptography:
   • Ciphers
   • Hashes

36. Ciphers Defined
   Encrypting and decrypting data based on shared or public/private keys.
   • Symmetric cipher – same key
     – Block cipher – chunks of bits
     – Stream cipher – stream of bits
   • Asymmetric cipher – different keys

37. Hashes Defined
   A one-way, irreversible conversion of an input source (a.k.a. message digest).
   Used for:
   • Credentials transformation, checksums
   • Data with an underlying byte array: files, streams, etc.

38. Cryptography Features
   Simplicity:
   • Interface-driven, POJO based
   • Simplified wrapper over the JCE infrastructure
   • “Object orientifies” cryptography concepts
   • Easier-to-understand API

39. Cipher Features
   • OO hierarchy: JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc.
   • Just instantiate a class – no “transformation string”/factory methods
   • More secure default settings than the JDK! Cipher modes, initialization vectors, et al.

40. Example: Plaintext (image courtesy Wikipedia)

41. Example: ECB Mode (JDK Default!) (image courtesy Wikipedia)
   Cipher.getInstance("AES") with no mode or padding named resolves to AES/ECB/PKCS5Padding. ECB encrypts equal plaintext blocks to equal ciphertext blocks, which is why the outline of the image survives encryption.

42. Example: Shiro Defaults (image courtesy Wikipedia)

43. Shiro’s CipherService Interface

       public interface CipherService {
           ByteSource encrypt(byte[] raw, byte[] key);
           void encrypt(InputStream in, OutputStream out, byte[] key);
           ByteSource decrypt(byte[] cipherText, byte[] key);
           void decrypt(InputStream in, OutputStream out, byte[] key);
       }
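Added worked example (not from the deck or the Shiro project): the ECB-versus-Shiro-defaults contrast of slides 39-42 reduced to 32 bytes. Two identical plaintext blocks are encrypted once with the JDK's default AES transformation and once with Shiro's AesCipherService; the helper methods report whether equal plaintext blocks produced equal ciphertext blocks and whether two encryptions of the same input differ. The class, its helpers and the PLAINTEXT constant are constructed for this example; package names assume the Shiro 1.x line, where AesCipherService defaults to CBC with PKCS5 padding and a random IV prepended to the output.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;

public class CipherDefaultsDemo {

    // Two identical 16-byte blocks: the smallest input that exposes ECB's pattern leak.
    static final byte[] PLAINTEXT =
        "0123456789ABCDEF0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);

    // JDK default: "AES" alone means AES/ECB/PKCS5Padding. With ECB the two equal
    // plaintext blocks become two equal ciphertext blocks.
    static boolean ecbLeaksBlockEquality(byte[] keyBytes) throws Exception {
        Cipher ecb = Cipher.getInstance("AES");
        ecb.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"));
        byte[] ct = ecb.doFinal(PLAINTEXT); // 48 bytes: 2 data blocks + 1 padding block
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    // Shiro default (1.x): CBC, PKCS5 padding, fresh random 16-byte IV per call, IV
    // prepended to the ciphertext. Equal blocks no longer match, and encrypting the
    // same plaintext twice under the same key yields two different outputs.
    static boolean shiroHidesBlockEquality(AesCipherService aes, byte[] keyBytes) {
        byte[] ct1 = aes.encrypt(PLAINTEXT, keyBytes).getBytes();
        byte[] ct2 = aes.encrypt(PLAINTEXT, keyBytes).getBytes();
        // skip the IV (first 16 bytes) and compare the first two ciphertext blocks
        boolean blocksEqual = Arrays.equals(Arrays.copyOfRange(ct1, 16, 32),
                                            Arrays.copyOfRange(ct1, 32, 48));
        return !blocksEqual && !Arrays.equals(ct1, ct2);
    }

    // Decryption finds the IV in the prefix, so only the key travels separately.
    static boolean roundTrips(AesCipherService aes, byte[] keyBytes) {
        ByteSource ct = aes.encrypt(PLAINTEXT, keyBytes);
        byte[] pt = aes.decrypt(ct.getBytes(), keyBytes).getBytes();
        return Arrays.equals(pt, PLAINTEXT);
    }

    public static void main(String[] args) throws Exception {
        AesCipherService aes = new AesCipherService();
        Key key = aes.generateNewKey();   // 128-bit AES key by default
        byte[] k = key.getEncoded();
        System.out.println("JDK ECB leaks equal blocks:       " + ecbLeaksBlockEquality(k));
        System.out.println("Shiro CBC+IV hides equal blocks:  " + shiroHidesBlockEquality(aes, k));
        System.out.println("Shiro encrypt/decrypt round trip: " + roundTrips(aes, k));
    }
}
```

One caveat the slides do not cover: CBC with a random IV hides patterns but does not authenticate the ciphertext, so anything decrypted from an untrusted source (a cookie, a request parameter) still needs a MAC over the ciphertext or an AEAD mode such as GCM, which later Shiro versions adopt as the AesCipherService default.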
44. Hash Features
   • Default interface implementations: MD5, SHA-1, SHA-256, et al. (MD5 and SHA-1 are collision-broken; use them only for checksums on data an attacker cannot choose, never for integrity or credentials)
   • Built-in Hex & Base64 conversion
   • Built-in support for salts and repeated hashing

45. Shiro’s Hash Interface

       public interface Hash {
           byte[] getBytes();
           String toHex();
           String toBase64();
       }

46. Intuitive OO Hash API

       // some examples:
       new Md5Hash("foo").toHex();
       // File MD5 hash value for a checksum:
       new Md5Hash(aFile).toHex();
       // store a password, but never the plaintext: salted, 1024 iterations
       new Sha512Hash(aPassword, salt, 1024).toBase64();
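Added worked example (not from the deck or the Shiro project): the last line of slide 46 carried through to both halves of a password check, registration and login. It stores a per-user random salt next to the iterated SHA-512 digest, recomputes the digest at login with the stored salt, and compares in constant time. The StoredCredential holder, the store/verify helpers and the ITERATIONS value are constructed for this example; Sha512Hash, SecureRandomNumberGenerator and Base64 are Shiro 1.x classes.

```java
import java.security.MessageDigest;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashDemo {

    // Iteration count chosen for this example; tune it so one hash costs tens of
    // milliseconds on your hardware, and store it alongside the digest if it may change.
    static final int ITERATIONS = 100_000;

    // What gets persisted per account: salt and digest, never the password.
    static final class StoredCredential {
        final String saltB64;
        final String hashB64;
        StoredCredential(String saltB64, String hashB64) {
            this.saltB64 = saltB64;
            this.hashB64 = hashB64;
        }
    }

    // Registration: fresh random salt per user, iterated SHA-512, Base64 for storage.
    static StoredCredential store(char[] password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        Sha512Hash hash = new Sha512Hash(password, salt, ITERATIONS);
        return new StoredCredential(salt.toBase64(), hash.toBase64());
    }

    // Login: recompute with the stored salt and compare without early exit.
    static boolean verify(char[] candidate, StoredCredential stored) {
        byte[] salt = Base64.decode(stored.saltB64);
        byte[] expected = Base64.decode(stored.hashB64);
        byte[] actual = new Sha512Hash(candidate, salt, ITERATIONS).getBytes();
        return MessageDigest.isEqual(expected, actual); // constant-time, unlike Arrays.equals
    }

    public static void main(String[] args) {
        StoredCredential a = store("correct-horse-battery".toCharArray());
        StoredCredential b = store("correct-horse-battery".toCharArray());
        System.out.println("same password, different salts, different digests: "
                + !a.hashB64.equals(b.hashB64));
        System.out.println("correct password verifies: "
                + verify("correct-horse-battery".toCharArray(), a));
        System.out.println("wrong password rejected:   "
                + !verify("Correct-horse-battery".toCharArray(), a));
    }
}
```

Inside a Shiro Realm this comparison is what HashedCredentialsMatcher performs for you when configured with the same algorithm, salt source and iteration count. Iterated SHA-512 was the deck's recommendation in 2011; where a memory-hard KDF (bcrypt, scrypt, Argon2) is available it is the better choice, with the same store/verify shape.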
47. Web Support

48. Web Support Features
   • Simple ShiroFilter web.xml definition
   • Protects all URLs
   • Innovative filtering (URL-specific chains)
   • JSP tag support
   • Transparent HttpSession support

49. web.xml

       <filter>
           <filter-name>ShiroFilter</filter-name>
           <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
       </filter>
       <filter-mapping>
           <filter-name>ShiroFilter</filter-name>
           <url-pattern>/*</url-pattern>
       </filter-mapping>

50. shiro.ini

       [main]
       ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
       ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
       ldapRealm.contextFactory.url = ldap://ldapHost:389
       securityManager.realm = $ldapRealm

       [urls]
       /images/** = anon
       /account/** = authc
       /rest/** = authcBasic
       /remoting/** = authc, roles[b2bClient], …

   Two things to check before copying this: [urls] entries are matched top to bottom and the first match wins, so specific paths must come before broader ones; and ldap:// on port 389 sends the bind credentials in the clear, so production should use ldaps:// (or StartTLS).

51. JSP TagLib Authorization

       <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
       <html>
       <body>
       <shiro:hasRole name="administrator">
           <a href="manageUsers.jsp">Click here to manage users</a>
       </shiro:hasRole>
       <shiro:lacksRole name="administrator">
           No user admin for you!
       </shiro:lacksRole>
       </body>
       </html>

52. JSP TagLibs

       <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
       <!-- Other tags: -->
       <shiro:guest/>
       <shiro:user/>
       <shiro:principal/>
       <shiro:hasRole/>
       <shiro:lacksRole/>
       <shiro:hasAnyRoles/>
       <shiro:hasPermission/>
       <shiro:lacksPermission/>
       <shiro:authenticated/>
       <shiro:notAuthenticated/>
53. Auxiliary Features

54. Auxiliary Features
   • Threading & concurrency: Callable/Runnable & Executor/ExecutorService
   • “Run As” support
   • Ad-hoc Subject instance creation
   • Unit testing
   • Remembered vs. Authenticated

55. Logging Out
   One method:

       // Logs the user out, relinquishes account data, and invalidates any Session
       SecurityUtils.getSubject().logout();

   App-specific log-out logic: run it before/after the call, or listen for Authentication or StoppedSession events.

56. Stormpath: Application Security Service
   Diagram: Application (Shiro + Stormpath Realm) ↔ REST API ↔ Stormpath (Authentication, Access Control)
   • Realms + plug-ins
   • REST API
   Out-of-the-box features:
   • Managed security data model
   • Secure credential storage
   • Flexible permissions
   • Password self-service GUI
   • Management GUI

57. Stormpath: Cloud Deployment
   Diagram labels: Public Cloud (Stormpath); Corporate Network (Applications, Firewall, Active Directory); REST; Outbound Directory Sync; OpenID/OAuth; SAML

58. Thank You!
   • les@stormpath.com
   • http://www.stormpath.com
   • Seeking engineering talent
   • Seeking product feedback
