Intro to Apache Shiro

Apache Shiro, a simple easy-to-use framework to enforce user security by Shiro PMC Chair and Stormpath CTO, Les Hazlewood.
http://shiro.apache.org
http://stormpath.com

Published in: Technology
  • If this is interesting to you, please contact me after this presentation or via email, because we are looking for people to test our product and give us feedback.
  • In order to better support your cloud-based application we are building a cloud version of the product where we manage back-ups, upgrades, support, and server level hassles for security and you just have to use it.
  • Transcript

    • 1. Simple Application Security – Les Hazlewood, Apache Shiro Project Chair, CTO, Stormpath
    • 2. What is Apache Shiro?
        • Application security framework
        • ASF TLP – http://shiro.apache.org
        • Quick and easy
        • Simplifies security concepts & design
    • 3. Agenda: Authentication, Authorization, Session Management, Cryptography, Web Support, Auxiliary Features
    • 4. Quick Terminology
        • Subject – security-specific user 'view'
        • Principals – the Subject's identifying attributes
        • Credentials – secret values that verify identity
        • Realm – security-specific DAO
    • 5. Authentication (section divider)
    • 6. Authentication Defined – Identity verification: proving a user is who he says he is
    • 7. Shiro Authentication Features
        • Subject-based (current user)
        • Single method call
        • Rich exception hierarchy
        • 'Remember Me' built in
        • Event listeners
    • 8. How to Authenticate with Shiro – Steps:
        1. Collect principals & credentials
        2. Submit to the authentication system
        3. Allow, retry, or block access
    • 9. Step 1: Collecting Principals & Credentials
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        // "Remember Me" built-in:
        token.setRememberMe(true);
    • 10. Step 2: Submission
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(token);
    • 11. Step 3: Grant Access or Handle Failure
        try {
            currentUser.login(token);
        } catch (UnknownAccountException uae) {
            ...
        } catch (IncorrectCredentialsException ice) {
            ...
        } catch (LockedAccountException lae) {
            ...
        } catch (ExcessiveAttemptsException eae) {
            ...
        // ... catch your own ...
        } catch (AuthenticationException ae) {
            // unexpected error?
        }
        // No problems, show authenticated view…
    • 12. How does it work? Subject.login(token)
    • 13. How does it work? Subject.login(token) → SecurityManager
    • 14. How does it work? Subject.login(token) → SecurityManager → Authenticator
    • 15. How does it work? Subject.login(token) → SecurityManager → Authenticator → Realm 1, Realm 2, … Realm N
    • 16. How does it work? Subject.login(token) → SecurityManager → Authenticator (using an AuthenticationStrategy) → Realm 1, Realm 2, … Realm N
    • 17. Authorization (section divider)
    • 18. Authorization Defined – The process of determining "who can do what", AKA access control. Elements of authorization:
        • Permissions
        • Roles
        • Users
    • 19. Permissions Defined
        • Most atomic security element
        • Describes resource types and their behavior
        • The "what" of an application
        • Does not define "who"
        • AKA "rights"
    • 20. Roles Defined
        • Implicit or explicit construct
        • Implicit: name only
        • Explicit: a named collection of Permissions; allows behavior aggregation and enables dynamic (runtime) alteration of user abilities
    • 21. Users Defined
        • The "who" of the application
        • What each user can do is defined by their association with Roles or Permissions
        • Example: a user's roles imply PrinterPermission
    • 22. Authorization Features
        • Subject-centric (current user)
        • Checks based on roles or permissions
        • Powerful out-of-the-box WildcardPermission
        • Any data model – Realms decide
    • 23. How to Authorize with Shiro – Multiple means of checking access control:
        • Programmatically
        • JDK 1.5 annotations & AOP
        • JSP/GSP/JSF* TagLibs (web support)
    • 24. Programmatic Authorization – Role Check
        // get the current Subject
        Subject currentUser = SecurityUtils.getSubject();
        if (currentUser.hasRole("administrator")) {
            // show the 'delete user' button
        } else {
            // don't show the button?
        }
    • 25. Programmatic Authorization – Permission Check
        Subject currentUser = SecurityUtils.getSubject();
        Permission deleteUser = new UserPermission("jsmith", "delete");
        if (currentUser.isPermitted(deleteUser)) {
            // show the 'delete user' button
        } else {
            // don't show the button?
        }
    • 26. Programmatic Authorization – Permission Check (String-based)
        String perm = "user:delete:jsmith";
        if (currentUser.isPermitted(perm)) {
            // show the 'delete user' button
        } else {
            // don't show the button?
        }
    • 27. Annotation Authorization – Role Check
        @RequiresRoles("teller")
        public void openAccount(Account a) {
            // do something in here that
            // only a 'teller' should do
        }
    • 28. Annotation Authorization – Permission Check
        @RequiresPermissions("account:create")
        public void openAccount(Account a) {
            // create the account
        }
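The three authentication steps (slides 8-11) and the role and permission checks (slides 22-26) end to end, as an added example that is not from the deck: it wires Shiro's built-in IniRealm from a constructed in-memory ini string so the login request takes the Subject → SecurityManager → Authenticator → Realm path of slides 12-16, and then shows what the WildcardPermission grants actually imply. Class name, sample user and permission strings are assumptions for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroAuthDemo {
    // Constructed sample data for Shiro's built-in IniRealm. Plaintext passwords are for the
    // demo only; a production realm stores salted hashes and uses a HashedCredentialsMatcher.
    private static final String INI =
            "[users]\n"
          + "jsmith = secret, teller\n"
          + "[roles]\n"
          + "teller = account:create, account:view:*\n";

    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.load(INI);
        return new IniSecurityManagerFactory(ini).getInstance();
    }
    // Steps 1-3 of slide 8; true only when a realm accepted the token.
    static boolean login(Subject subject, String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);  // Subject -> SecurityManager -> Authenticator -> Realm(s)
            return true;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            return false;          // one outcome for both, so callers cannot enumerate accounts
        } catch (AuthenticationException e) {
            return false;          // locked account, excessive attempts, or an unexpected error
        } finally {
            token.clear();         // drop the plaintext password from memory promptly
        }
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();
        boolean ok = login(currentUser, "jsmith", "secret");
        // Role check and WildcardPermission checks from slides 24-26:
        boolean teller = currentUser.hasRole("teller");
        boolean create = currentUser.isPermitted("account:create");      // granted to teller
        boolean view123 = currentUser.isPermitted("account:view:123");   // implied by account:view:*
        boolean delete = currentUser.isPermitted("account:delete");      // never granted
        System.out.printf("login=%b teller=%b create=%b view:123=%b delete=%b%n",
                ok, teller, create, view123, delete);
        currentUser.logout();  // slide 55: invalidates the session and clears identity
    }
}
```

Only shiro-core is needed on the classpath; in a web application the same Subject calls work unchanged behind the ShiroFilter of slide 49.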
    • 29. Enterprise Session Management (section divider)
    • 30. Session Management Defined – Managing the lifecycle of Subject-specific temporal data context
    • 31. Session Management Features
        • Heterogeneous client access
        • POJO/J2SE based (IoC friendly)
        • Event listeners
        • Host address retention
        • Inactivity/expiration support (touch())
        • Transparent web use – HttpSession
        • Container-independent clustering!
    • 32. Acquiring and Creating Sessions
        Subject currentUser = SecurityUtils.getSubject();
        // guarantee a session
        Session session = currentUser.getSession();
        // get a session only if it already exists (null otherwise)
        currentUser.getSession(false);
    • 33. Session API
        getStartTimestamp()
        getLastAccessTime()
        getAttribute(key)
        setAttribute(key, value)
        get/setTimeout(long)
        touch()
        ...
    • 34. Cryptography (section divider)
    • 35. Cryptography Defined – Protecting information from undesired access by hiding it or converting it into nonsense. Elements of cryptography:
        • Ciphers
        • Hashes
    • 36. Ciphers Defined – Encryption and decryption of data based on shared or public/private keys.
        • Symmetric cipher – same key
            • Block cipher – chunks of bits
            • Stream cipher – stream of bits
        • Asymmetric cipher – different keys
    • 37. Hashes Defined – A one-way, irreversible conversion of an input source (a.k.a. message digest). Used for:
        • Credentials transformation, checksums
        • Data with an underlying byte array: files, streams, etc.
    • 38. Cryptography Features – Simplicity
        • Interface-driven, POJO based
        • Simplified wrapper over the JCE infrastructure
        • "Object-orientifies" cryptography concepts
        • Easier to understand API
    • 39. Cipher Features
        • OO hierarchy: JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc.
        • Just instantiate a class – no "transformation string"/factory methods
        • More secure default settings than the JDK! Cipher modes, initialization vectors, et al.
    • 40. Example: Plaintext (image courtesy Wikipedia)
    • 41. Example: ECB Mode (JDK Default!) (image courtesy Wikipedia)
    • 42. Example: Shiro Defaults (image courtesy Wikipedia)
    • 43. Shiro's CipherService Interface
        public interface CipherService {
            ByteSource encrypt(byte[] raw, byte[] key);
            void encrypt(InputStream in, OutputStream out, byte[] key);
            ByteSource decrypt(byte[] cipherText, byte[] key);
            void decrypt(InputStream in, OutputStream out, byte[] key);
        }
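The "Shiro defaults" point of slides 39-43 in running code, as an added example that is not from the deck: AesCipherService is instantiated directly (no transformation string), and because it generates a fresh IV per call and prepends it to the output, encrypting the same plaintext twice gives different ciphertexts, unlike the ECB image on slide 41. The class name and sample plaintext are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;

public class ShiroCipherDemo {
    // AesCipherService defaults: AES in CBC mode with PKCS5 padding, a random IV generated for
    // every encrypt() call and prepended to the ciphertext so decrypt() can recover it.
    private static final AesCipherService AES = new AesCipherService();

    static byte[] newKey() {
        Key key = AES.generateNewKey();  // 128-bit key by default
        return key.getEncoded();
    }
    static byte[] encrypt(byte[] plaintext, byte[] key) {
        ByteSource out = AES.encrypt(plaintext, key);  // slide 43: ByteSource encrypt(byte[] raw, byte[] key)
        return out.getBytes();
    }
    static byte[] decrypt(byte[] ciphertext, byte[] key) {
        return AES.decrypt(ciphertext, key).getBytes();
    }
    // Same plaintext, same key, two calls: the ciphertexts differ because each carries its own IV.
    static boolean ciphertextsDiffer(byte[] plaintext, byte[] key) {
        return !Arrays.equals(encrypt(plaintext, key), encrypt(plaintext, key));
    }

    public static void main(String[] args) {
        byte[] key = newKey();
        byte[] plaintext = "account:view:123".getBytes(StandardCharsets.UTF_8);  // constructed sample
        byte[] c1 = encrypt(plaintext, key);
        // Ciphertext length = 16-byte IV + plaintext padded up to a multiple of 16 bytes.
        System.out.println("ciphertext bytes: " + c1.length);
        System.out.println("round trip ok: " + Arrays.equals(plaintext, decrypt(c1, key)));
        System.out.println("same plaintext, different ciphertext: " + ciphertextsDiffer(plaintext, key));
        // Caveat: CBC provides confidentiality only and Shiro adds no MAC, so ciphertext that is
        // stored or sent over an untrusted channel still needs an integrity check (e.g. an HMAC)
        // before it is handed to decrypt().
    }
}
```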
    • 44. Hash Features
        • Default interface implementations: MD5, SHA-1, SHA-256, et al.
        • Built-in Hex & Base64 conversion
        • Built-in support for salts and repeated hashing
    • 45. Shiro's Hash Interface
        public interface Hash {
            byte[] getBytes();
            String toHex();
            String toBase64();
        }
    • 46. Intuitive OO Hash API
        // some examples:
        new Md5Hash("foo").toHex();
        // File MD5 hash value for a checksum:
        new Md5Hash(aFile).toHex();
        // store the password, but not in plaintext:
        new Sha512Hash(aPassword, salt, 1024).toBase64();
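The last line of slide 46 carried through both halves of a credential store, as an added example that is not from the deck: a random per-user salt and 1024 iterations of SHA-512 at registration, and at login a recomputation with the stored salt compared in constant time. The class names, the StoredCredential holder and the sample passwords are assumptions for the demo.

```java
import java.security.MessageDigest;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashDemo {
    private static final int ITERATIONS = 1024;  // iteration count from slide 46

    // What a credential store keeps per user: the salt and the hash, never the password.
    static final class StoredCredential {
        final String saltBase64;
        final String hashBase64;
        StoredCredential(String saltBase64, String hashBase64) {
            this.saltBase64 = saltBase64;
            this.hashBase64 = hashBase64;
        }
    }
    // Registration: random per-user salt, iterated SHA-512, Base64 for storage (slide 44).
    static StoredCredential store(String password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();  // 16 random bytes by default
        Sha512Hash hash = new Sha512Hash(password, salt.getBytes(), ITERATIONS);
        return new StoredCredential(salt.toBase64(), hash.toBase64());
    }
    // Login: recompute with the stored salt and iteration count, compare in constant time.
    static boolean verify(String candidate, StoredCredential stored) {
        byte[] salt = Base64.decode(stored.saltBase64);
        byte[] expected = Base64.decode(stored.hashBase64);
        Sha512Hash recomputed = new Sha512Hash(candidate, salt, ITERATIONS);
        return MessageDigest.isEqual(expected, recomputed.getBytes());
    }

    public static void main(String[] args) {
        StoredCredential cred = store("correct horse battery staple");  // constructed sample
        System.out.println("stored hash: " + cred.hashBase64);
        System.out.println("right password accepted: " + verify("correct horse battery staple", cred));
        System.out.println("wrong password rejected: " + !verify("not the password", cred));
        // Inside a Realm you would not hand-roll verify(): configure a HashedCredentialsMatcher
        // with the same algorithm, salt handling and iteration count and let login() compare.
    }
}
```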
    • 47. Web Support (section divider)
    • 48. Web Support Features
        • Simple ShiroFilter web.xml definition
        • Protects all URLs
        • Innovative filtering (URL-specific chains)
        • JSP tag support
        • Transparent HttpSession support
    • 49. web.xml
        <filter>
            <filter-name>ShiroFilter</filter-name>
            <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>ShiroFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    • 50. shiro.ini
        [main]
        ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
        ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
        ldapRealm.contextFactory.url = ldap://ldapHost:389
        securityManager.realm = $ldapRealm
        [urls]
        /images/** = anon
        /account/** = authc
        /rest/** = authcBasic
        /remoting/** = authc, roles[b2bClient], …
    • 51. JSP TagLib Authorization
        <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
        <html>
        <body>
        <shiro:hasRole name="administrator">
            <a href="manageUsers.jsp">Click here to manage users</a>
        </shiro:hasRole>
        <shiro:lacksRole name="administrator">
            No user admin for you!
        </shiro:lacksRole>
        </body>
        </html>
    • 52. JSP TagLibs
        <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
        <!-- Other tags: -->
        <shiro:guest/>
        <shiro:user/>
        <shiro:principal/>
        <shiro:hasRole/>
        <shiro:lacksRole/>
        <shiro:hasAnyRoles/>
        <shiro:hasPermission/>
        <shiro:lacksPermission/>
        <shiro:authenticated/>
        <shiro:notAuthenticated/>
    • 53. Auxiliary Features (section divider)
    • 54. Auxiliary Features
        • Threading & concurrency: Callable/Runnable & Executor/ExecutorService
        • "Run As" support
        • Ad-hoc Subject instance creation
        • Unit testing
        • Remembered vs. Authenticated
    • 55. Logging Out – One method:
        // Logs the user out, relinquishes account data, and invalidates any Session
        SecurityUtils.getSubject().logout();
        App-specific log-out logic: run it before/after the call, or listen for Authentication or StoppedSession events.
    • 56. Stormpath: Application Security Service (diagram: the Application, with Realms + plug-ins and a Stormpath Realm, talks to Stormpath over a REST API for Authentication and Access Control). Out-of-the-box features:
        • Managed security data model
        • Secure credential storage
        • Flexible permissions
        • Password self-service GUI
        • Management GUI
    • 57. Stormpath: Cloud Deployment (diagram; labels: Public Cloud, Corporate Network, Application, REST, Firewall, Stormpath, Active Directory, Outbound Sync, OpenID/OAuth, SAML)
    • 58. Thank You!
        • les@stormpath.com
        • http://www.stormpath.com
        • Seeking engineering talent
        • Seeking product feedback
