SlideShare a Scribd company logo

Intro to Apache Shiro

Download as PPTX, PDF
Claire Hunsaker
Claire Hunsaker

Apache Shiro, a simple easy-to-use framework to enforce user security by Shiro PMC Chair and Stormpath CTO, Les Hazlewood. http://shiro.apache.org http://stormpath.com

Technology
1 of 59
Simple Application Security Les Hazlewood Apache Shiro Project Chair CTO, Stormpath
What is Apache Shiro? • Application security framework • ASF TLP - http://shiro.apache.org • Quick and Easy • Simplifies Security Concepts & Design
Agenda Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
Quick Terminology • Subject – Security-specific user ‘view’ • Principals – Subject’s identifying attributes • Credentials – Secret values that verify identity • Realm – Security-specific DAO
Authentication Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
Authentication Defined Identity verification: Proving a user is who he says he is
Shiro Authentication Features • Subject-based (current user) • Single method call • Rich Exception Hierarchy • ‘Remember Me’ built in • Event listeners
How to Authenticate with Shiro Steps 1. Collect principals & credentials 2. Submit to Authentication System 3. Allow, retry, or block access
Step 1: Collecting Principals & Credentials UsernamePasswordToken token = new UsernamePasswordToken(username, password); //”Remember Me” built-in: token.setRememberMe(true);
Step 2: Submission Subject currentUser = SecurityUtils.getSubject(); currentUser.login(token);
Step 3: Grant Access or Handle Failure try { currentUser.login(token); } catch (UnknownAccountExceptionuae){ ... } catch (IncorrectCredentialsException ice { ... } catch ( LockedAccountExceptionlae ) { ... } catch ( ExcessiveAttemptsExceptioneae ) { ... } ... catch your own ... } catch ( AuthenticationExceptionae ) { //unexpected error? } //No problems, show authenticated view…
How does it work? Subject .login(token)
How does it work? Subject .login(token) SecurityManager
How does it work? Subject .login(token) SecurityManager Authenticator
How does it work? Subject .login(token) SecurityManager Authenticator Realm 1 Realm 2 … Realm N
How does it work? Subject .login(token) SecurityManager Authentication Authenticator Strategy Realm 1 Realm 2 … Realm N
Authorization Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
Authorization Defined Process of determining “who can do what” AKA Access Control Elements of Authorization • Permissions • Roles • Users
Permissions Defined • Most atomic security element • Describes resource types and their behavior • The “what” of an application • Does not define “who” • AKA “rights”
Roles Defined • Implicit or Explicit construct • Implicit: Name only • Explicit: A named collection of Permissions Allows behavior aggregation Enables dynamic (runtime) alteration of user abilities.
Users Defined • The “who” of the application • What each user can do is defined by their association with Roles or Permissions Example: User’s roles imply PrinterPermission
Authorization Features • Subject-centric (current user) • Checks based on roles or permissions • Powerful out-of-the-box WildcardPermission • Any data model – Realms decide
How to Authorize with Shiro Multiple means of checking access control: • Programmatically • JDK 1.5 annotations & AOP • JSP/GSP/JSF* TagLibs (web support)
Programmatic Authorization Role Check //get the current Subject Subject currentUser= SecurityUtils.getSubject(); if (currentUser.hasRole(“administrator”)) { //show the „delete user‟ button } else { //don‟t show the button?) }
Programmatic Authorization Permission Check Subject currentUser= SecurityUtils.getSubject(); Permission deleteUser= new UserPermission(“jsmith”,“delete”); If (currentUser.isPermitted(deleteUser)) { //show the „delete user‟ button } else { //don‟t show the button? }
Programmatic Authorization Permission Check (String-based) String perm = “user:delete:jsmith”; if(currentUser.isPermitted(perm)){ //show the „delete user‟ button } else { //don‟t show the button? }
Annotation Authorization Role Check @RequiresRoles( “teller” ) public void openAccount(Account a) { //do something in here that //only a „teller‟ should do }
Annotation Authorization Permission Check @RequiresPermissions(“account:create”) public void openAccount(Account a) { //create the account }
Enterprise Session Management Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
Session Management Defined Managing the lifecycle of Subject-specific temporal data context
Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Container-Independent Clustering!
Acquiring and Creating Sessions Subject currentUser = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
Session API getStartTimestamp() getLastAccessTime() getAttribute(key) setAttribute(key, value) get/setTimeout(long) touch() ...
Cryptography Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
Cryptography Defined Protecting information from undesired access by hiding it or converting it into nonsense. Elements of Cryptography • Ciphers • Hashes
Ciphers Defined Encryption and decryption data based on shared or public/private keys. • Symmetric Cipher – same key • Block Cipher – chunks of bits • Stream Cipher – stream of bits • Asymmetric Cipher - different keys
Hashes Defined A one-way, irreversible conversion of an input source (a.k.a. Message Digest) Used for: • Credentials transformation, Checksum • Data with underlying byte array Files, Streams, etc
Cryptography Features Simplicity • Interface-driven, POJO based • Simplified wrapper over JCE infrastructure. • “Object Orientifies” cryptography concepts • Easier to understand API
Cipher Features • OO Hierarchy JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc • Just instantiate a class No “Transformation String”/Factory methods • More secure default settings than JDK! Cipher Modes, Initialization Vectors, et. al.
Example: Plaintext (image courtesy WikiPedia)
Example: ECB Mode (JDK Default!) (image courtesy WikiPedia)
Example: Shiro Defaults (image courtesy WikiPedia)
Shiro’sCipherService Interface public interface CipherService { ByteSourceencrypt(byte[] raw, byte[] key); void encrypt(InputStream in, OutputStreamout, byte[] key); ByteSourcedecrypt( byte[] cipherText, byte[] key); void decrypt(InputStream in, OutputStreamout, byte[] key); }
Hash Features • Default interface implementations MD5, SHA1, SHA-256, et. al. • Built in Hex &Base64 conversion • Built-in support for Salts and repeated hashing
Shiro’s Hash Interface public interface Hash { byte[] getBytes(); String toHex(); String toBase64(); }
Intuitive OO Hash API //some examples: new Md5Hash(“foo”).toHex(); //File MD5 Hash value for checksum: new Md5Hash( aFile ).toHex(); //store password, but not plaintext: new Sha512(aPassword, salt, 1024).toBase64();
Web Support Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
Web Support Features • Simple ShiroFilter web.xml definition • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
web.xml <filter> <filter-name>ShiroFilter</filter-name> <filter-class> org.apache.shiro.web.servlet.IniShiroFilter </filter-class> </filter> <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
shiro.ini [main] ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com ldapRealm.contextFactory.url = ldap://ldapHost:389 securityManager.realm= $realm [urls] /images/** = anon /account/** = authc /rest/** = authcBasic /remoting/** = authc, roles[b2bClient], …
JSP TagLib Authorization <%@ taglib prefix=“shiro” uri=“http://shiro.apache.org/tags” %> <html> <body> <shiro:hasRole name=“administrator”> <a href=“manageUsers.jsp”> Click here to manage users </a> </shiro:hasRole> <shiro:lacksRole name=“administrator”> No user admin for you! </shiro:hasRole> </body> </html>
JSP TagLibs <%@ taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <!-- Other tags: --> <shiro:guest/> <shiro:user/> <shiro:principal/> <shiro:hasRole/> <shiro:lacksRole/> <shiro:hasAnyRoles/> <shiro:hasPermission/> <shiro:lacksPermission/> <shiro:authenticated/> <shiro:notAuthenticated/>
Auxiliary Features Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
Auxiliary Features • Threading & Concurrency Callable/Runnable & Executor/ExecutorService • “Run As” support • Ad-hoc Subject instance creation • Unit Testing • Remembered vs Authenticated
Logging Out One method: user out, relinquishes account //Logs the //data, and invalidates any Session SecurityUtils.getSubject().logout(); App-specific log-out logic: Before/After the call Listen for Authentication or StoppedSession events.
Stormpath:Application Security Service • Realms + Plug-ins Application • REST API Stormpath +Stormpath Realm Authentication Access Control Out-of-the-box Features • Managed security data model • Secure credential storage • Flexible permissions • Password self-service GUI • Management GUI
Stormpath: Cloud Deployment Public Cloud CorporateNetwork Application REST Firewall OpenId/OAu Active Application th Stormpath Outbound Directory Sync Application SAML
Thank You! • les@stormpath.com • http://www.stormpath.com • Seeking engineering talent • Seeking product feedback

Recommended

Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
DataStax Academy
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
Claire Hunsaker
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache Shiro
Smita Prasad
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIRO
Cygnet Infotech
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
robwinch
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
Stormpath
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 

Recommended

Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
DataStax Academy
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
Claire Hunsaker
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache Shiro
Smita Prasad
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIRO
Cygnet Infotech
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
robwinch
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
Stormpath
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
Stormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
Jason Ferguson
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API Security
Stormpath
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Spring Security
Spring SecuritySpring Security
Spring Security
Manish Sharma
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
Stormpath
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
Stormpath
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
Stormpath
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
Jim Manico
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
 
Spring Security
Spring SecuritySpring Security
Spring Security
Boy Tech
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
Masoud Kalali
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
Rafal Gancarz
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
Ortus Solutions, Corp
 

More Related Content

What's hot

Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
Stormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 

What's hot (20)

Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API Security
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 

Similar to Intro to Apache Shiro

Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
Rudy De Busscher
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
Stormpath
 

Similar to Intro to Apache Shiro (20)

Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdf
 
Advance java session 19
Advance java session 19Advance java session 19
Advance java session 19
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
4 the 3rd party libraries
4 the 3rd party libraries4 the 3rd party libraries
4 the 3rd party libraries
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Intro to Apache Shiro

  • 1. Simple Application Security Les Hazlewood Apache Shiro Project Chair CTO, Stormpath
  • 2. What is Apache Shiro? • Application security framework • ASF TLP - http://shiro.apache.org • Quick and Easy • Simplifies Security Concepts & Design
  • 3.
  • 4. Agenda Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
  • 5. Quick Terminology • Subject – Security-specific user ‘view’ • Principals – Subject’s identifying attributes • Credentials – Secret values that verify identity • Realm – Security-specific DAO
  • 6. Authentication Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
  • 8. Shiro Authentication Features • Subject-based (current user) • Single method call • Rich Exception Hierarchy • ‘Remember Me’ built in • Event listeners
  • 9. How to Authenticate with Shiro Steps 1. Collect principals & credentials 2. Submit to Authentication System 3. Allow, retry, or block access
  • 10. Step 1: Collecting Principals & Credentials UsernamePasswordToken token = new UsernamePasswordToken(username, password); //”Remember Me” built-in: token.setRememberMe(true);
  • 11. Step 2: Submission Subject currentUser = SecurityUtils.getSubject(); currentUser.login(token);
  • 12. Step 3: Grant Access or Handle Failure try { currentUser.login(token); } catch (UnknownAccountExceptionuae){ ... } catch (IncorrectCredentialsException ice { ... } catch ( LockedAccountExceptionlae ) { ... } catch ( ExcessiveAttemptsExceptioneae ) { ... } ... catch your own ... } catch ( AuthenticationExceptionae ) { //unexpected error? } //No problems, show authenticated view…
  • 13. How does it work? Subject .login(token)
  • 14. How does it work? Subject .login(token) SecurityManager
  • 15. How does it work? Subject .login(token) SecurityManager Authenticator
  • 16. How does it work? Subject .login(token) SecurityManager Authenticator Realm 1 Realm 2 … Realm N
  • 17. How does it work? Subject .login(token) SecurityManager Authentication Authenticator Strategy Realm 1 Realm 2 … Realm N
  • 18. Authorization Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
  • 19. Authorization Defined Process of determining “who can do what” AKA Access Control Elements of Authorization • Permissions • Roles • Users
  • 20. Permissions Defined • Most atomic security element • Describes resource types and their behavior • The “what” of an application • Does not define “who” • AKA “rights”
  • 21. Roles Defined • Implicit or Explicit construct • Implicit: Name only • Explicit: A named collection of Permissions Allows behavior aggregation Enables dynamic (runtime) alteration of user abilities.
  • 22. Users Defined • The “who” of the application • What each user can do is defined by their association with Roles or Permissions Example: User’s roles imply PrinterPermission
  • 23. Authorization Features • Subject-centric (current user) • Checks based on roles or permissions • Powerful out-of-the-box WildcardPermission • Any data model – Realms decide
  • 24. How to Authorize with Shiro Multiple means of checking access control: • Programmatically • JDK 1.5 annotations & AOP • JSP/GSP/JSF* TagLibs (web support)
  • 25. Programmatic Authorization Role Check //get the current Subject Subject currentUser= SecurityUtils.getSubject(); if (currentUser.hasRole(“administrator”)) { //show the „delete user‟ button } else { //don‟t show the button?) }
  • 26. Programmatic Authorization Permission Check Subject currentUser= SecurityUtils.getSubject(); Permission deleteUser= new UserPermission(“jsmith”,“delete”); If (currentUser.isPermitted(deleteUser)) { //show the „delete user‟ button } else { //don‟t show the button? }
  • 27. Programmatic Authorization Permission Check (String-based) String perm = “user:delete:jsmith”; if(currentUser.isPermitted(perm)){ //show the „delete user‟ button } else { //don‟t show the button? }
  • 28. Annotation Authorization Role Check @RequiresRoles( “teller” ) public void openAccount(Account a) { //do something in here that //only a „teller‟ should do }
  • 29. Annotation Authorization Permission Check @RequiresPermissions(“account:create”) public void openAccount(Account a) { //create the account }
  • 30. Enterprise Session Management Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
  • 31. Session Management Defined Managing the lifecycle of Subject-specific temporal data context
  • 32. Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Container-Independent Clustering!
  • 33. Acquiring and Creating Sessions Subject currentUser = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
  • 35. Cryptography Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
  • 36. Cryptography Defined Protecting information from undesired access by hiding it or converting it into nonsense. Elements of Cryptography • Ciphers • Hashes
  • 37. Ciphers Defined Encryption and decryption data based on shared or public/private keys. • Symmetric Cipher – same key • Block Cipher – chunks of bits • Stream Cipher – stream of bits • Asymmetric Cipher - different keys
  • 38. Hashes Defined A one-way, irreversible conversion of an input source (a.k.a. Message Digest) Used for: • Credentials transformation, Checksum • Data with underlying byte array Files, Streams, etc
  • 39. Cryptography Features Simplicity • Interface-driven, POJO based • Simplified wrapper over JCE infrastructure. • “Object Orientifies” cryptography concepts • Easier to understand API
  • 40. Cipher Features • OO Hierarchy JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc • Just instantiate a class No “Transformation String”/Factory methods • More secure default settings than JDK! Cipher Modes, Initialization Vectors, et. al.
  • 41. Example: Plaintext (image courtesy WikiPedia)
  • 42. Example: ECB Mode (JDK Default!) (image courtesy WikiPedia)
  • 43. Example: Shiro Defaults (image courtesy WikiPedia)
  • 44. Shiro’sCipherService Interface public interface CipherService { ByteSourceencrypt(byte[] raw, byte[] key); void encrypt(InputStream in, OutputStreamout, byte[] key); ByteSourcedecrypt( byte[] cipherText, byte[] key); void decrypt(InputStream in, OutputStreamout, byte[] key); }
  • 45. Hash Features • Default interface implementations MD5, SHA1, SHA-256, et. al. • Built in Hex &Base64 conversion • Built-in support for Salts and repeated hashing
  • 46. Shiro’s Hash Interface public interface Hash { byte[] getBytes(); String toHex(); String toBase64(); }
  • 47. Intuitive OO Hash API //some examples: new Md5Hash(“foo”).toHex(); //File MD5 Hash value for checksum: new Md5Hash( aFile ).toHex(); //store password, but not plaintext: new Sha512(aPassword, salt, 1024).toBase64();
  • 48. Web Support Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
  • 49. Web Support Features • Simple ShiroFilter web.xml definition • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
  • 51. shiro.ini [main] ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com ldapRealm.contextFactory.url = ldap://ldapHost:389 securityManager.realm= $realm [urls] /images/** = anon /account/** = authc /rest/** = authcBasic /remoting/** = authc, roles[b2bClient], …
  • 52. JSP TagLib Authorization <%@ taglib prefix=“shiro” uri=“http://shiro.apache.org/tags” %> <html> <body> <shiro:hasRole name=“administrator”> <a href=“manageUsers.jsp”> Click here to manage users </a> </shiro:hasRole> <shiro:lacksRole name=“administrator”> No user admin for you! </shiro:hasRole> </body> </html>
  • 53. JSP TagLibs <%@ taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <!-- Other tags: --> <shiro:guest/> <shiro:user/> <shiro:principal/> <shiro:hasRole/> <shiro:lacksRole/> <shiro:hasAnyRoles/> <shiro:hasPermission/> <shiro:lacksPermission/> <shiro:authenticated/> <shiro:notAuthenticated/>
  • 54. Auxiliary Features Authentication Authorization Session Cryptography Management Web Support Auxiliary Features
  • 55. Auxiliary Features • Threading & Concurrency Callable/Runnable & Executor/ExecutorService • “Run As” support • Ad-hoc Subject instance creation • Unit Testing • Remembered vs Authenticated
  • 56. Logging Out One method: user out, relinquishes account //Logs the //data, and invalidates any Session SecurityUtils.getSubject().logout(); App-specific log-out logic: Before/After the call Listen for Authentication or StoppedSession events.
  • 57. Stormpath:Application Security Service • Realms + Plug-ins Application • REST API Stormpath +Stormpath Realm Authentication Access Control Out-of-the-box Features • Managed security data model • Secure credential storage • Flexible permissions • Password self-service GUI • Management GUI
  • 58. Stormpath: Cloud Deployment Public Cloud CorporateNetwork Application REST Firewall OpenId/OAu Active Application th Stormpath Outbound Directory Sync Application SAML
  • 59. Thank You! • les@stormpath.com • http://www.stormpath.com • Seeking engineering talent • Seeking product feedback

Editor's Notes

  1. If this is interesting to you please contact me after this presentation or view email because we are looking for people to test our product and give us feedback.
  2. In order to better support your cloud-based application we are building a cloud version of the product where we manage back-ups, upgrades, support, and server level hassles for security and you just have to use it.