Simple Application Security
Les Hazlewood
Apache Shiro Project Chair
About Me

Les Hazlewood
  Apache Shiro Project Chair

  JSecurity Founder

  Katasoft Founder & CTO
What is Apache Shiro?
• Application security library

• Quick and easy

• Simplifies security concepts
About Shiro
• Started in 2003, JSecurity in 2004
• Simplify or replace JAAS
• Dynamic changes at runtime
• Sessions - Heterogeneous Clients
• Reduce Design Flaws
• ‘One stop shop’
• Apache Top Level, September
Reduce Design Flaws
No Silver Bullets
Agenda
• Authentication
• Authorization
• Session Management
• Cryptography
• Web Support
• Threading & Concurrency
Quick Terminology
• Subject – Security-specific user ‘view’

• Principals – Subject’s identifying attributes

• Credentials – Secret values that verify identity

• Realm – Security-specific DAO
Authentication
Authentication Defined

Identity verification:

Proving a user is who he says he is
Shiro Authentication Features
• Subject-based (current user)
• Single method call

• Rich Exception Hierarchy

• ‘Remember Me’ built in
How to Authenticate with Shiro

Steps

1. Collect principals & credentials

2. Submit to Authentication System

3. Allow, retry, or block access
Step 1: Collecting Principals & Credentials

//Example using most common scenario:
//String username and password. Acquire in
//system-specific manner (HTTP request, GUI, etc)

UsernamePasswordToken token =
    new UsernamePasswordToken( username, password );

//"Remember Me" built-in, just do this:
token.setRememberMe(true);
Step 2: Submission
Subject currentUser =
    SecurityUtils.getSubject();

currentUser.login(token);
Step 3: Grant Access or Handle Failure
try {
    currentUser.login(token);
} catch ( UnknownAccountException uae ) {
    //...
} catch ( IncorrectCredentialsException ice ) {
    //...
} catch ( LockedAccountException lae ) {
    //...
} catch ( ExcessiveAttemptsException eae ) {
    //...
    //... catch your own AuthenticationException subclasses here ...
} catch ( AuthenticationException ae ) {
    //unexpected error?
}
//No problems, show authenticated view...
“Remember Me” support
• subject.isRemembered()

• subject.isAuthenticated()

• remembered != authenticated
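The three authentication steps and the remembered/authenticated distinction, worked through end to end. This is an added example, not code from the slides or the Shiro project: it builds an in-memory `IniSecurityManagerFactory` realm with a constructed user (`jsmith` / `s3cr3t`, role `teller`), maps the exception hierarchy onto the slide's allow/retry/block outcomes, and gates a sensitive operation on `isAuthenticated()` rather than `isRemembered()`. The `Outcome` enum and `mayPerformSensitiveOperation` are this example's own names.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class LoginFlowExample {

    // Outcome of step 3: what the caller should do next.
    enum Outcome { GRANTED, RETRY, BLOCKED, ERROR }

    // Constructed in-memory realm (example data, not a real deployment):
    // [users] lines are "username = password, role1, role2".
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("jsmith", "s3cr3t, teller");
        ini.addSection("roles").put("teller", "account:create");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    // Steps 1-3 in one place: collect principals/credentials, submit them,
    // then decide whether to allow, let the user retry, or block.
    static Outcome login(String username, char[] password, boolean rememberMe) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            return Outcome.GRANTED;
        } catch (LockedAccountException | ExcessiveAttemptsException e) {
            // account-state failures: do not invite another attempt
            return Outcome.BLOCKED;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // collapse both into one outcome so the response does not reveal
            // whether the username exists
            return Outcome.RETRY;
        } catch (AuthenticationException e) {
            // anything else in the hierarchy, including realm failures
            return Outcome.ERROR;
        } finally {
            token.clear(); // zero the password chars once Shiro is done with them
        }
    }

    // remembered != authenticated: a "remember me" cookie restores identity
    // but does not prove it, so sensitive operations require a fresh login.
    static boolean mayPerformSensitiveOperation(Subject subject) {
        return subject.isAuthenticated();
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();

        Outcome first = login("jsmith", "wrong".toCharArray(), false);
        Outcome second = login("jsmith", "s3cr3t".toCharArray(), true);
        System.out.println("first attempt: " + first + ", second attempt: " + second);
        System.out.println("authenticated=" + currentUser.isAuthenticated()
                + " remembered=" + currentUser.isRemembered()
                + " sensitiveOk=" + mayPerformSensitiveOperation(currentUser));
        currentUser.logout();
    }
}
```

The INI realm used here never throws `LockedAccountException` or `ExcessiveAttemptsException`; those branches exist for realms that track account state, and the point of catching them separately is that a locked or throttled account should not be offered a retry.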
Authorization
Authorization Defined
Process of determining Access Control
“who can do what”

Elements of Authorization
• Permissions
• Roles
• Users
Permissions Defined
• The “what” of an application
• Most atomic security element

• Describes resource types and their behavior

• Does not define “who”
Roles Defined
• Implicit or Explicit construct
• Implicit: Name only

• Explicit: A named collection of Permissions
   Allows behavior aggregation

   Enables dynamic (runtime) alteration of user abilities.
Users Defined
• The “who” of the application

• What each user can do is defined by their
  association with Roles or Permissions

Example: User’s roles imply PrinterPermission
Authorization Features
• Subject-centric (current user)

• Checks based on roles or permissions

• Powerful out-of-the-box WildcardPermission

• Any data model – Realms decide
How to Authorize with Shiro
Multiple means of checking access control:
• Programmatically

• JDK 1.5 annotations

• JSP/GSP TagLibs (web support)
Programmatic Authorization
  Role Check

//get the current Subject
Subject currentUser =
    SecurityUtils.getSubject();

if (currentUser.hasRole("administrator")) {
    //do one thing (show a special button?)
} else {
    //don't show the button?
}
Programmatic Authorization
  Permission Check
Subject currentUser =
    SecurityUtils.getSubject();

Permission printPermission =
    new PrinterPermission("laserjet3000n", "print");

if (currentUser.isPermitted(printPermission)) {
    //do one thing (show the print button?)
} else {
    //don't show the button?
}
Programmatic Authorization
  Permission Check (String-based)
String perm = "printer:print:laserjet4400n";

if (currentUser.isPermitted(perm)) {
    //show the print button?
} else {
    //don't show the button?
}
Annotation Authorization
  Role Check
//Throws an AuthorizationException if the caller
//doesn't have the 'teller' role:

@RequiresRoles( "teller" )
public void openAccount( Account acct ) {
    //do something in here that only a teller
    //should do
}
Annotation Authorization
  Permission Check
//Will throw an AuthorizationException if none
//of the caller's roles imply the Account
//'create' permission

@RequiresPermissions("account:create")
public void openAccount( Account acct ) {
    //create the account
}
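The programmatic and annotation-based checks above, run against one constructed realm. This is an added example rather than code from the slides or the Shiro project: users and roles come from an inline `Ini` (the `teller` role is given `account:create` and `printer:print:laserjet4400n`; `administrator` gets `*`), `implies` exercises `WildcardPermission` on its own to show which stored permission strings cover a requested one, and `openAccount` uses `Subject.checkPermission`, which is what the `@RequiresPermissions` annotation does once an AOP framework is wired in. The realm data and method names are this example's own.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class AuthorizationExample {

    // Constructed in-memory realm: users get roles, roles get permission strings.
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("jsmith", "s3cr3t, teller");
        Ini.Section roles = ini.addSection("roles");
        roles.put("teller", "account:create, printer:print:laserjet4400n");
        roles.put("administrator", "*");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    // WildcardPermission implication rules: a missing trailing part means "all",
    // "*" in a part matches any value, and "," within a part is a set.
    static boolean implies(String granted, String requested) {
        Permission g = new WildcardPermission(granted);
        Permission r = new WildcardPermission(requested);
        return g.implies(r);
    }

    // Programmatic equivalent of @RequiresPermissions("account:create"):
    // checkPermission throws AuthorizationException instead of returning false.
    static void openAccount(Subject subject) {
        subject.checkPermission("account:create");
        // create the account
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("jsmith", "s3cr3t"));

        // role check and permission check on the same Subject
        System.out.println("teller? " + currentUser.hasRole("teller"));
        System.out.println("administrator? " + currentUser.hasRole("administrator"));
        System.out.println("print laserjet4400n? "
                + currentUser.isPermitted("printer:print:laserjet4400n"));
        System.out.println("print laserjet3000n? "
                + currentUser.isPermitted("printer:print:laserjet3000n"));

        // implication on its own, independent of any Subject
        System.out.println(implies("printer:*", "printer:print:laserjet4400n"));
        System.out.println(implies("printer:print", "printer:print:laserjet4400n"));
        System.out.println(implies("printer:print:laserjet4400n", "printer:print"));

        try {
            openAccount(currentUser);
            System.out.println("account opened");
        } catch (AuthorizationException e) {
            System.out.println("denied: " + e.getMessage());
        }
        currentUser.logout();
    }
}
```

The `implies` calls are the part worth studying: a stored `printer:print` covers every printer because trailing parts default to "all", while a stored `printer:print:laserjet4400n` does not cover a request for `printer:print`. Permission strings granted to roles should therefore be as specific as the resource they are meant to protect.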
Enterprise Session Management
Session Management Defined
Managing the lifecycle of Subject-specific
 temporal data context
Session Management Features
• Heterogeneous client access
• POJO/J2SE based (IoC friendly)
• Event listeners
• Host address retention
• Inactivity/expiration support (touch())
• Transparent web use - HttpSession
• Can be used for SSO
Acquiring and Creating Sessions
Subject currentUser =
    SecurityUtils.getSubject();

//guarantee a session
Session session =
    currentUser.getSession();

//get a session if it exists, otherwise null
Session existing =
    currentUser.getSession(false);
Session API
getStartTimestamp()
getLastAccessTime()
getAttribute(key)
setAttribute(key, value)
get/setTimeout(long)
touch()
...
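The session API from the two slides above in use, including what happens after the inactivity timeout passes. This is an added example, not code from the slides or the Shiro project: it uses Shiro's default native `SessionManager` behind a constructed `IniSecurityManagerFactory`, sets a deliberately short per-session timeout so expiry can be observed in a few hundred milliseconds, and treats `InvalidSessionException` (the parent of the expired and stopped cases) as "no value". The `hasSession` and `readAttribute` helpers are this example's own.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class SessionExample {

    // Constructed security manager with Shiro's default native SessionManager.
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("jsmith", "s3cr3t");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    // getSession(false) answers "is there a session?" without creating one.
    static boolean hasSession(Subject subject) {
        return subject.getSession(false) != null;
    }

    // Reads a session attribute, treating an expired or stopped session as
    // "no value" instead of letting InvalidSessionException escape.
    static Object readAttribute(Session session, String key) {
        try {
            return session.getAttribute(key);
        } catch (InvalidSessionException e) {
            return null;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();
        System.out.println("session before getSession(): " + hasSession(currentUser));

        Session session = currentUser.getSession(); // guarantees a session
        session.setAttribute("cart", "3 items");    // constructed attribute
        session.setTimeout(200L);                   // max idle time in milliseconds
        System.out.println("started=" + session.getStartTimestamp()
                + " lastAccess=" + session.getLastAccessTime());

        session.touch(); // resets the inactivity clock
        System.out.println("cart after touch: " + readAttribute(session, "cart"));

        Thread.sleep(400L); // sit idle past the timeout
        System.out.println("cart after timeout: " + readAttribute(session, "cart"));
    }
}
```

Once the timeout has elapsed, the next access validates the session, raises `ExpiredSessionException`, and removes the session from the store; application code that reads session data on every request should expect that exception rather than assume the session it obtained earlier is still live.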
Cryptography
Cryptography Defined
Protecting information from undesired access by
hiding it or converting it into nonsense.

Elements of Cryptography
• Ciphers
• Hashes
Ciphers Defined
Encryption and decryption of data based on
public/private keys.

• Symmetric Cipher - same key for encryption
  and decryption.

• Asymmetric Cipher - different keys for
  encryption and decryption
Hashes Defined
A one-way, irreversible conversion of an input
source (a.k.a. Message Digest)
Used for:
• Credentials transformation
• Data with underlying byte array
  Files, Streams, etc
Cryptography Features
Simplicity
• Simplified wrapper over JCE infrastructure.
• Easier to understand API
• "Object Orientifies" cryptography concepts
• Interface-driven, POJO based
Cipher Features
• OO Hierarchy
  JcaCipherService, AbstractSymmetricCipherService,
    DefaultBlockCipherService, etc

• Just instantiate a class
  No “Transformation String”/Factory methods

• More secure default settings
  Initialization Vectors, et. al.
Shiro’s CipherService Interface
public interface CipherService {

    ByteSource encrypt(byte[] raw, byte[] key);

    void encrypt(InputStream in, OutputStream out, byte[] key);

    ByteSource decrypt(byte[] cipherText, byte[] key);

    void decrypt(InputStream in, OutputStream out, byte[] key);
}
Hash Features
• Default interface implementations
   MD5, SHA1, SHA-256, et. al.

• Built in Hex & Base64 conversion

• Built-in support for Salts and repeated hashing
Shiro’s Hash Interface
public interface Hash {

    byte[] getBytes();

    String toHex();

    String toBase64();

}
Intuitive OO Hash API
//some examples:
new Md5Hash("foo").toHex();

//File MD5 Hash value for checksum:
new Md5Hash( aFile ).toHex();

//store a password, but not raw:
new Sha256Hash(aPassword, salt,
               1024).toBase64();
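The `CipherService` interface and the hash API above, put to work on the two jobs the slides name: storing a password "but not raw" and checksumming bytes, plus an AES round trip. This is an added example, not code from the slides or the Shiro project: it keeps the slide's 1024 iterations, draws a fresh per-user salt from `SecureRandomNumberGenerator`, stores salt and hash Base64-encoded, and verifies with `MessageDigest.isEqual` so the comparison does not leak timing. The `StoredPassword` holder and the method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.MessageDigest;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class CryptoExample {

    static final int HASH_ITERATIONS = 1024; // the slide's iteration count

    // Stored form of a password: random per-user salt plus the iterated hash.
    static final class StoredPassword {
        final String saltBase64;
        final String hashBase64;
        StoredPassword(String saltBase64, String hashBase64) {
            this.saltBase64 = saltBase64;
            this.hashBase64 = hashBase64;
        }
    }

    // "store a password, but not raw": fresh random salt, repeated SHA-256.
    static StoredPassword hashPassword(String password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        Sha256Hash hash = new Sha256Hash(password, salt, HASH_ITERATIONS);
        return new StoredPassword(salt.toBase64(), hash.toBase64());
    }

    // Recompute with the stored salt and compare in constant time.
    static boolean verifyPassword(String password, StoredPassword stored) {
        ByteSource salt = ByteSource.Util.bytes(Base64.decode(stored.saltBase64));
        byte[] actual = new Sha256Hash(password, salt, HASH_ITERATIONS).getBytes();
        return MessageDigest.isEqual(actual, Base64.decode(stored.hashBase64));
    }

    // Unsalted MD5 is acceptable as a file checksum, never as a password store.
    static String checksum(byte[] fileContents) {
        return new Md5Hash(fileContents).toHex();
    }

    // CipherService round trip: a key, not a JCE "transformation string".
    static byte[] roundTrip(AesCipherService aes, byte[] key, byte[] plaintext) {
        ByteSource cipherText = aes.encrypt(plaintext, key);
        return aes.decrypt(cipherText.getBytes(), key).getBytes();
    }

    public static void main(String[] args) {
        StoredPassword stored = hashPassword("correct horse"); // constructed password
        System.out.println("verify right: " + verifyPassword("correct horse", stored));
        System.out.println("verify wrong: " + verifyPassword("wrong horse", stored));

        byte[] body = "constructed file body".getBytes(StandardCharsets.UTF_8);
        System.out.println("md5: " + checksum(body));

        AesCipherService aes = new AesCipherService();
        Key key = aes.generateNewKey(); // 128-bit AES key by default
        byte[] back = roundTrip(aes, key.getEncoded(),
                "secret payload".getBytes(StandardCharsets.UTF_8));
        System.out.println("round trip: " + new String(back, StandardCharsets.UTF_8));
    }
}
```

When the stored form is checked by a Shiro realm rather than by hand, the same salt, algorithm and iteration count go into a `HashedCredentialsMatcher`; the two sides must agree exactly or every login fails. The AES mode `AesCipherService` uses by default has changed across Shiro releases (older 1.x versions default to unauthenticated CBC), so check the version in use before relying on the ciphertext for integrity as well as confidentiality.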
Web Support
Web Support Features
• Simple ShiroFilter web.xml definition
• Protects all URLs

• Innovative Filtering (URL-specific chains)

• JSP Tag support

• Transparent HttpSession support
web.xml
<filter>
  <filter-name>ShiroFilter</filter-name>
  <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
  <init-param><param-name>config</param-name><param-value>
  [main]
    realm = com.my.custom.realm.Implementation
    securityManager.realm = $realm
  [urls]
    /account/** = authc
    /remoting/** = authc, roles[b2bClient], ...
  </param-value></init-param>
</filter>

<filter-mapping>
  <filter-name>ShiroFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
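A fuller version of the `[urls]` block from the web.xml above, showing the ordering rule that the slide's two lines leave implicit. This is an added example, not configuration from the slides or the Shiro project; the realm class name is the slide's placeholder and the paths are constructed. Shiro evaluates the chain definitions top to bottom and applies the first pattern that matches, so specific or anonymous paths must come before broader ones, and a closing `/**` entry stops any unlisted path from being served without authentication.

```ini
[main]
# placeholder realm class from the slide; substitute your own Realm
myRealm = com.my.custom.realm.Implementation
securityManager.realm = $myRealm
# where the authc filter sends unauthenticated requests
authc.loginUrl = /login.jsp

[urls]
# evaluated top to bottom, first match wins: specific entries first
/login.jsp = authc
/static/** = anon
/account/** = authc
/remoting/** = authc, roles[b2bClient]
/admin/** = authc, roles[administrator]
# catch-all: anything not listed above still requires authentication
/** = authc
```

The weak variant is the same file without the final `/** = authc` line: a new controller mapped to, say, `/reports/**` would then be reachable by anyone until somebody remembers to add it to the list.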
JSP TagLib Authorization
<%@ taglib prefix="shiro"
    uri="http://shiro.apache.org/tags" %>
<html>
<body>
    <shiro:hasRole name="administrator">
        <a href="manageUsers.jsp">
            Click here to manage users
        </a>
    </shiro:hasRole>
    <shiro:lacksRole name="administrator">
        No user admin for you!
    </shiro:lacksRole>
</body>
</html>
JSP TagLibs
<%@ taglib prefix="shiro"
    uri="http://shiro.apache.org/tags" %>

<!-- Other tags: -->
<shiro:guest/>
<shiro:user/>
<shiro:principal/>
<shiro:hasRole/>
<shiro:lacksRole/>
<shiro:hasAnyRoles/>
<shiro:hasPermission/>
<shiro:lacksPermission/>
<shiro:authenticated/>
<shiro:notAuthenticated/>
Threading & Concurrency
Threading & Concurrency Features
• Subject retained on multiple threads

• Automatic thread cleanup

• Transparent Executor/ExecutorService support
ThreadLocal
• Currently-executing Subject is thread-bound
  via a ThreadContext
• Executing logic in the current thread is fine.
  What about other threads?
• Runnable & Callable support
• ExecutorService support
Subject Thread Association
Can associate a Subject with a Callable or
  Runnable intended to run on another thread:
Callable myCallable = ...; //create or acquire
Subject currentUser = SecurityUtils.getSubject();

Callable associated =
    currentUser.associateWith(myCallable);

associated.call(); //current thread
//or another thread (submit, because execute() only takes a Runnable):
anExecutorService.submit(associated);
Transparent Association
Subject ‘Aware’ Executor implementations
transparently retain Subject:
SubjectAwareExecutor,
SubjectAwareExecutorService,
SubjectAwareScheduledExecutorService

//Look mom! No Shiro API imports!

Callable myCallable = ...; //create or acquire
anExecutorService.submit(myCallable);
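The three ways a Subject can (or cannot) reach another thread, side by side. This is an added example, not code from the slides or the Shiro project: a logged-in Subject (constructed user `jsmith`) submits the same `Callable` to a plain executor, then wrapped with `associateWith`, then through a `SubjectAwareExecutorService`, and finally to the plain executor again to show that the worker thread was cleaned up. The `WHO_AM_I` task and the realm data are this example's own.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.concurrent.SubjectAwareExecutorService;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ThreadAssociationExample {

    // Constructed in-memory realm with a single user.
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("jsmith", "s3cr3t");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    // Asks the thread that runs it who the current Subject is.
    static final Callable<String> WHO_AM_I =
            () -> String.valueOf(SecurityUtils.getSubject().getPrincipal());

    public static void main(String[] args) throws Exception {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("jsmith", "s3cr3t"));

        // single worker thread so that every submission lands on the same thread
        ExecutorService plain = Executors.newSingleThreadExecutor();
        ExecutorService aware = new SubjectAwareExecutorService(plain);
        try {
            // 1. plain executor: the worker has no bound Subject, so Shiro
            //    hands it a fresh anonymous one (principal is null)
            String viaPlain = plain.submit(WHO_AM_I).get();
            // 2. explicit association: the Callable carries the Subject with it
            String viaAssociate = plain.submit(currentUser.associateWith(WHO_AM_I)).get();
            // 3. SubjectAware executor: the association happens transparently
            String viaAware = aware.submit(WHO_AM_I).get();
            // 4. the association is undone when the task ends, so the worker
            //    thread does not keep jsmith's identity for the next task
            String afterwards = plain.submit(WHO_AM_I).get();
            System.out.println("plain=" + viaPlain + " associate=" + viaAssociate
                    + " aware=" + viaAware + " afterwards=" + afterwards);
        } finally {
            aware.shutdown(); // also shuts down the wrapped executor
            currentUser.logout();
        }
    }
}
```

Case 4 is the security-relevant one: the automatic cleanup means a pooled thread that served one user cannot silently carry that user's identity into work done for another.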
MISCELLANEOUS
“Run As” Support
• “Run As” allows a Subject to assume the
  identity of another

• Useful for administrative interfaces

• Identity retained until relinquished
“Run As” Support
//assume current user is the 'admin' user:
Subject currentUser = SecurityUtils.getSubject();

PrincipalCollection newIdentity =
    new SimplePrincipalCollection("jsmith", "jdbcRealm");

currentUser.runAs(newIdentity);
//behave as the 'jsmith' user here

currentUser.isRunAs(); //true = assumed identity
currentUser.getPreviousPrincipals(); //prev. identity

//return back to the admin user:
currentUser.releaseRunAs();
Unit Testing
• Subject.Builder creates ad-hoc Subjects
• Use with subject.execute for easy testing:
//principals() takes a PrincipalCollection, not a String
Subject testSubject =
  new Subject.Builder(securityManager)
    .principals(new SimplePrincipalCollection("jsmith", "jdbcRealm"))
    .buildSubject();

testSubject.execute( new Runnable() {
  public void run() {
      callTestMethod();
  }
});
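"Run As" and the `Subject.Builder` testing slide combined into one runnable test scenario. This is an added example, not code from the slides or the Shiro project: an `admin` Subject is built ad hoc (no login, `authenticated(true)`), bound to the thread with `execute`, assumes the `jsmith` identity, and the code checks that the assumed identity is distinguishable from the original and is dropped again by `releaseRunAs`. The users and roles are constructed; `iniRealm` is assumed to be the name the INI realm is registered under.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RunAsTestExample {

    // Assumed realm name of the realm IniSecurityManagerFactory creates.
    static final String REALM = "iniRealm";

    // Constructed in-memory users and roles for the test.
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("admin", "s3cr3t, administrator");
        users.put("jsmith", "s3cr3t, teller");
        ini.addSection("roles").put("administrator", "*");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    // Ad-hoc authenticated Subject for a test: no login call, no password.
    static Subject testSubject(SecurityManager sm, String username) {
        PrincipalCollection principals = new SimplePrincipalCollection(username, REALM);
        return new Subject.Builder(sm)
                .principals(principals)
                .authenticated(true)
                .buildSubject();
    }

    // The operation under test: an admin temporarily acts as another user, and
    // the code verifies the assumed identity can be told apart and dropped.
    static String[] runAsThenRelease(Subject admin, String assumedUser) {
        admin.runAs(new SimplePrincipalCollection(assumedUser, REALM));
        String assumed = admin.isRunAs() ? String.valueOf(admin.getPrincipal()) : "none";
        String previous = String.valueOf(admin.getPreviousPrincipals().getPrimaryPrincipal());
        boolean tellerWhileAssumed = admin.hasRole("teller");
        admin.releaseRunAs();
        String after = admin.isRunAs() ? "still run-as" : String.valueOf(admin.getPrincipal());
        return new String[] { assumed, previous, String.valueOf(tellerWhileAssumed), after };
    }

    public static void main(String[] args) {
        SecurityManager sm = buildSecurityManager();
        Subject admin = testSubject(sm, "admin");
        // execute() binds the Subject to this thread for the Runnable only
        admin.execute(new Runnable() {
            public void run() {
                String[] r = runAsThenRelease(SecurityUtils.getSubject(), "jsmith");
                System.out.println("assumed=" + r[0] + " previous=" + r[1]
                        + " tellerWhileAssumed=" + r[2] + " after=" + r[3]);
                // after release, authorization is evaluated for admin again
                System.out.println("teller after release? "
                        + SecurityUtils.getSubject().hasRole("teller"));
            }
        });
    }
}
```

Because `runAs` changes what `getPrincipal()` and the role and permission checks return, audit logging in an administrative interface should record `getPreviousPrincipals()` as well as the current identity, otherwise actions taken while assuming a user are attributed to that user alone.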
Logging Out
One method:
//Logs the user out, relinquishes account
//data, and invalidates any Session
SecurityUtils.getSubject().logout();


App-specific log-out logic:
  Before/After the call

  Listen for Authentication or StoppedSession events.
APACHE SHIRO DEMO
Thank You!
• les@katasoft.com
• http://www.katasoft.com

• Seeking engineering talent

• Seeking product feedback

 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 

Super simple application security with Apache Shiro

  • 1. Simple Application Security Les Hazlewood Apache Shiro Project Chair
  • 2. About Me Les Hazlewood Apache Shiro Project Chair JSecurity Founder Katasoft Founder & CTO
  • 3. What is Apache Shiro? • Application security library • Quick and easy • Simplifies security concepts
  • 4. About Shiro • Started in 2003, JSecurity in 2004 • Simplify or replace JAAS • Dynamic changes at runtime • Sessions - Heterogeneous Clients • Reduce Design Flaws • ‘One stop shop’ • Apache Top Level, September
  • 7. Agenda: Authentication, Authorization, Session Management, Cryptography, Web Support, Threading & Concurrency
  • 8. Quick Terminology • Subject – Security-specific user ‘view’ • Principals – Subject’s identifying attributes • Credentials – Secret values that verify identity • Realm – Security-specific DAO
  • 9. Authentication (section divider; agenda: Authentication, Authorization, Session Management, Cryptography, Web Support, Threading & Concurrency)
  • 11. Shiro Authentication Features • Subject-based (current user) • Single method call • Rich Exception Hierarchy • ‘Remember Me’ built in
  • 12. How to Authenticate with Shiro Steps 1. Collect principals & credentials 2. Submit to Authentication System 3. Allow, retry, or block access
  • 13. Step 1: Collecting Principals & Credentials
      //Example using most common scenario:
      //String username and password. Acquire in
      //system-specific manner (HTTP request, GUI, etc)
      UsernamePasswordToken token =
          new UsernamePasswordToken( username, password );
      //"Remember Me" built-in, just do this:
      token.setRememberMe(true);
  • 14. Step 2: Submission
      Subject currentUser = SecurityUtils.getSubject();
      currentUser.login(token);
  • 15. Step 3: Grant Access or Handle Failure
      try {
          currentUser.login(token);
      } catch ( UnknownAccountException uae ) {
          ...
      } catch ( IncorrectCredentialsException ice ) {
          ...
      } catch ( LockedAccountException lae ) {
          ...
      } catch ( ExcessiveAttemptsException eae ) {
          ...
      } ... catch your own ...
      catch ( AuthenticationException ae ) {
          //unexpected error?
      }
      //No problems, show authenticated view...
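The three steps above, carried through as one complete program. This is an added example, not code from the slides or from the Shiro project: it assumes Shiro 1.x on the classpath, builds an in-memory SecurityManager from an `Ini` object with one constructed sample account ("jsmith"/"secret"), and maps the exception hierarchy onto the "allow, retry, or block" outcomes of step 3. Unknown-account and wrong-password failures deliberately collapse into the same outward result so a login form cannot be used to enumerate usernames, and the password is wiped from the token once it has been consumed.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class LoginExample {

    /** Outcome handed back to the UI; the reason stays generic on purpose. */
    enum Outcome { GRANTED, RETRY, BLOCKED }

    /** Builds an in-memory SecurityManager with one constructed test account (assumption: Shiro 1.x). */
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        // [users] section syntax: username = password, role1, role2 ...
        // "jsmith" / "secret" is a constructed sample credential, not a real account.
        ini.addSection("users").put("jsmith", "secret, employee");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** Steps 1-3 of the slides: collect, submit, then allow / retry / block. */
    static Outcome login(String username, char[] password, boolean rememberMe) {
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        try {
            currentUser.login(token);
            return Outcome.GRANTED;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Same response for "no such user" and "wrong password": the form must not
            // reveal which usernames exist. Log the specific cause server-side instead.
            return Outcome.RETRY;
        } catch (LockedAccountException | ExcessiveAttemptsException e) {
            // Account-state failures: retrying will not help, stop the user here.
            return Outcome.BLOCKED;
        } catch (AuthenticationException e) {
            // Anything else in the hierarchy: treat as a failed attempt, never as success.
            return Outcome.RETRY;
        } finally {
            token.clear(); // wipe the password chars once the token has been consumed
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());

        // wrong password and unknown user produce the same outcome
        System.out.println(login("jsmith", "wrong".toCharArray(), false));
        System.out.println(login("nobody", "secret".toCharArray(), false));

        // correct credentials: the thread-bound Subject is now authenticated
        System.out.println(login("jsmith", "secret".toCharArray(), false));
        Subject currentUser = SecurityUtils.getSubject();
        System.out.println("principal=" + currentUser.getPrincipal()
                + " authenticated=" + currentUser.isAuthenticated()
                + " remembered=" + currentUser.isRemembered());

        // releases account data and invalidates the session (slide 58)
        currentUser.logout();
    }
}
```

Run it as a plain `main` with the Shiro core jar on the classpath; no web container is needed because the SecurityManager and its session store are entirely in memory. The `finally` block matters: the token still holds the raw password after `login()` returns, and clearing it limits how long the secret lives in the heap.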
  • 16. “Remember Me” support • subject.isRemembered() • subject.isAuthenticated() • remembered != authenticated
  • 17. Authorization (section divider; agenda: Authentication, Authorization, Session Management, Cryptography, Web Support, Threading & Concurrency)
  • 18. Authorization Defined Process of determining Access Control “who can do what” Elements of Authorization • Permissions • Roles • Users
  • 19. Permissions Defined • The “what” of an application • Most atomic security element • Describes resource types and their behavior • Does not define “who”
  • 20. Roles Defined • Implicit or Explicit construct • Implicit: Name only • Explicit: A named collection of Permissions Allows behavior aggregation Enables dynamic (runtime) alteration of user abilities.
  • 21. Users Defined • The “who” of the application • What each user can do is defined by their association with Roles or Permissions Example: User’s roles imply PrinterPermission
  • 22. Authorization Features • Subject-centric (current user) • Checks based on roles or permissions • Powerful out-of-the-box WildcardPermission • Any data model – Realms decide
  • 23. How to Authorize with Shiro Multiple means of checking access control: • Programmatically • JDK 1.5 annotations • JSP/GSP TagLibs (web support)
  • 24. Programmatic Authorization: Role Check
      //get the current Subject
      Subject currentUser = SecurityUtils.getSubject();
      if (currentUser.hasRole("administrator")) {
          //do one thing (show a special button?)
      } else {
          //don't show the button?
      }
  • 25. Programmatic Authorization: Permission Check
      Subject currentUser = SecurityUtils.getSubject();
      Permission printPermission =
          new PrinterPermission("laserjet3000n", "print");
      if (currentUser.isPermitted(printPermission)) {
          //do one thing (show the print button?)
      } else {
          //don't show the button?
      }
  • 26. Programmatic Authorization: Permission Check (String-based)
      String perm = "printer:print:laserjet4400n";
      if (currentUser.isPermitted(perm)) {
          //show the print button?
      } else {
          //don't show the button?
      }
  • 27. Annotation Authorization: Role Check
      //Throws an AuthorizationException if the caller
      //doesn't have the 'teller' role:
      @RequiresRoles( "teller" )
      public void openAccount( Account acct ) {
          //do something in here that only a teller
          //should do
      }
  • 28. Annotation Authorization: Permission Check
      //Will throw an AuthorizationException if none
      //of the caller's roles imply the Account
      //'create' permission
      @RequiresPermissions("account:create")
      public void openAccount( Account acct ) {
          //create the account
      }
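The string form on slide 26 is parsed by Shiro's `WildcardPermission`, and whether a check like `isPermitted("printer:print:laserjet4400n")` passes depends on what the granted permission strings imply. The following added example (not from the slides or the Shiro project; it assumes Shiro 1.x and uses constructed permission strings) exercises the implication rules directly, without a SecurityManager, so the semantics can be verified in isolation: parts are separated by `:`, alternatives within a part by `,`, `*` matches any value, and a granted string with fewer parts implies every more specific string beneath it, while the reverse is not true.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class PermissionImplication {

    /** True when the permission a user holds ("granted") implies the one being checked ("requested"). */
    static boolean implies(String granted, String requested) {
        Permission held = new WildcardPermission(granted);
        Permission wanted = new WildcardPermission(requested);
        return held.implies(wanted);
    }

    /** Small self-check so a wrong assumption about the rules fails loudly. */
    static void expect(boolean expected, String granted, String requested) {
        boolean actual = implies(granted, requested);
        if (actual != expected) {
            throw new AssertionError("'" + granted + "' implies '" + requested + "' was "
                    + actual + ", expected " + expected);
        }
        System.out.printf("%-32s implies %-30s : %s%n", granted, requested, actual);
    }

    public static void main(String[] args) {
        String wanted = "printer:print:laserjet4400n"; // the string from slide 26

        // exact match
        expect(true,  "printer:print:laserjet4400n", wanted);
        // missing trailing parts mean "all": a grant on the action covers every instance
        expect(true,  "printer:print", wanted);
        // explicit wildcards
        expect(true,  "printer:*", wanted);
        expect(true,  "*", wanted);
        // alternatives inside one part
        expect(true,  "printer:query,print:laserjet4400n", wanted);
        // comparison is case-insensitive by default
        expect(true,  "Printer:Print", wanted);

        // a more specific grant never widens to a broader request
        expect(false, "printer:print:laserjet4400n", "printer:print");
        expect(false, "printer:print:laserjet4400n", "printer:print:laserjet3000n");
        // a different action or resource type is not implied
        expect(false, "printer:query", wanted);
        expect(false, "scanner:*", wanted);
        // a wildcard in the first part still constrains the later parts
        expect(true,  "*:print", "printer:print");
        expect(false, "*:print", "printer:manage");
    }
}
```

The practical consequence for a Realm author is that granting `printer:print` (two parts) is the same as granting printing on every printer, so store the most specific string you actually intend to grant, and keep role-to-permission mappings reviewed with these rules in mind.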
  • 29. Enterprise Session Management (section divider; agenda: Authentication, Authorization, Session Management, Cryptography, Web Support, Threading & Concurrency)
  • 30. Session Management Defined Managing the lifecycle of Subject-specific temporal data context
  • 31. Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Can be used for SSO
  • 32. Acquiring and Creating Sessions
      Subject currentUser = SecurityUtils.getSubject();
      //guarantee a session
      Session session = currentUser.getSession();
      //get a session if it exists (may return null)
      currentUser.getSession(false);
  • 34. Cryptography (section divider; agenda: Authentication, Authorization, Session Management, Cryptography, Web Support, Threading & Concurrency)
  • 35. Cryptography Defined Protecting information from undesired access by hiding it or converting it into nonsense. Elements of Cryptography • Ciphers • Hashes
  • 36. Ciphers Defined: Encryption and decryption of data based on public/private keys. • Symmetric Cipher - same key for encryption and decryption. • Asymmetric Cipher - different keys for encryption and decryption
  • 37. Hashes Defined A one-way, irreversible conversion of an input source (a.k.a. Message Digest) Used for: • Credentials transformation • Data with underlying byte array Files, Streams, etc
  • 38. Cryptography Features Simplicity • Simplified wrapper over JCE infrastructure. • Easier to understand API • “Object Orientifies” cryptography concepts • Interface-driven, POJO based
  • 39. Cipher Features • OO Hierarchy JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc • Just instantiate a class No “Transformation String”/Factory methods • More secure default settings Initialization Vectors, et. al.
  • 40. Shiro's CipherService Interface
      public interface CipherService {
          ByteSource encrypt( byte[] raw, byte[] key);
          void encrypt(InputStream in, OutputStream out, byte[] key);
          ByteSource decrypt( byte[] cipherText, byte[] key);
          void decrypt(InputStream in, OutputStream out, byte[] key);
      }
  • 41. Hash Features • Default interface implementations MD5, SHA1, SHA-256, et. al. • Built in Hex & Base64 conversion • Built-in support for Salts and repeated hashing
  • 42. Shiro's Hash Interface
      public interface Hash {
          byte[] getBytes();
          String toHex();
          String toBase64();
      }
  • 43. Intuitive OO Hash API
      //some examples:
      new Md5Hash("foo").toHex();
      //File MD5 Hash value for checksum:
      new Md5Hash( aFile ).toHex();
      //store a password, but not raw:
      new Sha256Hash(aPassword, salt, 1024).toBase64();
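Slide 43's last line is the important one for credential storage: a salted, iterated hash rather than the raw password. The added example below (not from the slides or the Shiro project; it assumes Shiro 1.x and uses a constructed sample password) completes that line into a store-and-verify pair, and also rounds out the CipherService slides with an `AesCipherService` round trip. The stored credential format `base64(salt)$base64(hash)` is a constructed convention for this example; the comparison uses `MessageDigest.isEqual` so verification time does not depend on where the first differing byte sits.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class CredentialHashingExample {

    static final int ITERATIONS = 1024; // the iteration count used on slide 43
    static final int SALT_BYTES = 16;
    static final SecureRandomNumberGenerator RNG = new SecureRandomNumberGenerator();

    /** Hashes a password with a fresh random salt; returns "base64(salt)$base64(hash)" (constructed format). */
    static String hashPassword(char[] password) {
        ByteSource salt = RNG.nextBytes(SALT_BYTES);
        Sha256Hash hash = new Sha256Hash(password, salt, ITERATIONS);
        return salt.toBase64() + "$" + hash.toBase64();
    }

    /** Recomputes the hash with the stored salt and compares in constant time. */
    static boolean verifyPassword(char[] candidate, String stored) {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) {
            return false; // malformed record: refuse rather than throw
        }
        byte[] salt = Base64.decode(parts[0]);
        byte[] expected = Base64.decode(parts[1]);
        byte[] actual = new Sha256Hash(candidate, salt, ITERATIONS).getBytes();
        return MessageDigest.isEqual(expected, actual);
    }

    /** Symmetric round trip; the service generates a random IV per call and prepends it to the output. */
    static byte[] roundTrip(AesCipherService aes, byte[] key, byte[] plaintext) {
        byte[] ciphertext = aes.encrypt(plaintext, key).getBytes();
        return aes.decrypt(ciphertext, key).getBytes();
    }

    public static void main(String[] args) {
        // constructed sample password, not a real credential
        char[] password = "correct horse battery".toCharArray();
        String stored = hashPassword(password);
        System.out.println("stored credential: " + stored);
        System.out.println("correct password verifies: " + verifyPassword(password, stored));
        System.out.println("wrong password verifies:   " + verifyPassword("wrong".toCharArray(), stored));
        // two users with the same password get different records because the salt differs
        System.out.println("same password, same record: " + stored.equals(hashPassword(password)));
        Arrays.fill(password, '\0'); // do not keep the raw password around longer than needed

        AesCipherService aes = new AesCipherService();
        byte[] key = aes.generateNewKey().getEncoded(); // 128-bit key by default
        byte[] message = "session payload".getBytes(StandardCharsets.UTF_8);
        byte[] c1 = aes.encrypt(message, key).getBytes();
        byte[] c2 = aes.encrypt(message, key).getBytes();
        System.out.println("identical ciphertexts for repeated encryption: " + Arrays.equals(c1, c2));
        System.out.println("decrypts to original: "
                + Arrays.equals(message, roundTrip(aes, key, message)));
    }
}
```

The iterated SHA-256 above mirrors what the slide shows; `Md5Hash` and `Sha1Hash` from slide 41 are fine for the file-checksum use on slide 43 but should not be chosen for new credential storage. Note also that the default block mode of `AesCipherService` has changed across Shiro releases, so pin and review it rather than relying on whatever the version on the classpath provides.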
  • 44. Web Support (section divider; agenda: Authentication, Authorization, Session Management, Cryptography, Web Support, Threading & Concurrency)
  • 45. Web Support Features • Simple ShiroFilter web.xml definition • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
  • 46. web.xml
      <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param><param-name>config</param-name><param-value>
          [main]
          realm = com.my.custom.realm.Implementation
          securityManager.realm = $realm
          [urls]
          /account/** = authc
          /remoting/** = authc, roles[b2bClient], ...
        </param-value></init-param>
      </filter>
      <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
  • 47. JSP TagLib Authorization
      <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
      <html>
      <body>
        <shiro:hasRole name="administrator">
          <a href="manageUsers.jsp"> Click here to manage users </a>
        </shiro:hasRole>
        <shiro:lacksRole name="administrator">
          No user admin for you!
        </shiro:lacksRole>
      </body>
      </html>
  • 48. JSP TagLibs
      <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
      <!-- Other tags: -->
      <shiro:guest/>
      <shiro:user/>
      <shiro:principal/>
      <shiro:hasRole/>
      <shiro:lacksRole/>
      <shiro:hasAnyRoles/>
      <shiro:hasPermission/>
      <shiro:lacksPermission/>
      <shiro:authenticated/>
      <shiro:notAuthenticated/>
  • 49. Threading & Concurrency (section divider; agenda: Authentication, Authorization, Session Management, Cryptography, Web Support, Threading & Concurrency)
  • 50. Threading & Concurrency Features • Subject retained on multiple threads • Automatic thread cleanup • Transparent Executor/ExecutorService support
  • 51. ThreadLocal • Currently-executing Subject is thread-bound via a ThreadContext • Executing logic in the current thread is fine. What about other threads? • Runnable & Callable support • ExecutorService support
  • 52. Subject Thread Association
      Can associate a Subject with a Callable or Runnable intended to run on another thread:
      Callable myCallable = //create or acquire
      Subject currentUser = SecurityUtils.getSubject();
      Callable associated = currentUser.associateWith(myCallable);
      associated.call(); //current thread
      //or another thread:
      anExecutorService.submit(associated);
  • 53. Transparent Association
      Subject 'Aware' Executor implementations transparently retain the Subject:
      SubjectAwareExecutor, SubjectAwareExecutorService, SubjectAwareScheduledExecutorService
      //Look mom! No Shiro API imports!
      Callable myCallable = //create or acquire
      anExecutorService.submit(myCallable);
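Slides 51 to 53 describe the failure mode and both fixes; the added example below (not from the slides or the Shiro project; it assumes Shiro 1.x and the same constructed "jsmith"/"secret" account as earlier) makes it observable. The same `Callable` is submitted three ways to a plain thread pool: raw, wrapped by `Subject.associateWith`, and through a `SubjectAwareExecutorService`. On the raw submission the worker thread sees an anonymous Subject, so any `isPermitted` check there would silently fail closed; the two wrapped submissions see the logged-in identity, and a final raw run shows the worker thread was cleaned up afterwards.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.concurrent.SubjectAwareExecutorService;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class SubjectThreadExample {

    /** Reports which identity the executing thread currently sees (null = anonymous). */
    static final Callable<Object> WHO_AM_I = () -> SecurityUtils.getSubject().getPrincipal();

    /** In-memory SecurityManager with one constructed test account (assumption: Shiro 1.x). */
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("jsmith", "secret, employee"); // constructed sample
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** Plain submission: the Subject bound to the caller's thread does not follow the task. */
    static Object runRaw(ExecutorService pool, Callable<Object> task) throws Exception {
        return pool.submit(task).get();
    }

    /** Explicit association (slide 52): the wrapper binds the Subject before the task and unbinds after. */
    static Object runAssociated(ExecutorService pool, Subject subject, Callable<Object> task)
            throws Exception {
        return pool.submit(subject.associateWith(task)).get();
    }

    /** Transparent association (slide 53): the executor wrapper does the same without Shiro calls in the task. */
    static Object runSubjectAware(ExecutorService pool, Callable<Object> task) throws Exception {
        return new SubjectAwareExecutorService(pool).submit(task).get();
    }

    public static void main(String[] args) throws Exception {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("jsmith", "secret"));

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            System.out.println("caller thread sees:       " + currentUser.getPrincipal());
            System.out.println("raw submission sees:      " + runRaw(pool, WHO_AM_I));
            System.out.println("associateWith sees:       " + runAssociated(pool, currentUser, WHO_AM_I));
            System.out.println("SubjectAwareExecutor sees:" + runSubjectAware(pool, WHO_AM_I));
            // the wrapped tasks restored the worker thread's state when they finished
            System.out.println("raw submission after:     " + runRaw(pool, WHO_AM_I));
        } finally {
            pool.shutdown();
            currentUser.logout();
        }
    }
}
```

A single-thread pool is used deliberately: because every task lands on the same worker, the last raw run demonstrates the "automatic thread cleanup" from slide 50, since an identity leaked by the wrapped task would otherwise still be visible there.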
  • 55. “Run As” Support • “Run As” allows a Subject to assume the identity of another • Useful for administrative interfaces • Identity retained until relinquished
  • 56. "Run As" Support
      //assume current user is the 'admin' user:
      Subject currentUser = SecurityUtils.getSubject();
      PrincipalCollection newIdentity =
          new SimplePrincipalCollection("jsmith", "jdbcRealm");
      currentUser.runAs(newIdentity);
      //behave as the 'jsmith' user here
      currentUser.isRunAs();               //true = assumed identity
      currentUser.getPreviousPrincipals(); //prev. identity
      //return back to the admin user:
      currentUser.releaseRunAs();
  • 57. Unit Testing
      • Subject.Builder creates ad-hoc Subjects
      • Use with subject.execute for easy testing:
      Subject testSubject = new Subject.Builder(securityManager)
          .principals(new SimplePrincipalCollection("jsmith", "testRealm")) //any realm name
          .buildSubject();
      testSubject.execute( new Runnable() {
          public void run() {
              callTestMethod();
          }
      });
  • 58. Logging Out
      One method:
      //Logs the user out, relinquishes account
      //data, and invalidates any Session
      SecurityUtils.getSubject().logout();
      App-specific log-out logic: run it before/after the call, or listen for Authentication or StoppedSession events.
  • 60. Thank You! • les@katasoft.com • http://www.katasoft.com • Seeking engineering talent • Seeking product feedback