Apache Shiro
Prepared By: Smita Prasad
Introduction
• Shiro provides the application security API to perform the following aspects:
  • Authentication - proving user identity, often called user 'login'.
  • Authorization - access control
  • Cryptography - protecting or hiding data from prying eyes
  • Session Management - per-user time-sensitive state
Architecture
• High-Level Overview
Terminology
• Subject - anything or anyone communicating with your application.
• Principals - a subject's identifying attributes: first name, last name, social security number, username.
• Credentials - secret data used to verify identities: passwords, biometric data, X.509 certificates.
• Realms - data access objects; software components that talk to a backend data source.
Security Manager
• Manages security operations for all users.
• It is a singleton: one for every application.
• A web application will usually specify a Shiro Servlet Filter in web.xml, and that will set up the SecurityManager instance:
    <filter-name>ShiroFilter</filter-name>
• Text-based INI configuration is also possible and can then be loaded into the SecurityManager.
Realm
• Acts as the 'bridge' or 'connector' between Shiro and the application's security data.
• Encapsulates connection details for data sources and makes the associated data available to Shiro as needed.
• More than one Realm may be configured, but at least one is required.
• Explicit assignment: set them as a collection property on the securityManager object.
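An added example, not from the slides, of the text-based INI configuration the Security Manager and Realm slides mention: a shiro.ini that wires a HashedCredentialsMatcher into the implicit iniRealm, assigns that realm to the securityManager, and protects URL paths with Shiro's filters. The user names, roles, paths, iteration count and the hash/key placeholders are constructed.

```ini
[main]
# The matcher must use the same algorithm, iteration count and encoding that produced the stored hashes
credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName = SHA-512
credentialsMatcher.hashIterations = 500000
credentialsMatcher.storedCredentialsHexEncoded = false

# iniRealm is the realm Shiro creates implicitly from the [users] and [roles] sections below
iniRealm.credentialsMatcher = $credentialsMatcher
# Explicit assignment of the realm collection on the securityManager (the slide's "collection property")
securityManager.realms = $iniRealm

# Remember-me cookies are encrypted with this key; set a per-deployment key instead of relying on a default
securityManager.rememberMeManager.cipherKey = BASE64_AES_KEY_PLACEHOLDER
securityManager.rememberMeManager.cookie.secure = true
securityManager.rememberMeManager.cookie.httpOnly = true

[users]
# username = <stored hash>, role1, role2
# Note: the [users] section cannot carry a per-user salt; a realm backed by a database
# (JdbcRealm or a custom realm returning SaltedAuthenticationInfo) is needed for that.
alice = BASE64_SHA512_HASH_PLACEHOLDER, administrator
bob = BASE64_SHA512_HASH_PLACEHOLDER, teller

[roles]
administrator = *
teller = account:create, account:view

[urls]
/login.jsp = authc
/logout = logout
/admin/** = authc, roles[administrator]
/account/** = authc, perms["account:create"]
/** = authc
```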
User Login
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.subject.Subject;

    Subject currentUser = SecurityUtils.getSubject();
    if ( !currentUser.isAuthenticated() ) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(true);
        currentUser.login(token);
    }
If the login fails…
    try {
        currentUser.login( token ); // if no exception, that's it, we're done!
    } catch ( UnknownAccountException uae ) {
        // username wasn't in the system, show them an error message?
    } catch ( IncorrectCredentialsException ice ) {
        // password didn't match, try again?
    } catch ( LockedAccountException lae ) {
        // account for that username is locked - can't login. Show them a message?
    }
    // ... more types exceptions to check if you want ...
    catch ( AuthenticationException ae ) {
        // unexpected condition - error?
    }
Remembered vs Authenticated
• A remembered subject is not an authenticated subject.
• A check against isAuthenticated() is a much stricter check.
• For example, a check to see if a subject can access financial information should almost always depend on isAuthenticated(), not isRemembered(), to guarantee a verified identity.
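The login, failure-handling and remembered-vs-authenticated slides above, combined into one service as an added example (not code from the slides or from the Shiro project). It assumes an slf4j logger; the LoginService class, the Outcome enum and the "account:view" permission string are hypothetical. The failure branches log the exact cause for the defender but return a single generic outcome to the caller, so the response does not reveal whether a username exists.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical service wrapping the slides' login flow. */
public class LoginService {
    private static final Logger log = LoggerFactory.getLogger(LoginService.class);

    /** One generic result for every failure: the UI shows the same message regardless of cause. */
    public enum Outcome { AUTHENTICATED, FAILED }

    public Outcome login(String username, char[] password, boolean rememberMe, String clientIp) {
        Subject currentUser = SecurityUtils.getSubject();
        if (currentUser.isAuthenticated()) {
            return Outcome.AUTHENTICATED;          // identity already proven in this session
        }
        // Four-argument constructor records the client host on the token for the audit log
        UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe, clientIp);
        try {
            currentUser.login(token);
            log.info("login ok user={} ip={}", username, clientIp);
            return Outcome.AUTHENTICATED;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Keep the distinction in the log only; the caller gets the same FAILED outcome
            log.warn("login failed user={} ip={} cause={}", username, clientIp, e.getClass().getSimpleName());
        } catch (LockedAccountException | ExcessiveAttemptsException e) {
            log.warn("login blocked user={} ip={} cause={}", username, clientIp, e.getClass().getSimpleName());
        } catch (AuthenticationException e) {
            log.error("unexpected authentication failure user={} ip={}", username, clientIp, e);
        } finally {
            token.clear();                         // scrub the password chars from memory
        }
        return Outcome.FAILED;
    }

    /** Remembered is not authenticated: a sensitive view requires a verified identity. */
    public boolean mayViewFinancialData(Subject subject) {
        return subject.isAuthenticated() && subject.isPermitted("account:view");
    }
}
```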
Logging Out
    currentUser.logout();
• Removes all identifying information and invalidates their session too.
Authorization - Role Check
    Subject currentUser = SecurityUtils.getSubject();
    if (currentUser.hasRole("administrator")) {
        // show a special button
    } else {
        // don't show the button?
    }
Permission Check
    Subject currentUser = SecurityUtils.getSubject();
    Permission printPermission = new PrinterPermission("laserjet3000n", "print");
    if (currentUser.isPermitted(printPermission)) {
        // do one thing (show the print button?)
    } else {
        // don't show the button?
    }
Using Annotations
• @RequiresPermissions("account:create")
• @RequiresRoles("teller")
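The role check, permission check and annotation slides above, as one added example (not code from the slides or from the Shiro project). In place of the slides' custom PrinterPermission class it uses Shiro's WildcardPermission string syntax; the AccountController class, its methods and the returned status codes are hypothetical.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;

/** Hypothetical controller showing the three forms of authorization check Shiro offers. */
public class AccountController {

    // 1. Boolean query, for deciding what to render (the slides' hasRole / isPermitted pattern).
    //    "domain:action:instance" is Shiro's WildcardPermission string form.
    public boolean canShowPrintButton() {
        Subject currentUser = SecurityUtils.getSubject();
        return currentUser.isAuthenticated()
            && currentUser.isPermitted("printer:print:laserjet3000n");
    }

    // 2. Assertion, guarding the action itself: hiding a button is not access control,
    //    because the request can still be sent without it.
    public void printDocument(String documentId) {
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.checkPermission("printer:print:laserjet3000n"); // throws AuthorizationException if denied
        // ... send documentId to the printer (hypothetical)
    }

    // 3. Declarative form, enforced by Shiro's AOP method interceptor. Without an AOP
    //    integration (Spring, AspectJ, Guice) the annotations are inert and the method runs unguarded.
    @RequiresRoles("teller")
    @RequiresPermissions("account:create")
    public String createAccount(String ownerName) {
        return "acct-" + ownerName.hashCode();     // hypothetical account id
    }

    // Caller-side handling: a denied check becomes a 403, not a stack trace in the response.
    public int handle(Runnable action) {
        try {
            action.run();
            return 200;
        } catch (AuthorizationException e) {
            return 403;
        }
    }
}
```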
Cryptography - Hashing
• String hex = new Md5Hash(myFile).toHex();
• String encodedPassword = new Sha512Hash(password, salt, count).toBase64();
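An added example, not from the slides, that carries the Sha512Hash(password, salt, count) line through to a complete store-and-verify routine: a fresh random salt per user, an iteration count, and a constant-time comparison on verification. The PasswordHasher class, StoredCredential holder, salt length and iteration count are constructed choices. (The slide's Md5Hash of a file is suitable only as a non-security checksum, since MD5 is not collision-resistant.)

```java
import java.security.MessageDigest;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;

/** Hypothetical helper: salted, iterated SHA-512 password storage using Shiro's hash classes. */
public class PasswordHasher {
    // Constructed parameters: tune ITERATIONS to your hardware so one hash costs tens of milliseconds
    private static final int ITERATIONS = 500_000;
    private static final int SALT_BYTES = 16;
    private final SecureRandomNumberGenerator rng = new SecureRandomNumberGenerator();

    /** What gets persisted with the user record: hash, salt and the count used to produce it. */
    public static final class StoredCredential {
        public final String hashBase64;
        public final String saltBase64;
        public final int iterations;
        StoredCredential(String h, String s, int i) { hashBase64 = h; saltBase64 = s; iterations = i; }
    }

    public StoredCredential hash(char[] password) {
        ByteSource salt = rng.nextBytes(SALT_BYTES);                // fresh per-user salt
        Sha512Hash h = new Sha512Hash(password, salt, ITERATIONS);  // the slide's constructor
        return new StoredCredential(h.toBase64(), salt.toBase64(), ITERATIONS);
    }

    public boolean verify(char[] candidate, StoredCredential stored) {
        ByteSource salt = ByteSource.Util.bytes(Base64.decode(stored.saltBase64));
        byte[] recomputed = new Sha512Hash(candidate, salt, stored.iterations).getBytes();
        byte[] expected = Base64.decode(stored.hashBase64);
        return MessageDigest.isEqual(expected, recomputed);          // constant-time comparison
    }
}
```

Storing the iteration count alongside the hash lets the count be raised later without invalidating existing credentials.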
Thank You

Learn Apache Shiro