MI
Uploaded byMarakana Inc.
PDF, PPTX19,224 views

Super simple application security with Apache Shiro

The document provides an overview of Apache Shiro, an application security library designed to simplify and enhance security features like authentication, authorization, session management, and cryptography. It details Shiro's architecture, core components, and practical use cases, outlining steps for implementing security within applications. The document also includes examples of how to authenticate users, manage sessions, and handle permissions using Shiro's APIs.

Technology
Related topics:
Application Security

Embed presentation

Download as PDF, PPTX
Simple Application Security Les Hazlewood Apache Shiro Project Chair
About Me Les Hazlewood Apache Shiro Project Chair JSecurity Founder Katasoft Founder & CTO
What is Apache Shiro? • Application security library • Quick and easy • Simplifies security concepts
About Shiro • Started in 2003, JSecurity in 2004 • Simplify or replace JAAS • Dynamic changes at runtime • Sessions - Heterogeneous Clients • Reduce Design Flaws • ‘One stop shop’ • Apache Top Level, September
Reduce Design Flaws
No Silver Bullets
Agenda Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Quick Terminology • Subject – Security-specific user ‘view’ • Principals – Subject’s identifying attributes • Credentials – Secret values that verify identity • Realm – Security-specific DAO
Authentication Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Authentication Defined Identity verification: Proving a user is who he says he is
Shiro Authentication Features • Subject-based (current user) • Single method call • Rich Exception Hierarchy • ‘Remember Me’ built in
How to Authenticate with Shiro Steps 1. Collect principals & credentials 2. Submit to Authentication System 3. Allow, retry, or block access
Step 1: Collecting Principals & Credentials //Example using most common scenario: //String username and password. Acquire in //system-specific manner (HTTP request, GUI, etc) UsernamePasswordToken token = new UsernamePasswordToken( username, password ); //”Remember Me” built-in, just do this: token.setRememberMe(true);
Step 2: Submission Subject currentUser = SecurityUtils.getSubject(); currentUser.login(token);
Step 3: Grant Access or Handle Failure try { currentUser.login(token); } catch ( UnknownAccountException uae ) { ... } catch ( IncorrectCredentialsException ice ) { .. } catch ( LockedAccountException lae ) { ... } catch ( ExcessiveAttemptsException eae ) { ... } ... catch your own ... } catch ( AuthenticationException ae ) { //unexpected error? } //No problems, show authenticated view…
“Remember Me” support • subject.isRemembered() • subject.isAuthenticated() • remembered != authenticated
Authorization Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Authorization Defined Process of determining Access Control “who can do what” Elements of Authorization • Permissions • Roles • Users
Permissions Defined • The “what” of an application • Most atomic security element • Describes resource types and their behavior • Does not define “who”
Roles Defined • Implicit or Explicit construct • Implicit: Name only • Explicit: A named collection of Permissions Allows behavior aggregation Enables dynamic (runtime) alteration of user abilities.
Users Defined • The “who” of the application • What each user can do is defined by their association with Roles or Permissions Example: User’s roles imply PrinterPermission
Authorization Features • Subject-centric (current user) • Checks based on roles or permissions • Powerful out-of-the-box WildcardPermission • Any data model – Realms decide
How to Authorize with Shiro Multiple means of checking access control: • Programmatically • JDK 1.5 annotations • JSP/GSP TagLibs (web support)
Programmatic Authorization Role Check //get the current Subject Subject currentUser = SecurityUtils.getSubject(); if (currentUser.hasRole(“administrator”)) { //do one thing (show a special button?)‫‏‬ } else { //don‟t show the button?)‫‏‬ }
Programmatic Authorization Permission Check Subject currentUser = SecurityUtils.getSubject(); Permission printPermission = new PrinterPermission(“laserjet3000n”,“print”); If (currentUser.isPermitted(printPermission)) { //do one thing (show the print button?)‫‏‬ } else { //don‟t show the button? }
Programmatic Authorization Permission Check (String-based) String perm = “printer:print:laserjet4400n”; if(currentUser.isPermitted(perm)){ //show the print button? } else { //don‟t show the button? }
Annotation Authorization Role Check //Throws an AuthorizationException if the caller //doesn‟t have the „teller‟ role: @RequiresRoles( “teller” ) public void openAccount( Account acct ) { //do something in here that only a teller //should do }
Annotation Authorization Permission Check //Will throw an AuthorizationException if none //of the caller‟s roles imply the Account //'create' permission @RequiresPermissions(“account:create”)‫‏‬ public void openAccount( Account acct ) { //create the account }
Enterprise Session Management Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Session Management Defined Managing the lifecycle of Subject-specific temporal data context
Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Can be used for SSO
Acquiring and Creating Sessions Subject currentUser = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
Session API getStartTimestamp() getLastAccessTime() getAttribute(key) setAttribute(key, value) get/setTimeout(long) touch() ...
Cryptography Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Cryptography Defined Protecting information from undesired access by hiding it or converting it into nonsense. Elements of Cryptography • Ciphers • Hashes
Ciphers Defined Encryption and decryption data based on public/private keys. • Symmetric Cipher - same key for encryption and decryption. • Asymmetric Cipher - different keys for encryption and decryption
Hashes Defined A one-way, irreversible conversion of an input source (a.k.a. Message Digest) Used for: • Credentials transformation • Data with underlying byte array Files, Streams, etc
Cryptography Features Simplicity • Simplified wrapper over JCE infrastructure. • Easier to understand API • “Object Orientifies” cryptography concepts • Interface-driven, POJO based
Cipher Features • OO Hierarchy JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc • Just instantiate a class No “Transformation String”/Factory methods • More secure default settings Initialization Vectors, et. al.
Shiro’s CipherService Interface public interface CipherService { ByteSource encrypt( byte[] raw, byte[] key); void encrypt(InputStream in, OutputStream out, byte[] key); ByteSource decrypt( byte[] cipherText, byte[] key); void decrypt(InputStream in, OutputStream out, byte[] key); }
Hash Features • Default interface implementations MD5, SHA1, SHA-256, et. al. • Built in Hex & Base64 conversion • Built-in support for Salts and repeated hashing
Shiro’s Hash Interface public interface Hash { byte[] getBytes(); String toHex(); String toBase64(); }
Intuitive OO Hash API //some examples: new Md5Hash(“foo”).toHex(); //File MD5 Hash value for checksum: new MD5Hash( aFile ).toHex(); //store a password, but not raw: new Sha256(aPassword, salt, 1024).toBase64();
Web Support Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Web Support Features • Simple ShiroFilter web.xml definition • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
web.xml <filter> <filter-name>ShiroFilter</filter-name> <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter- class> <init-param><param-name>config</param-name><param-value> [main] realm = com.my.custom.realm.Implementation securityManager.realm = $realm [urls] /account/** = authc /remoting/** = authc, roles[b2bClient], ... </param-value></init-param> </filter> <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
JSP TagLib Authorization <%@ taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <html> <body> <shiro:hasRole name=“administrator”> <a href=“manageUsers.jsp”> Click here to manage users </a> </shiro:hasRole> <shiro:lacksRole name=“administrator”> No user admin for you! </shiro:hasRole> </body> </html>
JSP TagLibs <%@ taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <!-- Other tags: --> <shiro:guest/> <shiro:user/> <shiro:principal/> <shiro:hasRole/> <shiro:lacksRole/> <shiro:hasAnyRoles/> <shiro:hasPermission/> <shiro:lacksPermission/> <shiro:authenticated/> <shiro:notAuthenticated/>
Threading & Concurrency Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Threading & Concurrency Features • Subject retained on multiple threads • Automatic thread cleanup • Transparent Executor/ExecutorService support
ThreadLocal • Currently-executing Subject is thread-bound via a ThreadContext • Executing logic in the current thread is fine. What about other threads? • Runnable & Callable support • ExecutorService support
Subject Thread Association Can associate a Subject with a Callable or Runnable intended to run on another thread: Callable myCallable = //create or acquire Subject currentUser = SecurityUtils.getSubject(); Callable associated = currentUser.associateWith(myCallable); associated.call(); //current thread //or another thread: anExecutorService.execute(associated);
Transparent Association Subject ‘Aware’ Executor implementations transparently retain Subject: SubjectAwareExecutor, SubjectAwareExecutorService, SubjectAwareScheduledExecutorService //Look mom! No Shiro API imports! Callable myCallable = //create or acquire anExecutorService.execute(myCallable);
MISCELLANEOUS
“Run As” Support • “Run As” allows a Subject to assume the identity of another • Useful for administrative interfaces • Identity retained until relinquished
“Run As” Support //assume current user is the „admin‟ user: Subject currentUser = SecurityUtils.getSubject(); PrincipalCollection newIdentity = new SimplePrincipalCollection(“jsmith”, “jdbcRealm”); currentUser.runAs(newIdentity); //behave as the „jsmith‟ user here currentuser.isRunAs(); //true = assumed identity currentUser.getPreviousPrincipals();//prev. identity //return back to the admin user: currentUser.releaseRunAs();
Unit Testing • Subject.Builder creates ad-hoc Subjects • Use with subject.execute for easy testing: Subject testSubject = Subject.Builder(securityManager) .principals(“jsmith”).buildSubject() testSubject.execute( new Runnable() { public void run() { callTestMethod(); } });
Logging Out One method: user out, relinquishes account //Logs the //data, and invalidates any Session SecurityUtils.getSubject().logout(); App-specific log-out logic: Before/After the call Listen for Authentication or StoppedSession events.
APACHE SHIRO DEMO
Thank You! • les@katasoft.com • http://www.katasoft.com • Seeking engineering talent • Seeking product feedback

More Related Content

PPTX
Java Security Framework's
byMohammed Fazuluddin
 
PPTX
Dao example
bymyrajendra
 
PDF
Testing with JUnit 5 and Spring - Spring I/O 2022
bySam Brannen
 
PPTX
Intro to Apache Shiro
byClaire Hunsaker
 
PPTX
Act.4 - Cuadro comparativo - Lengujes de desarrollo
byDafne Alcantar
 
PPTX
Junit 4.0
bypallavikhandekar212
 
PDF
Writing Parsers and Compilers with PLY
byDavid Beazley (Dabeaz LLC)
 
PPTX
Control structure of c
byKomal Kotak
 
Java Security Framework's
byMohammed Fazuluddin
 
Dao example
bymyrajendra
 
Testing with JUnit 5 and Spring - Spring I/O 2022
bySam Brannen
 
Intro to Apache Shiro
byClaire Hunsaker
 
Act.4 - Cuadro comparativo - Lengujes de desarrollo
byDafne Alcantar
 
Junit 4.0
bypallavikhandekar212
 
Writing Parsers and Compilers with PLY
byDavid Beazley (Dabeaz LLC)
 
Control structure of c
byKomal Kotak
 

What's hot

PPTX
Clean Code: Successive Refinement
byAli A Jalil
 
PPTX
An overview of selenium webdriver
byAnuraj S.L
 
PDF
Microsoft Information Protection Implementation using C# and PowerShell
byAditya Sharma
 
PPTX
c# programmation orientée objet (Classe & Objet)
byMahfoud EL HOUDAIGUI
 
PDF
Polymorphisme, interface et classe abstraite
byECAM Brussels Engineering School
 
PDF
Thick Client Testing Advanced
byNSConclave
 
PDF
Keychain Services Programming Guide
byDEVTYPE
 
PPTX
Vim Editor And Basic Scripting (Ch-7)
byMohsinHusenManasiya
 
PPTX
SOLID & IoC Principles
byPavlo Hodysh
 
PDF
UNIDAD 3 MODULARIZACIÓN
byInstituto Tecnológico de Tuxtla Gutiérrez
 
PPTX
Implementing a JavaScript Engine
byKris Mok
 
PPTX
Decision Making and Looping
byMunazza-Mah-Jabeen
 
PDF
Spring Boot
bykoppenolski
 
PPTX
Switch Case in C Programming
bySonya Akter Rupa
 
PDF
Course 101: Lecture 2: Introduction to Operating Systems
byAhmed El-Arabawy
 
PDF
Bloc for Pharo: Current State and Future Perspective
byESUG
 
PPTX
Loops in C
byKamal Acharya
 
PDF
Control structures in Java
byRavi_Kant_Sahu
 
PPT
Generador de codigo intermedio
byGuillermo
 
PPTX
Functional Patterns with Java8 @Bucharest Java User Group
byVictor Rentea
 
Clean Code: Successive Refinement
byAli A Jalil
 
An overview of selenium webdriver
byAnuraj S.L
 
Microsoft Information Protection Implementation using C# and PowerShell
byAditya Sharma
 
c# programmation orientée objet (Classe & Objet)
byMahfoud EL HOUDAIGUI
 
Polymorphisme, interface et classe abstraite
byECAM Brussels Engineering School
 
Thick Client Testing Advanced
byNSConclave
 
Keychain Services Programming Guide
byDEVTYPE
 
Vim Editor And Basic Scripting (Ch-7)
byMohsinHusenManasiya
 
SOLID & IoC Principles
byPavlo Hodysh
 
UNIDAD 3 MODULARIZACIÓN
byInstituto Tecnológico de Tuxtla Gutiérrez
 
Implementing a JavaScript Engine
byKris Mok
 
Decision Making and Looping
byMunazza-Mah-Jabeen
 
Spring Boot
bykoppenolski
 
Switch Case in C Programming
bySonya Akter Rupa
 
Course 101: Lecture 2: Introduction to Operating Systems
byAhmed El-Arabawy
 
Bloc for Pharo: Current State and Future Perspective
byESUG
 
Loops in C
byKamal Acharya
 
Control structures in Java
byRavi_Kant_Sahu
 
Generador de codigo intermedio
byGuillermo
 
Functional Patterns with Java8 @Bucharest Java User Group
byVictor Rentea
 

Viewers also liked

PPTX
Learn Apache Shiro
bySmita Prasad
 
PDF
Securing REST APIs
byClaire Hunsaker
 
PPS
Amazone
byRenée Bukay
 
ODP
Apache Syncope and Tirasa
byFrancesco Chicchiriccò
 
PDF
Java Web Application Security - Utah JUG 2011
byMatt Raible
 
PDF
EEL316: Pseudo Random Bit Generation
byUmang Gupta
 
PDF
Sal Himalaya
byshane9mcdaniel63
 
DOCX
Algunas recomendaciones para lograr la efectividad en la preparación de los p...
byMariana Calle
 
PPTX
Technology, the 4th Amendment and National Security by Doug Bailey
byVator
 
PDF
accompanying notes for e-learning implementation and design; the student pers...
byrosevibe
 
PPTX
Der Bürgerantrag - ein Modellversuch
byGerhard Loub
 
PDF
Manual agricultura-urbana
byGUELFI
 
PDF
Diario Luz Dorada 1ºB
byaesperela
 
PDF
Cronicas desabafos rp_i
byMaria Louro
 
PDF
ASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWC
byPICKASO App Marketing
 
PPTX
Annik capability document india
byAtul Sharma
 
PPTX
Content: create it, sustain it
byBarb Sawyers MA, TESL
 
PPT
Presentación freeDôm
bytxamv
 
PDF
White Paper: Resilient Semi-Passive Optical Link Protection
bySusmita Adhikari Joshi
 
PPS
Conexión de amor finalizada
bygracielacol
 
Learn Apache Shiro
bySmita Prasad
 
Securing REST APIs
byClaire Hunsaker
 
Amazone
byRenée Bukay
 
Apache Syncope and Tirasa
byFrancesco Chicchiriccò
 
Java Web Application Security - Utah JUG 2011
byMatt Raible
 
EEL316: Pseudo Random Bit Generation
byUmang Gupta
 
Sal Himalaya
byshane9mcdaniel63
 
Algunas recomendaciones para lograr la efectividad en la preparación de los p...
byMariana Calle
 
Technology, the 4th Amendment and National Security by Doug Bailey
byVator
 
accompanying notes for e-learning implementation and design; the student pers...
byrosevibe
 
Der Bürgerantrag - ein Modellversuch
byGerhard Loub
 
Manual agricultura-urbana
byGUELFI
 
Diario Luz Dorada 1ºB
byaesperela
 
Cronicas desabafos rp_i
byMaria Louro
 
ASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWC
byPICKASO App Marketing
 
Annik capability document india
byAtul Sharma
 
Content: create it, sustain it
byBarb Sawyers MA, TESL
 
Presentación freeDôm
bytxamv
 
White Paper: Resilient Semi-Passive Optical Link Protection
bySusmita Adhikari Joshi
 
Conexión de amor finalizada
bygracielacol
 

Similar to Super simple application security with Apache Shiro

PDF
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
byWebStackAcademy
 
PPT
Top Ten Proactive Web Security Controls v5
byJim Manico
 
PPTX
SCWCD : Secure web
byBen Abdallah Helmi
 
PPTX
SCWCD : Secure web : CHAP : 7
byBen Abdallah Helmi
 
PDF
Apache shiro security framework
byAshokkumar T A
 
PDF
J2EE Security with Apache SHIRO
byCygnet Infotech
 
PDF
Authorisation: Concepts and Implementation
byOmar Bashir
 
PDF
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
byMarkus Eisele
 
PDF
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
byArtur Barseghyan
 
PDF
Spring4 security
bySang Shin
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PDF
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
PPTX
Crypto passport authentication
byHarry Potter
 
PPTX
Crypto passport authentication
byDavid Hoen
 
PPTX
Crypto passport authentication
byTony Nguyen
 
PPTX
Crypto passport authentication
byYoung Alista
 
PPTX
Crypto passport authentication
byJames Wong
 
PPTX
Crypto passport authentication
byLuis Goldster
 
PPTX
Crypto passport authentication
byFraboni Ec
 
PPTX
Utilize the Full Power of GlassFish Server and Java EE Security
byMasoud Kalali
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
byWebStackAcademy
 
Top Ten Proactive Web Security Controls v5
byJim Manico
 
SCWCD : Secure web
byBen Abdallah Helmi
 
SCWCD : Secure web : CHAP : 7
byBen Abdallah Helmi
 
Apache shiro security framework
byAshokkumar T A
 
J2EE Security with Apache SHIRO
byCygnet Infotech
 
Authorisation: Concepts and Implementation
byOmar Bashir
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
byMarkus Eisele
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
byArtur Barseghyan
 
Spring4 security
bySang Shin
 
Securing Web Applications with Token Authentication
byStormpath
 
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
Crypto passport authentication
byHarry Potter
 
Crypto passport authentication
byDavid Hoen
 
Crypto passport authentication
byTony Nguyen
 
Crypto passport authentication
byYoung Alista
 
Crypto passport authentication
byJames Wong
 
Crypto passport authentication
byLuis Goldster
 
Crypto passport authentication
byFraboni Ec
 
Utilize the Full Power of GlassFish Server and Java EE Security
byMasoud Kalali
 

More from Marakana Inc.

PDF
Android Services Black Magic by Aleksandar Gargenta
byMarakana Inc.
 
PDF
JRuby at Square
byMarakana Inc.
 
PDF
Behavior Driven Development
byMarakana Inc.
 
PDF
Martin Odersky: What's next for Scala
byMarakana Inc.
 
PPT
Why Java Needs Hierarchical Data
byMarakana Inc.
 
PDF
Deep Dive Into Android Security
byMarakana Inc.
 
PDF
Securing Android
byMarakana Inc.
 
PDF
Pictures from "Learn about RenderScript" meetup at SF Android User Group
byMarakana Inc.
 
PDF
Android UI Tips, Tricks and Techniques
byMarakana Inc.
 
PDF
2010 07-18.wa.rails tdd-6
byMarakana Inc.
 
PDF
Efficient Rails Test-Driven Development - Week 6
byMarakana Inc.
 
PDF
Graphicsand animations devoxx2010 (1)
byMarakana Inc.
 
PDF
What's this jQuery? Where it came from, and how it will drive innovation
byMarakana Inc.
 
PDF
jQuery State of the Union - Yehuda Katz
byMarakana Inc.
 
PDF
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
byMarakana Inc.
 
PDF
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
byMarakana Inc.
 
PDF
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
byMarakana Inc.
 
PDF
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
byMarakana Inc.
 
PDF
Replacing Java Incrementally
byMarakana Inc.
 
PDF
Learn to Build like you Code with Apache Buildr
byMarakana Inc.
 
Android Services Black Magic by Aleksandar Gargenta
byMarakana Inc.
 
JRuby at Square
byMarakana Inc.
 
Behavior Driven Development
byMarakana Inc.
 
Martin Odersky: What's next for Scala
byMarakana Inc.
 
Why Java Needs Hierarchical Data
byMarakana Inc.
 
Deep Dive Into Android Security
byMarakana Inc.
 
Securing Android
byMarakana Inc.
 
Pictures from "Learn about RenderScript" meetup at SF Android User Group
byMarakana Inc.
 
Android UI Tips, Tricks and Techniques
byMarakana Inc.
 
2010 07-18.wa.rails tdd-6
byMarakana Inc.
 
Efficient Rails Test-Driven Development - Week 6
byMarakana Inc.
 
Graphicsand animations devoxx2010 (1)
byMarakana Inc.
 
What's this jQuery? Where it came from, and how it will drive innovation
byMarakana Inc.
 
jQuery State of the Union - Yehuda Katz
byMarakana Inc.
 
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
byMarakana Inc.
 
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
byMarakana Inc.
 
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
byMarakana Inc.
 
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
byMarakana Inc.
 
Replacing Java Incrementally
byMarakana Inc.
 
Learn to Build like you Code with Apache Buildr
byMarakana Inc.
 

Recently uploaded

PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
PDF
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
PPTX
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
PDF
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
PDF
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
PDF
Talaria: A Sound-Driven Music Search Engine for Discovery Beyond Metadata
byShuen-Huei Guan
 
PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PDF
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
PPTX
Migrating-Hadoop-to-Databricks-Ebook-FINAL.pptx
byssuserf37fc8
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PPTX
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
PPT
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
PDF
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
PDF
Introduction to Linux and Basic Commands
byiDev Semarang
 
PDF
What Is AI LXP and Why Enterprises Are Adopting It.pdf
byneuralminds4
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
Talaria: A Sound-Driven Music Search Engine for Discovery Beyond Metadata
byShuen-Huei Guan
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
Migrating-Hadoop-to-Databricks-Ebook-FINAL.pptx
byssuserf37fc8
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
Introduction to Linux and Basic Commands
byiDev Semarang
 
What Is AI LXP and Why Enterprises Are Adopting It.pdf
byneuralminds4
 

Super simple application security with Apache Shiro

  • 1.
    Simple Application Security Les Hazlewood Apache Shiro Project Chair
  • 2.
    About Me Les Hazlewood Apache Shiro Project Chair JSecurity Founder Katasoft Founder & CTO
  • 3.
    What is ApacheShiro? • Application security library • Quick and easy • Simplifies security concepts
  • 4.
    About Shiro • Started in 2003, JSecurity in 2004 • Simplify or replace JAAS • Dynamic changes at runtime • Sessions - Heterogeneous Clients • Reduce Design Flaws • ‘One stop shop’ • Apache Top Level, September
  • 5.
  • 6.
  • 7.
    Agenda Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 8.
    Quick Terminology • Subject– Security-specific user ‘view’ • Principals – Subject’s identifying attributes • Credentials – Secret values that verify identity • Realm – Security-specific DAO
  • 9.
    Authentication Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 10.
  • 11.
    Shiro Authentication Features •Subject-based (current user) • Single method call • Rich Exception Hierarchy • ‘Remember Me’ built in
  • 12.
    How to Authenticatewith Shiro Steps 1. Collect principals & credentials 2. Submit to Authentication System 3. Allow, retry, or block access
  • 13.
    Step 1: CollectingPrincipals & Credentials //Example using most common scenario: //String username and password. Acquire in //system-specific manner (HTTP request, GUI, etc) UsernamePasswordToken token = new UsernamePasswordToken( username, password ); //”Remember Me” built-in, just do this: token.setRememberMe(true);
  • 14.
    Step 2: Submission SubjectcurrentUser = SecurityUtils.getSubject(); currentUser.login(token);
  • 15.
    Step 3: GrantAccess or Handle Failure try { currentUser.login(token); } catch ( UnknownAccountException uae ) { ... } catch ( IncorrectCredentialsException ice ) { .. } catch ( LockedAccountException lae ) { ... } catch ( ExcessiveAttemptsException eae ) { ... } ... catch your own ... } catch ( AuthenticationException ae ) { //unexpected error? } //No problems, show authenticated view…
  • 16.
    “Remember Me” support •subject.isRemembered() • subject.isAuthenticated() • remembered != authenticated
  • 17.
    Authorization Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 18.
    Authorization Defined Process ofdetermining Access Control “who can do what” Elements of Authorization • Permissions • Roles • Users
  • 19.
    Permissions Defined • The“what” of an application • Most atomic security element • Describes resource types and their behavior • Does not define “who”
  • 20.
    Roles Defined • Implicitor Explicit construct • Implicit: Name only • Explicit: A named collection of Permissions Allows behavior aggregation Enables dynamic (runtime) alteration of user abilities.
  • 21.
    Users Defined • The“who” of the application • What each user can do is defined by their association with Roles or Permissions Example: User’s roles imply PrinterPermission
  • 22.
    Authorization Features • Subject-centric(current user) • Checks based on roles or permissions • Powerful out-of-the-box WildcardPermission • Any data model – Realms decide
  • 23.
    How to Authorizewith Shiro Multiple means of checking access control: • Programmatically • JDK 1.5 annotations • JSP/GSP TagLibs (web support)
  • 24.
    Programmatic Authorization Role Check //get the current Subject Subject currentUser = SecurityUtils.getSubject(); if (currentUser.hasRole(“administrator”)) { //do one thing (show a special button?)‫‏‬ } else { //don‟t show the button?)‫‏‬ }
  • 25.
    Programmatic Authorization Permission Check Subject currentUser = SecurityUtils.getSubject(); Permission printPermission = new PrinterPermission(“laserjet3000n”,“print”); If (currentUser.isPermitted(printPermission)) { //do one thing (show the print button?)‫‏‬ } else { //don‟t show the button? }
  • 26.
    Programmatic Authorization Permission Check (String-based) String perm = “printer:print:laserjet4400n”; if(currentUser.isPermitted(perm)){ //show the print button? } else { //don‟t show the button? }
  • 27.
    Annotation Authorization Role Check //Throws an AuthorizationException if the caller //doesn‟t have the „teller‟ role: @RequiresRoles( “teller” ) public void openAccount( Account acct ) { //do something in here that only a teller //should do }
  • 28.
    Annotation Authorization Permission Check //Will throw an AuthorizationException if none //of the caller‟s roles imply the Account //'create' permission @RequiresPermissions(“account:create”)‫‏‬ public void openAccount( Account acct ) { //create the account }
  • 29.
    Enterprise Session Management Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 30.
    Session Management Defined Managingthe lifecycle of Subject-specific temporal data context
  • 31.
    Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Can be used for SSO
  • 32.
    Acquiring and CreatingSessions Subject currentUser = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
  • 33.
  • 34.
    Cryptography Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 35.
    Cryptography Defined Protecting informationfrom undesired access by hiding it or converting it into nonsense. Elements of Cryptography • Ciphers • Hashes
  • 36.
    Ciphers Defined Encryption anddecryption data based on public/private keys. • Symmetric Cipher - same key for encryption and decryption. • Asymmetric Cipher - different keys for encryption and decryption
  • 37.
    Hashes Defined A one-way,irreversible conversion of an input source (a.k.a. Message Digest) Used for: • Credentials transformation • Data with underlying byte array Files, Streams, etc
  • 38.
    Cryptography Features Simplicity • Simplified wrapper over JCE infrastructure. • Easier to understand API • “Object Orientifies” cryptography concepts • Interface-driven, POJO based
  • 39.
    Cipher Features • OOHierarchy JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc • Just instantiate a class No “Transformation String”/Factory methods • More secure default settings Initialization Vectors, et. al.
  • 40.
    Shiro’s CipherService Interface publicinterface CipherService { ByteSource encrypt( byte[] raw, byte[] key); void encrypt(InputStream in, OutputStream out, byte[] key); ByteSource decrypt( byte[] cipherText, byte[] key); void decrypt(InputStream in, OutputStream out, byte[] key); }
  • 41.
    Hash Features • Defaultinterface implementations MD5, SHA1, SHA-256, et. al. • Built in Hex & Base64 conversion • Built-in support for Salts and repeated hashing
  • 42.
    Shiro’s Hash Interface publicinterface Hash { byte[] getBytes(); String toHex(); String toBase64(); }
  • 43.
    Intuitive OO HashAPI //some examples: new Md5Hash(“foo”).toHex(); //File MD5 Hash value for checksum: new MD5Hash( aFile ).toHex(); //store a password, but not raw: new Sha256(aPassword, salt, 1024).toBase64();
  • 44.
    Web Support Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 45.
    Web Support Features •Simple ShiroFilter web.xml definition • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
  • 46.
    web.xml <filter> <filter-name>ShiroFilter</filter-name> <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter- class> <init-param><param-name>config</param-name><param-value> [main] realm = com.my.custom.realm.Implementation securityManager.realm = $realm [urls] /account/** = authc /remoting/** = authc, roles[b2bClient], ... </param-value></init-param> </filter> <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
  • 47.
    JSP TagLib Authorization <%@taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <html> <body> <shiro:hasRole name=“administrator”> <a href=“manageUsers.jsp”> Click here to manage users </a> </shiro:hasRole> <shiro:lacksRole name=“administrator”> No user admin for you! </shiro:hasRole> </body> </html>
  • 48.
    JSP TagLibs <%@ taglibprefix=“shiro” uri=http://shiro.apache.org/tags %> <!-- Other tags: --> <shiro:guest/> <shiro:user/> <shiro:principal/> <shiro:hasRole/> <shiro:lacksRole/> <shiro:hasAnyRoles/> <shiro:hasPermission/> <shiro:lacksPermission/> <shiro:authenticated/> <shiro:notAuthenticated/>
  • 49.
    Threading & Concurrency Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 50.
    Threading & ConcurrencyFeatures • Subject retained on multiple threads • Automatic thread cleanup • Transparent Executor/ExecutorService support
  • 51.
    ThreadLocal • Currently-executing Subjectis thread-bound via a ThreadContext • Executing logic in the current thread is fine. What about other threads? • Runnable & Callable support • ExecutorService support
  • 52.
    Subject Thread Association Canassociate a Subject with a Callable or Runnable intended to run on another thread: Callable myCallable = //create or acquire Subject currentUser = SecurityUtils.getSubject(); Callable associated = currentUser.associateWith(myCallable); associated.call(); //current thread //or another thread: anExecutorService.execute(associated);
  • 53.
    Transparent Association Subject ‘Aware’Executor implementations transparently retain Subject: SubjectAwareExecutor, SubjectAwareExecutorService, SubjectAwareScheduledExecutorService //Look mom! No Shiro API imports! Callable myCallable = //create or acquire anExecutorService.execute(myCallable);
  • 54.
  • 55.
    “Run As” Support •“Run As” allows a Subject to assume the identity of another • Useful for administrative interfaces • Identity retained until relinquished
  • 56.
    “Run As” Support //assumecurrent user is the „admin‟ user: Subject currentUser = SecurityUtils.getSubject(); PrincipalCollection newIdentity = new SimplePrincipalCollection(“jsmith”, “jdbcRealm”); currentUser.runAs(newIdentity); //behave as the „jsmith‟ user here currentuser.isRunAs(); //true = assumed identity currentUser.getPreviousPrincipals();//prev. identity //return back to the admin user: currentUser.releaseRunAs();
  • 57.
    Unit Testing • Subject.Buildercreates ad-hoc Subjects • Use with subject.execute for easy testing: Subject testSubject = Subject.Builder(securityManager) .principals(“jsmith”).buildSubject() testSubject.execute( new Runnable() { public void run() { callTestMethod(); } });
  • 58.
    Logging Out One method:user out, relinquishes account //Logs the //data, and invalidates any Session SecurityUtils.getSubject().logout(); App-specific log-out logic: Before/After the call Listen for Authentication or StoppedSession events.
  • 59.
  • 60.
    Thank You! • les@katasoft.com •http://www.katasoft.com • Seeking engineering talent • Seeking product feedback