Easy Application Security with Apache Shiro
(slide transcript)

Les Hazlewood, Apache Shiro Project Chair
CTO, Stormpath, stormpath.com
• Identity Management and Access Control API
• Security for your applications
• User security workflows
• Security best practices
• Developer tools, SDKs, libraries
What is Apache Shiro?
• Application security framework
• ASF TLP: http://shiro.apache.org
• Quick and Easy
• Simplifies Security

Explosive Growth in Apache Shiro
(chart: downloads from Dec 2010 to Aug 2012, reaching 300K downloads)
Agenda
• Authentication
• Authorization
• Session Management
• Cryptography
• Web Support
• Auxiliary Features
Quick Terminology
• Subject – security-specific 'view' of the current user
• Principals – the Subject's identifying attributes (e.g. username, user id)
• Credentials – secret values that verify identity (e.g. a password)
• Realm – security-specific DAO: the component that looks up account data and verifies credentials, typically one per data source (LDAP, JDBC, ...)
Authentication
Authentication Defined
Identity verification: proving a user is who they claim to be.
Shiro Authentication Features
• Subject-based (current user)
• Single method call
• Rich Exception Hierarchy
• 'Remember Me' built in
• Event listeners
How to Authenticate with Shiro
Steps
1. Collect principals & credentials
2. Submit to Authentication System
3. Allow, retry, or block access
Step 1: Collecting Principals & Credentials

    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    // "Remember Me" built in:
    token.setRememberMe(true);

Step 2: Submission

    Subject currentUser = SecurityUtils.getSubject();
    currentUser.login(token);

Step 3: Grant Access or Handle Failure

    try {
        currentUser.login(token);
    } catch (UnknownAccountException uae) {
        ...
    } catch (IncorrectCredentialsException ice) {
        ...
    } catch (LockedAccountException lae) {
        ...
    } catch (ExcessiveAttemptsException eae) {
        ...
    }
    // ... catch your own AuthenticationException subclasses ...
    catch (AuthenticationException ae) {
        // unexpected error?
    }
    // No problems, show authenticated view...
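The three steps above as one runnable program. This is an added example, not code from the slides or from the Shiro project. It wires a DefaultSecurityManager with a single in-memory IniRealm holding a constructed test account (user jsmith, password secret, role admin; the realm name and the Outcome enum are this example's own), runs the login and maps the exception hierarchy to outcomes. It assumes shiro-core 1.x on the classpath. Two points the slide leaves implicit: UnknownAccountException and IncorrectCredentialsException are collapsed into one answer for the caller so the login form cannot be used to enumerate usernames, and the token is cleared afterwards so the password array does not linger on the heap.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class LoginExample {

    /** What the caller (e.g. a login controller) is told. Deliberately coarse:
     *  "unknown user" and "wrong password" are the same answer to the outside world. */
    enum Outcome { SUCCESS, INVALID_CREDENTIALS, LOCKED, TOO_MANY_ATTEMPTS, ERROR }

    /** Build a SecurityManager backed by one in-memory realm.
     *  Constructed demo data: user "jsmith", password "secret", role "admin".
     *  IniRealm compares plaintext passwords; a production realm stores salted hashes. */
    static void bootstrap() {
        Ini ini = new Ini();
        ini.setSectionProperty("users", "jsmith", "secret, admin");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
    }

    static Outcome authenticate(String username, char[] password) {
        // Step 1: collect principals and credentials into a token
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        // Step 2: submit through the current Subject
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            return Outcome.SUCCESS;                          // Step 3: allow
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Step 3: retry. The precise cause goes to the server log only.
            System.err.println("login failed for '" + username + "': " + e.getClass().getSimpleName());
            return Outcome.INVALID_CREDENTIALS;
        } catch (LockedAccountException e) {
            return Outcome.LOCKED;                           // Step 3: block
        } catch (ExcessiveAttemptsException e) {
            // Thrown by realms that count failed attempts; IniRealm does not.
            return Outcome.TOO_MANY_ATTEMPTS;
        } catch (AuthenticationException e) {
            return Outcome.ERROR;                            // any other subclass, including your own
        } finally {
            token.clear();   // zeroes the password array (the same array the caller passed in)
        }
    }

    public static void main(String[] args) {
        bootstrap();
        System.out.println(authenticate("jsmith", "secret".toCharArray()));
        SecurityUtils.getSubject().logout();
        System.out.println(authenticate("jsmith", "wrong".toCharArray()));
        System.out.println(authenticate("nobody", "x".toCharArray()));
    }
}
```

Run as written, the three calls print SUCCESS, INVALID_CREDENTIALS and INVALID_CREDENTIALS: the unknown account and the wrong password are indistinguishable to the caller, while the server log still records which it was.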
How does it work?
(diagram, built up over several slides)

    Subject.login(token)
      -> SecurityManager.login(token)
         -> Authenticator.authenticate(token)
            -> Realm 1, Realm 2, ... Realm N
               (per-realm results combined by the Authentication Strategy)
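How the Authenticator and the Authentication Strategy interact once more than one Realm is configured, as an added example that is not from the slides or the Shiro code base. Two constructed IniRealms are used: realmA knows only alice, realmB knows only bob (names, users and passwords are this example's own). Under Shiro's default AtLeastOneSuccessfulStrategy either user can log in, because one realm vouching for the token is enough; under AllSuccessfulStrategy every realm must authenticate the token, so a user known to only one realm is refused. Assumes shiro-core 1.x.

```java
import java.util.Arrays;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class MultiRealmExample {

    /** One in-memory realm holding a single constructed account (plaintext, demo only). */
    static Realm realmWithUser(String name, String user, String password) {
        Ini ini = new Ini();
        ini.setSectionProperty("users", user, password);
        IniRealm realm = new IniRealm(ini);
        realm.setName(name);   // realm names must be unique when several are configured
        return realm;
    }

    /** SecurityManager -> ModularRealmAuthenticator -> [realmA, realmB], combined by 'strategy'.
     *  The authenticator is set before the realms so the manager pushes the realm list into it. */
    static DefaultSecurityManager securityManager(AuthenticationStrategy strategy) {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator);
        sm.setRealms(Arrays.asList(
                realmWithUser("realmA", "alice", "alice-pw"),
                realmWithUser("realmB", "bob", "bob-pw")));
        return sm;
    }

    /** Subject.login(token) against a specific SecurityManager; true if it succeeds. */
    static boolean login(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager atLeastOne = securityManager(new AtLeastOneSuccessfulStrategy());
        DefaultSecurityManager all = securityManager(new AllSuccessfulStrategy());

        System.out.println("AtLeastOneSuccessful, alice: " + login(atLeastOne, "alice", "alice-pw"));
        System.out.println("AtLeastOneSuccessful, bob:   " + login(atLeastOne, "bob", "bob-pw"));
        System.out.println("AtLeastOneSuccessful, alice with bob's password: "
                + login(atLeastOne, "alice", "bob-pw"));
        System.out.println("AllSuccessful, alice: " + login(all, "alice", "alice-pw"));
    }
}
```

The four lines print true, true, false, false. The security consequence of the default strategy is worth stating plainly: any single realm that accepts the token grants the login, so a weak or forgotten realm left in the list (a plaintext test realm, a legacy directory) becomes the path of least resistance. Review the realm list as carefully as the strategy.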
Authorization
Authorization Defined
Process of determining "who can do what", a.k.a. Access Control

Elements of Authorization
• Permissions
• Roles
• Users
Permissions Defined
• Most atomic security element
• Describes resource types and their behavior
• The "what" of an application
• Does not define "who"
• AKA "rights"
Roles Defined
• Implicit or Explicit construct
  • Implicit: name only
  • Explicit: a named collection of Permissions
• Allows behavior aggregation
• Enables dynamic (runtime) alteration of user abilities
Users Defined
• The "who" of the application
• What each user can do is defined by their association with Roles or Permissions
Example: a user's roles imply PrinterPermission
Authorization Features
• Subject-centric (current user)
• Checks based on roles or permissions
• Powerful out-of-the-box WildcardPermission
• Any data model – Realms decide
How to Authorize with Shiro
Multiple means of checking access control:
• Programmatically
• JDK 1.5 annotations & AOP
• JSP/GSP/JSF* TagLibs (web support)
Programmatic Authorization: Role Check

    // get the current Subject
    Subject currentUser = SecurityUtils.getSubject();
    if (currentUser.hasRole("administrator")) {
        // show the 'delete user' button
    } else {
        // don't show the button?
    }

Programmatic Authorization: Permission Check

    Subject currentUser = SecurityUtils.getSubject();
    // UserPermission: an application-defined Permission implementation
    Permission deleteUser = new UserPermission("jsmith", "delete");
    if (currentUser.isPermitted(deleteUser)) {
        // show the 'delete user' button
    } else {
        // don't show the button?
    }

Programmatic Authorization: Permission Check (String-based)

    String perm = "user:delete:jsmith";
    if (currentUser.isPermitted(perm)) {
        // show the 'delete user' button
    } else {
        // don't show the button?
    }
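Role and permission checks run end to end, as an added example that is not part of the slides or the Shiro project. It uses a constructed IniRealm in which the role admin carries the wildcard permission user:delete:* and the user jsmith (password secret) holds that role, then contrasts the two ways of asking: isPermitted(...) for deciding what to render, and checkPermission(...), which throws, for enforcing on the server. It also exercises WildcardPermission's implication rules directly. Assumes shiro-core 1.x; the deleteUser method and its data are hypothetical.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class AuthorizationExample {

    /** Constructed realm data: jsmith (password "secret") has role admin;
     *  admin may delete any user but holds no other permission. */
    static void bootstrap() {
        Ini ini = new Ini();
        ini.setSectionProperty("users", "jsmith", "secret, admin");
        ini.setSectionProperty("roles", "admin", "user:delete:*");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
    }

    /** WildcardPermission implication: does 'granted' cover 'requested'? */
    static boolean implies(String granted, String requested) {
        return new WildcardPermission(granted).implies(new WildcardPermission(requested));
    }

    /** Enforcement pattern: the UI may hide the button, but the action itself re-checks.
     *  Returns true if the delete was performed, false if it was refused. */
    static boolean deleteUser(Subject actor, String username) {
        try {
            actor.checkPermission("user:delete:" + username);   // throws if not permitted
        } catch (AuthorizationException e) {
            return false;   // refused regardless of what the UI showed
        }
        // ... perform the delete ...
        return true;
    }

    public static void main(String[] args) {
        bootstrap();
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("jsmith", "secret"));

        // Role check (implicit role: a name only)
        System.out.println("hasRole(administrator): " + currentUser.hasRole("administrator"));
        System.out.println("hasRole(admin):         " + currentUser.hasRole("admin"));

        // Permission checks resolved through the realm's "user:delete:*" grant
        System.out.println("user:delete:jsmith -> " + currentUser.isPermitted("user:delete:jsmith"));
        System.out.println("user:create        -> " + currentUser.isPermitted("user:create"));
        System.out.println("deleteUser(bob)    -> " + deleteUser(currentUser, "bob"));

        // Implication rules of WildcardPermission itself
        System.out.println("user:* implies user:delete:jsmith: "
                + implies("user:*", "user:delete:jsmith"));
        // A missing trailing part means "all": "user:delete" covers every instance
        System.out.println("user:delete implies user:delete:jsmith: "
                + implies("user:delete", "user:delete:jsmith"));
        // ...but not the reverse: an instance-level grant does not cover the action at large
        System.out.println("user:delete:jsmith implies user:delete: "
                + implies("user:delete:jsmith", "user:delete"));
        // Sub-parts may list alternatives separated by commas
        System.out.println("user:read,delete:jsmith implies user:delete:jsmith: "
                + implies("user:read,delete:jsmith", "user:delete:jsmith"));

        currentUser.logout();
    }
}
```

Expected results: hasRole is false for administrator and true for admin; user:delete:jsmith is permitted, user:create is not, and deleteUser(bob) returns true; the four implication checks print true, true, false, true. The slides' "show the button / don't show the button" is presentation logic only: hiding a control is not access control, so the server-side action must call checkPermission (or isPermitted and refuse) itself, as deleteUser does.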
Annotation Authorization: Role Check

    @RequiresRoles("teller")
    public void openAccount(Account a) {
        // do something in here that
        // only a 'teller' should do
    }

Annotation Authorization: Permission Check

    @RequiresPermissions("account:create")
    public void openAccount(Account a) {
        // create the account
    }
Enterprise Session Management
Session Management Defined
Managing the lifecycle of Subject-specific temporal data context
Session Management Features
• Heterogeneous client access
• POJO/J2SE based (IoC friendly)
• Event listeners
• Host address retention
• Inactivity/expiration support (touch())
• Transparent web use - HttpSession
• Container-Independent Clustering!
Acquiring and Creating Sessions

    Subject currentUser = SecurityUtils.getSubject();
    // guarantee a session (create one if none exists)
    Session session = currentUser.getSession();
    // get a session only if it already exists (null otherwise)
    Session existing = currentUser.getSession(false);
Session API
    getStartTimestamp()
    getLastAccessTime()
    getAttribute(key)
    setAttribute(key, value)
    get/setTimeout(long)
    touch()
    ...
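The Session API above and the inactivity timeout in action, as an added example (not from the slides or from Shiro). It creates a session for an anonymous Subject, stores a constructed attribute, shortens the timeout to a few hundred milliseconds, shows that touch() restarts the idle clock, then lets the session go idle past the timeout and catches the ExpiredSessionException Shiro raises on the next access. No realm is needed; the DefaultSecurityManager is used only for its in-memory DefaultSessionManager. Assumes shiro-core 1.x.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class SessionExample {

    public static void main(String[] args) throws InterruptedException {
        // No realm needed for sessions; the manager is used for its in-memory DefaultSessionManager.
        DefaultSecurityManager sm = new DefaultSecurityManager();
        SecurityUtils.setSecurityManager(sm);

        Subject currentUser = SecurityUtils.getSubject();
        System.out.println("getSession(false) before any session exists: " + currentUser.getSession(false));

        Session session = currentUser.getSession();          // creates the session
        session.setAttribute("cart", "3 items");             // constructed demo attribute
        System.out.println("id=" + session.getId() + " started=" + session.getStartTimestamp()
                + " default timeout ms=" + session.getTimeout());

        // The idle timeout is per session (global default: 30 minutes). Shorten it for the demo.
        session.setTimeout(400);
        Thread.sleep(250);
        session.touch();              // resets lastAccessTime: the idle clock restarts here
        Thread.sleep(250);
        // 500 ms since creation but only 250 ms since the touch, so the session is still valid:
        System.out.println("after touch(): cart=" + session.getAttribute("cart"));

        Thread.sleep(600);            // idle for longer than the 400 ms timeout
        try {
            session.getAttribute("cart");   // every access validates the session first
            System.out.println("unexpected: session still valid");
        } catch (ExpiredSessionException e) {
            System.out.println("expired: " + e.getMessage());
        } catch (InvalidSessionException e) {
            System.out.println("invalid (stopped or unknown id): " + e.getMessage());
        }

        // A Subject keeps its reference to the expired session. In a web app each request
        // resolves a new Subject; in plain Java, build one to start over with a clean session.
        Subject next = new Subject.Builder().buildSubject();
        System.out.println("new subject, cart=" + next.getSession().getAttribute("cart"));

        sm.destroy();                 // stops the background session-validation thread
    }
}
```

Two points worth carrying into a real deployment: the timeout is measured from the last access, and in a web application the ShiroFilter touches the session on every request, so the value is truly an idle timeout; and an expired session is not quietly revived, so the attribute stored before expiry is gone (the last line prints null).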
Cryptography
Cryptography Defined
Protecting information from undesired access by hiding it or converting it into nonsense.

Elements of Cryptography
• Ciphers
• Hashes
Ciphers Defined
Encryption and decryption of data based on shared or public/private keys.
• Symmetric Cipher – the same key encrypts and decrypts
  • Block Cipher – operates on fixed-size chunks of bits
  • Stream Cipher – operates on a stream of bits
• Asymmetric Cipher – different (public/private) keys
Hashes Defined
A one-way, irreversible conversion of an input source (a.k.a. Message Digest)
Used for:
• Credentials transformation, checksums
• Any data with an underlying byte array: files, streams, etc.
Cryptography Features
Simplicity
• Interface-driven, POJO based
• Simplified wrapper over JCE infrastructure
• "Object Orientifies" cryptography concepts
• Easier to understand API
Cipher Features
• OO Hierarchy: JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc.
• Just instantiate a class: no "Transformation String"/Factory methods
• More secure default settings than the JDK! Cipher modes, initialization vectors, et al.
Example: Plaintext
(image courtesy Wikipedia)

Example: ECB Mode (JDK Default!)
(image courtesy Wikipedia: in ECB, identical plaintext blocks encrypt to identical ciphertext blocks, so the structure of the image survives encryption)

Example: Shiro Defaults
(image courtesy Wikipedia: with a chained mode and a per-message IV, the output is indistinguishable from noise)
Shiro's CipherService Interface

    public interface CipherService {
        ByteSource encrypt(byte[] raw, byte[] key);
        void encrypt(InputStream in, OutputStream out, byte[] key);
        ByteSource decrypt(byte[] cipherText, byte[] key);
        void decrypt(InputStream in, OutputStream out, byte[] key);
    }
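Encrypting and decrypting through the CipherService interface above, as an added example that is not from the slides or the Shiro code base. It uses AesCipherService with a freshly generated key: the service prepends a random IV to every ciphertext (one of the "more secure defaults" the slides refer to), so encrypting the same plaintext twice yields different bytes. The last part flips one bit of a ciphertext and decrypts it. With the unauthenticated CBC mode that was the default in Shiro 1.2, the call succeeds and returns silently corrupted plaintext, which is why a cipher without integrity protection has to be paired with a MAC or replaced by an AEAD mode such as GCM; the code also handles the rejection an authenticated mode produces. Assumes shiro-core 1.x (where ByteSource lives in org.apache.shiro.util); the message is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.CryptoException;
import org.apache.shiro.util.ByteSource;

public class CipherExample {

    static final AesCipherService AES = new AesCipherService();   // 128-bit key, fresh IV per message

    static byte[] encrypt(String plaintext, byte[] key) {
        return AES.encrypt(plaintext.getBytes(StandardCharsets.UTF_8), key).getBytes();
    }

    static String decrypt(byte[] ciphertext, byte[] key) {
        ByteSource plain = AES.decrypt(ciphertext, key);
        return new String(plain.getBytes(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        Key key = AES.generateNewKey();          // keep this out of band, never next to the ciphertext
        byte[] k = key.getEncoded();
        String message = "transfer 100 to account 42";   // constructed demo plaintext

        byte[] c1 = encrypt(message, k);
        byte[] c2 = encrypt(message, k);
        System.out.println("ciphertext length: " + c1.length + " (includes the 16-byte IV)");
        System.out.println("same plaintext, same key, different ciphertext: " + !Arrays.equals(c1, c2));
        System.out.println("round trip ok: " + message.equals(decrypt(c1, k)));

        // Wrong key: with CBC/PKCS5 the padding check usually fails, but roughly 1 in 256
        // times random garbage ends in valid padding. "decrypt did not throw" is not integrity.
        byte[] wrongKey = AES.generateNewKey().getEncoded();
        try {
            decrypt(c1, wrongKey);
            System.out.println("wrong key: decrypt returned garbage without error");
        } catch (CryptoException e) {
            System.out.println("wrong key: rejected (" + e.getMessage() + ")");
        }

        // Malleability: flip one bit of the IV. In CBC this flips the same bit of the first
        // plaintext byte, the padding is untouched, and decryption succeeds.
        byte[] tampered = c1.clone();
        tampered[0] ^= 0x01;
        try {
            String forged = decrypt(tampered, k);
            System.out.println("tampered ciphertext decrypted without error to: " + forged);
            System.out.println("matches original: " + forged.equals(message));
        } catch (CryptoException e) {
            // An authenticated mode (e.g. GCM) lands here instead.
            System.out.println("tampered ciphertext rejected: " + e.getMessage());
        }
    }
}
```

With the 1.2 defaults the tampered message decrypts to "uransfer 100 to account 42" and "matches original" prints false with no exception: confidentiality held, integrity did not. Anything that acts on decrypted data (a remember-me cookie, a signed URL) needs an authenticity check in addition to the cipher.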
Hash Features
• Default interface implementations: MD5, SHA1, SHA-256, et al. (MD5 and SHA-1 are acceptable for detecting accidental corruption but not where collision resistance matters)
• Built in Hex & Base64 conversion
• Built-in support for Salts and repeated hashing
Shiro's Hash Interface

    public interface Hash {
        byte[] getBytes();
        String toHex();
        String toBase64();
    }
Intuitive OO Hash API

    // some examples:
    new Md5Hash("foo").toHex();
    // File MD5 hash value for checksum:
    new Md5Hash(aFile).toHex();
    // store password, but not plaintext (salted, 1024 iterations):
    new Sha512Hash(aPassword, salt, 1024).toBase64();
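The two uses of hashing the slide lists, checksums and credential storage, carried through to verification, as an added example (not from the slides or the Shiro project). A password gets a fresh random salt from SecureRandomNumberGenerator and an iterated Sha512Hash, the salt and hash are stored encoded, and a login attempt is verified by recomputing with the stored salt and comparing in constant time. The StoredCredential type is this example's own. Assumes shiro-core 1.x.

```java
import java.security.MessageDigest;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashExample {

    static final int ITERATIONS = 1024;   // the slide's value; raise it as hardware gets faster
    static final SecureRandomNumberGenerator RNG = new SecureRandomNumberGenerator();

    /** What gets stored per account: the random salt and the iterated, salted hash. */
    static final class StoredCredential {
        final String saltBase64;
        final String hashBase64;
        StoredCredential(String saltBase64, String hashBase64) {
            this.saltBase64 = saltBase64;
            this.hashBase64 = hashBase64;
        }
    }

    /** Hash a new password: a fresh 16-byte salt per user, so equal passwords never share a hash. */
    static StoredCredential hashPassword(String password) {
        ByteSource salt = RNG.nextBytes(16);
        Sha512Hash hash = new Sha512Hash(password, salt, ITERATIONS);
        return new StoredCredential(salt.toBase64(), hash.toBase64());
    }

    /** Verify a login attempt: recompute with the stored salt, compare in constant time. */
    static boolean verify(String candidate, StoredCredential stored) {
        byte[] salt = Base64.decode(stored.saltBase64);
        byte[] computed = new Sha512Hash(candidate, salt, ITERATIONS).getBytes();
        byte[] expected = Base64.decode(stored.hashBase64);
        return MessageDigest.isEqual(expected, computed);   // not Arrays.equals: no early exit
    }

    public static void main(String[] args) {
        // Checksum use: unsalted, single round. MD5 detects accidental corruption only;
        // it is no defence against deliberate tampering.
        System.out.println("md5(foo) = " + new Md5Hash("foo").toHex());

        // Credential storage use: salted and iterated, never the plaintext.
        StoredCredential a = hashPassword("correct horse battery staple");
        StoredCredential b = hashPassword("correct horse battery staple");
        System.out.println("same password, different stored hashes: " + !a.hashBase64.equals(b.hashBase64));
        System.out.println("verify correct password: " + verify("correct horse battery staple", a));
        System.out.println("verify wrong password:   " + verify("correct horse battery stapler", a));
    }
}
```

The two hashPassword calls produce different hashes for the same password, and verify returns true for the right password and false for the wrong one. In Shiro 1.2 and later the same pattern is packaged as DefaultPasswordService (encryptPassword / passwordsMatch), which stores salt, algorithm and iteration count together in one string; prefer it over hand-rolled storage when the realm supports it.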
Web Support
Web Support Features
• Simple ShiroFilter web.xml definition
• Protects all URLs
• Innovative Filtering (URL-specific chains)
• JSP Tag support
• Transparent HttpSession support
web.xml

    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

(From Shiro 1.2 on, IniShiroFilter is deprecated in favour of org.apache.shiro.web.servlet.ShiroFilter together with the org.apache.shiro.web.env.EnvironmentLoaderListener, which loads the same shiro.ini.)
shiro.ini

    [main]
    ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
    ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
    ldapRealm.contextFactory.url = ldap://ldapHost:389
    securityManager.realm = $ldapRealm

    [urls]
    /images/** = anon
    /account/** = authc
    /rest/** = authcBasic
    /remoting/** = authc, roles[b2bClient], ...

Two things to check in a real configuration: the [urls] chains are matched top to bottom and the first match wins, so a broad anon pattern placed early silently exempts everything beneath it; and ldap:// on port 389 sends the user's bind password in cleartext, so the realm should point at ldaps:// (or a StartTLS-protected endpoint) in production.
JSP TagLib Authorization

    <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
    <html>
    <body>
      <shiro:hasRole name="administrator">
        <a href="manageUsers.jsp">Click here to manage users</a>
      </shiro:hasRole>
      <shiro:lacksRole name="administrator">
        No user admin for you!
      </shiro:lacksRole>
    </body>
    </html>
JSP TagLibs

    <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
    <!-- Other tags: -->
    <shiro:guest/>
    <shiro:user/>
    <shiro:principal/>
    <shiro:hasRole/>
    <shiro:lacksRole/>
    <shiro:hasAnyRoles/>
    <shiro:hasPermission/>
    <shiro:lacksPermission/>
    <shiro:authenticated/>
    <shiro:notAuthenticated/>
Auxiliary Features
Auxiliary Features
• Threading & Concurrency: Callable/Runnable & Executor/ExecutorService
• "Run As" support
• Ad-hoc Subject instance creation
• Unit Testing
• Remembered vs Authenticated
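The threading and concurrency support from the list above, as an added example that is not from the slides or the Shiro code base. A Subject is bound to the thread that logged it in; work handed to an ExecutorService runs on a thread whose ThreadContext is empty, so SecurityUtils.getSubject() there yields an anonymous Subject and every permission check fails (or, worse, an audit field records nobody). Subject.associateWith(Callable) wraps the task so the caller's identity travels with it and is unbound when it finishes. Constructed account: jsmith, password secret, role reporter with permission report:run. Assumes shiro-core 1.x.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ThreadingExample {

    /** Reports who the worker thread believes it is acting for. */
    static final Callable<String> WHO_AM_I = new Callable<String>() {
        public String call() {
            Subject s = SecurityUtils.getSubject();   // resolved from the worker's own ThreadContext
            return Thread.currentThread().getName() + ": principal=" + s.getPrincipal()
                    + ", authenticated=" + s.isAuthenticated()
                    + ", permitted(report:run)=" + s.isPermitted("report:run");
        }
    };

    public static void main(String[] args) throws Exception {
        Ini ini = new Ini();   // constructed demo account: jsmith may run reports
        ini.setSectionProperty("users", "jsmith", "secret, reporter");
        ini.setSectionProperty("roles", "reporter", "report:run");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));

        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("jsmith", "secret"));
        System.out.println("caller thread: principal=" + currentUser.getPrincipal());

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Plain submit: the worker's ThreadContext is empty, so Shiro hands it a brand-new
            // anonymous Subject. isPermitted() is false and getPrincipal() is null there.
            System.out.println(pool.submit(WHO_AM_I).get());

            // associateWith(): the Callable is wrapped so jsmith's identity is bound to the
            // worker thread for the duration of the call and unbound afterwards.
            System.out.println(pool.submit(currentUser.associateWith(WHO_AM_I)).get());
        } finally {
            pool.shutdown();
            currentUser.logout();
        }
    }
}
```

The first worker line reports principal=null, authenticated=false, permitted=false; the second reports principal=jsmith, authenticated=true, permitted=true. For pools that always carry the submitter's identity, Shiro's SubjectAwareExecutorService applies the same wrapping to every submitted task.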
Logging Out
One method:

    // Logs the user out, relinquishes account
    // data, and invalidates any Session
    SecurityUtils.getSubject().logout();

App-specific log-out logic:
• Before/after the call, or
• Listen for Authentication or StoppedSession events.
Coming in 1.3, 2.0
• Typesafe EventBus
• OOTB Hazelcast Session clustering
• Lower coupling in components: composition over inheritance
• Stronger JEE (CDI, JSF) support
• Default Realm: pluggable authc lookup, authz lookup
• Default Authentication Filter (multiple HTTP schemes + UI fallback)
Application + Stormpath Realm
Stormpath: User Management API Service

Out-of-the-box Features
• Managed security data model
• Secure credential storage
• Password self-service
• Management GUI

Stormpath Authentication & Access Control
• Realms + Plug-ins
• REST API
Stormpath: Cloud Deployment
(diagram: Applications running in the Public Cloud call the Stormpath REST API; Active Directory inside the Corporate Network, behind the Firewall, performs an Outbound Sync to Stormpath)