Intro to Apache Shiro

chunsaker 5,230 views 58 slides Apr 17, 2012

About This Presentation

Apache Shiro, a simple easy-to-use framework to enforce user security by Shiro PMC Chair and Stormpath CTO, Les Hazlewood.
http://shiro.apache.org
http://stormpath.com


Slide Content

Simple Application Security. Les Hazlewood, Apache Shiro Project Chair; CTO, Stormpath.

What is Apache Shiro? An application security framework and ASF top-level project (http://shiro.apache.org). Quick and easy; simplifies security concepts and design.

Security Design

Agenda: Authentication; Authorization; Session Management; Cryptography; Web Support; Auxiliary Features.

Quick Terminology. Subject: security-specific user "view". Principals: the Subject's identifying attributes. Credentials: secret values that verify identity. Realm: security-specific DAO.

Authentication

Authentication Defined Identity verification: Proving a user is who he says he is

Shiro Authentication Features: Subject-based (current user); single method call; rich exception hierarchy; "Remember Me" built in; event listeners.

How to Authenticate with Shiro. Steps: 1. Collect principals & credentials. 2. Submit them to the authentication system. 3. Allow, retry, or block access.

Step 1: Collecting Principals & Credentials
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    // "Remember Me" built-in:
    token.setRememberMe(true);

Step 2: Submission
    Subject currentUser = SecurityUtils.getSubject();
    currentUser.login(token);

Step 3: Grant Access or Handle Failure
    try {
        currentUser.login(token);
    } catch (UnknownAccountException uae) {
        ...
    } catch (IncorrectCredentialsException ice) {
        ...
    } catch (LockedAccountException lae) {
        ...
    } catch (ExcessiveAttemptsException eae) {
        ...
    } // ... catch your own ...
      catch (AuthenticationException ae) {
        // unexpected error?
    }
    // No problems, show authenticated view...
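The three steps above, put together as one runnable program. This is an added example, not code from the slides or from the Shiro project: it wires a DefaultSecurityManager to an in-memory IniRealm holding a constructed test user (jsmith / secret123, role admin) where a real application would configure a JDBC or LDAP realm, and maps the exception hierarchy onto the slide's "allow, retry, or block" outcomes. The Outcome enum and the authenticate() method are this example's own names.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class LoginExample {

    /** Constructed in-memory user store for the example; a real app would use a JDBC/LDAP realm. */
    static IniRealm buildRealm() {
        Ini ini = new Ini();
        // IniRealm "users" format: username = password, role1, role2 ...
        // Plaintext here only because IniRealm defaults to a SimpleCredentialsMatcher.
        ini.setSectionProperty("users", "jsmith", "secret123, admin");
        ini.setSectionProperty("roles", "admin", "user:*");
        return new IniRealm(ini);
    }

    enum Outcome { GRANTED, RETRY, BLOCKED, ERROR }

    /** Step 1 (collect), step 2 (submit) and step 3 (decide) in one place. */
    static Outcome authenticate(String username, char[] password, boolean rememberMe) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            return Outcome.GRANTED;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Same answer for both so the caller cannot enumerate which usernames exist.
            return Outcome.RETRY;
        } catch (LockedAccountException | ExcessiveAttemptsException e) {
            return Outcome.BLOCKED;
        } catch (AuthenticationException e) {
            // Anything else in the hierarchy: log it server-side, show a generic failure.
            return Outcome.ERROR;
        } finally {
            token.clear(); // wipe the password from memory once the realm has seen it
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(buildRealm()));

        System.out.println("good password:   " + authenticate("jsmith", "secret123".toCharArray(), false));
        System.out.println("current user:    " + SecurityUtils.getSubject().getPrincipal()
                + ", hasRole(admin)=" + SecurityUtils.getSubject().hasRole("admin"));
        SecurityUtils.getSubject().logout();

        System.out.println("wrong password:  " + authenticate("jsmith", "wrong".toCharArray(), false));
        System.out.println("unknown account: " + authenticate("nobody", "x".toCharArray(), false));
    }
}
```

Collapsing UnknownAccountException and IncorrectCredentialsException into one response is deliberate: the rich hierarchy is for your logs and lockout logic, not for the login page, where distinguishing "no such user" from "bad password" is a username-enumeration oracle.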

How does it work? Subject.login(token) delegates to the SecurityManager, which delegates to its Authenticator. The Authenticator consults the configured Realms (Realm 1 ... Realm N), and an Authentication Strategy decides how the individual realm results are combined into the final outcome.
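The Subject -> SecurityManager -> Authenticator -> Realms -> Authentication Strategy chain, exercised end to end. This is an added example, not code from the slides or the Shiro project. MapBackedRealm is a hypothetical AuthorizingRealm backed by a map of salted, iterated SHA-256 hashes (standing in for a database), two instances of it are registered as separate realms, and the Authenticator is switched from the default AtLeastOneSuccessfulStrategy to FirstSuccessfulStrategy. The fixed salt is a constructed value for the example only; production code uses a random salt per user.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

import java.util.Arrays;
import java.util.Collections;
import java.util.Map;

/** Hypothetical realm: a map of username -> hex(SHA-256(salt, password, ITERATIONS)). */
public class MapBackedRealm extends AuthorizingRealm {
    static final int ITERATIONS = 1024;
    // Constructed fixed salt for the demo only; real realms store a random salt per user.
    static final ByteSource SALT = ByteSource.Util.bytes("demo-salt-not-for-production");

    private final Map<String, String> passwordHashes;

    MapBackedRealm(String name, Map<String, String> passwordHashes) {
        setName(name);
        this.passwordHashes = passwordHashes;
        // The matcher re-hashes the submitted password with the salt/iterations we return below.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher);
    }

    static String hashFor(String password) {
        return new Sha256Hash(password, SALT, ITERATIONS).toHex();
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String stored = passwordHashes.get(username);
        if (stored == null) {
            throw new UnknownAccountException("no account for " + username + " in realm " + getName());
        }
        // Hand back the stored hash and its salt; Shiro's matcher does the comparison.
        return new SimpleAuthenticationInfo(username, stored, SALT, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("user"); // every account known to this realm gets the "user" role
        return info;
    }

    public static void main(String[] args) {
        Realm staff = new MapBackedRealm("staff", Collections.singletonMap("alice", hashFor("alice-pw")));
        Realm partners = new MapBackedRealm("partners", Collections.singletonMap("bob", hashFor("bob-pw")));

        DefaultSecurityManager sm = new DefaultSecurityManager(Arrays.asList(staff, partners));
        // Realms are tried in order; FirstSuccessfulStrategy stops at the first realm that accepts the token.
        ModularRealmAuthenticator authenticator = (ModularRealmAuthenticator) sm.getAuthenticator();
        authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
        SecurityUtils.setSecurityManager(sm);

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("bob", "bob-pw".toCharArray())); // unknown to "staff", found in "partners"
        System.out.println("principal=" + subject.getPrincipal()
                + " authenticated=" + subject.isAuthenticated()
                + " hasRole(user)=" + subject.hasRole("user"));
        subject.logout();

        try {
            subject.login(new UsernamePasswordToken("bob", "wrong".toCharArray()));
        } catch (AuthenticationException e) {
            System.out.println("rejected with " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

One caveat worth knowing before you rely on the exception hierarchy from the previous section: with more than one realm configured, Shiro 1.x's ModularRealmAuthenticator swallows each realm's individual exception and hands the strategy an aggregate, so a failed login generally surfaces as a plain AuthenticationException rather than the realm-specific subtype you would see with a single realm.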

Authorization

Authorization Defined: the process of determining "who can do what", AKA access control. Elements of authorization: Permissions, Roles, Users.

Permissions Defined: the most atomic security element. Describes resource types and their behavior; the "what" of an application. Does not define "who". AKA "rights".

Roles Defined: an implicit or explicit construct. Implicit: name only. Explicit: a named collection of Permissions. Allows behavior aggregation and enables dynamic (runtime) alteration of user abilities.

Users Defined: the "who" of the application. What each user can do is defined by their association with Roles or Permissions. Example: a user's roles imply PrinterPermission.

Authorization Features: Subject-centric (current user); checks based on roles or permissions; powerful out-of-the-box WildcardPermission; any data model, the Realms decide.

How to Authorize with Shiro. Multiple means of checking access control: programmatically; JDK 1.5 annotations & AOP; JSP/GSP/JSF* TagLibs (web support).

Programmatic Authorization: Role Check
    // get the current Subject
    Subject currentUser = SecurityUtils.getSubject();
    if (currentUser.hasRole("administrator")) {
        // show the 'delete user' button
    } else {
        // don't show the button?
    }

Programmatic Authorization: Permission Check
    Subject currentUser = SecurityUtils.getSubject();
    // UserPermission is an application-defined Permission implementation, not a Shiro class
    Permission deleteUser = new UserPermission("jsmith", "delete");
    if (currentUser.isPermitted(deleteUser)) {
        // show the 'delete user' button
    } else {
        // don't show the button?
    }

Programmatic Authorization: Permission Check (String-based)
    String perm = "user:delete:jsmith";
    if (currentUser.isPermitted(perm)) {
        // show the 'delete user' button
    } else {
        // don't show the button?
    }
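The string form above is parsed into a WildcardPermission, and whether a check passes comes down to WildcardPermission.implies(). The following added example (not from the slides or the Shiro project) runs the implication rules that matter when you write permission strings: wildcard parts, comma-separated alternatives, case folding, and the asymmetric rule that a granted permission with fewer parts covers every more specific one but not the other way round. The implies() helper name is this example's own.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class WildcardPermissionRules {

    /** Does a permission string a user has been granted imply the permission a check requires? */
    static boolean implies(String granted, String required) {
        Permission have = new WildcardPermission(granted);
        Permission need = new WildcardPermission(required);
        return have.implies(need);
    }

    public static void main(String[] args) {
        String[][] cases = {
            // granted (stored for the user)   required (what the code checks)   rule exercised
            {"user:delete:jsmith",  "user:delete:jsmith"},       // exact match
            {"user:*",              "user:delete:jsmith"},       // "*" matches any value for that part
            {"user:delete",         "user:delete:jsmith"},       // missing trailing parts mean "all"
            {"user:delete:jsmith",  "user:delete"},              // a narrow grant does not cover a broader check
            {"user:create,delete",  "user:delete:jsmith"},       // comma lists alternatives within a part
            {"user:*:jsmith",       "user:delete:jsmith"},       // wildcard in the middle
            {"USER:DELETE:JSMITH",  "user:delete:jsmith"},       // case-insensitive by default
            {"user:delete:jsmith",  "user:delete:jsmith:extra"}, // checks deeper than the grant are covered
            {"printer:print",       "printer:manage"},           // different action, same resource type
        };
        for (String[] c : cases) {
            System.out.printf("%-22s implies %-28s : %b%n", c[0], c[1], implies(c[0], c[1]));
        }
    }
}
```

The third and eighth rows are the ones that bite in practice: "user:delete" grants deletion of every user, and "user:delete:jsmith" also satisfies a check for "user:delete:jsmith:anything". Decide on a fixed number of parts per resource type and check against the most specific string you can build, otherwise a short grant is far broader than it looks.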

Annotation Authorization: Role Check
    @RequiresRoles("teller")
    public void openAccount(Account a) {
        // do something in here that
        // only a 'teller' should do
    }

Annotation Authorization: Permission Check
    @RequiresPermissions("account:create")
    public void openAccount(Account a) {
        // create the account
    }
    Annotations are enforced by Shiro's AOP interceptors (Spring, Guice, AspectJ); without one wired in, an annotated method runs for anyone who can call it.

Enterprise Session Management

Session Management Defined Managing the lifecycle of Subject-specific temporal data context

Session Management Features: heterogeneous client access; POJO/J2SE based (IoC friendly); event listeners; host address retention; inactivity/expiration support (touch()); transparent web use (HttpSession); container-independent clustering!

Acquiring and Creating Sessions
    Subject currentUser = SecurityUtils.getSubject();
    // guarantee a session (created if none exists)
    Session session = currentUser.getSession();
    // get a session only if it already exists, otherwise null
    Session existing = currentUser.getSession(false);

Session API: getStartTimestamp(); getLastAccessTime(); getAttribute(key); setAttribute(key, value); get/setTimeout(long); touch(); ...
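The inactivity/expiration behaviour behind touch() and setTimeout(), shown on a stand-alone (non-web) SecurityManager. This is an added example, not code from the slides or the Shiro project. It assumes a DefaultSecurityManager with no realms, which is enough to exercise the session layer, and disables the background validation scheduler so that the only thing enforcing the timeout is Shiro's validate-on-access check, which is the point being demonstrated.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;

public class SessionTimeoutDemo {
    public static void main(String[] args) throws InterruptedException {
        DefaultSecurityManager sm = new DefaultSecurityManager();
        // No background sweeper for this demo; expiry is still enforced on every access.
        ((DefaultSessionManager) sm.getSessionManager()).setSessionValidationSchedulerEnabled(false);
        SecurityUtils.setSecurityManager(sm);

        Subject currentUser = SecurityUtils.getSubject();
        System.out.println("getSession(false) before first use: " + currentUser.getSession(false));

        Session session = currentUser.getSession();      // creates the session
        session.setAttribute("cart", "3 items");         // Subject-specific temporal data
        session.setTimeout(500L);                        // idle timeout in milliseconds (demo value)
        System.out.println("id=" + session.getId() + " started=" + session.getStartTimestamp()
                + " cart=" + session.getAttribute("cart"));

        Thread.sleep(300);
        session.touch();                                 // activity: resets lastAccessTime
        Thread.sleep(300);                               // 600 ms since creation, 300 ms since touch()
        System.out.println("still valid after touch(): lastAccess=" + session.getLastAccessTime());

        Thread.sleep(700);                               // now idle for longer than the timeout
        try {
            session.getAttribute("cart");                // any access validates the session first
            System.out.println("unexpectedly still valid");
        } catch (ExpiredSessionException e) {
            System.out.println("expired on access: " + e.getMessage());
        }
    }
}
```

Note that plain reads such as getLastAccessTime() or getAttribute() validate the session but do not count as activity; only touch() (or, in a web app, the ShiroFilter handling a request) pushes lastAccessTime forward.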

Cryptography

Cryptography Defined: protecting information from undesired access by hiding it or converting it into nonsense. Elements of cryptography: Ciphers, Hashes.

Ciphers Defined: encrypting and decrypting data using shared or public/private keys. Symmetric cipher: same key for both directions (block cipher: chunks of bits; stream cipher: a stream of bits). Asymmetric cipher: different keys.

Hashes Defined: a one-way, irreversible conversion of an input source (a.k.a. message digest). Used for credentials transformation and checksums. Input is anything with an underlying byte array: files, streams, etc.

Cryptography Features: simplicity; interface-driven, POJO based; a simplified wrapper over the JCE infrastructure; "object-orientifies" cryptography concepts; easier to understand API.

Cipher Features: OO hierarchy (JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc.); just instantiate a class, no "transformation string" or factory methods; more secure default settings than the JDK (cipher modes, initialization vectors, et al.).

Example: Plaintext (image courtesy Wikipedia)

Example: ECB Mode (JDK Default!) (image courtesy Wikipedia)

Example: Shiro Defaults (image courtesy Wikipedia)

Shiro's CipherService Interface
    public interface CipherService {
        ByteSource encrypt(byte[] raw, byte[] key);
        void encrypt(InputStream in, OutputStream out, byte[] key);
        ByteSource decrypt(byte[] cipherText, byte[] key);
        void decrypt(InputStream in, OutputStream out, byte[] key);
    }
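The ECB-versus-Shiro-defaults pictures, reproduced in code. This is an added example, not from the slides or the Shiro project: it encrypts a constructed plaintext of four identical 16-byte blocks (standing in for the repeated pixels of the image) once with the JDK's bare Cipher.getInstance("AES"), which the SunJCE provider resolves to AES/ECB/PKCS5Padding, and twice with Shiro's AesCipherService, then counts how many distinct ciphertext blocks each produces and whether two encryptions of the same input agree. The distinctBlocks() and jdkDefaultEncrypt() helpers are this example's own.

```java
import org.apache.shiro.crypto.AesCipherService;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class EcbVersusShiroDefaults {

    /** Number of distinct 16-byte blocks in a ciphertext; repeats leak plaintext structure. */
    static int distinctBlocks(byte[] ct) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i + 16 <= ct.length; i += 16) {
            seen.add(Arrays.toString(Arrays.copyOfRange(ct, i, i + 16)));
        }
        return seen.size();
    }

    /** Constructed plaintext: the same 16-byte block four times, like a flat-coloured image region. */
    static byte[] plaintext() {
        byte[] block = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
        byte[] pt = new byte[4 * block.length];
        for (int i = 0; i < 4; i++) {
            System.arraycopy(block, 0, pt, i * block.length, block.length);
        }
        return pt;
    }

    /** The JDK "default": "AES" alone is ECB with PKCS5 padding in SunJCE, no IV, fully deterministic. */
    static byte[] jdkDefaultEncrypt(byte[] key, byte[] pt) throws Exception {
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(pt);
    }

    public static void main(String[] args) throws Exception {
        AesCipherService aes = new AesCipherService();          // Shiro defaults: random IV per call
        byte[] key = aes.generateNewKey().getEncoded();          // 128-bit key by default
        byte[] pt = plaintext();

        byte[] ecb = jdkDefaultEncrypt(key, pt);
        System.out.println("JDK default   : " + distinctBlocks(ecb) + " distinct of "
                + ecb.length / 16 + " blocks");

        byte[] c1 = aes.encrypt(pt, key).getBytes();
        byte[] c2 = aes.encrypt(pt, key).getBytes();
        System.out.println("Shiro default : " + distinctBlocks(c1) + " distinct of "
                + c1.length / 16 + " blocks; same ciphertext twice? " + Arrays.equals(c1, c2));

        // Shiro prepends the generated IV to the ciphertext, so decryption needs only the key.
        byte[] back = aes.decrypt(c1, key).getBytes();
        System.out.println("round trip ok : " + Arrays.equals(back, pt));
    }
}
```

Two caveats for anyone taking "more secure default settings than the JDK" at face value. First, at the time of these slides the Shiro default was CBC with a random IV and no integrity protection, and unauthenticated CBC is malleable; this is what later made the RememberMe cookie a padding-oracle target (CVE-2019-12422), and Shiro 1.4.2 and later default AesCipherService to GCM for that reason. Second, the key handling here (a fresh key in memory) is the easy part; in real deployments the key must not live in shiro.ini or source control.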

Hash Features: default interface implementations (MD5, SHA-1, SHA-256, et al.); built-in Hex & Base64 conversion; built-in support for salts and repeated hashing.

Shiro's Hash Interface
    public interface Hash {
        byte[] getBytes();
        String toHex();
        String toBase64();
    }

Intuitive OO Hash API
    // some examples:
    new Md5Hash("foo").toHex();
    // File MD5 hash value for a checksum:
    new Md5Hash(aFile).toHex();
    // store the password, but not in plaintext (salted, 1024 iterations):
    new Sha512Hash(aPassword, salt, 1024).toBase64();
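The last line of the slide, the salted and iterated password hash, carried through to a complete store-and-verify round trip. This is an added example, not code from the slides or the Shiro project: StoredCredential is a constructed record type standing in for a database row, the salt comes from Shiro's SecureRandomNumberGenerator so that it is random per user, the iteration count is raised well above the slide's 1024, and verification compares digests with MessageDigest.isEqual rather than String.equals. MD5 and SHA-1 from the feature list are fine for the file-checksum use on the slide, not for this one.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;

import java.security.MessageDigest;

public class PasswordHashing {
    /** Higher than the slide's 1024; tune so one verification costs tens of milliseconds on your hardware. */
    static final int ITERATIONS = 100_000;

    /** Constructed stand-in for the credential row you would persist. */
    static final class StoredCredential {
        final String saltBase64;
        final String hashBase64;
        final int iterations; // stored alongside so the cost can be raised later without a flag day

        StoredCredential(String saltBase64, String hashBase64, int iterations) {
            this.saltBase64 = saltBase64;
            this.hashBase64 = hashBase64;
            this.iterations = iterations;
        }
    }

    /** Hash a new password with a fresh random salt. */
    static StoredCredential create(char[] password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(); // 16 random bytes by default
        Sha512Hash hash = new Sha512Hash(password, salt, ITERATIONS);
        return new StoredCredential(salt.toBase64(), hash.toBase64(), ITERATIONS);
    }

    /** Recompute with the stored salt and iteration count, then compare in constant time. */
    static boolean verify(char[] password, StoredCredential stored) {
        byte[] salt = Base64.decode(stored.saltBase64);
        byte[] candidate = new Sha512Hash(password, salt, stored.iterations).getBytes();
        return MessageDigest.isEqual(candidate, Base64.decode(stored.hashBase64));
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed test password
        StoredCredential rec = create(pw);
        System.out.println("salt=" + rec.saltBase64 + " hash=" + rec.hashBase64 + " iter=" + rec.iterations);
        System.out.println("right password verifies: " + verify(pw, rec));
        System.out.println("wrong password verifies: " + verify("Tr0ub4dor&3".toCharArray(), rec));

        // Same password hashed again: a different salt yields a different stored hash.
        StoredCredential rec2 = create(pw);
        System.out.println("same password, same hash twice? " + rec.hashBase64.equals(rec2.hashBase64));
    }
}
```

If you let a Realm do this for you, HashedCredentialsMatcher performs the same recomputation, and the realm supplies the per-user salt by returning a SimpleAuthenticationInfo that carries it.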

Web Support

Web Support Features: simple ShiroFilter web.xml definition; protects all URLs; innovative filtering (URL-specific chains); JSP tag support; transparent HttpSession support.

web.xml
    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

shiro.ini
    [main]
    ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
    ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
    ldapRealm.contextFactory.url = ldap://ldapHost:389
    securityManager.realm = $ldapRealm

    [urls]
    /images/** = anon
    /account/** = authc
    /rest/** = authcBasic
    /remoting/** = authc, roles[b2bClient], …
    (The slide's original "securityManager.realm = $realm" referenced a name never defined in [main]; the object is called ldapRealm.) The [urls] chains are matched top to bottom and the first match wins, so put specific paths before broad ones and finish with a catch-all such as /** = authc, otherwise anything not listed is served unprotected.

JSP TagLib Authorization
    <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
    <html>
    <body>
    <shiro:hasRole name="administrator">
        <a href="manageUsers.jsp">Click here to manage users</a>
    </shiro:hasRole>
    <shiro:lacksRole name="administrator">
        No user admin for you!
    </shiro:lacksRole>
    </body>
    </html>
    (The slide closed the lacksRole block with </shiro:hasRole>; corrected above.) The tags only decide what is rendered; manageUsers.jsp itself still needs a [urls] chain or annotation check, since hiding the link does not stop a direct request.

JSP TagLibs
    <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
    <!-- Other tags: -->
    <shiro:guest/>
    <shiro:user/>
    <shiro:principal/>
    <shiro:hasRole/>
    <shiro:lacksRole/>
    <shiro:hasAnyRoles/>
    <shiro:hasPermission/>
    <shiro:lacksPermission/>
    <shiro:authenticated/>
    <shiro:notAuthenticated/>

Auxiliary Features

Auxiliary Features: threading & concurrency (Callable/Runnable & Executor/ExecutorService); "Run As" support; ad-hoc Subject instance creation; unit testing; remembered vs. authenticated.
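The threading and concurrency item, demonstrated on the failure mode it exists for: a Subject is bound to the calling thread, so work handed to an ExecutorService runs as an anonymous Subject unless the caller wraps it with Subject.associateWith() (or runs it inline with Subject.execute()). This is an added example, not code from the slides or the Shiro project; it reuses the constructed IniRealm test user (jsmith / secret123, role admin) and the whoAmI() Callable is this example's own.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class SubjectPropagation {

    /** Work that consults the "current" Subject, the way a service or DAO usually does. */
    static Callable<String> whoAmI() {
        return () -> {
            Subject s = SecurityUtils.getSubject();
            return Thread.currentThread().getName() + " sees principal=" + s.getPrincipal()
                    + " authenticated=" + s.isAuthenticated() + " hasRole(admin)=" + s.hasRole("admin");
        };
    }

    public static void main(String[] args) throws Exception {
        Ini ini = new Ini();
        ini.setSectionProperty("users", "jsmith", "secret123, admin"); // constructed test user
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));

        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("jsmith", "secret123".toCharArray()));

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // 1. Plain submission: the pool thread has no Subject bound, so Shiro hands it an anonymous one
            //    and every hasRole()/isPermitted() check in that task fails.
            System.out.println("plain      : " + pool.submit(whoAmI()).get());

            // 2. associateWith() wraps the Callable so the caller's Subject is bound for the duration
            //    of the call on the worker thread and unbound again afterwards.
            System.out.println("associated : " + pool.submit(currentUser.associateWith(whoAmI())).get());

            // 3. execute() runs the Callable on the current thread as this Subject, no pool involved.
            System.out.println("execute    : " + currentUser.execute(whoAmI()));
        } finally {
            pool.shutdown();
            currentUser.logout();
        }
    }
}
```

The first line of output is the one to remember during code review: an authorization check that silently evaluates against an anonymous Subject is a fail-closed denial in the best case and, in code that only logs or audits the principal, a missing identity in the worst.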

Logging Out. One method; app-specific log-out logic runs before/after the call, or listen for Authentication or StoppedSession events.
    // Logs the user out, relinquishes account
    // data, and invalidates any Session
    SecurityUtils.getSubject().logout();

Application + Stormpath Realm. Stormpath: an application security service. Out-of-the-box features: managed security data model; secure credential storage; flexible permissions; password self-service GUI; management GUI. Diagram: the application talks to Stormpath (authentication, access control) through Realms + plug-ins over a REST API.

Stormpath: Cloud Deployment. Diagram: applications in the public cloud call Stormpath over REST; the corporate network's Active Directory syncs outbound through the firewall; SAML and OpenID/OAuth are shown as federation options.