Simple Application Security
Les Hazlewood
Apache Shiro Project Chair
About Me
Les Hazlewood
• Apache Shiro Project Chair
• JSecurity Founder
• Katasoft Founder & CTO
What is Apache Shiro?
• Application security library

• Quick and easy

• Simplifies security concepts
About Shiro
• Started in 2003, JSecurity in 2004
• Simplify or replace JAAS
• Dynamic changes at runtime
• Sessions - Heterogeneous Clients
• Reduce Design Flaws
• ‘One stop shop’
• Apache Top Level, September
Reduce Design Flaws
No Silver Bullets
Agenda
• Authentication
• Authorization
• Session Management
• Cryptography
• Web Support
• Threading & Concurrency
Quick Terminology
• Subject – Security-specific user ‘view’

• Principals – Subject’s identifying attributes

• Credentials – Secret values that verify identity

• Realm – Security-specific DAO
Authentication

Authentication Defined

Identity verification:

Proving a user is who he says he is
Shiro Authentication Features
• Subject-based (current user)
• Single method call

• Rich Exception Hierarchy

• ‘Remember Me’ built in
How to Authenticate with Shiro

Steps

1. Collect principals & credentials

2. Submit to Authentication System

3. Allow, retry, or block access
Step 1: Collecting Principals & Credentials

//Example using most common scenario:
//String username and password. Acquire in
//system-specific manner (HTTP request, GUI, etc)

UsernamePasswordToken token =
 new UsernamePasswordToken( username, password );

//”Remember Me” built-in, just do this:
token.setRememberMe(true);
Step 2: Submission
Subject currentUser =
    SecurityUtils.getSubject();

currentUser.login(token);
Step 3: Grant Access or Handle Failure
try {
    currentUser.login(token);
} catch ( UnknownAccountException uae ) {
    //no account with that username
} catch ( IncorrectCredentialsException ice ) {
    //account exists, credentials don't match
} catch ( LockedAccountException lae ) {
    //account is locked
} catch ( ExcessiveAttemptsException eae ) {
    //too many failed attempts
//} catch ( YourOwnException e ) { ... catch your own ...
} catch ( AuthenticationException ae ) {
    //unexpected error?
}
//No problems, show authenticated view…
“Remember Me” support
• subject.isRemembered()

• subject.isAuthenticated()

• remembered != authenticated
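The three steps above and the remembered-vs-authenticated distinction, combined in one hypothetical LoginService (an added example, not code from the slides or the Shiro project). It assumes Shiro 1.x on the classpath with a configured SecurityManager; audit() stands in for the application's logger.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

/**
 * Hypothetical service wrapping the three authentication steps. The caller gets an
 * Outcome plus a message that is safe to show the user; the detailed reason stays
 * in the server-side log.
 */
public final class LoginService {

    public enum Outcome { GRANTED, RETRY, BLOCKED }

    public static final class Result {
        public final Outcome outcome;
        public final String userMessage;
        Result(Outcome outcome, String userMessage) {
            this.outcome = outcome;
            this.userMessage = userMessage;
        }
    }

    // One wording for "no such account" and "wrong password": the response must not
    // tell an anonymous caller which usernames exist.
    private static final String BAD_LOGIN = "Invalid username or password.";

    public Result login(String username, char[] password, boolean rememberMe) {
        // Step 1: collect principals and credentials (already read from the request/GUI)
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);

        // Step 2: submit to the authentication system through the current Subject
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            // Step 3a: allow
            return new Result(Outcome.GRANTED, "Welcome, " + currentUser.getPrincipal());
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Step 3b: retry, with a deliberately indistinguishable message
            audit("login failed for '" + username + "': " + e.getClass().getSimpleName());
            return new Result(Outcome.RETRY, BAD_LOGIN);
        } catch (LockedAccountException | ExcessiveAttemptsException e) {
            // Step 3c: block; the realm decided this account may not log in right now
            audit("login blocked for '" + username + "': " + e.getClass().getSimpleName());
            return new Result(Outcome.BLOCKED, "This account is temporarily locked.");
        } catch (AuthenticationException e) {
            // Anything else (realm failure, custom exception types): log detail, show nothing specific
            audit("unexpected authentication error for '" + username + "': " + e);
            return new Result(Outcome.RETRY, BAD_LOGIN);
        } finally {
            // Zeroes the password array the token holds (the same array the caller passed in)
            token.clear();
        }
    }

    /**
     * "Remember Me": a remembered Subject has a principal but is NOT authenticated.
     * Sensitive operations (change password, view billing) should demand a fresh login.
     */
    public static boolean needsFreshLogin(Subject subject) {
        return !subject.isAuthenticated(); // true for anonymous and remembered-only subjects
    }

    public static boolean isRememberedOnly(Subject subject) {
        return subject.isRemembered() && !subject.isAuthenticated();
    }

    private static void audit(String message) {
        System.err.println("[auth] " + message); // stand-in for the application's logger
    }
}
```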
Authorization

Authorization Defined
Process of determining Access Control
“who can do what”

Elements of Authorization
• Permissions
• Roles
• Users
Permissions Defined
• The “what” of an application
• Most atomic security element

• Describes resource types and their behavior

• Does not define “who”
Roles Defined
• Implicit or Explicit construct
• Implicit: Name only

• Explicit: A named collection of Permissions
   Allows behavior aggregation

   Enables dynamic (runtime) alteration of user abilities.
Users Defined
• The “who” of the application

• What each user can do is defined by their
  association with Roles or Permissions

Example: User’s roles imply PrinterPermission
Authorization Features
• Subject-centric (current user)

• Checks based on roles or permissions

• Powerful out-of-the-box WildcardPermission

• Any data model – Realms decide
How to Authorize with Shiro
Multiple means of checking access control:
• Programmatically

• JDK 1.5 annotations

• JSP/GSP TagLibs (web support)
Programmatic Authorization
  Role Check

//get the current Subject
Subject currentUser =
    SecurityUtils.getSubject();

if (currentUser.hasRole("administrator")) {
    //do one thing (show a special button?)
} else {
    //don't show the button?
}
Programmatic Authorization
  Permission Check
Subject currentUser =
    SecurityUtils.getSubject();

//PrinterPermission is an application-defined Permission implementation
Permission printPermission =
    new PrinterPermission("laserjet3000n", "print");

if (currentUser.isPermitted(printPermission)) {
    //do one thing (show the print button?)
} else {
    //don't show the button?
}
Programmatic Authorization
  Permission Check (String-based)
String perm = "printer:print:laserjet4400n";

if (currentUser.isPermitted(perm)) {
    //show the print button?
} else {
    //don't show the button?
}
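How the string-based check above is resolved: an added example (not from the slides) that exercises Shiro's WildcardPermission implication rules directly, without a Realm or SecurityManager, and then generalises to an explicit role, i.e. a named collection of permission strings. Assumes Shiro 1.x; the printer permission strings are constructed samples.

```java
import java.util.Arrays;
import java.util.Collection;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

/** Hypothetical demo class; only WildcardPermission comes from Shiro. */
public final class PermissionImplication {

    /** True if a granted permission string implies the one a check asks for. */
    static boolean implies(String granted, String requested) {
        Permission have = new WildcardPermission(granted);
        Permission want = new WildcardPermission(requested);
        return have.implies(want);
    }

    /**
     * An explicit role from the slides: a named collection of Permissions.
     * subject.isPermitted(requested) succeeds when any assigned permission implies it.
     */
    static boolean roleImplies(Collection<String> rolePermissions, String requested) {
        Permission want = new WildcardPermission(requested);
        for (String p : rolePermissions) {
            if (new WildcardPermission(p).implies(want)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[][] cases = {
            // exact match
            {"printer:print:laserjet4400n", "printer:print:laserjet4400n"},
            // a granted permission with fewer parts implies every value of the missing parts
            {"printer:print", "printer:print:laserjet4400n"},
            // explicit wildcard
            {"printer:*", "printer:print:laserjet4400n"},
            // comma-separated alternatives within a part
            {"printer:print,query", "printer:query:laserjet4400n"},
            // wildcard in the middle, specific instance at the end
            {"printer:*:laserjet4400n", "printer:manage:laserjet4400n"},
            // a specific grant never implies the broader permission
            {"printer:print:laserjet4400n", "printer:print"},
            // different instance
            {"printer:print:laserjet4400n", "printer:print:laserjet3000n"},
        };
        for (String[] c : cases) {
            System.out.printf("%-30s implies %-30s : %b%n", c[0], c[1], implies(c[0], c[1]));
        }

        // Explicit "printerOperator" role: permissions aggregated under one name
        Collection<String> printerOperator =
            Arrays.asList("printer:query", "printer:print:laserjet4400n");
        System.out.println("operator may print on laserjet4400n : "
            + roleImplies(printerOperator, "printer:print:laserjet4400n"));
        System.out.println("operator may manage laserjet4400n   : "
            + roleImplies(printerOperator, "printer:manage:laserjet4400n"));
    }
}
```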
Annotation Authorization
  Role Check
//Throws an AuthorizationException if the caller
//doesn't have the 'teller' role:

@RequiresRoles( "teller" )
public void openAccount( Account acct ) {
    //do something in here that only a teller
    //should do
}
Annotation Authorization
  Permission Check
//Will throw an AuthorizationException if none
//of the caller's roles imply the Account
//'create' permission

@RequiresPermissions("account:create")
public void openAccount( Account acct ) {
    //create the account
}
Enterprise Session Management

Session Management Defined
Managing the lifecycle of Subject-specific temporal data context
Session Management Features
• Heterogeneous client access
• POJO/J2SE based (IoC friendly)
• Event listeners
• Host address retention
• Inactivity/expiration support (touch())
• Transparent web use - HttpSession
• Can be used for SSO
Acquiring and Creating Sessions
Subject currentUser =
    SecurityUtils.getSubject();

//guarantee a session (creates one if needed)
Session session =
    currentUser.getSession();


//get a session only if one already exists (null otherwise)
Session existing =
    currentUser.getSession(false);
Session API
getStartTimestamp()
getLastAccessTime()
getAttribute(key)
setAttribute(key, value)
get/setTimeout(long)
touch()
...
Cryptography

Cryptography Defined
Protecting information from undesired access by
hiding it or converting it into nonsense.

Elements of Cryptography
• Ciphers
• Hashes
Ciphers Defined
Encryption and decryption of data based on
public/private keys.

• Symmetric Cipher - same key for encryption
  and decryption.

• Asymmetric Cipher - different keys for
  encryption and decryption
Hashes Defined
A one-way, irreversible conversion of an input
source (a.k.a. Message Digest)
Used for:
• Credentials transformation
• Data with underlying byte array
  Files, Streams, etc
Cryptography Features
Simplicity
• Simplified wrapper over JCE infrastructure.
• Easier to understand API
• “Object Orientifies” cryptography concepts
• Interface-driven, POJO based
Cipher Features
• OO Hierarchy
  JcaCipherService, AbstractSymmetricCipherService,
    DefaultBlockCipherService, etc

• Just instantiate a class
  No “Transformation String”/Factory methods

• More secure default settings
  Initialization Vectors, et. al.
Shiro’s CipherService Interface
public interface CipherService {

   ByteSource encrypt( byte[] raw, byte[] key );

   void encrypt( InputStream in, OutputStream out, byte[] key );

   ByteSource decrypt( byte[] cipherText, byte[] key );

   void decrypt( InputStream in, OutputStream out, byte[] key );
}
Hash Features
• Default interface implementations
   MD5, SHA1, SHA-256, et. al.

• Built in Hex & Base64 conversion

• Built-in support for Salts and repeated hashing
Shiro’s Hash Interface
public interface Hash {

    byte[] getBytes();

    String toHex();

    String toBase64();

}
Intuitive OO Hash API
//some examples:
new Md5Hash("foo").toHex();

//File MD5 Hash value for checksum:
new Md5Hash( aFile ).toHex();

//store a password, but not raw:
new Sha256Hash(aPassword, salt,
               1024).toBase64();
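The "store a password, but not raw" line carried through to what a Realm would actually persist and later verify: an added example, not code from the slides or from Shiro, using Shiro 1.x's Sha256Hash, SecureRandomNumberGenerator and Base64 codec. The PasswordHasher and StoredCredential names are hypothetical; the sample password is constructed.

```java
import java.security.MessageDigest;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

/** Hypothetical helper built on Shiro's Hash API; not part of Shiro itself. */
public final class PasswordHasher {

    static final int ITERATIONS = 1024;   // the repeated-hashing count used on the slide
    static final int SALT_BYTES = 16;
    private static final SecureRandomNumberGenerator RNG = new SecureRandomNumberGenerator();

    /** What a Realm stores per account: the salt and the digest (Base64), never the password. */
    public static final class StoredCredential {
        public final String saltBase64;
        public final String hashBase64;
        StoredCredential(String saltBase64, String hashBase64) {
            this.saltBase64 = saltBase64;
            this.hashBase64 = hashBase64;
        }
    }

    /** Hash a new password with a fresh random salt so equal passwords never share a digest. */
    public static StoredCredential hash(char[] password) {
        ByteSource salt = RNG.nextBytes(SALT_BYTES);
        Sha256Hash digest = new Sha256Hash(password, salt, ITERATIONS);
        return new StoredCredential(salt.toBase64(), digest.toBase64());
    }

    /** Re-derive the digest from the stored salt and compare in constant time. */
    public static boolean verify(char[] candidate, StoredCredential stored) {
        ByteSource salt = ByteSource.Util.bytes(Base64.decode(stored.saltBase64));
        byte[] computed = new Sha256Hash(candidate, salt, ITERATIONS).getBytes();
        byte[] expected = Base64.decode(stored.hashBase64);
        // MessageDigest.isEqual does not stop at the first differing byte, unlike Arrays.equals
        return MessageDigest.isEqual(expected, computed);
    }

    public static void main(String[] args) {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        StoredCredential stored = hash(password);
        System.out.println("salt=" + stored.saltBase64 + " hash=" + stored.hashBase64);

        // the right password verifies; a wrong one does not
        System.out.println("correct password: " + verify(password, stored));
        System.out.println("wrong password:   " + verify("not it".toCharArray(), stored));

        // hashing the same password again uses a new salt, so the stored digest differs
        System.out.println("same digest on re-hash: "
            + hash(password).hashBase64.equals(stored.hashBase64));
    }
}
```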
Web Support

Web Support Features
• Simple ShiroFilter web.xml definition
• Protects all URLs

• Innovative Filtering (URL-specific chains)

• JSP Tag support

• Transparent HttpSession support
web.xml
<filter>
  <filter-name>ShiroFilter</filter-name>
  <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
  <init-param><param-name>config</param-name><param-value>
  [main]
    realm = com.my.custom.realm.Implementation
    securityManager.realm = $realm
  [urls]
    /account/** = authc
    /remoting/** = authc, roles[b2bClient], ...
  </param-value></init-param>
</filter>

<filter-mapping>
  <filter-name>ShiroFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
JSP TagLib Authorization
<%@ taglib prefix="shiro"
uri="http://shiro.apache.org/tags" %>
<html>
<body>
    <shiro:hasRole name="administrator">
        <a href="manageUsers.jsp">
            Click here to manage users
        </a>
    </shiro:hasRole>
    <shiro:lacksRole name="administrator">
        No user admin for you!
    </shiro:lacksRole>
</body>
</html>
JSP TagLibs
<%@ taglib prefix="shiro"
uri="http://shiro.apache.org/tags" %>

<!-- Other tags: -->
<shiro:guest/>
<shiro:user/>
<shiro:principal/>
<shiro:hasRole/>
<shiro:lacksRole/>
<shiro:hasAnyRoles/>
<shiro:hasPermission/>
<shiro:lacksPermission/>
<shiro:authenticated/>
<shiro:notAuthenticated/>
Threading & Concurrency

Threading & Concurrency Features
• Subject retained on multiple threads

• Automatic thread cleanup

• Transparent Executor/ExecutorService support
ThreadLocal
• Currently-executing Subject is thread-bound
  via a ThreadContext
• Executing logic in the current thread is fine.
  What about other threads?
• Runnable & Callable support
• ExecutorService support
Subject Thread Association
Can associate a Subject with a Callable or
  Runnable intended to run on another thread:
Callable myCallable = //create or acquire
Subject currentUser = SecurityUtils.getSubject();

Callable associated =
    currentUser.associateWith(myCallable);

associated.call(); //current thread
//or another thread (submit(), because a Callable is not a Runnable):
anExecutorService.submit(associated);
Transparent Association
Subject ‘Aware’ Executor implementations
transparently retain Subject:
SubjectAwareExecutor,
SubjectAwareExecutorService,
SubjectAwareScheduledExecutorService

//Look mom! No Shiro API imports!

Callable myCallable = //create or acquire
aSubjectAwareExecutorService.submit(myCallable);
MISCELLANEOUS
“Run As” Support
• “Run As” allows a Subject to assume the
  identity of another

• Useful for administrative interfaces

• Identity retained until relinquished
“Run As” Support
//assume current user is the 'admin' user:
Subject currentUser = SecurityUtils.getSubject();

PrincipalCollection newIdentity = new
    SimplePrincipalCollection("jsmith", "jdbcRealm");

currentUser.runAs(newIdentity);
//behave as the 'jsmith' user here

currentUser.isRunAs(); //true = assumed identity
currentUser.getPreviousPrincipals(); //prev. identity

//return back to the admin user:
currentUser.releaseRunAs();
Unit Testing
• Subject.Builder creates ad-hoc Subjects
• Use with subject.execute for easy testing:
//Builder.principals() takes a PrincipalCollection;
//"testRealm" is a placeholder realm name
Subject testSubject =
  new Subject.Builder(securityManager)
  .principals(new SimplePrincipalCollection("jsmith", "testRealm"))
  .buildSubject();

testSubject.execute( new Runnable() {
  public void run() {
      callTestMethod();
  }
});
Logging Out
One method:
//Logs the user out, relinquishes account
//data, and invalidates any Session
SecurityUtils.getSubject().logout();


App-specific log-out logic:
  Before/After the call

  Listen for Authentication or StoppedSession events.
APACHE SHIRO DEMO
Thank You!
• les@katasoft.com
• http://www.katasoft.com

• Seeking engineering talent

• Seeking product feedback
 
jQuery State of the Union - Yehuda Katz
jQuery State of the Union - Yehuda KatzjQuery State of the Union - Yehuda Katz
jQuery State of the Union - Yehuda Katz
Marakana Inc.
 
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Marakana Inc.
 
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
Efficient Rails Test Driven Development (class 4) by Wolfram ArnoldEfficient Rails Test Driven Development (class 4) by Wolfram Arnold
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
Marakana Inc.
 
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
Efficient Rails Test Driven Development (class 3) by Wolfram ArnoldEfficient Rails Test Driven Development (class 3) by Wolfram Arnold
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
Marakana Inc.
 
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas EneboLearn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Marakana Inc.
 
Replacing Java Incrementally
Replacing Java IncrementallyReplacing Java Incrementally
Replacing Java Incrementally
Marakana Inc.
 
Learn to Build like you Code with Apache Buildr
Learn to Build like you Code with Apache BuildrLearn to Build like you Code with Apache Buildr
Learn to Build like you Code with Apache Buildr
Marakana Inc.
 
Android Services Black Magic by Aleksandar Gargenta
Android Services Black Magic by Aleksandar GargentaAndroid Services Black Magic by Aleksandar Gargenta
Android Services Black Magic by Aleksandar Gargenta
Marakana Inc.
 
Behavior Driven Development
Behavior Driven DevelopmentBehavior Driven Development
Behavior Driven Development
Marakana Inc.
 
Martin Odersky: What's next for Scala
Martin Odersky: What's next for ScalaMartin Odersky: What's next for Scala
Martin Odersky: What's next for Scala
Marakana Inc.
 
Why Java Needs Hierarchical Data
Why Java Needs Hierarchical DataWhy Java Needs Hierarchical Data
Why Java Needs Hierarchical Data
Marakana Inc.
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Pictures from "Learn about RenderScript" meetup at SF Android User Group
Pictures from "Learn about RenderScript" meetup at SF Android User GroupPictures from "Learn about RenderScript" meetup at SF Android User Group
Pictures from "Learn about RenderScript" meetup at SF Android User Group
Marakana Inc.
 
Android UI Tips, Tricks and Techniques
Android UI Tips, Tricks and TechniquesAndroid UI Tips, Tricks and Techniques
Android UI Tips, Tricks and Techniques
Marakana Inc.
 
2010 07-18.wa.rails tdd-6
2010 07-18.wa.rails tdd-62010 07-18.wa.rails tdd-6
2010 07-18.wa.rails tdd-6
Marakana Inc.
 
Efficient Rails Test-Driven Development - Week 6
Efficient Rails Test-Driven Development - Week 6Efficient Rails Test-Driven Development - Week 6
Efficient Rails Test-Driven Development - Week 6
Marakana Inc.
 
Graphicsand animations devoxx2010 (1)
Graphicsand animations devoxx2010 (1)Graphicsand animations devoxx2010 (1)
Graphicsand animations devoxx2010 (1)
Marakana Inc.
 
What's this jQuery? Where it came from, and how it will drive innovation
What's this jQuery? Where it came from, and how it will drive innovationWhat's this jQuery? Where it came from, and how it will drive innovation
What's this jQuery? Where it came from, and how it will drive innovation
Marakana Inc.
 
jQuery State of the Union - Yehuda Katz
jQuery State of the Union - Yehuda KatzjQuery State of the Union - Yehuda Katz
jQuery State of the Union - Yehuda Katz
Marakana Inc.
 
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Marakana Inc.
 
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
Efficient Rails Test Driven Development (class 4) by Wolfram ArnoldEfficient Rails Test Driven Development (class 4) by Wolfram Arnold
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
Marakana Inc.
 
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
Efficient Rails Test Driven Development (class 3) by Wolfram ArnoldEfficient Rails Test Driven Development (class 3) by Wolfram Arnold
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
Marakana Inc.
 
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas EneboLearn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Marakana Inc.
 
Replacing Java Incrementally
Replacing Java IncrementallyReplacing Java Incrementally
Replacing Java Incrementally
Marakana Inc.
 
Learn to Build like you Code with Apache Buildr
Learn to Build like you Code with Apache BuildrLearn to Build like you Code with Apache Buildr
Learn to Build like you Code with Apache Buildr
Marakana Inc.
 

Recently uploaded (20)

Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 

Super simple application security with Apache Shiro

1. Simple Application Security
Les Hazlewood
Apache Shiro Project Chair

2. About Me
Les Hazlewood
Apache Shiro Project Chair
JSecurity Founder
Katasoft Founder & CTO

3. What is Apache Shiro?
• Application security library
• Quick and easy
• Simplifies security concepts

4. About Shiro
• Started in 2003, JSecurity in 2004
• Simplify or replace JAAS
• Dynamic changes at runtime
• Sessions - Heterogeneous Clients
• Reduce Design Flaws
• ‘One stop shop’
• Apache Top Level, September

7. Agenda
• Authentication
• Authorization
• Session Management
• Cryptography
• Web Support
• Threading & Concurrency

8. Quick Terminology
• Subject – Security-specific user ‘view’
• Principals – Subject’s identifying attributes
• Credentials – Secret values that verify identity
• Realm – Security-specific DAO

9. Authentication

11. Shiro Authentication Features
• Subject-based (current user)
• Single method call
• Rich Exception Hierarchy
• ‘Remember Me’ built in

12. How to Authenticate with Shiro
Steps
1. Collect principals & credentials
2. Submit to Authentication System
3. Allow, retry, or block access

13. Step 1: Collecting Principals & Credentials
//Example using most common scenario:
//String username and password. Acquire in
//system-specific manner (HTTP request, GUI, etc)
UsernamePasswordToken token =
    new UsernamePasswordToken( username, password );
//"Remember Me" built-in, just do this:
token.setRememberMe(true);

14. Step 2: Submission
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);

15. Step 3: Grant Access or Handle Failure
try {
    currentUser.login(token);
} catch ( UnknownAccountException uae ) { ...
} catch ( IncorrectCredentialsException ice ) { ...
} catch ( LockedAccountException lae ) { ...
} catch ( ExcessiveAttemptsException eae ) { ...
} ... catch your own ...
} catch ( AuthenticationException ae ) {
    //unexpected error?
}
//No problems, show authenticated view…

16. “Remember Me” support
• subject.isRemembered()
• subject.isAuthenticated()
• remembered != authenticated
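The three steps of slides 12 to 16 carried through end to end, as an added example that is not part of the slides. It assumes shiro-core (with its slf4j dependency) on the classpath and uses Shiro's built-in INI realm with one constructed account, jsmith / secret123, so it runs without a database.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class LoginFlowExample {

    /** What the caller (a login form, a REST endpoint) does next; it never sees the raw exception. */
    enum Outcome { GRANTED, RETRY, BLOCKED, ERROR }

    /** SecurityManager backed by Shiro's built-in INI realm with one constructed account. */
    static SecurityManager inMemorySecurityManager() {
        Ini ini = new Ini();
        // [users] format: username = password, role1, role2 ...
        ini.addSection("users").put("jsmith", "secret123, teller");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** Steps 1 to 3 from the slides: collect, submit, then allow, retry or block. */
    static Outcome login(Subject subject, String username, char[] password, boolean rememberMe) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        try {
            subject.login(token);
            return Outcome.GRANTED;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // One answer for both cases, so the form does not reveal which usernames exist.
            return Outcome.RETRY;
        } catch (LockedAccountException | ExcessiveAttemptsException e) {
            return Outcome.BLOCKED;
        } catch (AuthenticationException e) {
            // Anything else is unexpected: log it server-side, show a generic message.
            return Outcome.ERROR;
        } finally {
            // The token holds the clear-text password; wipe it once the attempt is over.
            token.clear();
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(inMemorySecurityManager());
        Subject currentUser = SecurityUtils.getSubject();

        System.out.println(login(currentUser, "jsmith", "wrong".toCharArray(), false));      // RETRY
        System.out.println(login(currentUser, "nobody", "secret123".toCharArray(), false));  // RETRY
        System.out.println(login(currentUser, "jsmith", "secret123".toCharArray(), true));   // GRANTED

        // Slide 16: remembered != authenticated. Right after a real login Shiro reports
        // isAuthenticated() == true and isRemembered() == false. A Subject rebuilt from a
        // RememberMe cookie on a later visit is the other way round, so gate sensitive
        // actions (changing a password, moving money) on isAuthenticated() only.
        System.out.println(currentUser.isAuthenticated() + " " + currentUser.isRemembered()); // true false
        currentUser.logout();
    }
}
```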
17. Authorization

18. Authorization Defined
Process of determining Access Control: “who can do what”
Elements of Authorization
• Permissions
• Roles
• Users

19. Permissions Defined
• The “what” of an application
• Most atomic security element
• Describes resource types and their behavior
• Does not define “who”

20. Roles Defined
• Implicit or Explicit construct
• Implicit: Name only
• Explicit: A named collection of Permissions
  Allows behavior aggregation
  Enables dynamic (runtime) alteration of user abilities.

21. Users Defined
• The “who” of the application
• What each user can do is defined by their association with Roles or Permissions
Example: User’s roles imply PrinterPermission

22. Authorization Features
• Subject-centric (current user)
• Checks based on roles or permissions
• Powerful out-of-the-box WildcardPermission
• Any data model – Realms decide

23. How to Authorize with Shiro
Multiple means of checking access control:
• Programmatically
• JDK 1.5 annotations
• JSP/GSP TagLibs (web support)

24. Programmatic Authorization: Role Check
//get the current Subject
Subject currentUser = SecurityUtils.getSubject();
if (currentUser.hasRole("administrator")) {
    //do one thing (show a special button?)
} else {
    //don't show the button?
}

25. Programmatic Authorization: Permission Check
Subject currentUser = SecurityUtils.getSubject();
Permission printPermission =
    new PrinterPermission("laserjet3000n", "print");
if (currentUser.isPermitted(printPermission)) {
    //do one thing (show the print button?)
} else {
    //don't show the button?
}

26. Programmatic Authorization: Permission Check (String-based)
String perm = "printer:print:laserjet4400n";
if (currentUser.isPermitted(perm)) {
    //show the print button?
} else {
    //don't show the button?
}

27. Annotation Authorization: Role Check
//Throws an AuthorizationException if the caller
//doesn't have the 'teller' role:
@RequiresRoles( "teller" )
public void openAccount( Account acct ) {
    //do something in here that only a teller
    //should do
}

28. Annotation Authorization: Permission Check
//Will throw an AuthorizationException if none
//of the caller's roles imply the Account
//'create' permission
@RequiresPermissions("account:create")
public void openAccount( Account acct ) {
    //create the account
}
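The role and permission checks of slides 24 to 28 run against the WildcardPermission strings that slide 22 mentions, as an added example that is not part of the slides. The accounts jsmith and intern, their roles and the permission strings are all constructed; it assumes shiro-core on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class WildcardAuthzExample {

    /** Constructed accounts and roles; the INI realm resolves role names to wildcard permissions. */
    static SecurityManager constructedSecurityManager() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("jsmith", "secret123, teller");
        users.put("intern", "secret456, intern");
        Ini.Section roles = ini.addSection("roles");
        roles.put("teller", "printer:print:*, account:create");
        roles.put("intern", "printer:query:laserjet4400n");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** UI-side check (slide 26): should the print button for this printer be shown at all? */
    static boolean canPrintOn(Subject subject, String printerName) {
        return subject.isPermitted("printer:print:" + printerName);
    }

    /** Service-side enforcement, what @RequiresPermissions("account:create") does for you (slide 28). */
    static void openAccount(Subject subject, String accountName) {
        subject.checkPermission("account:create"); // throws UnauthorizedException if not implied
        System.out.println(subject.getPrincipal() + " created account " + accountName);
    }

    /** Does a permission string that was granted imply one that is being requested? */
    static boolean implies(String granted, String requested) {
        return new WildcardPermission(granted).implies(new WildcardPermission(requested));
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(constructedSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();

        currentUser.login(new UsernamePasswordToken("jsmith", "secret123"));
        System.out.println(currentUser.hasRole("teller"));             // true
        System.out.println(canPrintOn(currentUser, "laserjet4400n"));  // true: printer:print:* covers it
        openAccount(currentUser, "savings-001");                       // allowed
        currentUser.logout();

        currentUser.login(new UsernamePasswordToken("intern", "secret456"));
        System.out.println(canPrintOn(currentUser, "laserjet4400n"));  // false: may query, not print
        try {
            openAccount(currentUser, "savings-002");
        } catch (AuthorizationException e) {
            System.out.println("denied: " + e.getClass().getSimpleName());
        }
        currentUser.logout();

        // Caveat when designing permission strings: missing trailing parts are treated as
        // wildcards, so granting "printer:print" is the same as granting "printer:print:*".
        System.out.println(implies("printer:print", "printer:print:laserjet4400n"));               // true
        System.out.println(implies("printer:print:laserjet3000n", "printer:print:laserjet4400n")); // false
        System.out.println(implies("printer:*:laserjet4400n", "printer:print:laserjet4400n"));     // true
    }
}
```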
29. Enterprise Session Management

30. Session Management Defined
Managing the lifecycle of Subject-specific temporal data context

31. Session Management Features
• Heterogeneous client access
• POJO/J2SE based (IoC friendly)
• Event listeners
• Host address retention
• Inactivity/expiration support (touch())
• Transparent web use - HttpSession
• Can be used for SSO

32. Acquiring and Creating Sessions
Subject currentUser = SecurityUtils.getSubject();
//guarantee a session
Session session = currentUser.getSession();
//get a session if it exists
Session existing = currentUser.getSession(false);
34. Cryptography

35. Cryptography Defined
Protecting information from undesired access by hiding it or converting it into nonsense.
Elements of Cryptography
• Ciphers
• Hashes

36. Ciphers Defined
Encryption and decryption of data based on public/private keys.
• Symmetric Cipher - same key for encryption and decryption.
• Asymmetric Cipher - different keys for encryption and decryption

37. Hashes Defined
A one-way, irreversible conversion of an input source (a.k.a. Message Digest)
Used for:
• Credentials transformation
• Data with underlying byte array: Files, Streams, etc

38. Cryptography Features
Simplicity
• Simplified wrapper over JCE infrastructure.
• Easier to understand API
• “Object Orientifies” cryptography concepts
• Interface-driven, POJO based

39. Cipher Features
• OO Hierarchy: JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc
• Just instantiate a class: No “Transformation String”/Factory methods
• More secure default settings: Initialization Vectors, et. al.

40. Shiro’s CipherService Interface
public interface CipherService {
    ByteSource encrypt( byte[] raw, byte[] key);
    void encrypt(InputStream in, OutputStream out, byte[] key);
    ByteSource decrypt( byte[] cipherText, byte[] key);
    void decrypt(InputStream in, OutputStream out, byte[] key);
}
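The CipherService interface above in use through Shiro's AesCipherService, as an added example that is not part of the slides: it shows the "more secure default settings" of slide 39, a fresh IV per call, by encrypting the same message twice. The sample message is constructed, and the stated defaults (CBC, PKCS5 padding, 128-bit key) are those of Shiro 1.x.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;
import org.apache.shiro.crypto.AesCipherService;

public class AesRoundTripExample {

    // One service instance is thread-safe and reusable; in Shiro 1.x its defaults are
    // AES, CBC mode, PKCS5 padding, 128-bit keys and a fresh random IV per encrypt() call.
    static final AesCipherService AES = new AesCipherService();

    static Key newKey() {
        return AES.generateNewKey();
    }

    /** Encrypts one message; the returned bytes are the IV followed by the ciphertext. */
    static byte[] encrypt(byte[] plaintext, Key key) {
        return AES.encrypt(plaintext, key.getEncoded()).getBytes();
    }

    /** Reads the IV back off the front of the blob and decrypts the rest. */
    static byte[] decrypt(byte[] blob, Key key) {
        return AES.decrypt(blob, key.getEncoded()).getBytes();
    }

    public static void main(String[] args) {
        Key key = newKey();
        byte[] message = "account:4400n balance 1200".getBytes(StandardCharsets.UTF_8); // constructed

        byte[] first = encrypt(message, key);
        byte[] second = encrypt(message, key);

        // Same key, same plaintext, different output, because each call draws a new IV.
        // Without that, equal records would produce equal ciphertext and leak which rows match.
        System.out.println(Arrays.equals(first, second));                 // false
        System.out.println(Arrays.equals(decrypt(first, key), message));  // true
        System.out.println(Arrays.equals(decrypt(second, key), message)); // true

        // Caveat: this gives confidentiality only. CBC output is malleable, so anything
        // stored or sent untrusted should also carry a MAC over the whole blob, and the key
        // must live somewhere other than next to the data it protects.
    }
}
```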
41. Hash Features
• Default interface implementations: MD5, SHA1, SHA-256, et. al.
• Built in Hex & Base64 conversion
• Built-in support for Salts and repeated hashing

42. Shiro’s Hash Interface
public interface Hash {
    byte[] getBytes();
    String toHex();
    String toBase64();
}

43. Intuitive OO Hash API
//some examples:
new Md5Hash("foo").toHex();
//File MD5 Hash value for checksum:
new Md5Hash( aFile ).toHex();
//store a password, but not raw:
new Sha256Hash(aPassword, salt, 1024).toBase64();
```
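The "store a password, but not raw" line of slide 43 completed with the part the slide leaves out, where the salt comes from and how a later login is verified, as an added example that is not part of the slides. The StoredCredential holder and the sample passwords are constructed; it assumes shiro-core on the classpath.

```java
import java.security.MessageDigest;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class SaltedPasswordExample {

    // Same parameters as the slide: SHA-256, a per-user salt, 1024 iterations.
    static final int ITERATIONS = 1024;
    static final SecureRandomNumberGenerator RNG = new SecureRandomNumberGenerator();

    /** What the user store keeps per account: both values Base64, neither recoverable to the password. */
    static final class StoredCredential {
        final String saltBase64;
        final String hashBase64;
        StoredCredential(String saltBase64, String hashBase64) {
            this.saltBase64 = saltBase64;
            this.hashBase64 = hashBase64;
        }
    }

    /** Slide 43's "store a password, but not raw", with the salt drawn fresh for each account. */
    static StoredCredential store(char[] password) {
        ByteSource salt = RNG.nextBytes();                      // 16 random bytes by default
        Sha256Hash hash = new Sha256Hash(password, salt, ITERATIONS);
        return new StoredCredential(salt.toBase64(), hash.toBase64());
    }

    /** Recompute with the stored salt and compare in constant time, never with String.equals(). */
    static boolean verify(char[] password, StoredCredential stored) {
        byte[] salt = Base64.decode(stored.saltBase64);
        byte[] expected = Base64.decode(stored.hashBase64);
        byte[] actual = new Sha256Hash(password, salt, ITERATIONS).getBytes();
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        char[] password = "correct horse".toCharArray(); // constructed sample

        StoredCredential alice = store(password);
        StoredCredential bob = store(password);           // same password, different user

        System.out.println(verify(password, alice));                        // true
        System.out.println(verify("wrong horse".toCharArray(), alice));     // false
        // Per-user salts mean identical passwords do not produce identical rows,
        // so a leaked table cannot be cracked once and matched everywhere.
        System.out.println(alice.hashBase64.equals(bob.hashBase64));        // false

        // Caveat: iterated SHA-256 was the usual choice when these slides were written;
        // a memory-hard password hash (bcrypt, scrypt, Argon2) is the better choice today.
        // Whatever is chosen, the realm's HashedCredentialsMatcher must use the same
        // algorithm and iteration count, or every login will fail.
    }
}
```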
44. Web Support

45. Web Support Features
• Simple ShiroFilter web.xml definition
• Protects all URLs
• Innovative Filtering (URL-specific chains)
• JSP Tag support
• Transparent HttpSession support

46. web.xml
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    <init-param>
        <param-name>config</param-name>
        <param-value>
            [main]
            realm = com.my.custom.realm.Implementation
            securityManager.realm = $realm
            [urls]
            /account/** = authc
            /remoting/** = authc, roles[b2bClient], ...
        </param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
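The INI config from the web.xml above with a weak [urls] ordering beside the corrected one, as an added example that is not part of the slides. Shiro evaluates [urls] entries top to bottom and the first matching pattern wins; the realm class is the slide's placeholder, and /login.jsp and /admin/** are assumed paths.

```ini
[main]
realm = com.my.custom.realm.Implementation
securityManager.realm = $realm

[urls]
# WEAK ORDERING (left commented out): the first pattern that matches the request path
# wins, so a catch-all placed first sends every request, /account/** included,
# through the anon filter and the authc rules below it are never consulted.
# /**            = anon
# /account/**    = authc

# CORRECTED: specific paths first, the catch-all last.
/login.jsp      = authc
/account/**     = authc
/remoting/**    = authc, roles[b2bClient]
/admin/**       = authc, roles[administrator]
/**             = anon
```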
47. JSP TagLib Authorization
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<html>
<body>
    <shiro:hasRole name="administrator">
        <a href="manageUsers.jsp"> Click here to manage users </a>
    </shiro:hasRole>
    <shiro:lacksRole name="administrator">
        No user admin for you!
    </shiro:lacksRole>
</body>
</html>

48. JSP TagLibs
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<!-- Other tags: -->
<shiro:guest/>
<shiro:user/>
<shiro:principal/>
<shiro:hasRole/>
<shiro:lacksRole/>
<shiro:hasAnyRoles/>
<shiro:hasPermission/>
<shiro:lacksPermission/>
<shiro:authenticated/>
<shiro:notAuthenticated/>
49. Threading & Concurrency

50. Threading & Concurrency Features
• Subject retained on multiple threads
• Automatic thread cleanup
• Transparent Executor/ExecutorService support

51. ThreadLocal
• Currently-executing Subject is thread-bound via a ThreadContext
• Executing logic in the current thread is fine. What about other threads?
• Runnable & Callable support
• ExecutorService support

52. Subject Thread Association
Can associate a Subject with a Callable or Runnable intended to run on another thread:
Callable myCallable = //create or acquire
Subject currentUser = SecurityUtils.getSubject();
Callable associated = currentUser.associateWith(myCallable);
associated.call(); //current thread
//or another thread:
anExecutorService.submit(associated);

53. Transparent Association
Subject ‘Aware’ Executor implementations transparently retain Subject:
SubjectAwareExecutor, SubjectAwareExecutorService, SubjectAwareScheduledExecutorService
//Look mom! No Shiro API imports!
Callable myCallable = //create or acquire
anExecutorService.submit(myCallable);
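Slides 50 to 53 side by side on one worker thread, as an added example that is not part of the slides: an unassociated task sees an anonymous Subject, associateWith() and SubjectAwareExecutorService both carry jsmith across, and the "automatic thread cleanup" of slide 50 means the pooled thread does not keep that identity afterwards. The jsmith account is constructed; it assumes shiro-core on the classpath.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.concurrent.SubjectAwareExecutorService;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.subject.Subject;

public class SubjectThreadingExample {

    /** The task reads the Subject the way application code does: from the thread it runs on. */
    static final Callable<Object> WHO_AM_I = () -> SecurityUtils.getSubject().getPrincipal();

    public static void main(String[] args) throws Exception {
        Ini ini = new Ini();
        ini.addSection("users").put("jsmith", "secret123"); // constructed account
        SecurityUtils.setSecurityManager(new IniSecurityManagerFactory(ini).getInstance());
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("jsmith", "secret123"));

        // A single thread, so every task below runs on the same pooled worker.
        ExecutorService plain = Executors.newSingleThreadExecutor();
        try {
            // 1. Unassociated: the worker has no ThreadContext for jsmith, so it gets an
            //    anonymous Subject. Any authorization check in there would fail closed.
            System.out.println(plain.submit(WHO_AM_I).get());                             // null

            // 2. Explicit association (slide 52): the Subject is bound for the task's duration.
            System.out.println(plain.submit(currentUser.associateWith(WHO_AM_I)).get());  // jsmith

            // 3. Transparent association (slide 53): wrap the executor once, submit plain tasks.
            ExecutorService aware = new SubjectAwareExecutorService(plain);
            System.out.println(aware.submit(WHO_AM_I).get());                             // jsmith

            // 4. Cleanup (slide 50): the wrapper restores the worker's previous ThreadContext
            //    when the task ends, so the next unassociated task is anonymous again rather
            //    than silently running as the last user who touched that pooled thread.
            System.out.println(plain.submit(WHO_AM_I).get());                             // null
        } finally {
            plain.shutdown();
            currentUser.logout();
        }
    }
}
```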
55. “Run As” Support
• “Run As” allows a Subject to assume the identity of another
• Useful for administrative interfaces
• Identity retained until relinquished

56. “Run As” Support
//assume current user is the 'admin' user:
Subject currentUser = SecurityUtils.getSubject();
PrincipalCollection newIdentity =
    new SimplePrincipalCollection("jsmith", "jdbcRealm");
currentUser.runAs(newIdentity);
//behave as the 'jsmith' user here
currentUser.isRunAs(); //true = assumed identity
currentUser.getPreviousPrincipals(); //prev. identity
//return back to the admin user:
currentUser.releaseRunAs();

57. Unit Testing
• Subject.Builder creates ad-hoc Subjects
• Use with subject.execute for easy testing:
Subject testSubject = new Subject.Builder(securityManager)
    .principals(new SimplePrincipalCollection("jsmith", "jdbcRealm"))
    .buildSubject();
testSubject.execute( new Runnable() {
    public void run() {
        callTestMethod();
    }
});

58. Logging Out
One method:
//Logs the user out, relinquishes account
//data, and invalidates any Session
SecurityUtils.getSubject().logout();
App-specific log-out logic:
• Before/After the call
• Listen for Authentication or StoppedSession events.

60. Thank You!
• [email protected]
• http://www.katasoft.com
• Seeking engineering talent
• Seeking product feedback