SlideShare a Scribd company logo

Super simple application security with Apache Shiro

M
Marakana Inc.

Les Hazlewood, founder of the Apache Shiro project, covers the benefits of using Shiro as an application security framework. Check out the video for this presentation, as well as more training resources for Java here: http://marakana.com/forums/java/general/183.html

Technology
1 of 60
Download to read offline
Simple Application Security Les Hazlewood Apache Shiro Project Chair
About Me Les Hazlewood Apache Shiro Project Chair JSecurity Founder Katasoft Founder & CTO
What is Apache Shiro? • Application security library • Quick and easy • Simplifies security concepts
About Shiro • Started in 2003, JSecurity in 2004 • Simplify or replace JAAS • Dynamic changes at runtime • Sessions - Heterogeneous Clients • Reduce Design Flaws • ‘One stop shop’ • Apache Top Level, September
Reduce Design Flaws
No Silver Bullets
Agenda Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Quick Terminology • Subject – Security-specific user ‘view’ • Principals – Subject’s identifying attributes • Credentials – Secret values that verify identity • Realm – Security-specific DAO
Authentication Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Authentication Defined Identity verification: Proving a user is who he says he is
Shiro Authentication Features • Subject-based (current user) • Single method call • Rich Exception Hierarchy • ‘Remember Me’ built in
How to Authenticate with Shiro Steps 1. Collect principals & credentials 2. Submit to Authentication System 3. Allow, retry, or block access
Step 1: Collecting Principals & Credentials //Example using most common scenario: //String username and password. Acquire in //system-specific manner (HTTP request, GUI, etc) UsernamePasswordToken token = new UsernamePasswordToken( username, password ); //”Remember Me” built-in, just do this: token.setRememberMe(true);
Step 2: Submission Subject currentUser = SecurityUtils.getSubject(); currentUser.login(token);
Step 3: Grant Access or Handle Failure try { currentUser.login(token); } catch ( UnknownAccountException uae ) { ... } catch ( IncorrectCredentialsException ice ) { .. } catch ( LockedAccountException lae ) { ... } catch ( ExcessiveAttemptsException eae ) { ... } ... catch your own ... } catch ( AuthenticationException ae ) { //unexpected error? } //No problems, show authenticated view…
“Remember Me” support • subject.isRemembered() • subject.isAuthenticated() • remembered != authenticated
Authorization Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Authorization Defined Process of determining Access Control “who can do what” Elements of Authorization • Permissions • Roles • Users
Permissions Defined • The “what” of an application • Most atomic security element • Describes resource types and their behavior • Does not define “who”
Roles Defined • Implicit or Explicit construct • Implicit: Name only • Explicit: A named collection of Permissions Allows behavior aggregation Enables dynamic (runtime) alteration of user abilities.
Users Defined • The “who” of the application • What each user can do is defined by their association with Roles or Permissions Example: User’s roles imply PrinterPermission
Authorization Features • Subject-centric (current user) • Checks based on roles or permissions • Powerful out-of-the-box WildcardPermission • Any data model – Realms decide
How to Authorize with Shiro Multiple means of checking access control: • Programmatically • JDK 1.5 annotations • JSP/GSP TagLibs (web support)
Programmatic Authorization Role Check //get the current Subject Subject currentUser = SecurityUtils.getSubject(); if (currentUser.hasRole(“administrator”)) { //do one thing (show a special button?)‫‏‬ } else { //don‟t show the button?)‫‏‬ }
Programmatic Authorization Permission Check Subject currentUser = SecurityUtils.getSubject(); Permission printPermission = new PrinterPermission(“laserjet3000n”,“print”); If (currentUser.isPermitted(printPermission)) { //do one thing (show the print button?)‫‏‬ } else { //don‟t show the button? }
Programmatic Authorization Permission Check (String-based) String perm = “printer:print:laserjet4400n”; if(currentUser.isPermitted(perm)){ //show the print button? } else { //don‟t show the button? }
Annotation Authorization Role Check //Throws an AuthorizationException if the caller //doesn‟t have the „teller‟ role: @RequiresRoles( “teller” ) public void openAccount( Account acct ) { //do something in here that only a teller //should do }
Annotation Authorization Permission Check //Will throw an AuthorizationException if none //of the caller‟s roles imply the Account //'create' permission @RequiresPermissions(“account:create”)‫‏‬ public void openAccount( Account acct ) { //create the account }
Enterprise Session Management Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Session Management Defined Managing the lifecycle of Subject-specific temporal data context
Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Can be used for SSO
Acquiring and Creating Sessions Subject currentUser = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
Session API getStartTimestamp() getLastAccessTime() getAttribute(key) setAttribute(key, value) get/setTimeout(long) touch() ...
Cryptography Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Cryptography Defined Protecting information from undesired access by hiding it or converting it into nonsense. Elements of Cryptography • Ciphers • Hashes
Ciphers Defined Encryption and decryption data based on public/private keys. • Symmetric Cipher - same key for encryption and decryption. • Asymmetric Cipher - different keys for encryption and decryption
Hashes Defined A one-way, irreversible conversion of an input source (a.k.a. Message Digest) Used for: • Credentials transformation • Data with underlying byte array Files, Streams, etc
Cryptography Features Simplicity • Simplified wrapper over JCE infrastructure. • Easier to understand API • “Object Orientifies” cryptography concepts • Interface-driven, POJO based
Cipher Features • OO Hierarchy JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc • Just instantiate a class No “Transformation String”/Factory methods • More secure default settings Initialization Vectors, et. al.
Shiro’s CipherService Interface public interface CipherService { ByteSource encrypt( byte[] raw, byte[] key); void encrypt(InputStream in, OutputStream out, byte[] key); ByteSource decrypt( byte[] cipherText, byte[] key); void decrypt(InputStream in, OutputStream out, byte[] key); }
Hash Features • Default interface implementations MD5, SHA1, SHA-256, et. al. • Built in Hex & Base64 conversion • Built-in support for Salts and repeated hashing
Shiro’s Hash Interface public interface Hash { byte[] getBytes(); String toHex(); String toBase64(); }
Intuitive OO Hash API //some examples: new Md5Hash(“foo”).toHex(); //File MD5 Hash value for checksum: new MD5Hash( aFile ).toHex(); //store a password, but not raw: new Sha256(aPassword, salt, 1024).toBase64();
Web Support Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Web Support Features • Simple ShiroFilter web.xml definition • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
web.xml <filter> <filter-name>ShiroFilter</filter-name> <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter- class> <init-param><param-name>config</param-name><param-value> [main] realm = com.my.custom.realm.Implementation securityManager.realm = $realm [urls] /account/** = authc /remoting/** = authc, roles[b2bClient], ... </param-value></init-param> </filter> <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
JSP TagLib Authorization <%@ taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <html> <body> <shiro:hasRole name=“administrator”> <a href=“manageUsers.jsp”> Click here to manage users </a> </shiro:hasRole> <shiro:lacksRole name=“administrator”> No user admin for you! </shiro:hasRole> </body> </html>
JSP TagLibs <%@ taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <!-- Other tags: --> <shiro:guest/> <shiro:user/> <shiro:principal/> <shiro:hasRole/> <shiro:lacksRole/> <shiro:hasAnyRoles/> <shiro:hasPermission/> <shiro:lacksPermission/> <shiro:authenticated/> <shiro:notAuthenticated/>
Threading & Concurrency Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
Threading & Concurrency Features • Subject retained on multiple threads • Automatic thread cleanup • Transparent Executor/ExecutorService support
ThreadLocal • Currently-executing Subject is thread-bound via a ThreadContext • Executing logic in the current thread is fine. What about other threads? • Runnable & Callable support • ExecutorService support
Subject Thread Association Can associate a Subject with a Callable or Runnable intended to run on another thread: Callable myCallable = //create or acquire Subject currentUser = SecurityUtils.getSubject(); Callable associated = currentUser.associateWith(myCallable); associated.call(); //current thread //or another thread: anExecutorService.execute(associated);
Transparent Association Subject ‘Aware’ Executor implementations transparently retain Subject: SubjectAwareExecutor, SubjectAwareExecutorService, SubjectAwareScheduledExecutorService //Look mom! No Shiro API imports! Callable myCallable = //create or acquire anExecutorService.execute(myCallable);
MISCELLANEOUS
“Run As” Support • “Run As” allows a Subject to assume the identity of another • Useful for administrative interfaces • Identity retained until relinquished
“Run As” Support //assume current user is the „admin‟ user: Subject currentUser = SecurityUtils.getSubject(); PrincipalCollection newIdentity = new SimplePrincipalCollection(“jsmith”, “jdbcRealm”); currentUser.runAs(newIdentity); //behave as the „jsmith‟ user here currentuser.isRunAs(); //true = assumed identity currentUser.getPreviousPrincipals();//prev. identity //return back to the admin user: currentUser.releaseRunAs();
Unit Testing • Subject.Builder creates ad-hoc Subjects • Use with subject.execute for easy testing: Subject testSubject = Subject.Builder(securityManager) .principals(“jsmith”).buildSubject() testSubject.execute( new Runnable() { public void run() { callTestMethod(); } });
Logging Out One method: user out, relinquishes account //Logs the //data, and invalidates any Session SecurityUtils.getSubject().logout(); App-specific log-out logic: Before/After the call Listen for Authentication or StoppedSession events.
APACHE SHIRO DEMO
Thank You! • les@katasoft.com • http://www.katasoft.com • Seeking engineering talent • Seeking product feedback

Recommended

Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIsClaire Hunsaker
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache ShiroSmita Prasad
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 

Recommended

Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIsClaire Hunsaker
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache ShiroSmita Prasad
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3Jason Ferguson
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Spring Security
Spring SecuritySpring Security
Spring SecurityManish Sharma
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 
Amazone
AmazoneAmazone
AmazoneRenée Bukay
 
Apache Syncope and Tirasa
Apache Syncope and TirasaApache Syncope and Tirasa
Apache Syncope and TirasaFrancesco Chicchiriccò
 

More Related Content

What's hot

Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 

What's hot (20)

Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API Security
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
 

Viewers also liked

Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Matt Raible
 
EEL316: Pseudo Random Bit Generation
EEL316: Pseudo Random Bit GenerationEEL316: Pseudo Random Bit Generation
EEL316: Pseudo Random Bit GenerationUmang Gupta
 
Pseudo Random Bit Sequence Generator
Pseudo Random Bit Sequence Generator Pseudo Random Bit Sequence Generator
Pseudo Random Bit Sequence Generator ajay singh
 
Algunas recomendaciones para lograr la efectividad en la preparación de los p...
Algunas recomendaciones para lograr la efectividad en la preparación de los p...Algunas recomendaciones para lograr la efectividad en la preparación de los p...
Algunas recomendaciones para lograr la efectividad en la preparación de los p...Mariana Calle
 
Technology, the 4th Amendment and National Security by Doug Bailey
Technology, the 4th Amendment and National Security by Doug BaileyTechnology, the 4th Amendment and National Security by Doug Bailey
Technology, the 4th Amendment and National Security by Doug BaileyVator
 
accompanying notes for e-learning implementation and design; the student pers...
accompanying notes for e-learning implementation and design; the student pers...accompanying notes for e-learning implementation and design; the student pers...
accompanying notes for e-learning implementation and design; the student pers...rosevibe
 
Der Bürgerantrag - ein Modellversuch
Der Bürgerantrag - ein ModellversuchDer Bürgerantrag - ein Modellversuch
Der Bürgerantrag - ein ModellversuchGerhard Loub
 
Manual agricultura-urbana
Manual agricultura-urbanaManual agricultura-urbana
Manual agricultura-urbanaGUELFI
 
Diario Luz Dorada 1ºB
Diario Luz Dorada 1ºBDiario Luz Dorada 1ºB
Diario Luz Dorada 1ºBaesperela
 
Cronicas desabafos rp_i
Cronicas desabafos rp_iCronicas desabafos rp_i
Cronicas desabafos rp_iMaria Louro
 
ASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWC
ASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWCASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWC
ASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWCPICKASO App Marketing
 
Annik capability document india
Annik capability document indiaAnnik capability document india
Annik capability document indiaAtul Sharma
 
Presentación freeDôm
Presentación freeDômPresentación freeDôm
Presentación freeDômtxamv
 
White Paper: Resilient Semi-Passive Optical Link Protection
White Paper: Resilient Semi-Passive Optical Link ProtectionWhite Paper: Resilient Semi-Passive Optical Link Protection
White Paper: Resilient Semi-Passive Optical Link ProtectionSusmita Adhikari Joshi
 
Conexión de amor finalizada
Conexión de amor finalizadaConexión de amor finalizada
Conexión de amor finalizadagracielacol
 
Presentación management as a service servitalent
Presentación management as a service servitalentPresentación management as a service servitalent
Presentación management as a service servitalentAlberto Fernández Varela
 

Viewers also liked (20)

Amazone
AmazoneAmazone
Amazone
 
Apache Syncope and Tirasa
Apache Syncope and TirasaApache Syncope and Tirasa
Apache Syncope and Tirasa
 
Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011
 
EEL316: Pseudo Random Bit Generation
EEL316: Pseudo Random Bit GenerationEEL316: Pseudo Random Bit Generation
EEL316: Pseudo Random Bit Generation
 
Pseudo Random Bit Sequence Generator
Pseudo Random Bit Sequence Generator Pseudo Random Bit Sequence Generator
Pseudo Random Bit Sequence Generator
 
Sal Himalaya
Sal Himalaya Sal Himalaya
Sal Himalaya
 
Algunas recomendaciones para lograr la efectividad en la preparación de los p...
Algunas recomendaciones para lograr la efectividad en la preparación de los p...Algunas recomendaciones para lograr la efectividad en la preparación de los p...
Algunas recomendaciones para lograr la efectividad en la preparación de los p...
 
Technology, the 4th Amendment and National Security by Doug Bailey
Technology, the 4th Amendment and National Security by Doug BaileyTechnology, the 4th Amendment and National Security by Doug Bailey
Technology, the 4th Amendment and National Security by Doug Bailey
 
accompanying notes for e-learning implementation and design; the student pers...
accompanying notes for e-learning implementation and design; the student pers...accompanying notes for e-learning implementation and design; the student pers...
accompanying notes for e-learning implementation and design; the student pers...
 
Der Bürgerantrag - ein Modellversuch
Der Bürgerantrag - ein ModellversuchDer Bürgerantrag - ein Modellversuch
Der Bürgerantrag - ein Modellversuch
 
Manual agricultura-urbana
Manual agricultura-urbanaManual agricultura-urbana
Manual agricultura-urbana
 
Diario Luz Dorada 1ºB
Diario Luz Dorada 1ºBDiario Luz Dorada 1ºB
Diario Luz Dorada 1ºB
 
Cronicas desabafos rp_i
Cronicas desabafos rp_iCronicas desabafos rp_i
Cronicas desabafos rp_i
 
ASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWC
ASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWCASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWC
ASO (App Store Optimization) para Startups - BeMobile 2015 Barcelona MWC
 
Annik capability document india
Annik capability document indiaAnnik capability document india
Annik capability document india
 
Content: create it, sustain it
Content: create it, sustain itContent: create it, sustain it
Content: create it, sustain it
 
Presentación freeDôm
Presentación freeDômPresentación freeDôm
Presentación freeDôm
 
White Paper: Resilient Semi-Passive Optical Link Protection
White Paper: Resilient Semi-Passive Optical Link ProtectionWhite Paper: Resilient Semi-Passive Optical Link Protection
White Paper: Resilient Semi-Passive Optical Link Protection
 
Conexión de amor finalizada
Conexión de amor finalizadaConexión de amor finalizada
Conexión de amor finalizada
 
Presentación management as a service servitalent
Presentación management as a service servitalentPresentación management as a service servitalent
Presentación management as a service servitalent
 

Similar to Super simple application security with Apache Shiro

Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPRafal Gancarz
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guideihji
 
Spring4 security
Spring4 securitySpring4 security
Spring4 securitySang Shin
 
Code your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnCode your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnDan Rinzel
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular jsStormpath
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfJorge Alvarez
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldSitaraman Lakshminarayanan
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?smalltown
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedOctavio Paguaga
 

Similar to Super simple application security with Apache Shiro (20)

Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Code your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnCode your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard Learn
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day One
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdf
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 

More from Marakana Inc.

Android Services Black Magic by Aleksandar Gargenta
Android Services Black Magic by Aleksandar GargentaAndroid Services Black Magic by Aleksandar Gargenta
Android Services Black Magic by Aleksandar GargentaMarakana Inc.
 
Behavior Driven Development
Behavior Driven DevelopmentBehavior Driven Development
Behavior Driven DevelopmentMarakana Inc.
 
Martin Odersky: What's next for Scala
Martin Odersky: What's next for ScalaMartin Odersky: What's next for Scala
Martin Odersky: What's next for ScalaMarakana Inc.
 
Why Java Needs Hierarchical Data
Why Java Needs Hierarchical DataWhy Java Needs Hierarchical Data
Why Java Needs Hierarchical DataMarakana Inc.
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Pictures from "Learn about RenderScript" meetup at SF Android User Group
Pictures from "Learn about RenderScript" meetup at SF Android User GroupPictures from "Learn about RenderScript" meetup at SF Android User Group
Pictures from "Learn about RenderScript" meetup at SF Android User GroupMarakana Inc.
 
Android UI Tips, Tricks and Techniques
Android UI Tips, Tricks and TechniquesAndroid UI Tips, Tricks and Techniques
Android UI Tips, Tricks and TechniquesMarakana Inc.
 
2010 07-18.wa.rails tdd-6
2010 07-18.wa.rails tdd-62010 07-18.wa.rails tdd-6
2010 07-18.wa.rails tdd-6Marakana Inc.
 
Efficient Rails Test-Driven Development - Week 6
Efficient Rails Test-Driven Development - Week 6Efficient Rails Test-Driven Development - Week 6
Efficient Rails Test-Driven Development - Week 6Marakana Inc.
 
Graphicsand animations devoxx2010 (1)
Graphicsand animations devoxx2010 (1)Graphicsand animations devoxx2010 (1)
Graphicsand animations devoxx2010 (1)Marakana Inc.
 
What's this jQuery? Where it came from, and how it will drive innovation
What's this jQuery? Where it came from, and how it will drive innovationWhat's this jQuery? Where it came from, and how it will drive innovation
What's this jQuery? Where it came from, and how it will drive innovationMarakana Inc.
 
jQuery State of the Union - Yehuda Katz
jQuery State of the Union - Yehuda KatzjQuery State of the Union - Yehuda Katz
jQuery State of the Union - Yehuda KatzMarakana Inc.
 
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...Marakana Inc.
 
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
Efficient Rails Test Driven Development (class 4) by Wolfram ArnoldEfficient Rails Test Driven Development (class 4) by Wolfram Arnold
Efficient Rails Test Driven Development (class 4) by Wolfram ArnoldMarakana Inc.
 
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
Efficient Rails Test Driven Development (class 3) by Wolfram ArnoldEfficient Rails Test Driven Development (class 3) by Wolfram Arnold
Efficient Rails Test Driven Development (class 3) by Wolfram ArnoldMarakana Inc.
 
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas EneboLearn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas EneboMarakana Inc.
 
Replacing Java Incrementally
Replacing Java IncrementallyReplacing Java Incrementally
Replacing Java IncrementallyMarakana Inc.
 
Learn to Build like you Code with Apache Buildr
Learn to Build like you Code with Apache BuildrLearn to Build like you Code with Apache Buildr
Learn to Build like you Code with Apache BuildrMarakana Inc.
 

More from Marakana Inc. (20)

Android Services Black Magic by Aleksandar Gargenta
Android Services Black Magic by Aleksandar GargentaAndroid Services Black Magic by Aleksandar Gargenta
Android Services Black Magic by Aleksandar Gargenta
 
JRuby at Square
JRuby at SquareJRuby at Square
JRuby at Square
 
Behavior Driven Development
Behavior Driven DevelopmentBehavior Driven Development
Behavior Driven Development
 
Martin Odersky: What's next for Scala
Martin Odersky: What's next for ScalaMartin Odersky: What's next for Scala
Martin Odersky: What's next for Scala
 
Why Java Needs Hierarchical Data
Why Java Needs Hierarchical DataWhy Java Needs Hierarchical Data
Why Java Needs Hierarchical Data
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
Pictures from "Learn about RenderScript" meetup at SF Android User Group
Pictures from "Learn about RenderScript" meetup at SF Android User GroupPictures from "Learn about RenderScript" meetup at SF Android User Group
Pictures from "Learn about RenderScript" meetup at SF Android User Group
 
Android UI Tips, Tricks and Techniques
Android UI Tips, Tricks and TechniquesAndroid UI Tips, Tricks and Techniques
Android UI Tips, Tricks and Techniques
 
2010 07-18.wa.rails tdd-6
2010 07-18.wa.rails tdd-62010 07-18.wa.rails tdd-6
2010 07-18.wa.rails tdd-6
 
Efficient Rails Test-Driven Development - Week 6
Efficient Rails Test-Driven Development - Week 6Efficient Rails Test-Driven Development - Week 6
Efficient Rails Test-Driven Development - Week 6
 
Graphicsand animations devoxx2010 (1)
Graphicsand animations devoxx2010 (1)Graphicsand animations devoxx2010 (1)
Graphicsand animations devoxx2010 (1)
 
What's this jQuery? Where it came from, and how it will drive innovation
What's this jQuery? Where it came from, and how it will drive innovationWhat's this jQuery? Where it came from, and how it will drive innovation
What's this jQuery? Where it came from, and how it will drive innovation
 
jQuery State of the Union - Yehuda Katz
jQuery State of the Union - Yehuda KatzjQuery State of the Union - Yehuda Katz
jQuery State of the Union - Yehuda Katz
 
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
Pics from: "James Gosling on Apple, Apache, Google, Oracle and the Future of ...
 
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
Efficient Rails Test Driven Development (class 4) by Wolfram ArnoldEfficient Rails Test Driven Development (class 4) by Wolfram Arnold
Efficient Rails Test Driven Development (class 4) by Wolfram Arnold
 
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
Efficient Rails Test Driven Development (class 3) by Wolfram ArnoldEfficient Rails Test Driven Development (class 3) by Wolfram Arnold
Efficient Rails Test Driven Development (class 3) by Wolfram Arnold
 
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas EneboLearn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
Learn about JRuby Internals from one of the JRuby Lead Developers, Thomas Enebo
 
Replacing Java Incrementally
Replacing Java IncrementallyReplacing Java Incrementally
Replacing Java Incrementally
 
Learn to Build like you Code with Apache Buildr
Learn to Build like you Code with Apache BuildrLearn to Build like you Code with Apache Buildr
Learn to Build like you Code with Apache Buildr
 

Recently uploaded

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Recently uploaded (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Super simple application security with Apache Shiro

  • 1. Simple Application Security Les Hazlewood Apache Shiro Project Chair
  • 2. About Me Les Hazlewood Apache Shiro Project Chair JSecurity Founder Katasoft Founder & CTO
  • 3. What is Apache Shiro? • Application security library • Quick and easy • Simplifies security concepts
  • 4. About Shiro • Started in 2003, JSecurity in 2004 • Simplify or replace JAAS • Dynamic changes at runtime • Sessions - Heterogeneous Clients • Reduce Design Flaws • ‘One stop shop’ • Apache Top Level, September
  • 7. Agenda Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 8. Quick Terminology • Subject – Security-specific user ‘view’ • Principals – Subject’s identifying attributes • Credentials – Secret values that verify identity • Realm – Security-specific DAO
  • 9. Authentication Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 11. Shiro Authentication Features • Subject-based (current user) • Single method call • Rich Exception Hierarchy • ‘Remember Me’ built in
  • 12. How to Authenticate with Shiro Steps 1. Collect principals & credentials 2. Submit to Authentication System 3. Allow, retry, or block access
  • 13. Step 1: Collecting Principals & Credentials //Example using most common scenario: //String username and password. Acquire in //system-specific manner (HTTP request, GUI, etc) UsernamePasswordToken token = new UsernamePasswordToken( username, password ); //”Remember Me” built-in, just do this: token.setRememberMe(true);
  • 14. Step 2: Submission Subject currentUser = SecurityUtils.getSubject(); currentUser.login(token);
  • 15. Step 3: Grant Access or Handle Failure try { currentUser.login(token); } catch ( UnknownAccountException uae ) { ... } catch ( IncorrectCredentialsException ice ) { .. } catch ( LockedAccountException lae ) { ... } catch ( ExcessiveAttemptsException eae ) { ... } ... catch your own ... } catch ( AuthenticationException ae ) { //unexpected error? } //No problems, show authenticated view…
  • 16. “Remember Me” support • subject.isRemembered() • subject.isAuthenticated() • remembered != authenticated
  • 17. Authorization Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 18. Authorization Defined Process of determining Access Control “who can do what” Elements of Authorization • Permissions • Roles • Users
  • 19. Permissions Defined • The “what” of an application • Most atomic security element • Describes resource types and their behavior • Does not define “who”
  • 20. Roles Defined • Implicit or Explicit construct • Implicit: Name only • Explicit: A named collection of Permissions Allows behavior aggregation Enables dynamic (runtime) alteration of user abilities.
  • 21. Users Defined • The “who” of the application • What each user can do is defined by their association with Roles or Permissions Example: User’s roles imply PrinterPermission
  • 22. Authorization Features • Subject-centric (current user) • Checks based on roles or permissions • Powerful out-of-the-box WildcardPermission • Any data model – Realms decide
  • 23. How to Authorize with Shiro Multiple means of checking access control: • Programmatically • JDK 1.5 annotations • JSP/GSP TagLibs (web support)
  • 24. Programmatic Authorization Role Check //get the current Subject Subject currentUser = SecurityUtils.getSubject(); if (currentUser.hasRole(“administrator”)) { //do one thing (show a special button?)‫‏‬ } else { //don‟t show the button?)‫‏‬ }
  • 25. Programmatic Authorization Permission Check Subject currentUser = SecurityUtils.getSubject(); Permission printPermission = new PrinterPermission(“laserjet3000n”,“print”); If (currentUser.isPermitted(printPermission)) { //do one thing (show the print button?)‫‏‬ } else { //don‟t show the button? }
  • 26. Programmatic Authorization Permission Check (String-based) String perm = “printer:print:laserjet4400n”; if(currentUser.isPermitted(perm)){ //show the print button? } else { //don‟t show the button? }
  • 27. Annotation Authorization Role Check //Throws an AuthorizationException if the caller //doesn‟t have the „teller‟ role: @RequiresRoles( “teller” ) public void openAccount( Account acct ) { //do something in here that only a teller //should do }
  • 28. Annotation Authorization Permission Check //Will throw an AuthorizationException if none //of the caller‟s roles imply the Account //'create' permission @RequiresPermissions(“account:create”)‫‏‬ public void openAccount( Account acct ) { //create the account }
  • 29. Enterprise Session Management Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 30. Session Management Defined Managing the lifecycle of Subject-specific temporal data context
  • 31. Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Can be used for SSO
  • 32. Acquiring and Creating Sessions Subject currentUser = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
  • 34. Cryptography Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 35. Cryptography Defined Protecting information from undesired access by hiding it or converting it into nonsense. Elements of Cryptography • Ciphers • Hashes
  • 36. Ciphers Defined Encryption and decryption data based on public/private keys. • Symmetric Cipher - same key for encryption and decryption. • Asymmetric Cipher - different keys for encryption and decryption
  • 37. Hashes Defined A one-way, irreversible conversion of an input source (a.k.a. Message Digest) Used for: • Credentials transformation • Data with underlying byte array Files, Streams, etc
  • 38. Cryptography Features Simplicity • Simplified wrapper over JCE infrastructure. • Easier to understand API • “Object Orientifies” cryptography concepts • Interface-driven, POJO based
  • 39. Cipher Features • OO Hierarchy JcaCipherService, AbstractSymmetricCipherService, DefaultBlockCipherService, etc • Just instantiate a class No “Transformation String”/Factory methods • More secure default settings Initialization Vectors, et. al.
  • 40. Shiro’s CipherService Interface public interface CipherService { ByteSource encrypt( byte[] raw, byte[] key); void encrypt(InputStream in, OutputStream out, byte[] key); ByteSource decrypt( byte[] cipherText, byte[] key); void decrypt(InputStream in, OutputStream out, byte[] key); }
  • 41. Hash Features • Default interface implementations MD5, SHA1, SHA-256, et. al. • Built in Hex & Base64 conversion • Built-in support for Salts and repeated hashing
  • 42. Shiro’s Hash Interface public interface Hash { byte[] getBytes(); String toHex(); String toBase64(); }
  • 43. Intuitive OO Hash API //some examples: new Md5Hash(“foo”).toHex(); //File MD5 Hash value for checksum: new MD5Hash( aFile ).toHex(); //store a password, but not raw: new Sha256(aPassword, salt, 1024).toBase64();
  • 44. Web Support Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 45. Web Support Features • Simple ShiroFilter web.xml definition • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
  • 46. web.xml <filter> <filter-name>ShiroFilter</filter-name> <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter- class> <init-param><param-name>config</param-name><param-value> [main] realm = com.my.custom.realm.Implementation securityManager.realm = $realm [urls] /account/** = authc /remoting/** = authc, roles[b2bClient], ... </param-value></init-param> </filter> <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
  • 47. JSP TagLib Authorization <%@ taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <html> <body> <shiro:hasRole name=“administrator”> <a href=“manageUsers.jsp”> Click here to manage users </a> </shiro:hasRole> <shiro:lacksRole name=“administrator”> No user admin for you! </shiro:hasRole> </body> </html>
  • 48. JSP TagLibs <%@ taglib prefix=“shiro” uri=http://shiro.apache.org/tags %> <!-- Other tags: --> <shiro:guest/> <shiro:user/> <shiro:principal/> <shiro:hasRole/> <shiro:lacksRole/> <shiro:hasAnyRoles/> <shiro:hasPermission/> <shiro:lacksPermission/> <shiro:authenticated/> <shiro:notAuthenticated/>
  • 49. Threading & Concurrency Authentication Authorization Session Cryptography Management Web Support Threading & Concurrency
  • 50. Threading & Concurrency Features • Subject retained on multiple threads • Automatic thread cleanup • Transparent Executor/ExecutorService support
  • 51. ThreadLocal • Currently-executing Subject is thread-bound via a ThreadContext • Executing logic in the current thread is fine. What about other threads? • Runnable & Callable support • ExecutorService support
  • 52. Subject Thread Association Can associate a Subject with a Callable or Runnable intended to run on another thread: Callable myCallable = //create or acquire Subject currentUser = SecurityUtils.getSubject(); Callable associated = currentUser.associateWith(myCallable); associated.call(); //current thread //or another thread: anExecutorService.execute(associated);
  • 53. Transparent Association Subject ‘Aware’ Executor implementations transparently retain Subject: SubjectAwareExecutor, SubjectAwareExecutorService, SubjectAwareScheduledExecutorService //Look mom! No Shiro API imports! Callable myCallable = //create or acquire anExecutorService.execute(myCallable);
  • 55. “Run As” Support • “Run As” allows a Subject to assume the identity of another • Useful for administrative interfaces • Identity retained until relinquished
  • 56. “Run As” Support //assume current user is the „admin‟ user: Subject currentUser = SecurityUtils.getSubject(); PrincipalCollection newIdentity = new SimplePrincipalCollection(“jsmith”, “jdbcRealm”); currentUser.runAs(newIdentity); //behave as the „jsmith‟ user here currentuser.isRunAs(); //true = assumed identity currentUser.getPreviousPrincipals();//prev. identity //return back to the admin user: currentUser.releaseRunAs();
  • 57. Unit Testing • Subject.Builder creates ad-hoc Subjects • Use with subject.execute for easy testing: Subject testSubject = Subject.Builder(securityManager) .principals(“jsmith”).buildSubject() testSubject.execute( new Runnable() { public void run() { callTestMethod(); } });
  • 58. Logging Out One method: user out, relinquishes account //Logs the //data, and invalidates any Session SecurityUtils.getSubject().logout(); App-specific log-out logic: Before/After the call Listen for Authentication or StoppedSession events.
  • 60. Thank You! • les@katasoft.com • http://www.katasoft.com • Seeking engineering talent • Seeking product feedback