Please note that this article is not going to cover all the aspects of Apache Shiro or even all the features. This can be used as a “Quick Glance at Apache Shiro for Java Programmers” or as a quick catch up.
What is Apache Shiro?
- Shiro is a Java security framework intended to be used in applications, whether web applications or even stand-alone applications.
- Shiro's APIs implement the features of JAAS (Java Authentication and Authorization Service) and make them easier to use. It enables authentication, authorization, cryptography, and session management within an application.
- Shiro does not provide SSO service out of the box at the moment.
Though it can be used in both Java web applications and stand-alone applications, I am going to cover the following topics considering only usage in Java web applications.
- Framework Basics
- Security Implementation
- Framework Limitations
1. Framework Basics
There are 3 key concepts you have to think about if you are using Apache Shiro:
- Subject
- Security Manager
- Realm
Subject <=> the currently executing user
- Shiro is entirely built around the Subject: all functionality of an application is represented and secured on a per-user basis, i.e. per Subject.
- Subjects can be maintained across threads (Threading and Concurrency).
- The developer can access the Subject anywhere in the code, which allows security operations to occur anywhere.
import org.apache.shiro.subject.Subject;
import org.apache.shiro.SecurityUtils;
…
Subject currentUser = SecurityUtils.getSubject();
Security Manager
- Counterpart of the Subject: it actually handles security behind the scenes.
- The Shiro servlet filter can be specified in the web.xml of a web application, and that will set up the SecurityManager instance.
- This instance is a singleton for the application. By default it is configured via an INI file (it can also be configured with POJO-compatible configuration mechanisms).
Example Filter
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    <!-- no init-param means load the INI config from classpath:shiro.ini -->
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Descriptive shiro.ini
# =======================
# Shiro INI configuration
# =======================
[main]
# Objects and their properties are defined here,
# such as the securityManager, Realms and anything
# else needed to build the SecurityManager
[users]
# The 'users' section is for simple deployments
# when you only need a small number of statically-defined
# user accounts.
[roles]
# The 'roles' section is for simple deployments
# when you only need a small number of statically-defined
# roles.
[urls]
# The 'urls' section is used for URL-based security
# in web applications. We'll discuss this section in the
# Web documentation.
Realms
- The bridge between Shiro and the application's security data, such as user accounts (in LDAP or a user database), used to perform authentication and authorization.
- One or more realms can be configured for an application.
Example LDAP configuration defined in shiro.ini
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=users,dc=yourdc,dc=com
ldapRealm.contextFactory.url = ldap://ldapHost:389
ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
2. Security Implementation
Authentication Handling
// Acquire the submitted principals and credentials
AuthenticationToken token = new UsernamePasswordToken(username, password);
// Get the current Subject
Subject currentUser = SecurityUtils.getSubject();
// Login
currentUser.login(token);
Access Control
if (subject.hasRole("administrator")) { /* check role */ }
if (subject.isPermitted("user:create")) { /* check permission */ }
if (subject.isPermitted("user:delete:jsmith")) { /* check instance-level permission */ }
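As an added example that is not part of the original article, here are the login, role and permission calls from the two snippets above wrapped in one class, with the failure cases of login handled. The class and method names (LoginService, login, mayDelete, deleteUser) are assumptions; the Shiro types are the real ones from org.apache.shiro.authc and org.apache.shiro.authz.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;

public class LoginService { // hypothetical wrapper around the Subject calls shown in the article

    /** Logs the current Subject in; returns true on success, false on any failure. */
    public boolean login(String username, char[] password) {
        Subject currentUser = SecurityUtils.getSubject();
        if (currentUser.isAuthenticated()) {
            return true; // already logged in for this session
        }
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            currentUser.login(token); // delegates to the SecurityManager and its Realms
            return true;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Handle both the same way so the response does not reveal which usernames exist
            return false;
        } catch (LockedAccountException e) {
            return false; // account exists but is locked; a UI could show a distinct message
        } catch (AuthenticationException e) {
            return false; // any other realm failure
        } finally {
            token.clear(); // zeroes the password array held by the token
        }
    }

    /** Role check, as in the article: a yes/no answer. */
    public boolean isAdministrator() {
        return SecurityUtils.getSubject().hasRole("administrator");
    }

    /** Instance-level permission check using the article's "user:delete:<username>" form. */
    public boolean mayDelete(String targetUser) {
        return SecurityUtils.getSubject().isPermitted("user:delete:" + targetUser);
    }

    /** Enforcing variant: checkPermission throws AuthorizationException instead of returning false. */
    public void deleteUser(String targetUser) throws AuthorizationException {
        SecurityUtils.getSubject().checkPermission("user:delete:" + targetUser);
        // ... perform the deletion only after the check has passed
    }
}
```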
Session Handling
- Capable of handling both the usual HTTP sessions and Shiro's native sessions, which support Shiro's own features.
Session session = subject.getSession();
session.setAttribute("key", someValue); // store an attribute in the session
Object value = session.getAttribute("key"); // read it back
Date start = session.getStartTimestamp();
Date timestamp = session.getLastAccessTime();
session.setTimeout(millis); // idle timeout in milliseconds
Content Filtering in JSP
- There is a set of Shiro-specific JSP tags, for example:
<shiro:hasRole name="admin"><a href="admin/index.jsp">Admin Area</a></shiro:hasRole>
3. Framework Limitations
- Does not deal with virtual machine-level security.
- No realm write operations (i.e. it cannot create new accounts).
Here are some useful links if you want to get into Apache Shiro.
- Integrate Apache Shiro with JavaEE6 Step by Step http://czetsuya-tech.blogspot.com/2012/10/how-to-integrate-apache-shiro-with.html#.UtK5E_gu5es
- Integrating Apache Shiro with CAS SSO server http://shiro.apache.org/cas.html
- Article Library on Official Site http://shiro.apache.org/articles.html
- On Architecture http://shiro.apache.org/architecture.html