Quick Introduction to Apache Shiro

Please note that this article does not cover all aspects of Apache Shiro, or even all of its features. Treat it as a "Quick Glance at Apache Shiro for Java Programmers" or as a quick catch-up.

What is Apache Shiro?

  • Shiro is a Java security framework intended for use in applications, whether web applications or stand-alone applications.
  • The Shiro APIs implement the features of JAAS (Java Authentication and Authorization Service) and make them easier to use. Shiro provides authentication, authorization, cryptography and session management within an application.
  • Shiro does not provide an SSO service out of the box at the moment.

Though Shiro can be used in both Java web applications and stand-alone applications, I am going to cover the following topics considering only its usage in Java web applications.

  1. Framework Basics
  2. Security Implementation
  3. Framework Limitations

1. Framework Basics

There are 3 key concepts you have to think about if you are using Apache Shiro:

  • Subject
  • Security Manager
  • Realm

Subject <=> the currently executing user

  • Shiro is entirely built around the Subject: all functionality of an application is represented and secured on a per-user basis, i.e. per Subject.
  • Subjects can be maintained across threads (threading and concurrency).
  • Developers can access the Subject anywhere in the code, which allows security operations to occur anywhere.

import org.apache.shiro.subject.Subject;
import org.apache.shiro.SecurityUtils;

Subject currentUser = SecurityUtils.getSubject();

Security Manager

  • The counterpart of the Subject: it actually handles security behind the scenes.
  • The Shiro servlet filter can be declared in the web.xml of a web application; it sets up the SecurityManager instance.
  • This instance is a singleton for the application. By default it is configured via an INI file (POJO-compatible configuration mechanisms can be used instead).

Example Filter

<!-- no init-param means load the INI config from classpath:shiro.ini -->


Descriptive shiro.ini

# =======================
# Shiro INI configuration
# =======================
# Objects and their properties are defined here,
# such as the securityManager, Realms and anything
# else needed to build the SecurityManager

# The 'users' section is for simple deployments
# when you only need a small number of statically-defined
# set of User accounts.

# The 'roles' section is for simple deployments
# when you only need a small number of statically-defined
# roles.

# The 'urls' section is used for url-based security
# in web applications. We'll discuss this section in the
# Web documentation


Realm

  • A Realm is the bridge between Shiro and the application's security data, such as user accounts in LDAP or a user database, used to perform authentication and authorization.
  • One or more realms can be configured for an application.

Example LDAP configuration defined in shiro.ini

ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=users,dc=yourdc,dc=com
ldapRealm.contextFactory.url = ldap://ldapHost:389
ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5


2. Security Implementation

Authentication Handling

AuthenticationToken token = new UsernamePasswordToken(username, password); // acquire submitted principals and credentials
Subject currentUser = SecurityUtils.getSubject(); // get the current Subject
try {
    currentUser.login(token); // authenticate against the configured realm(s)
} catch (AuthenticationException e) {
    // bad credentials, unknown or locked account: report the failure, never fall through as logged in
}


Access Control

if ( subject.hasRole("administrator") ) { /* ... */ }          // check role
if ( subject.isPermitted("user:create") ) { /* ... */ }        // check permission
if ( subject.isPermitted("user:delete:jsmith") ) { /* ... */ } // check instance-level permission

Session Handling

  • Capable of handling both the usual HTTP sessions and Shiro's native sessions, which support Shiro's own session features.

Session session = subject.getSession();
session.setAttribute("key", someValue); // store a value in the session (getAttribute takes only the key)
Date start = session.getStartTimestamp();
Date timestamp = session.getLastAccessTime();

Content Filtering in JSP

  • Shiro ships a set of Shiro-specific JSP tags.

<shiro:hasRole name="admin"><a href="admin/index.jsp">Admin Area</a></shiro:hasRole>

3. Framework Limitations

  • Does not deal with Virtual Machine level security.
  • No realm write operations (i.e. it cannot create new accounts).

Here are some useful links if you want to get into Apache Shiro.

How did I fix Ubuntu + McAfee Issue

Let me start with the story. A couple of months ago this issue was noticed in my office, which has a hybrid environment of vulnerable Windows and Ubuntu machines. IT policy required an anti-virus on Ubuntu, and McAfee had already been purchased. After installing McAfee on Ubuntu we noticed that installing, uninstalling or reconfiguring other software with apt-*, Synaptic or the Software Center crashed the machine: it would no longer open any program, and if you rebooted at that point it became unusable altogether.
I was not involved at that time; my fellow engineers and McAfee had already identified why the machine was crashing. It is because McAfee installs its own loaders into the /lib folder as symlinks whose names follow the "ld-" soname convention, like this:

ishan@iambanwela:~$ ls -l /lib | grep ld-
lrwxrwxrwx  1 root root     25 Feb 20 12:16 ld-linux.so.2 -> i386-linux-gnu/ld-2.15.so
lrwxrwxrwx  1 root root     41 Feb 15 17:13 ld-mfert.so.2 -> /opt/McAfee/runtime/2.0/lib/ld-linux.so.2
lrwxrwxrwx  1 root root     41 Feb 15 17:05 ld-mfert.so.2.old -> /opt/McAfee/runtime/2.0/lib/ld-linux.so.2
lrwxrwxrwx  1 root root     38 Feb 15 17:06 ld-nails.so.2 -> /opt/NAI/LinuxShield/lib/ld-linux.so.2

If you use Synaptic, the Software Center, apt-get or any apt-* tool, the machine crashes and will not boot again. The same happens if you run ldconfig manually. To reproduce the issue I installed some software, then booted the machine from a live CD and mounted the HDD; its lib directory looked like this:

ubuntu@ubuntu:~$ cd /media/bde36629-6bdf-402e-9d2b-eec66e76b672/lib
ubuntu@ubuntu:/media/bde36629-6bdf-402e-9d2b-eec66e76b672/lib$ ls -l |grep ld-
lrwxrwxrwx  1 root root     13 Feb 20 16:26 ld-linux.so.2 -> ld-nails.so.2
lrwxrwxrwx  1 root root     41 Feb 15 17:13 ld-mfert.so.2 -> /opt/McAfee/runtime/2.0/lib/ld-linux.so.2
lrwxrwxrwx  1 root root     41 Feb 15 17:05 ld-mfert.so.2.old -> /opt/McAfee/runtime/2.0/lib/ld-linux.so.2
lrwxrwxrwx  1 root root     38 Feb 15 17:06 ld-nails.so.2 -> /opt/NAI/LinuxShield/lib/ld-linux.so.2

You have probably understood the problem by now: ld-linux.so.2 has been re-pointed at the McAfee loader. From the mounted lib directory you can simply fix it with

$ sudo ln -snf i386-linux-gnu/ld-2.15.so ld-linux.so.2

Since this occurred after running ldconfig, I looked into the ldconfig script and into where it comes from. ldconfig is shipped in the libc-bin package, libc-bin comes from glibc, and on Ubuntu it is compiled from the eglibc source package, which I downloaded here for Ubuntu 12.04.

Inside the eglibc_2.15.orig.tar.gz package, ldconfig.c can be found in the eglibc-2.15/elf folder. There I found that the dynamic linker is also treated as a shared library: any file whose name starts with "ld-" and contains ".so" is picked up and loaded.

/* Does this file look like a shared library or is it a hwcap
   subdirectory?  The dynamic linker is also considered as
   shared library.  */
if (((strncmp (direntry->d_name, "lib", 3) != 0
      && strncmp (direntry->d_name, "ld-", 3) != 0)
     || strstr (direntry->d_name, ".so") == NULL)
    && (
        direntry->d_type == DT_REG ||
        !is_hwcap_platform (direntry->d_name)))
  continue;  /* not a library candidate: skip this entry */

size_t len = strlen (direntry->d_name);

Now I knew the logic behind the dynamic-linker detection. At this stage I had 2 paths to solve this:

  1. Change ldconfig.c, recompile and install (but obviously this breaks conventions and might block future updates of ld-2.15.so).
  2. Change the ldconfig wrapper script, which executes ldconfig.real.

So I tried the 2nd option first.
The last line of the /sbin/ldconfig script was

exec /sbin/ldconfig.real "$@"

So I removed exec and added lines that re-create the correct link after ldconfig.real has run, so that it looked like this:

/sbin/ldconfig.real "$@"
rc=$?
cd /lib && ln -snf i386-linux-gnu/ld-2.15.so ld-linux.so.2   # the clobbered link lives in /lib; ldconfig already runs as root, so no sudo
exit $rc                                                     # keep ldconfig.real's exit status for the caller

This worked for me, and I tried the 1st option as well.
I changed strncmp (direntry->d_name, "ld-", 3) != 0 to strncmp (direntry->d_name, "ld-2", 4) != 0, so that the name must start with "ld-2" (as in ld-2.15.so) rather than just "ld-", and compiled it.

Compilation was a little tricky; it took some time to fix dependencies for the configure script, make and make install. The README of eglibc warns that this might make your machine very unstable!
But after some time I had it installed and working, and that machine still did not crash.

For my company I recommended editing the ldconfig script.
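As an added example (not code from the post, from McAfee or from eglibc), here is a read-only check a sysadmin can run before invoking ldconfig or a package manager on such a machine. It applies the same "ld-" name rule that ldconfig.c uses above to list every dynamic-linker candidate in a lib directory and verifies that ld-linux.so.2 still points at the glibc loader; the function name is mine, and the i386-linux-gnu/ld-2.15.so target is the one from the listings above (your distribution's path may differ).

```shell
#!/bin/sh
# Added example (not from the post or from eglibc): read-only pre-flight check
# for the symlink clobbering described above. ldconfig treats every "ld-*.so*"
# entry in a library directory as a dynamic-linker candidate, so a vendor loader
# symlinked into /lib under such a name can become the target of ld-linux.so.2.
#
# usage: check_loader_links LIBDIR EXPECTED_TARGET
#   LIBDIR           library directory to inspect, e.g. /lib
#   EXPECTED_TARGET  what LIBDIR/ld-linux.so.2 must point at
#                    (i386-linux-gnu/ld-2.15.so on the Ubuntu 12.04 box above)
# exit status: 0 = link intact, no extra candidates
#              1 = ld-linux.so.2 missing or pointing elsewhere (machine will not boot)
#              2 = link intact, but extra ld-* candidates that the next run may prefer
check_loader_links() {
    libdir=$1 expected=$2 rc=0 found=0
    for entry in "$libdir"/ld-*.so*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob: skip
        name=${entry##*/}
        if [ -L "$entry" ]; then target=$(readlink "$entry"); else target="(regular file)"; fi
        if [ "$name" = "ld-linux.so.2" ]; then
            found=1
            if [ "$target" = "$expected" ]; then
                echo "ok   $name -> $target"
            else
                echo "BAD  $name -> $target (expected $expected)"
                rc=1
            fi
        else
            # "ld-" prefix plus ".so" in the name: ldconfig will read its soname
            echo "WARN $name -> $target (extra dynamic-linker candidate)"
            if [ "$rc" -eq 0 ]; then rc=2; fi
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "BAD  ld-linux.so.2 is missing from $libdir"
        rc=1
    fi
    return "$rc"
}

# run as a script: sh check_loader_links.sh /lib i386-linux-gnu/ld-2.15.so
if [ "$#" -eq 2 ]; then
    check_loader_links "$1" "$2"
fi
```

A non-zero status of 2 is the early warning: the link is still correct, but the vendor entries that made ldconfig re-point it are present, so the next apt-* run would break the machine again unless the wrapper-script fix above is in place.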

Here McAfee has described the issue:


And here, in Launchpad, Ubuntu (Canonical) has rejected the bug:


Deep Dive into Apache Cordova (PhoneGap) with Android

In this blog post I will talk about how Apache Cordova works in detail with respect to Android. This is for curious minds who want to know how it works and how it is implemented. Apache Cordova is an application framework that lets you build natively installed mobile apps using HTML and JavaScript. It is the only free, open-source framework which supports 7 mobile platforms.

In this post I will give an introduction with a brief history, discuss the technique used by Cordova, and go through the Android implementation in depth with code.

It was first started as PhoneGap at an iPhoneDevCamp in San Francisco in August 2008 (originally it was only available for iOS). The entire development was carried out by a company named Nitobi. In October 2011, Nitobi was purchased by Adobe and the source code was donated to Apache. Since the initial name given to it in the Apache Software Foundation, 'Callback', was too generic, it was then changed to Cordova.

Basically, Cordova generates a hybrid app (i.e. one containing a native component as well as a non-native component for each platform) in which

  • all UI is rendered by a browser
  • functions are written in JavaScript
  • native device capabilities are accessed through the Cordova framework

Let's move to the technique used by Cordova:

  1. Instantiate a chromeless browser instance
  2. Implement the "cordova.exec" bridge in JavaScript to send messages to the native side
  3. Implement native plugin code to push data back to the JavaScript side
  4. Implement the JavaScript API by wrapping cordova.exec()

You write the entire program in the index.html file, and within that file you call JavaScript functions introduced by Cordova. Those functions may in turn call the cordova.exec() bridge function, whose parameters are:

  • {Function} success The success callback
  • {Function} fail The fail callback
  • {String} service The name of the service to use
  • {String} action Action to be run in cordova
  • {String[]} [args] Zero or more arguments to pass to the method (which is implemented in native code)

Let's move to the Android implementation in detail. It starts with instantiating the chromeless browser, which is the Android WebView. You can download the Cordova source code from the official web site, or download the Learn Cordova project here, open it with Eclipse and search through the DroidGap class.

import android.webkit.*; // done in the DroidGap class

Thanks to Google's engineering, Android has clean, well-defined interfaces and implementations, so WebView has several customization points:

  • WebViewClient
  • WebChromeClient
  • WebSettings
  • addJavaScriptInterface(Object, String)

And the Cordova developers have exploited them in a nice way.


WebChromeClient is called when something happens that might affect the browser UI; for instance, progress updates and JavaScript alerts are sent here. In our case it handles the JavaScript calls, and the implementation is CordovaChromeClient.


WebViewClient is called when something happens that affects the rendering of the content, and it intercepts URL loading. Cordova overrides the shouldOverrideUrlLoading() method; the implementation is CordovaWebViewClient (when overriding, Cordova lets WebViewClient handle some browser API features itself).

Enabling JavaScript in the WebView is done through WebSettings.

You may think addJavaScriptInterface(Object, String) is the ideal method for implementing the entire Cordova bridge. But it is not! (It was, until Android 2.3, when cookies were used to communicate between the web client and native code; a bug surfaced in addJavaScriptInterface() and Cordova was forced to change its approach.)

At this point an out-of-the-box solution was needed, and it was overriding prompt() (download the Learn Cordova project here, open it with Eclipse and search through the CordovaChromeClient class). Within CordovaChromeClient, pluginManager.exec() is called (not to be confused with cordova.exec()).

When pluginManager receives a request for execution, it finds the appropriate Java class and calls its execute method. After the request is executed, the plugin returns a PluginResult to pluginManager.

Here comes another challenge: putting the results back into the browser instance (don't forget that pluginManager is a native piece of code).

The obvious way is loadUrl(), but it has some issues. If you create web content and load it into the browser instance, the user experiences a loss of focus in the user interface. No matter how fast the load, there is no way to overcome this (if the user was typing, the input is lost and focus moves to another input).

The next option is the CallbackServer, which provides a way for Java (native code) to run JavaScript in the web page that has loaded Cordova (see com.cordova.CallBackServer.java in the code). The CallbackServer class implements

  • an XHR server (XMLHttpRequest)
  • a polling server

together with a list of JavaScript statements that are to be executed on the web page (index.html).

For the completeness of the post, I will briefly describe how the XHR mechanism works.

  1. JavaScript makes an async XHR call
  2. The server holds the connection open until data is available
  3. The server writes the data to the client and closes the connection
  4. The server immediately starts listening for the next XHR call
  5. The client receives this XHR response, processes it
  6. The client sends a new async XHR request

In addition, if the device has a proxy set, XHR cannot be used directly, so polling must be used instead. (Polling is the client program actively sampling the status of an external device as a synchronous activity.)

Polling works like this: first the client calls CallbackServer.getJavascript() to retrieve the next statement; if a statement is available the client processes it, and then the client repeats. This is how Cordova pushes native data to JavaScript.

That's all for this post; I will talk more about Cordova in the future.