
kuni katsuya

Spring vs Java EE Web Dev: Using Shiro for Authorization via CDI Interceptors then Easi... - 1 views

  • Using Shiro for Authorization via CDI Interceptors then Easily Test with Arquillian Did you know Apache Shiro is an easy-to-use security
  • @Secured @NamedResource("contact")
  • Interceptors will be ignored by CDI container unless it is listed in beans.xml
  • Tells the security interceptor to check the permission using "contact" as the resource name, not "contactmanager" inflected from the class name ContactManager
  • @NamedResource("contact")
kuni katsuya

AllPermission (Apache Shiro 1.2.1 API) - 0 views

  • AllPermission
  • always implies any other permission
    • kuni katsuya
       
      equivalent to *:*, ie. all actions on all resource types
  • implies method
  • always returns true
  • have the ability to do anything
kuni katsuya

Permission (Apache Shiro 1.2.1 API) - 0 views

  • A Permission represents the ability to perform an action or access a resource. A Permission is the most granular, or atomic, unit in a system's security policy and is the cornerstone upon which fine-grained security models are built.
  • a Permission instance only represents functionality or access - it does not grant it
  • permissions are immutable and reflect an application's raw functionality
  • because Permissions represent raw functionality and only change when the application's source code changes, they are immutable at runtime - they represent 'what' the system can do
  • by transitive association, the user 'has' the permissions in their roles
  • all Permission checks are relegated to Realm implementations, and only those implementations really determine how a user 'has' a permission or not
  • Realm could use the semantics described here, or it could utilize some other mechanism entirely
kuni katsuya

AuthenticationToken (Apache Shiro 1.2.1 API) - 0 views

  • If your application's authentication process is username/password based (like most), instead of implementing this interface yourself, take a look at the UsernamePasswordToken class, as it is probably sufficient for your needs.
kuni katsuya

UsernamePasswordToken (Apache Shiro 1.2.1 API) - 0 views

  • UsernamePasswordToken
  • HostAuthenticationToken interface to retain the host name or IP address location from where the authentication attempt is occurring.
  • A simple username/password authentication token to support the most widely-used authentication mechanism
kuni katsuya

Realm | Apache Shiro - 0 views

  • A Realm is a component that can access application-specific security data such as users, roles, and permissions. The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be.
  • A Realm is essentially a security-specific DAO
kuni katsuya

Cryptography Features | Apache Shiro - 0 views

  • Hash Features
  • Default interface implementations - Shiro provides default Hash (aka Message Digests in the JDK) implementations out-of-the-box, such as MD5, SHA1, SHA-256
  • Built-in Hex and Base64 conversion - Shiro Hash instances can automatically provide Hex and Base-64 encoding of hashed data via their toHex() and toBase64() methods
  • Built-in Salt and repeated hashing support
kuni katsuya

Application Security With Apache Shiro - 0 views

  • previously known as the JSecurity project
  • The word Subject is a security term that basically means "the currently executing user"
  • Core Concepts: Subject, SecurityManager, and Realms
  • Subject
  • 'Subject' can mean a human being, but also a 3rd party process, daemon account, or anything similar. It simply means 'the thing that is currently interacting with the software'
  • Subject currentUser = SecurityUtils.getSubject();
  • SecurityManager
  • SecurityManager manages security operations for all users
  • Realms
  • Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. That is, when it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
  • Realm is essentially a security-specific DAO
  • Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more
  • Authorization
  • A permission is a raw statement of functionality, for example ‘open a door’, ‘create a blog entry’, ‘delete the ‘jsmith’ user’, etc. By having permissions reflect your application’s raw functionality, you only need to change permission checks when you change your application’s functionality. In turn, you can assign permissions to roles or to users as necessary at runtime.
  • “Run As” support for assuming the identity of another Subject
kuni katsuya

Subject | Apache Shiro - 0 views

  • Understanding Subjects in Apache Shiro
  • 'Subject' is just a security term that means a security-specific 'view' of an application user
  • Subject instance represents both security state and operations for a single application user
  • in the security world, the term 'Subject' is actually the recognized nomenclature
  • Subject currentUser = SecurityUtils.getSubject();
  • obtain the currently executing Subject by using org.apache.shiro.SecurityUtils:
  • Subject based on user data associated with current thread or incoming request.
kuni katsuya

Session Management | Apache Shiro - 0 views

  • available in any application, regardless of container.
  • even if you deploy your application in a Servlet or EJB container, there are still compelling reasons to use Shiro's Session support instead of the container's
  • Easy Custom Session Storage
  • POJO/J2SE based (IoC friendly)
  • Container-Independent Clustering!
  • Heterogeneous Client Access
  • Event Listeners
  • listen to lifecycle events during a session's lifetime
  • Host Address Retention
  • retain the IP address or host name of the host from where the session was initiated
  • Inactivity/Expiration Support
  • can be prolonged via a touch() method to keep them 'alive' if desired
  • Transparent Web Use
  • can use Shiro sessions in existing web applications and you don't need to change any of your existing web code
  • Can be used for SSO
  • easily stored in any data source
  • can be 'shared' across applications if needed
  • 'poor man's SSO'
  • simple sign-on experience since the shared session can retain authentication state
  • interface-based and implemented with POJOs
  • allows you to easily configure all session components with any JavaBeans-compatible configuration format, like JSON, YAML
  • easily extend
  • customize session management functionality
  • session data can be easily stored in any number of data sources
  • easily clustered using any of the readily-available networked caching products
  • no matter what container you deploy to, your sessions will be clustered the same way
  • No need for container-specific configuration!
  • Shiro sessions can be 'shared' across various client technologies
  • listen for these events and react to them for custom application behavior
  • SecurityUtils.getSubject()
  • currentUser.getSession()
  • Subject.getSession(boolean create) method functions the same way as the HttpServletRequest.getSession(boolean create) method:
  • If the Subject already has a Session, the boolean argument is ignored and the Session is returned immediately
  • If the Subject does not yet have a Session and the create boolean argument is true, a new session will be created and returned.
  • If the Subject does not yet have a Session and the create boolean argument is false, a new session will not be created and null is returned.
kuni katsuya

Web Features | Apache Shiro - 0 views

  • Apache Shiro Web Features
kuni katsuya

Java Authorization Guide | Apache Shiro - 0 views

  • Java Authorization Guide with Apache Shiro
  • Levels of permission granularity
  • specify an action (open, read, delete, etc)
  • resource (door, file, customer record, etc)
  • define a permission to any depth
  • Resource Level
  • Instance Level
  • Attribute Level
  • instance of a resource
  • attribute of an instance or resource
  • Permissions Defined
  • Permissions represent what can be done in your application
  • A well-formed permission describes a resource type and what actions are possible when you interact with those resources
  • Roles Defined
  • Roles are effectively a collection of permissions
  • Explicit Roles
  • An explicit role has permissions explicitly assigned to it and therefore is an explicit collection of permissions
  • Implicit Roles
    • kuni katsuya
       
      do not use!!!
  • Annotation Authorization
  • @RequiresPermissions("account:create")
  • Permission Check
kuni katsuya

Apache Camel: Shiro Security - 0 views

  • Shiro Security Component
  • Available as of Camel 2.5
kuni katsuya

Terminology | Apache Shiro - 0 views

  • Role
  • Role as simply a named collection of Permissions
  • This is a more concrete definition than the implicit one used by many applications
  • Permission
  • A Permission is only a statement of behavior, nothing more.
  • a statement that describes raw functionality in an application and nothing more
  • define only "What" the application can do
kuni katsuya

DomainPermission (Apache Shiro 1.2.1 API) - 0 views

  • used as a base class for JPA/Hibernate persisted permissions that wish to store the parts of the permission string in separate columns (e.g. 'domain', 'actions' and 'targets' columns)
kuni katsuya

How to get EntityManager in a Apache Shiro Realm | OpenShift by Red Hat - 0 views

kuni katsuya

Shiro Developer - Role "Nesting" or "Inheriting" and RolePermissionResolvers - 0 views

  • Shiro supports the concept of role inheritance - roleA inherits permissions from roleB
  • A given realm knows only its roles, but my application understands the mapping of roles to permissions (or nested roles). I have a single RolePermissionResolver that ties permissions to roles
  • Example: My security Manager: https://github.com/sonatype/security/blob/master/security-system/src/main/java/org/sonatype/security/DefaultRealmSecurityManager.java#L63
  • My RolePermissionResolver https://github.com/sonatype/security/blob/master/security-realms/security-xml-realm/src/main/java/org/sonatype/security/realms/XmlRolePermissionResolver.java#L47