SoftwareEngineering

Known Causes:

First Steps:

dreaded errno 150:

The two key fields type and/or size is not an exact match

One of the key field that you are trying to reference does not have an index and/or is not a primary key

One or both of your tables is a MyISAM table

You have specified a cascade ON DELETE SET NULL, but the relevant key field is set to NOT NULL

Make sure that the Charset and Collate options are the same both at the table level as well as individual field level for the key columns

You have a default value (ie default=0) on your foreign key column

You have a syntax error in your ALTER statement or you have mistyped one of the field names in the relationship

The name of your foreign key exceeds the

max length of 64 chars

which assumes Shiro's

String format.

Authorization Sequence

what happens inside Shiro whenever an authorization call is made.

invokes any of the Subject hasRole*, checkRole*, isPermitted*, or checkPermission*

securityManager implements the org.apache.shiro.authz.Authorizer interface

delegates to the application's SecurityManager by calling the securityManager's nearly identical respective hasRole*, checkRole*, isPermitted*, or checkPermission* method variants

relays/delegates to its internal org.apache.shiro.authz.Authorizer instance by calling the authorizer's respective hasRole*, checkRole*, isPermitted*, or checkPermission* method

Realm's own respective hasRole*, checkRole*, isPermitted*, or checkPermission* method is called

Authorization Sequence

implies a set of behaviors (i.e. permissions) based on a role name only

named collection of actual permission statements

your realm is what will tell Shiro whether or not roles or permissions exist

Each Realm interaction functions as follows:

key difference with a RolePermissionResolver however is that the input String is a role name, and not a permission string.

Configuring a global RolePermissionResolver

RolePermissionResolver has the ability to represent Permission instances needed by a Realm to perform permission checks.

translate a role name into a concrete set of Permission instances

globalRolePermissionResolver = com.foo.bar.authz.MyPermissionResolver ... securityManager.authorizer.rolePermissionResolver = $globalRolePermissionResolver

shiro.ini

have the ability to do anything

eing performed

boolean implies(Permission p)

Returns true if this current instance

false otherwise

current instance must be exactly equal to or a superset of the functionalty and/or resource access described by the given Permission argument

role name to resolve

Collection of Permissions

High-Level Overview

essentially a security specific 'view' of the the currently executing user

instances are all bound to (and require) a

When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager

'umbrella’ object that coordinates its internal security components that together form an object graph

‘connector’ between Shiro and your

Shiro looks up many of these things from one or more Realms configured for an application

component responsible determining users' access control in the application

if a user is allowed to do something or not

knows how to create and manage user

lifecycles

Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available

Shiro will use

if available, (e.g. Servlet Container)

if there isn't one, such as in a standalone application or non-web environment, it will use its

exists to allow any datasource to be used to

performs Session persistence (CRUD) operations on behalf of the SessionManager

allows any data store to be plugged in to the Session Management infrastructure

creates and manages Cache instance lifecycles used by other Shiro components

improve performance while using these data source

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

is security-specific view of the

and that Subject instances are always bound to a thread to ensure we know who is executing logic at any time during the thread's execution

Subject instance must be created

Subject instance must be bound to the currently executing thread

Subject must be unbound to ensure that the thread remains 'clean' in any thread-pooled environment

Shiro has architectural components that perform this bind/unbind logic automatically

root Shiro Filter performs this logic when filtering a request

after creating a Subject instance, it must be bound to thread

Test Setup

'setup' and 'teardown'

can be used in both unit testing and integration testing

AbstractShiroTest

abstract class AbstractShiroTest

@Asynchronous

@Asynchronous

simple to use

as a return type and to receive a result asynchronously

do not at all describe "who" is able to perform the action(s)

Multiple Parts

Wildcard Permissions support the concept of multiple levels or parts. For example, you could restructure the previous simple example by granting a user the permission printer:query

Multiple Values Each part can contain multiple values. So instead of granting the user both the "printer:print" and "printer:query" permissions, you could simply grant them one: printer:print,query

All Values What if you wanted to grant a user all values in a particular part? It would be more convenient to do this than to have to manually list every value. Again, based on the wildcard character, we can do this. If the printer domain had 3 possible actions (query, print, and manage), this: printer:query,print,manage

simply becomes this: printer:*

Using the wildcard in this way scales better than explicitly listing actions since, if you added a new action to the application later, you don't need to update the permissions that use the wildcard character in that part.

Finally, it is also possible to use the wildcard token in any part of a wildcard permission string. For example, if you wanted to grant a user the "view" action across all domains (not just printers), you could grant this: *:view Then any permission check for "foo:view" would return true

Instance-Level Access Control

instance-level Access Control Lists

Checking Permissions

SecurityUtils.getSubject().isPermitted("printer:print:lp7200")

printer:*:*

all actions on a single printer

printer:*:lp7200

missing parts imply that the user has access to all values corresponding to that part

printer:print is equivalent to printer:print:*

Missing Parts

rule of thumb is to

when performing permission checks

first part is the

that is being operated on (printer)

second part is the

(query) being performed

three parts - the first is the

the second is the

third is the

allow access to

can only leave off parts from the end of the string

Performance Considerations

runtime implication logic must execute for

implicitly using Shiro's default

which executes the necessary implication logic

When using permission strings like the ones shown above, you're

Shiro's default behavior for Realm

for every permission check

need to be checked individually for implication

as the number of permissions assigned to a user or their roles or groups increase, the time to perform the check will necessarily increase

If a Realm implementor has a

more efficient way of checking permissions and performing this implication logic

should implement that as part of their

implies

user:*:12345

user:update:12345

printer

implies

printer:print

Implication, not Equality

permission

are evaluated by

logic - not equality checks

the former implies the latter

superset of functionality

implication logic can be executed at runtime

Entity Beans in combination with an EntityManager

use CDI to inject the EntityManager into my JpaRealm

JpaRealm is not container managed but is instantiated by Shiro

delegate your JpaRealm into @Stateless EJB, which can @Inject EntityManager

JpaRealm

@PersistenceContext   private EntityManager entityManager;

EnvironmentLoaderListener

found the cause

Instead of configuring the ShiroFilter in my web.xml I had the IniShiroFilter configured. The IniShiroFilter creates a new SecurityManager from the ini file. This new SecurityManager didn't know about the realm I've added in my EnvironmentLoader, so it didn't have any realms.

I replaced it with the ShiroFilter in my web.xml and all seems to be working now with my CdiEnvironmentLoaderListener.

asks the user for multiple pieces of hard data that should have been

send the password reset information to some

such as a (possibly different) email address or an SMS text number, etc. to be used in Step 3.

Step 2) Verify Security Questions

application verifies that each piece of data is correct for the given username

If anything is incorrect, or if the username is not recognized, the second page displays a generic error message such as “Sorry, invalid data”. If all submitted data is correct, Step 2 should display at least two of the user’s pre-established personal security questions, along with input fields for the answers.

Avoid sending the username as a parameter

Do not provide a drop-down list

server-side session

user's email account may have already been compromised

"strong" password policy

Secure Password Recovery Mechanism

Require re-authentication for Sensitive Features

Authentication and Error Messages

can be used for the purposes of user ID and password enumeration

Incorrectly implemented error messages

generic manner

respond with a generic error message regardless if the user ID or password was incorrect

give no indication to the status of an existing account

Authentication responses

Invalid user ID or password"

does not indicate if the user ID or password is the incorrect parameter

Transmit Passwords Only Over TLS

must be exclusively accessed over TLS

unencrypted session ID

credentials

Implement Account Lockout

lock out an account if more than a preset number of unsuccessful login attempts are made

can produce a result that locks out entire blocks of application users accounts

is to lockout accounts for a number of hours

Session Management General Guidelines

a) stop writing dynamic queries

b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)

Option #3: Escaping all User Supplied Input

Additional Defenses:

Perform: White List Input Validation

Primary Defenses

Defense Option 1: Prepared Statements (Parameterized Queries)

attacker is not able to

of a query, even if SQL commands are inserted by an attacker

allows the database to

distinguish

between

Defense Option 3: Escaping All User Supplied Input