Securing Your Applications with Apache Shiro

Security is a very important aspect of application development. Tonight I learned about a new security framework, Apache Shiro, the successor to the JSecurity project.

It was a great talk by Les Hazlewood, the founder and lead of the project, who relocated to the Bay Area not long ago to start his company Katasoft. The presentation ran over an hour but still kept most people seated.


Les introduced four parts of application security: authentication, authorization, enterprise session management and cryptography. Concept-wise, there is nothing new. Interestingly, the authorization model is very similar to the one in vSphere that we discussed before, with its user/role/permission elements. Implementation-wise, judging from the samples, I can see a big simplification over other security frameworks such as Sun's security implementation, which got most people confused. One of Shiro's secret sauces is to make the old frameworks object-oriented.

In the end, Les demoed two web-based applications: one integrated with the Spring Framework, and the other a simple Java Servlet.

Now, what's in it for YOU? Well, you can use it as an alternative to JAAS or Spring Security. It is not limited to web applications; you can use it in standalone and mobile applications as well.

BTW, one new term I heard today is salts for cryptographic hashing. Normally we just supply a string such as the password as input to a hashing algorithm. With salts, we supply an additional string (the salt, which only the server knows) as input, so that the hashed result is more random than it would be otherwise. The other alternative is to repeat the hashing algorithm multiple times. All of these make it harder for cracking code to guess the password.
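As an added example (not code from the post, the talk, or the Shiro project's own samples), the following standalone program shows how the user/role/permission model and the salted, iterated password hashing described above fit together in Shiro. The in-memory realm, the sample user "alice", the role names, the "vm:..." permission strings and the iteration count of 1024 are all made up for illustration; the classes used are the public Shiro 1.x API. The realm stores only each user's random salt and the salted hash, never the password itself, and the same salt and iteration count are fed back to the credentials matcher at login time.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class ShiroSaltedDemo {

    // Number of times the hash is repeated (the "repeat the hashing" alternative from the post).
    // Hypothetical value; it must be the same at registration and at login.
    static final int HASH_ITERATIONS = 1024;

    // One stored account: random salt, salted+iterated hash (Base64) and a role. No plaintext password.
    static final class UserRecord {
        final ByteSource salt;
        final String hashedPasswordBase64;
        final String role;

        UserRecord(ByteSource salt, String hashedPasswordBase64, String role) {
            this.salt = salt;
            this.hashedPasswordBase64 = hashedPasswordBase64;
            this.role = role;
        }
    }

    // Hypothetical in-memory realm; a real application would load the same data from a database.
    static final class InMemoryRealm extends AuthorizingRealm {
        private final Map<String, UserRecord> users = new HashMap<>();
        private final Map<String, String[]> rolePermissions = new HashMap<>();

        InMemoryRealm() {
            // Tell Shiro how the stored credentials were produced so it can re-hash the submitted password.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(false); // we store Base64, not hex
            setCredentialsMatcher(matcher);

            // Role -> wildcard permissions (constructed sample data, vSphere-flavoured on purpose).
            rolePermissions.put("operator", new String[] {"vm:poweron,poweroff:*"});
            rolePermissions.put("auditor", new String[] {"vm:view:*"});
        }

        // Registration: fresh random salt per user, then SHA-256 repeated HASH_ITERATIONS times.
        void register(String username, String plaintextPassword, String role) {
            ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
            String hash = new Sha256Hash(plaintextPassword, salt, HASH_ITERATIONS).toBase64();
            users.put(username, new UserRecord(salt, hash, role));
        }

        // Authentication: hand Shiro the stored hash AND the salt; the matcher does the comparison.
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String username = (String) token.getPrincipal();
            UserRecord rec = users.get(username);
            if (rec == null) {
                return null; // Shiro turns this into an UnknownAccountException
            }
            return new SimpleAuthenticationInfo(username, rec.hashedPasswordBase64, rec.salt, getName());
        }

        // Authorization: user -> role -> permissions, the same three elements as the vSphere model.
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) principals.getPrimaryPrincipal();
            UserRecord rec = users.get(username);
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if (rec != null) {
                info.addRole(rec.role);
                for (String perm : rolePermissions.getOrDefault(rec.role, new String[0])) {
                    info.addStringPermission(perm);
                }
            }
            return info;
        }
    }

    public static void main(String[] args) {
        InMemoryRealm realm = new InMemoryRealm();
        realm.register("alice", "correct horse battery staple", "operator"); // constructed sample user
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong password"));
        } catch (AuthenticationException e) {
            System.out.println("rejected bad password: " + e.getClass().getSimpleName());
        }
        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("authenticated: " + subject.isAuthenticated());          // true
        System.out.println("has operator role: " + subject.hasRole("operator"));    // true
        System.out.println("may power off vm-42: " + subject.isPermitted("vm:poweroff:vm-42")); // true
        System.out.println("may delete vm-42: " + subject.isPermitted("vm:delete:vm-42"));      // false
        subject.logout();
    }
}
```

Two points worth noticing when adapting this: the salt is generated per user and stored next to the hash, so two users with the same password end up with different stored hashes, and the iteration count lives in one place (`HASH_ITERATIONS`) because a mismatch between registration and the matcher silently rejects every login.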



Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, and VMware are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.