Securing Your Applications with Apache Shiro
It’s a great talk given by the founder and lead of the project, Les Hazlewood, who relocated to Bay area not long ago for starting his company katasoft. The presentation ran over for one hour but still got most people seated.
Lost VMs or Containers? Too Many Consoles? Too Slow GUI? Time to learn how to "Google" and manage your VMware and clouds in a fast and secure HTML5 App.
Les introduced four parts of application security: authentication, authorization, enterprise session management and cryptograph. Concept wise, there is nothing new. Interestingly, the authorization model is very much similar to the one in vSphere as we discussed before with user/role/permission elements. Implementation wise, I can see a big simplification, based on samples, over other security frameworks like Sun’s security implementation which got most people confused. One of Shiro’s secret source is to object orientify the old frameworks.
In the end, Les demoed two web based applications: one integrated with Spring framework, and the other as a simple Java Servlet.
Now, what’s in it for YOU? Well, you can use it as an alternative to JAAS or Spring Security. It’s more than Web applications, and you can use it in standalone, mobile applications as well.
BTW, one new term I heard today is the salts for cryptographic hashing. Normally we just supply a string like password as input to a hashing algorithm. While using salts, we need an additional string (salts, only server knows) as input so that the hashed result is more random than otherwise. The other alternative is to repeat the hashing algorithm for multiple times. All these can make hacking code harder to guess out password.