Apache Shiro – Features and Terminologies
Have you ever thought about how to secure your application with features like authentication of users, authorizing them to allow/restrict to access some features or to quickly secure your data by cryptography and session creation. It might be difficult for you to write code for all these things and include them in your application. So here’s the powerful and easy to use solution which gives you opportunity to add all such features in few minutes without wasting your time on developing everything from scratch.
Apache Shiro is a Security framework which offers key features like Authentication, Authorization, Cryptography, and Session management. It has easy to use APIs, which can be used quickly and easily by you to secure any type of application, be a web application, mobile application, or an enterprise application.
Before jumping into anything we should know the common terms used in Shiro, which will help us in using it in our projects.
Shiro’s Terminologies :
A Subject is the user/system/process/application/etc. which access our system using an identity. It’s a security specific common term for accessing party. A Subject does not always reflect a human being, it can be an external process calling your application, or a daemon process which executes some cron job on your application. It is basically a representation of any entity that is doing something with the application.
A Principal is any identifying attribute of an application user (Subject). An ‘identifying attribute’ can be anything that makes sense to your application – a username, a surname, a given name, a social security number, a user ID, etc. That’s it – nothing crazy. There is only one principal for users (Subjects) in an application.
Credential is that information which identifies a Subject. One (or more) credentials are submitted along with Principal(s) during an authentication attempt to verify that the user/Subject submitting them is actually the associated user. Credentials are set of username and password or biometric data, etc., which is a secret.
The idea is that for a principal, only one person would know the correct credential to ‘pair’ with that principal. If the current user/Subject provides the correct credential matching the one stored in the system, then the system can assume and trust that the current user/Subject is really who they say they are. The degree of trust increases with more secure credential types (e.g. biometric signature > password).
Authentication is the process of verifying a Subject’s identity. It validates the Subject’s credentials and then application can trust the Subject’s identity, that accessing party is the same as expected.
Role is defined as the functionalities offered to the Subject, or the allowed access to a Subject on the application defined by the security policies. Shiro interpret the Role as the names collection of Permissions. This is a more concrete definition than the implicit one used by many applications. If you choose to have your data model reflect Shiro’s assumption, you’ll find you will have much more power in controlling security policies.
A Permission, at least as Shiro interprets it, is a statement that describes raw functionality in an application and nothing more. Permissions are the lowest-level constructs in security policies. They define only “What” the application can do. They do not describe “Who” is able to perform the actions. A Permission is only a statement of behavior, nothing more.
Authorization is the process of determining a Subject’s permission to access the specific functionality of the application. It is an interpretation of inspection of roles and permissions of Subject, and giving them access to resource or functionality.
A Realm is a component that can access application-specific security data such as users, roles, and permissions. It can be thought of as a security-specific DAO (Data Access Object). The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be.
Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. As such, implementations of the Realm interface use data source-specific APIs to discover authorization data (roles, permissions, etc.), such as JDBC, File IO, Hibernate or JPA, or any other Data Access API.
- Credential Matcher
Credential Matcher as name suggests is that feature of Shiro which matches the credentials provided by Subject and credentials fetched by the realm from the data source. It returns the state of credential matching to the Shiro’s environment.
A Session is a stateful data context associated with a single user/Subject who interacts with a software system over a period of time. Data can be added/read/removed from the Session while the subject uses the application and the application can use this data later where necessary. Sessions are terminated when the user/Subject logs out of the application or when it times out due to inactivity. For those familiar with the HttpSession, a Shiro Session serves the same purpose, except Shiro sessions can be used in any environment even if there is no Servlet container or EJB container available.
A cipher is an algorithm for performing encryption or decryption. The algorithm generally relies on a piece of information called a key. And the encryption varies based on the key so decryption is extremely difficult without it. Ciphers come in different variations. Block Ciphers work on blocks of symbols usually of a fixed size while Stream Ciphers work on a continuous stream of symbols. Symmetric Ciphers use the same key for encryption and decryption while Asymmetric Ciphers use different keys. And if a key in an asymmetric cipher cannot be derived from the other, then one can be shared publicly creating public/private key pairs.
Cryptography is the practice of protecting information from undesired access by hiding it or converting it into nonsense so no one else can read it. Shiro focuses on two core elements of Cryptography: ciphers that encrypt data like email using a public or private key, and hashes (aka message digests) that irreversibly encrypt data like passwords.
A Hash function is a one-way, irreversible conversion of an input source, sometimes called the message, into an encoded hash value, sometimes called the message digest. It is often used for passwords, digital fingerprints, or data with an underlying byte array.
Remember above terminologies as these are the terms which you will come against again and again while using it in your application. Following are the features offered by the Shiro, which makes it comfortable,robust and preferred to be used on first hand.
Features of Shiro:
- Easy to Use and Comprehensive: It has easiest Java Security API than any other security framework and gives ready to use jars and settings which can get you started in few minutes.
- Flexible: Can be used in any environment – web, EJB, mobile apps etc. and can be made available with a Single Sign On(SSO) feature for clustered and distributed environments, so all the application can share single session data.
- Web Capable: It can secure a web application from any angle from REST to JSPs. It gives URL chain filtering support and JSP tags for the dynamic web pages. You can use Shiro’s native session support so that you can enhance the session support with cache for improved performance. Also it will make your web application independent of the containers session feature.
- Pluggable: Shiro is extremely flexible. It can be easily integrated with other frameworks like Spring, Grails, Wicket, Tapestry, Mule, Apache Camel, Vaadin, etc. Also it’s very easy to plug data source to the Shiro’s environment for authentication. It supports different data sources (LDAP, JDBC, Active Directory, etc.).
- Cryptography: It provides APIs to secure your data by hashing it. Gives interfaces to implementations like MD5, SHA1, SHA-256. It has built in Hex and Base64 conversion APIs, which helps you to encode data without getting troubled. Other than this it supports built in Salt and repeated Hashing.
I hope this post will help you to understand what Shiro is and what all you can get by using it. In our coming Posts about Shiro we will bring how to jump start with Shiro and use it in your Project without any major efforts.
Please feel free to comment and ask your queries 🙂 .