PAIRING APACHE SHIRO WITH JAVA EE 7

How to consume Shiro’s web services

Our RESTful web services can be consumed using every client that can make HTTP requests:

  • HTML5 pages
  • Swing applications
  • mobile applications on iOS, Android, etc.
  • etc.

For example, we can make an AngularJS single-page application (SPA) the view layer of our Java EE 7 application:

  • Make the REST calls in the services layer.
  • Manage your Auth2 (authentication and authorization) operations according to the HTTP response codes.
  • For the authorization, you can use AngularJS authorization plugins (angular-route-authorisation, angular-http-auth, angular-permission, etc.)

You may have to tweak your code to make it coherent with your authorization mechanism.
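The same response-code handling applies to any of the clients listed above. As an added example that is not part of the original article, here is a JAX-RS 2.0 client (the client API shipped with Java EE 7, so usable from a Swing application) that consumes the Shiro-protected services and turns the status codes into one typed outcome the UI can act on. The base URL, the X-Error-Message header name and the 401/403 mapping are assumptions; Shiro must be configured on the server to answer REST calls with status codes rather than a redirect to a login page.

```java
// Added example (not the article's code): a JAX-RS 2.0 client for the Shiro-protected
// REST services that reacts to HTTP status codes. URL and header name are assumptions.
import java.io.IOException;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;

public class ShiroRestClient {

    /** What the caller should do next, derived from the status code alone. */
    public enum AuthOutcome { OK, LOGIN_REQUIRED, FORBIDDEN, CLIENT_ERROR, SERVER_ERROR }

    /** Pure mapping, kept separate so it can be unit-tested without a server. */
    public static AuthOutcome classify(int status) {
        if (status >= 200 && status < 300) return AuthOutcome.OK;
        if (status == 401) return AuthOutcome.LOGIN_REQUIRED; // no valid session: show the login view
        if (status == 403) return AuthOutcome.FORBIDDEN;      // logged in, but missing role/permission
        if (status >= 500) return AuthOutcome.SERVER_ERROR;
        return AuthOutcome.CLIENT_ERROR;                      // 400, 404, ...: show the server's message
    }

    /** Carries the outcome so that the UI decides what to do in one place. */
    public static class AuthException extends IOException {
        public final AuthOutcome outcome;
        public AuthException(AuthOutcome outcome, String message) {
            super(message);
            this.outcome = outcome;
        }
    }

    /** Runs on every response and converts non-2xx codes into an AuthException. */
    public static class AuthResponseFilter implements ClientResponseFilter {
        @Override
        public void filter(ClientRequestContext request, ClientResponseContext response)
                throws IOException {
            AuthOutcome outcome = classify(response.getStatus());
            if (outcome == AuthOutcome.OK) {
                return;
            }
            // Explicit error message carried in a response header; the header name is assumed.
            String reason = response.getHeaders().getFirst("X-Error-Message");
            throw new AuthException(outcome,
                    reason != null ? reason : "HTTP " + response.getStatus());
        }
    }

    public static Client newClient() {
        return ClientBuilder.newClient().register(AuthResponseFilter.class);
    }

    public static void main(String[] args) {
        Client client = newClient();
        try {
            String body = client.target("https://localhost:8443/app/api/secure/profile") // assumed
                    .request("application/json")
                    .get(String.class);
            System.out.println(body);
        } catch (ProcessingException e) {
            // JAX-RS wraps exceptions thrown by client filters in a ProcessingException.
            if (e.getCause() instanceof AuthException) {
                AuthException ae = (AuthException) e.getCause();
                switch (ae.outcome) {
                    case LOGIN_REQUIRED: System.out.println("Show login dialog: " + ae.getMessage()); break;
                    case FORBIDDEN:      System.out.println("Access denied: " + ae.getMessage()); break;
                    default:             System.out.println("Request failed: " + ae.getMessage()); break;
                }
            } else {
                throw e;
            }
        } finally {
            client.close();
        }
    }
}
```

Note that the JAX-RS client does not store cookies by itself, so a desktop client has to capture the session cookie from the login response and send it back on later requests; in a browser the SPA gets that for free, which is why the JSESSIONID recommendations below matter there.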

What can you add to the implementation?

Our implementation of the Apache Shiro framework is basic. We did not cover concepts such as LDAP, Active Directory, CAS SSO, OAuth, or others.

The community offers many integrations:

  • Pairing Stormpath User Management with Shiro provides a full application-security and user-management system with little to no coding.
  • Grails offers up-to-date Grails/Shiro integration, including Grails 2.0 and Shiro 1.2. The plugin adds easy authentication and access control to Grails applications.
  • OAuth provides source code for an OAuth module for Apache Shiro, based on Scribe.
  • A Google App Engine plugin demonstrates one way to integrate Shiro with Google App Engine and Google Guice, and comes with front-end user registration and password management.
  • Play Shiro Integration simply integrates Apache Shiro and Play 2.0. If you want to try it, note that this project could use an update to handle statelessness as changed by the Shiro 1.2 release.
  • The 55 Minutes Wicket project is a nifty set of tools and libraries for enhancing productivity with the Apache Wicket Java web framework, including Shiro integration.
  • Lift Shiro integrates Shiro and the Lift Web framework, using Lift’s sitemap locs instead of Shiro’s built-in web.xml resource filters to control access to URLs.

Recommendations

  1. Handle every HTTP error code (404, 400, 500, etc.) and try to return an explicit error message in the HTTP headers of every response.
  2. Ensure that your design covers as many use cases as possible, and make sure that every resource open to anonymous access is neither vulnerable nor sensitive.
  3. Activate and configure SSL when possible.
  4. Avoid transmitting the JSESSIONID parameter over plain old HTTP.
  5. Avoid using URL parameters for session tracking.
  6. Be sure to define a session-timeout value that is reasonable for your needs.
  7. Try to build your knowledge of Auth2 mechanisms and strategies. Take a look at OWASP's useful resources:
  8. Penetration-test your web application to be sure that your security mechanisms are effective. You can use the OWASP Pentesting Guide.
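Recommendations 4 to 6 can be enforced at the Servlet API level of a Java EE 7 application, where the container issues the JSESSIONID cookie that Shiro's default session manager relies on. The listener below is an added example, not code from the article; the 30-minute timeout is an assumed value to adapt to your needs. It makes the session cookie secure and HttpOnly, disables URL session tracking (the weak default on many containers allows both cookies and ";jsessionid=..." rewriting), and gives every new session an idle timeout.

```java
// Added example (not the article's code): a Servlet 3.1 listener applying
// recommendations 4 to 6 above. The timeout value is an assumption.
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionHardeningListener implements ServletContextListener, HttpSessionListener {

    /** Assumed value (recommendation 6): choose what fits the application. */
    static final int SESSION_TIMEOUT_SECONDS = 30 * 60;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Recommendation 4: JSESSIONID is only ever sent over TLS, and scripts cannot read it.
        // Both settings may only be changed while the context is still initializing.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setSecure(true);
        cookie.setHttpOnly(true);

        // Recommendation 5: track sessions with the cookie only, never with a URL parameter.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Recommendation 6: idle sessions expire instead of living until the server restarts.
        se.getSession().setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to clean up in this example.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up in this example.
    }
}
```

Recommendation 3 is not a Java setting: require HTTPS with a transport-guarantee of CONFIDENTIAL in the web.xml security constraints, or with Shiro's ssl filter in the [urls] section of shiro.ini. A quick check that the first two settings took effect is to log in and inspect the Set-Cookie header, which should carry both the Secure and HttpOnly flags and never a jsessionid in the Location header of a redirect.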