New version of security framework Apache Shiro
Apache Shiro 1.2 adds several new clean and effective security mechanisms for Java applications
More than a year after its previous release, the Java security framework Apache Shiro has received a much needed update with the release of Apache Shiro 1.2.
Apache Shiro (shiro is Japanese for 'castle') is an application security framework that gives Java developers clean and simple ways of supporting four cornerstones of security in their applications: authentication, authorisation, enterprise session management and cryptography. Its robust features give an application a crucial fortification.
Besides the bug fixes, there is a raft of new features which developers can use. Amongst these are the following:
- The ability to disable sessions per filter chain or entirely
for an application.
- Servlet Context Listener initialisation in web apps (to
allow components to utilise Shiro before Filter
- A command line program to securely hash passwords (or any URL, file or stream input for that matter).
- New secure password hash formats that adhere to Modular Crypt Format conventions. These hashes can be computed with the command line program above and saved directly in text config (e.g. shiro.ini); plaintext passwords should never be stored. For those familiar with the Apache HTTPD htpasswd program, this achieves the same
- A new LogoutFilter, as many apps don’t need to show a view
during logout (just logout and redirect to some known
- Shiro filters can be enabled or disabled without removing them from the filter chain, which is useful in development (e.g. turn the SSL requirement off in dev but keep it on in production).
The team are also keen to stress the importance of a new concept that makes password hash storage and comparison a much simpler task in Shiro. You can use a PasswordService directly in your application code to hash passwords securely, and then configure a PasswordMatcher on your Realm(s) to use the same PasswordService for password comparisons, so that the hash written at registration time and the check performed at login time agree on algorithm, salt and iteration count. This is all documented within the links.
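The following is an added example, not code from the article or from the Shiro project, of the workflow just described: a DefaultPasswordService hashes a password in application code, the resulting $shiro1$ Modular Crypt Format string is stored directly in shiro.ini, and a PasswordMatcher wired to the same PasswordService verifies logins against it. It assumes shiro-core 1.2 (and an SLF4J binding) on the classpath; the user name, password and role are constructed sample data.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroPasswordServiceDemo {

    // Hash at registration time. DefaultPasswordService salts and iterates
    // the digest and returns a self-describing Modular Crypt Format string
    // ($shiro1$<algorithm>$<iterations>$<salt>$<digest>), so the stored
    // value carries everything PasswordMatcher needs to verify it later.
    static String hashForStorage(PasswordService service, String plaintext) {
        return service.encryptPassword(plaintext);
    }

    // Build the same text config a shiro.ini file would hold. The [main]
    // section points the implicitly created iniRealm at a PasswordMatcher
    // that reuses the PasswordService; the [users] entry stores only the hash.
    static Ini buildConfig(String aliceHash) {
        String config =
            "[main]\n" +
            "passwordService = org.apache.shiro.authc.credential.DefaultPasswordService\n" +
            "passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher\n" +
            "passwordMatcher.passwordService = $passwordService\n" +
            "iniRealm.credentialsMatcher = $passwordMatcher\n" +
            "\n" +
            "[users]\n" +
            "alice = " + aliceHash + ", admin\n";   // constructed sample user
        Ini ini = new Ini();
        ini.load(config);
        return ini;
    }

    public static void main(String[] args) {
        PasswordService service = new DefaultPasswordService();
        // constructed sample password; in a real app this comes from the signup form
        String aliceHash = hashForStorage(service, "correct horse battery staple");
        System.out.println("stored credential: " + aliceHash);

        SecurityManager securityManager =
            new IniSecurityManagerFactory(buildConfig(aliceHash)).getInstance();
        SecurityUtils.setSecurityManager(securityManager);
        Subject subject = SecurityUtils.getSubject();

        // Correct password: PasswordMatcher re-derives the hash with the salt
        // and iteration count embedded in the stored string and compares.
        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("login ok, authenticated=" + subject.isAuthenticated());
        subject.logout();

        // Wrong password: the realm rejects it with an AuthenticationException.
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because the stored string names its own algorithm, salt and iteration count, hashing parameters can be raised later without invalidating existing entries: old hashes still verify, and new ones are written with the stronger settings.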
There are also three new support modules: for the lightweight dependency injection framework Google Guice, for Apache Karaf and for Jasig CAS. We're excited to see the Shiro team bring out a new version as the community continues to grow under the guidance