New armour for Java necessity

New version of security framework Apache Shiro

Chris Mayer

Apache Shiro 1.2 adds several new clean and effective security mechanisms for Java applications

More than a year on from the latest tightening, the essential
security framework for Java applications has received a much needed
renovation through the release of Apache Shiro 1.2.

Apache Shiro, the Japanese for ‘castle’, is an application
security framework that provides application developers with very
clean and simple ways of supporting the four cornerstones of security
in their applications (authentication, authorisation, enterprise
session management and cryptography), through robust features which
give developers a crucial fortification for their application.

Besides the bug fixes, there is a raft of new features which
developers can deploy. Amongst these are the following:

  • The ability to disable sessions per filter chain or entirely
    for an application.
  • Servlet Context Listener initialisation in web apps (to
    allow components to utilise Shiro before Filter
  • A command line program to securely hash passwords (or any url,
    file or stream input for that matter).
  • New secure password hash formats that adhere to Modular Crypt
    Format conventions.  These secure password hashes can be
    computed with the above named command line program and saved
    in text config (e.g. shiro.ini) directly.  Plaintext
    passwords should never be stored.  For those familiar
    with the Apache HTTPD passwd program, this achieves the same
  • A new LogoutFilter, as many apps don’t need to show a view
    during logout (just logout and redirect to some known
  • Shiro filters can be enabled or disabled without removing them
    from the filter chain – useful in development (e.g. turn ssl
    requirement off in dev, but keep it on in production).

The team are also keen to state the importance of a new concept,
which makes password hash storage and comparison a much simpler
task in Shiro. You can use a PasswordService in your application
code to hash passwords securely. You can configure a PasswordMatcher
on your Realm(s) to use the same PasswordService for password
comparisons. This is all documented within the links.
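As an added illustration (not code from the article or the Shiro project), the sketch below wires one DefaultPasswordService into both the registration path and a realm's PasswordMatcher, so the string stored at sign-up and the comparison at login use the same hashing settings; SimpleAccountRealm, the realm name and the account are stand-ins for a real user store.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import java.util.Arrays;

public class PasswordServiceDemo {
    // One PasswordService shared by registration and by the realm's matcher.
    // Shiro 1.2's default is salted SHA-256 iterated 500,000 times, written in
    // Modular Crypt Format ("$shiro1$SHA-256$500000$<salt>$<digest>").
    static final PasswordService PASSWORDS = new DefaultPasswordService();

    // Registration path: hash once, store only the formatted hash string.
    static String register(SimpleAccountRealm realm, String user, char[] plaintext) {
        String stored = PASSWORDS.encryptPassword(plaintext);
        realm.addAccount(user, stored);     // stand-in for a DB/LDAP-backed realm
        Arrays.fill(plaintext, '\0');       // drop the plaintext as soon as possible
        return stored;
    }

    // Login path: the PasswordMatcher parses the stored MCF string, re-hashes the
    // submitted password with the recorded salt and iterations, and compares.
    static boolean login(String user, String plaintext) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, plaintext));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            return false;
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm("demo");
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(PASSWORDS);   // same service used by register()
        realm.setCredentialsMatcher(matcher);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        String stored = register(realm, "alice", "correct horse".toCharArray());
        System.out.println("stored credential: " + stored);
        System.out.println("right password accepted: " + login("alice", "correct horse"));
        System.out.println("wrong password accepted: " + login("alice", "wrong"));
    }
}
```

The same wiring can be expressed in shiro.ini by declaring the PasswordService and PasswordMatcher as [main] objects and assigning the matcher to the realm's credentialsMatcher property, which is what the text-config option above refers to.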

There are also three new support modules: for the lightweight
framework Google Guice, for Apache Karaf and for Jasig CAS. We’re
excited to see the Shiro team bring out a new version as the
community continues to grow under the guidance of Apache.

You can see every single improvement in the
. All binaries (.jars) are available in Maven Central
and you can download Apache Shiro 1.2.0 here!
