New armour for Java necessity
New version of security framework Apache Shiro
More than a year on from the latest tightening, the essential security framework for Java applications has received a much needed renovation through the release of Apache Shiro 1.2.
Apache Shiro, the Japanese for 'castle' is an application security framework that provides application developers very clean and simple ways of supporting four cornerstones of security in their applications (authentication, authorisation, enterprise session management and cryptography), through robust features which give developers a crucial fortifaction for their application.
Beside the bug fixes, there is a raft of new features which developers can deploy. Amongst these are the following:
- The ability to disable sessions per filter chain or entirely for an application.
- Servlet Context Listener initialisation in web apps (to allow components to utilise Shiro before Filter initialisation)
- A command line program to securely hash passwords (or any url, file or stream input for that matter).
- New secure password hash formats that adhere to Modular Crypt Format conventions. These secure password hashes can be computed with the above named command line program and saved in text config (e.g. shiro.ini) directly. Plaintext passwords should never be stored. For those familiar with the Apache HTTPD passwd program, this achieves the same benefits.
- A new LogoutFilter, as many apps don't need to show a view during logout (just logout and redirect to some known location).
- Shiro filters can be enabled or disabled without removing them from the filter chain - useful in development (e.g. turn ssl requirement off in dev, but keep it on in production).
The team are also keen to state the importance of a new concept, PasswordService, which makes password hash storage and comparison a much simpler task in Shiro. You can use a PasswordService directly in your application code to hash passwords securely. You can then configure a PasswordMatcher on your Realm(s) to use the same PasswordService for password comparisons. This is all documented within the links.
There is also three new support modules - lightweight framework Google Guice, Apache Karaf and Jasig CAS. We're excited to see the Shiro team bring out a new version as the community continues to grow under the guidance of Apache.