Apache Shiro part 2 – securing a JSF Java EE 7 application

6. May 2017 Sebastian Basner Comments 2 comments

In the first part I described why I chose Apache Shiro as an Authentication framework. In this part I will describe the simplest working solution to secure a Java EE7 application with JSF/Primefaces frontend. To be honest I wont use much of Primefaces in this sample but the application for which I did this research uses it so I added the dependency here and added an Primefaces component to this demo project.

Bootstrapping

I created an empty Java EE project via maven and added the needed Shiro dependencies as well as the Primefaces dependency to

the pom file.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>de.are_you_ready</groupId>
    <artifactId>shirotest</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>war</packaging>

    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <failOnMissingWebXml>false</failOnMissingWebXml>

        <apache-shiro.version>1.3.2</apache-shiro.version>
        <primefaces.version>6.0</primefaces.version>
        <junit.version>4.12</junit.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>javax</groupId>
            <artifactId>javaee-api</artifactId>
            <version>7.0</version>
            <scope>provided</scope>
        </dependency>

        <!-- Security -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>${apache-shiro.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
            <version>${apache-shiro.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-ehcache</artifactId>
            <version>${apache-shiro.version}</version>
        </dependency>

        <!-- PrimeFaces -->
        <dependency>
            <groupId>org.primefaces</groupId>
            <artifactId>primefaces</artifactId>
            <version>${primefaces.version}</version>
        </dependency>

        <!-- Testing -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>${junit.version}</version>
            <scope>test</scope>
        </dependency>

        <!-- Logging -->
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
    </dependencies>

    <build>
        <finalName>shirotest</finalName>
    </build>
</project>

…

Apache Shiro part 1 – selecting a Java security framework

25. January 2017 Sebastian Basner Comments 1 comment

What is Shiro?
Apache Shiro is an open source Java security framework which makes authentication, authorization and cryptography very easy to use with a simple and small configuration. It is very portable because of its independence from the used application frameworks and covers all kinds of scenarios from console over desktop client to web applications.

Why Shiro?
I searched for a security solution (authorization and authentication) which I plan to reuse in multiple “pet projects” without having to think about the same problem over and over again. My actual project is a web project based on Java EE 7 and has at the moment a JSF/Primefaces frontend. I plan to extend the application with a REST interface and an alternative UI technology for personal testing/learning and research purposes. Maybe there will also be an iOS app later on which should use the then existent REST endpoint. With that in mind I need a flexible framework to support securing JAX-RS endpoints as well as my actual JSF UI.
I previously had some experience with the Java EE standard solution JAAS as well as the JBoss project Picketlink. Additional to that I’ve worked in projects using Spring Security (but had not much to do with it) which seems to be the industry standard nowadays but besides that I did a little research about possible alternatives I wasn’t aware of and came up with Apache Shiro and Keycloak.
This four/five tools and frameworks were the solutions I considered and researched which would be the best fit for me. …

Sicheres Surfen auf Facebook [UPDATE]

8. February 2011 Sebastian Basner Comments 0 Comment

Im Zusammenhang mit Facebook über Sicherheit zu reden ist ja so eine Sache, aber wie letztes Jahr (nicht zuletzt durch die Firefox Erweiterung Firesheep) gezeigt wurde ist es ein extremes Sicherheitsrisiko sich vor allem auf Seiten die der privaten Kommunikation dienen ohne eine permanent gesicherte Verbindung zu bewegen da die Gefahr des Identitätsdiebstahles besteht.

Facebook hat heute endlich darauf reagiert und bietet die Möglichkeit der dauerhaften SSL Verschlüsselung an die wirklich jeder einschalten sollte der Facebook nutzt. Zu finden ist die Option unter folgenden Menüpunkten:

Konto => Kontoeinstellungen => Kontosicherheit => Sicheres Durchstöbern

UPDATE:

Wie ich auf heise.de gerade lesen konnte gibt es ein Problem auf das unbedingt geachtet werden sollte. Beim benutzen von dritthersteller facebook Apps wird https deaktiviert da diese damit nicht kompatibel sind. Diese Deaktivierung ist nicht vorübergehend sondern permanent. Die Einstellung sollte also dringend im Anschluss wieder aktiviert werden. So ein Vorgehen seitens facebook zeigt nur mal wieder wie unwichtig denen die Sicherheit eigentlich ist

Are You Ready

a blog by Sebastian Basner

Browsed by
Category: Security