Application Security With Apache Shiro : Java security framework
The Hacker News

Are you frustrated when you try to secure your applications? Do you feel existing Java security solutions are difficult to use and only confuse you further? Apache Shiro is a Java security framework that provides a simple but powerful approach to application security. Les Hazlewood is the Apache Shiro PMC Chair and co-founder and CTO of Katasoft, a start-up focusing on application security products and Apache Shiro professional support.

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. It can be used to secure any application, from command-line and mobile applications to the largest web and enterprise applications. Shiro provides an application security API that covers the following concerns:
  • Authentication - proving user identity, often called user 'login'.
  • Authorization - access control
  • Cryptography - protecting or hiding data from prying eyes
  • Session Management - per-user time-sensitive state
Shiro also supports some auxiliary features, such as web application security, unit testing, and multithreading support, but these exist to reinforce the above four primary concerns.
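Authentication, authorization and session management as they look through Shiro's `Subject` API, in an added example that is not from the original article or the Shiro project. The account `alice`, its password, the `admin` role and the `report:read` permission are constructed for the demo, and the code assumes `shiro-core` is on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroConcernsDemo {
    public static void main(String[] args) {
        // Constructed demo account and role. A plaintext password in an
        // in-memory realm is for illustration only; real deployments
        // store salted password hashes in the realm's backing store.
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "s3cret, admin");
        ini.setSectionProperty("roles", "admin", "report:read");
        SecurityUtils.setSecurityManager(
                new DefaultSecurityManager(new IniRealm(ini)));

        Subject subject = SecurityUtils.getSubject();

        // Authentication: a bad credential raises an AuthenticationException
        // subclass; the subject stays anonymous until a login succeeds.
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }
        subject.login(new UsernamePasswordToken("alice", "s3cret"));
        System.out.println("authenticated: " + subject.isAuthenticated());

        // Authorization: role check and permission checks. Anything not
        // granted through a role is denied by default.
        System.out.println("has role admin: " + subject.hasRole("admin"));
        System.out.println("may read reports: " + subject.isPermitted("report:read"));
        System.out.println("may delete reports: " + subject.isPermitted("report:delete"));

        // Session management: per-user state with an idle timeout,
        // available here without any servlet container.
        Session session = subject.getSession();
        session.setAttribute("lastReport", "Q3");
        System.out.println("session timeout (ms): " + session.getTimeout());

        // Logout invalidates the session and clears the identity.
        subject.logout();
        System.out.println("after logout: " + subject.isAuthenticated());
    }
}
```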

The framework landscape has changed quite a bit since 2003, so there should still be a compelling reason to use Shiro today. There are quite a few reasons actually. Apache Shiro is:
  • Easy To Use - Ease of use is the project's ultimate goal. Application security can be extremely confusing and frustrating and thought of as a 'necessary evil'. If you make it so easy to use that novice programmers can start using it, it doesn't have to be painful anymore.
  • Comprehensive - There is no other security framework with the breadth of scope that Apache Shiro claims, so it can likely be your 'one stop shop' for your security needs.
  • Flexible - Apache Shiro can work in any application environment. While it works in web, EJB, and IoC environments it does not require them. Nor does Shiro mandate any specification or even have many dependencies.
  • Web Capable - Apache Shiro has fantastic web application support, allowing you to create flexible security policies based on application URLs and web protocols (e.g. REST), while also providing a set of JSP libraries to control page output.
  • Pluggable - Shiro's clean API and design patterns make it easy to integrate with many other frameworks and applications. You'll see Shiro integrated seamlessly with frameworks like Spring, Grails, Wicket, Tapestry, Mule, Apache Camel, Vaadin, and many others.
  • Supported - Apache Shiro is part of the Apache Software Foundation, an organization proven to act in the best interest of its community. The project development and user groups have friendly citizens ready to help.
