This is Stuff

Last time I wrote about cryptography, I outlined Apache Shiro crypto API and shown how to use its two symmetric ciphers. I also wrote that "You do not need more to encrypt and decrypt sensitive data in your applications."

I learned more about cryptography and found out that you need to know more. What I wrote is true to some extend, but unless you are careful your sensitive data may not be secure against all attackers.

Out of the box Shiro provides Blowfish-CBC and AES-CBC encryption methods and I recommended to use them. Both have been designed to protect against passive eavesdropping attacker and are good at it. Unfortunately, real attackers are more sophisticated and may break the system based on them.

Besides securing web pages and managing access rights Apache Shiro does also basic cryptography tasks. The framework is able to:

• encrypt and decrypt data,
• hash data,
• generate random numbers.

Shiro does not implement any cryptography algorithms. All calculations are delegated to Java Cryptography Extension (JCE) API. The main benefit of using Shiro instead of what is already present in Java is ease of use and secure defaults. Shiro crypto module is written in higher abstraction level and by default implements all known best practices.

AppSensor is intrusion detection framework described in an another post. Out of the box version assumes that underlying application supports ESAPI interfaces. In this post, we will take an application secured by Shiro framework which does not support ESAPI and integrate it with AppSensor.

This post is only about integration. It does not show how to add AppSensor to the application, nor what it is, nor how to use it. All that can be found in AppSensor - Intrusion Detection post.

This is second part of series dedicated to Apache Shiro. We started previous part with simple unsecured web application. When we finished, the application had basic authentication and authorization. Users could log in and log out. All web pages and buttons had access rights assigned and enforced. Both authorization and authentication data have been stored in static configuration file.

As we promised in the end of last part, we will move user account data to database. In addition, we will give users an option to authenticate themselves via PGP certificates. As a result, our application will have multiple alternative log in options: log in with user name/password and log in with certificate. We will finish by turning alternative log in options mandatory.

Apache Shiro, originally called JSecurity, is Java security framework. It was accepted and became Apache top level project in 2010. It aims to be powerful and easy to be used.