Versions Compared

Old Version 7

changes.mady.by.user Claus Ibsen

Saved on

compared with

New Version Current

changes.mady.by.user Colm O hEigeartaigh

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

Maven users will need to add the following dependency to their pom.xml for this component:

Code Block
xml
xml

<dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>camel-shiro</artifactId>
    <version>x.x.x</version>
    <!-- use the same version as your Camel core version -->
</dependency>

...

Configuration details are provided to the ShiroSecurityPolicy using an Ini file (properties file) or an Ini object. The Ini file is a standard Shiro configuration file containing user/role details as shown below

Code Block

[users]
# user 'ringo' with password 'starr' and the 'sec-level1' role
ringo = starr, sec-level1
george = harrison, sec-level2
john = lennon, sec-level3
paul = mccartney, sec-level3

[roles]
# 'sec-level3' role has all permissions, indicated by the 
# wildcard '*'
sec-level3 = *

# The 'sec-level2' role can do anything with access of permission 
# readonly (*) to help
sec-level2 = zone1:*

# The 'sec-level1' role can do anything with access of permission 
# readonly   
sec-level1 = zone1:readonly:*

...

A ShiroSecurityPolicy object is instantiated as follows

Code Block

        private final String iniResourcePath = "classpath:shiro.ini";
        private final byte[] passPhrase = {
            (byte) 0x08, (byte) 0x09, (byte) 0x0A, (byte) 0x0B,
            (byte) 0x0C, (byte) 0x0D, (byte) 0x0E, (byte) 0x0F,
            (byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13,
            (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17};
        List<permission> permissionsList = new ArrayList<permission>();
        Permission permission = new WildcardPermission("zone1:readwrite:*");
        permissionsList.add(permission);

        final ShiroSecurityPolicy securityPolicy = 
            new ShiroSecurityPolicy(iniResourcePath, passPhrase, true, permissionsList);

ShiroSecurityPolicy Options

Div
classconfluenceTableSmall

Name

Default Value

Type

Description

iniResourcePath or ini

none

Resource String or Ini Object

A mandatory Resource String for the iniResourcePath or an instance of an Ini object must be passed to the security policy. Resources can be acquired from the file system, classpath, or URLs when prefixed with "file:, classpath:, or url:" respectively. For e.g "classpath:shiro.ini"

passPhrase

An AES 128 based key

byte[]

A passPhrase to decrypt ShiroSecurityToken(s) sent along with Message Exchanges

alwaysReauthenticate

true

boolean

Setting to ensure re-authentication on every individual request. If set to false, the user is authenticated and locked such than only requests from the same user going forward are authenticated.

permissionsList

none

List<Permission>

A List of permissions required in order for an authenticated user to be authorized to perform further action i.e continue further on the route. If no Permissions list or Roles List (see below) is provided to the ShiroSecurityPolicy object, then authorization is deemed as not required. Note that the default is that authorization is granted if any of the Permission Objects in the list are applicable.

rolesList

none

List<String>

Camel 2.13: A List of roles required in order for an authenticated user to be authorized to perform further action i.e continue further on the route. If no roles list or permissions list (see above) is provided to the ShiroSecurityPolicy object, then authorization is deemed as not required. Note that the default is that authorization is granted if any of the roles in the list are applicable.

cipherService

AES

org.apache.shiro.crypto.CipherService

Shiro ships with AES & Blowfish based CipherServices. You may use one these or pass in your own Cipher implementation

base64

false

boolean

Camel 2.12: To use base64 encoding for the security token header, which allows transferring the header over JMS etc. This option must also be set on ShiroSecurityTokenInjector as well.

allPermissionsRequired

false

boolean

Camel 2.13: The default is that authorization is granted if any of the Permission Objects in the permissionsList parameter are applicable. Set this to true to require all of the Permissions to be met.

allRolesRequired

false

boolean

Camel 2.13: The default is that authorization is granted if any of the roles in the rolesList parameter are applicable. Set this to true to require all of the roles to be met.

Wiki Markup
{div:class=confluenceTableSmall} || Name || Default Value || Type || Description || | {{iniResourcePath or ini}} | {{none}} | Resource String or Ini Object | A mandatory Resource String for the iniResourcePath or an instance of an Ini object must be passed to the security policy. Resources can be acquired from the file system, classpath, or URLs when prefixed with "file:, classpath:, or url:" respectively. For e.g "classpath:shiro.ini" | | {{passPhrase}} | {{An AES 128 based key}} | byte[] | A passPhrase to decrypt ShiroSecurityToken(s) sent along with Message Exchanges | | {{alwaysReauthenticate}} | {{true}} | boolean | Setting to ensure re-authentication on every individual request. If set to false, the user is authenticated and locked such than only requests from the same user going forward are authenticated. | | {{permissionsList}} | {{none}} | List<Permission> | A List of permissions required in order for an authenticated user to be authorized to perform further action i.e continue further on the route. If no Permissions list is provided to the ShiroSecurityPolicy object, then authorization is deemed as not required | | {{cipherService}} | {{AES}} | org.apache.shiro.crypto.CipherService | Shiro ships with AES & Blowfish based CipherServices. You may use one these or pass in your own Cipher implementation | | {{base64}} | {{false}} | {{boolean}} | *Camel 2.12:* To use base64 encoding for the security token header, which allows transferring the header over [JMS] etc. This option must also be set on {{ShiroSecurityTokenInjector}} as well. | {div}

Applying Shiro Authentication on a Camel Route

The ShiroSecurityPolicy, tests and permits incoming message exchanges containing a encrypted SecurityToken in the Message Header to proceed further following proper authentication. The SecurityToken object contains a Username/Password details that are used to determine where the user is a valid user.

Code Block

    protected RouteBuilder createRouteBuilder() throws Exception {
        final ShiroSecurityPolicy securityPolicy = 
            new ShiroSecurityPolicy("classpath:shiro.ini", passPhrase);
        
        return new RouteBuilder() {
            public void configure() {
                onException(UnknownAccountException.class).
                    to("mock:authenticationException");
                onException(IncorrectCredentialsException.class).
                    to("mock:authenticationException");
                onException(LockedAccountException.class).
                    to("mock:authenticationException");
                onException(AuthenticationException.class).
                    to("mock:authenticationException");
                
                from("direct:secureEndpoint").
                    to("log:incoming payload").
                    policy(securityPolicy).
                    to("mock:success");
            }
        };
    }

...

Authorization can be applied on a camel route by associating a Permissions List with the ShiroSecurityPolicy. The Permissions List specifies the permissions necessary for the user to proceed with the execution of the route segment. If the user does not have the proper permission set, the request is not authorized to continue any further.

Code Block

    protected RouteBuilder createRouteBuilder() throws Exception {
        final ShiroSecurityPolicy securityPolicy = 
            new ShiroSecurityPolicy("./src/test/resources/securityconfig.ini", passPhrase);
        
        return new RouteBuilder() {
            public void configure() {
                onException(UnknownAccountException.class).
                    to("mock:authenticationException");
                onException(IncorrectCredentialsException.class).
                    to("mock:authenticationException");
                onException(LockedAccountException.class).
                    to("mock:authenticationException");
                onException(AuthenticationException.class).
                    to("mock:authenticationException");
                
                from("direct:secureEndpoint").
                    to("log:incoming payload").
                    policy(securityPolicy).
                    to("mock:success");
            }
        };
    }

...

A ShiroSecurityToken object may be created and injected into a Message Exchange using a Shiro Processor called ShiroSecurityTokenInjector. An example of injecting a ShiroSecurityToken using a ShiroSecurityTokenInjector in the client is shown below

Code Block

    ShiroSecurityToken shiroSecurityToken = new ShiroSecurityToken("ringo", "starr");
    ShiroSecurityTokenInjector shiroSecurityTokenInjector = 
        new ShiroSecurityTokenInjector(shiroSecurityToken, passPhrase);

    from("direct:client").
        process(shiroSecurityTokenInjector).
        to("direct:secureEndpoint");

...

You can send a message to a Camel route with a header of key ShiroSecurityConstants.SHIRO_SECURITY_TOKEN of the type org.apache.camel.component.shiro.security.ShiroSecurityToken that contains the username and password. For example:

Code Block

        ShiroSecurityToken shiroSecurityToken = new ShiroSecurityToken("ringo", "starr");

        template.sendBodyAndHeader("direct:secureEndpoint", "Beatle Mania", ShiroSecurityConstants.SHIRO_SECURITY_TOKEN, shiroSecurityToken);

You can also provide the username and password in two different headers as shown below:

Code Block

        Map<String, Object> headers = new HashMap<String, Object>();
        headers.put(ShiroSecurityConstants.SHIRO_SECURITY_USERNAME, "ringo");
        headers.put(ShiroSecurityConstants.SHIRO_SECURITY_PASSWORD, "starr");
        template.sendBodyAndHeaders("direct:secureEndpoint", "Beatle Mania", headers);

When you use the username and password headers, then the ShiroSecurityPolicy in the Camel route will automatic transform those into a single header with key ShiroSecurityConstants.SHIRO_SECURITY_TOKEN with the token. Then token is either a ShiroSecurityToken instance, of or a base64 representation as a String (the latter is when you have set base64=true).