Old version of this page (version 3).

This page contains topics supporting ongoing discussion at dev@syncope.apache.org.

Tracked as SYNCOPE-699.

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.


The following outlines a proposal for integrating Shiro, aimed at improving how authentication and authorization are handled.

References are given against the master branch in Git, whose version is currently set to the upcoming 2.0.0.

Current implementation

The current implementation relies directly on Spring Security; its configuration is defined in securityContext.xml and parametrized by security.properties.

core

Authentication

By default, HTTP Basic authentication with no session is configured: every request carries credentials and is verified afresh.

Credential verification is essentially implemented by SyncopeAuthenticationProvider (and related classes), based on the supplied domain, username and password:

  1. special username values are checked first ("admin" and "anonymous" get different handling)
  2. for non-special users, the supplied password is encoded (hashed or encrypted, depending on the cipher algorithm selected for the given user) and then compared with the stored value
  3. if password verification succeeds, the authenticating user is granted the subset of the defined entitlements that follows from the roles it owns (see details of the new security model)
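The three steps above, modelled in plain Java as an added example (this is not Syncope's SyncopeAuthenticationProvider and uses no Spring Security). The admin password, domain list, users, roles and the role-to-entitlement mapping are constructed sample data; in Syncope the admin password is itself kept digested in security.properties and the users come from the internal storage. Only digest-based cipher algorithms are shown, and the comparison uses MessageDigest.isEqual so that it runs in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical, self-contained model of the three verification steps (not Syncope's code). */
public class CredentialVerificationExample {

    /** Per-user cipher algorithm, mapped to the JCA digest name; salted variants would also need the stored salt. */
    enum CipherAlgorithm {
        SHA1("SHA-1"), SHA256("SHA-256"), SHA512("SHA-512");
        final String jca;
        CipherAlgorithm(String jca) { this.jca = jca; }
    }

    static final class StoredUser {
        final CipherAlgorithm cipherAlgorithm;
        final byte[] storedPassword;   // digest of the password, as kept in the internal storage
        final Set<String> roles;
        StoredUser(CipherAlgorithm a, byte[] p, Set<String> r) { cipherAlgorithm = a; storedPassword = p; roles = r; }
    }

    static final class AuthenticationFailed extends Exception {
        AuthenticationFailed(String msg) { super(msg); }
    }

    // Constructed sample data (assumption): admin password, domains, users, role -> entitlements.
    static final String ADMIN_PASSWORD = "adminpass";   // in Syncope this lives, digested, in security.properties
    static final Set<String> DOMAINS = Set.of("Master", "Two");
    static final Set<String> ALL_ENTITLEMENTS = Set.of("USER_CREATE", "USER_READ", "USER_UPDATE", "USER_DELETE");
    static final Map<String, Set<String>> ROLE_ENTITLEMENTS = Map.of(
            "User administrator", Set.of("USER_CREATE", "USER_READ", "USER_UPDATE", "USER_DELETE"),
            "User reader", Set.of("USER_READ"));
    static final Map<String, StoredUser> USERS = Map.of(
            "rossini", new StoredUser(CipherAlgorithm.SHA256, digest(CipherAlgorithm.SHA256, "password"), Set.of("User reader")),
            "verdi", new StoredUser(CipherAlgorithm.SHA1, digest(CipherAlgorithm.SHA1, "password"), Set.of("User administrator")));

    static byte[] digest(CipherAlgorithm algorithm, String password) {
        try {
            return MessageDigest.getInstance(algorithm.jca).digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns the entitlements granted to the authenticated user, or throws if verification fails. */
    static Set<String> authenticate(String domain, String username, String password) throws AuthenticationFailed {
        if (!DOMAINS.contains(domain)) {
            throw new AuthenticationFailed("Unknown domain");
        }
        // 1. special usernames
        if ("admin".equals(username)) {
            byte[] supplied = password.getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(supplied, ADMIN_PASSWORD.getBytes(StandardCharsets.UTF_8))) {
                throw new AuthenticationFailed("Bad credentials");
            }
            return ALL_ENTITLEMENTS;
        }
        if ("anonymous".equals(username)) {
            return Collections.emptySet();   // anonymous carries no entitlements in this model
        }
        // 2. digest the supplied password with the user's own cipher algorithm, then compare in constant time
        StoredUser user = USERS.get(username);
        if (user == null) {
            throw new AuthenticationFailed("Bad credentials");   // same message as a wrong password: no username enumeration
        }
        byte[] supplied = digest(user.cipherAlgorithm, password);
        if (!MessageDigest.isEqual(supplied, user.storedPassword)) {
            throw new AuthenticationFailed("Bad credentials");
        }
        // 3. entitlements = union of the entitlements attached to the user's roles
        Set<String> entitlements = new HashSet<>();
        for (String role : user.roles) {
            entitlements.addAll(ROLE_ENTITLEMENTS.getOrDefault(role, Collections.emptySet()));
        }
        return Collections.unmodifiableSet(entitlements);
    }

    public static void main(String[] args) throws AuthenticationFailed {
        System.out.println(authenticate("Master", "verdi", "password"));     // all four USER_* entitlements
        System.out.println(authenticate("Master", "rossini", "password"));   // [USER_READ]
        try {
            authenticate("Master", "rossini", "wrong");
        } catch (AuthenticationFailed e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that the whole verification, including the digest over the stored value, is repeated for every request under Basic authentication with no session, which is exactly the cost the proposal below wants to avoid.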

Authorization

All public methods of the business logic layer classes are annotated with Spring Security's @PreAuthorize, using several of its expression language built-ins (such as hasRole(...) and hasAnyRole(...)) evaluated against the entitlements granted at authentication time.
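To show what annotation-based authorization does at the method boundary, here is an added, self-contained Java example that mimics @PreAuthorize("hasAnyRole(...)") with a hypothetical @RequiresAnyEntitlement annotation and a java.lang.reflect.Proxy; it is neither Spring Security nor Syncope's code, and the UserLogic interface, its methods and the entitlement names are constructed for illustration. Unlike Spring's default, a method without an annotation is denied here (fail closed).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Set;

/** Hypothetical stand-in for @PreAuthorize("hasAnyRole(...)"): not Spring Security, not Syncope's code. */
public class AnnotationAuthorizationExample {

    /** The annotated method requires at least one of the listed entitlements. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresAnyEntitlement { String[] value(); }

    static final class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    /** Business-logic interface, annotated the way Syncope's logic layer classes are (constructed example). */
    interface UserLogic {
        @RequiresAnyEntitlement("USER_CREATE")
        String create(String username);

        @RequiresAnyEntitlement({"USER_READ", "USER_UPDATE"})
        String read(String username);

        String unannotated();   // no annotation: denied by this proxy (fail closed)
    }

    static final class UserLogicImpl implements UserLogic {
        public String create(String username) { return "created " + username; }
        public String read(String username) { return "read " + username; }
        public String unannotated() { return "should never be reached"; }
    }

    /** Wraps the target so every invocation is checked against the caller's entitlements before it runs. */
    static UserLogic secure(UserLogic target, Set<String> callerEntitlements) {
        InvocationHandler handler = (proxy, method, args) -> {
            // the annotation is read from the interface method, where @PreAuthorize would be declared
            RequiresAnyEntitlement required = method.getAnnotation(RequiresAnyEntitlement.class);
            if (required == null) {
                throw new AccessDenied(method.getName() + " has no authorization annotation");
            }
            boolean allowed = false;
            for (String entitlement : required.value()) {
                if (callerEntitlements.contains(entitlement)) { allowed = true; break; }
            }
            if (!allowed) {
                throw new AccessDenied(method.getName() + " requires one of " + String.join(",", required.value()));
            }
            return method.invoke(target, args);
        };
        return (UserLogic) Proxy.newProxyInstance(
                UserLogic.class.getClassLoader(), new Class<?>[] {UserLogic.class}, handler);
    }

    public static void main(String[] args) {
        // entitlements as returned by a successful authentication of a "User reader"
        UserLogic reader = secure(new UserLogicImpl(), Set.of("USER_READ"));
        System.out.println(reader.read("rossini"));   // read rossini
        try {
            reader.create("bellini");                  // denied: USER_CREATE missing
        } catch (AccessDenied e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The check depends entirely on the entitlement set established at authentication; with sessions (see the proposal below) that set must be bound to the session and refreshed or invalidated when the user's roles change.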

console

Authentication and authorization are built around wicket-auth-roles's AuthenticatedWebApplication in SyncopeConsoleApplication (and related classes).

In particular, fine-grained conditions are set on individual components, based on the entitlements owned by the current user.

Integration proposal

The idea is to leverage Shiro to improve several aspects:

  • introduce session management
    • avoid checking the internal storage for each and every operation (credentials are verified once, subsequent requests present a session identifier)
    • make the upgrade from Basic to Digest authentication cost-effective
    • bonus 1: clustering support is available
    • bonus 2: a separate session store (Shiro's SessionDAO) is available, for scaling
  • keep annotation-based authorization
  • design a better integration between core (currently session-less) and console (which does maintain a session), especially in view of having more clients (CLI and end-user)
  • prepare for an OAuth 2.0 provider implementation
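The following added example (not code from the Syncope project) sketches the first two points with Shiro's own API: a hypothetical AuthorizingRealm named SyncopeLikeRealm plays the part of SyncopeAuthenticationProvider (stored salted SHA-256 hash, roles mapped to entitlements exposed as Shiro permissions), login happens once, and a later request resumes the Subject from its session id instead of presenting credentials again. The user store, salts, roles and entitlement names are constructed sample data; it needs shiro-core on the classpath and Java 9+ (Map.of/Set.of).

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

import java.io.Serializable;
import java.util.Map;
import java.util.Set;

/** Added example, not Syncope code: a Shiro realm plus session-based re-authentication. */
public class ShiroSessionExample {

    // Constructed user store (assumption): username -> salt, salted+iterated SHA-256 hex, roles; role -> entitlements.
    static final int ITERATIONS = 1024;
    static final Map<String, String> SALTS = Map.of("rossini", "salt-rossini");
    static final Map<String, String> HASHES = Map.of(
            "rossini", new Sha256Hash("password", ByteSource.Util.bytes("salt-rossini"), ITERATIONS).toHex());
    static final Map<String, Set<String>> ROLES = Map.of("rossini", Set.of("User reader"));
    static final Map<String, Set<String>> ROLE_ENTITLEMENTS = Map.of("User reader", Set.of("USER_READ"));

    /** Shiro counterpart of SyncopeAuthenticationProvider: supplies stored credentials and entitlements. */
    static final class SyncopeLikeRealm extends AuthorizingRealm {
        SyncopeLikeRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);   // Shiro hashes the submitted password and compares, we never do it by hand
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            String username = (String) token.getPrincipal();
            String storedHash = HASHES.get(username);
            if (storedHash == null) {
                throw new UnknownAccountException();   // surfaced to the client as a generic failure
            }
            return new SimpleAuthenticationInfo(username, storedHash, ByteSource.Util.bytes(SALTS.get(username)), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(ROLES.getOrDefault(username, Set.of()));
            for (String role : info.getRoles()) {
                for (String entitlement : ROLE_ENTITLEMENTS.getOrDefault(role, Set.of())) {
                    info.addStringPermission(entitlement);   // entitlements become Shiro permissions
                }
            }
            return info;
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new SyncopeLikeRealm());
        securityManager.setCacheManager(new MemoryConstrainedCacheManager());   // lets the realm cache authorization info
        SecurityUtils.setSecurityManager(securityManager);

        // first request: credentials are verified against the realm exactly once
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("rossini", "password"));
        Session session = subject.getSession();
        session.setTimeout(15 * 60 * 1000L);   // idle timeout in milliseconds: sessions must expire
        Serializable sessionId = session.getId();
        System.out.println("permitted USER_READ: " + subject.isPermitted("USER_READ"));   // true
        System.out.println("permitted USER_CREATE: " + subject.isPermitted("USER_CREATE")); // false

        // later request from the same client: only the session id is presented, no password, no storage lookup
        Subject resumed = new Subject.Builder().sessionId(sessionId).buildSubject();
        System.out.println("resumed authenticated: " + resumed.isAuthenticated());   // true

        resumed.logout();   // invalidates the session: the id must not be accepted afterwards
        Subject afterLogout = new Subject.Builder().sessionId(sessionId).buildSubject();
        System.out.println("after logout authenticated: " + afterLogout.isAuthenticated());   // false
    }
}
```

Swapping MemoryConstrainedCacheManager and the default in-memory session storage for a shared cache and a SessionDAO backed by external storage is what the "clustering" and "separate session store" bonuses refer to; whatever store is used, the session identifier becomes the bearer credential for every subsequent call, so it must be unguessable, transmitted only over TLS, expired on idle and invalidated on logout.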