This page contains topics supporting ongoing discussion at dev@syncope.apache.org.
Tracked as SYNCOPE-699.
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
In the following an integration proposal with Shiro, for improved authentication and authorization handling, is outlined.
References are provided against master branch in GIT, with version currently set to upcoming 2.0.0.
Current implementation
The current implementation relies directly on Spring Security and configuration is defined in securityContext.xml and parametrized by security.properties.
core
Authentication
By default, basic authentication with no session is defined.
The credentials verification is essentially implemented by SyncopeAuthenticationProvider (and related), based on the passed domain, username and password:
- check for special username values is performed ("admin" and "anonymous" get different handling)
- for non-special users, password value is encrypted according to the cipher algorithm selected for the given user and then compared with the stored value
- if password verification succeeds, authenticating user is given the subset of defined entitlements, according to owned roles (see details of the new security model)
Authorization
All public methods belonging to classes of the business logic layer are annotated via Spring Security's @PreAuthorize with several expression language built-ins.
console
Authentication and authorization are built around wicket-auth-roles's AuthenticatedWebApplication in SyncopeConsoleApplication (and related).
In particular, fine-grained conditions are set on individual components based on the entitlements owned by current user.
Integration proposal
The idea is to empower Shiro for enhancing several aspects:
- introduce session management
- avoid checking the internal storage for each and every operation
- make the upgrade from basic to digest authentication cost-effective
- bonus 1: clustering support is there
- bonus 2: separate session store concept is available, for scaling
- keep annotation-based authorization
- design better integration between core (currently session-less) and console (where session is defined instead), especially with the perspective of having more clients (CLI and end-user)
- leverage the "Run As" feature for implementing delegation (SYNCOPE-129)
- prepare for OAuth 2.0 provider implementation
4 Comments
Francesco Chicchiriccò
I am actually not sure if Shiro is the right choice to implement what described.
As alternative approach, once can think of enhancing the current Spring Security usage and introducing Spring Session for session management.
Colm O hEigeartaigh
I agree that Shiro is not needed. Do we really need to introduce Spring Session though, won't Spring Security take care of it already, via for example "<sec:session-management session-authentication-strategy-ref="sas"/>"?
Perhaps Apache CXF Fediz could give us some pointers here. It ships with a plugin for Spring Security for WS-Federation, that sets up a session based on parsing a SAML Token received as part of the redirection process involved in WS-Federation SSO:
https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=tree;f=plugins/spring;h=f4f6d060128b96872d3eadff6955897658163443;hb=HEAD
A webapp configuration using this module is here:
https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=blob;f=systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml;h=2f5a518d013c8fedd672b14fc96f21398e523158;hb=HEAD
Francesco Chicchiriccò
I believe we need - for Syncope 2.1 at earliest, anyway - to introduce a proper session store abstraction which will allow to select among different implementations - from simpler (in-memory) to more advanced (LDAP, RDBMS, ...) which can be empowered in HA scenarios.
Does Fediz provide something similar? AFAIU Spring Security's session management does not provide such feature, while Spring Session does.
Colm O hEigeartaigh
I don't know if Spring Security's Session management is done internally or whether it delegates to the underlying J2EE container. If the latter then wouldn't this suffice, as we could rely on container clustering etc.?