This page contains topics supporting ongoing discussion at firstname.lastname@example.org.
Tracked as SYNCOPE-699.
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
What follows outlines a proposal for integrating Shiro into Syncope, in order to improve authentication and authorization handling.
References are given against the master branch in Git, whose version is currently set to the upcoming 2.0.0.
By default, the core is configured for HTTP Basic authentication with no session: every request carries its own credentials and is authenticated anew.
Credentials are essentially verified by SyncopeAuthenticationProvider (and related classes), based on the passed domain, username and password:
- special username values are checked first ("admin" and "anonymous" get different handling)
- for non-special users, the submitted password is hashed or encrypted according to the cipher algorithm selected for that user, and the result is compared with the stored value
- if password verification succeeds, the authenticating user is granted the subset of the defined entitlements that follows from the roles it owns (see details of the new security model)
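The three steps above map onto a single Shiro realm: `doGetAuthenticationInfo` resolves the account (special names first), a custom `CredentialsMatcher` re-hashes the submitted password with the algorithm stored for that user and compares it in constant time, and `doGetAuthorizationInfo` turns owned roles into entitlements, which Shiro then exposes through `Subject.isPermitted`. The class below is an added example written for this page, not Syncope or Shiro code. It assumes Shiro 1.x and Java 17 or later, a hypothetical `DomainToken` to carry the domain next to username and password, a `StoredUser` stand-in for the internal storage with constructed users, role and entitlement names, unsalted single-iteration digests identified by their JCA name, and that "admin" and "anonymous" are verified against digests kept outside the user table and directly receive their entitlements; reversible (AES-like) cipher algorithms would need a decrypt-and-compare matcher and are left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Added example (not Syncope code): the verification steps above expressed as a single Shiro realm. */
public class SyncopeRealmExample extends AuthorizingRealm {

    /** Hypothetical token carrying the Syncope domain next to username and password. */
    public static class DomainToken extends UsernamePasswordToken {
        private final String domain;
        public DomainToken(final String domain, final String username, final String password) {
            super(username, password);
            this.domain = domain;
        }
        public String getDomain() { return domain; }
    }

    /** Constructed stand-in for a stored user: JCA cipher algorithm, stored digest (hex), owned roles. */
    record StoredUser(String cipherAlgorithm, String storedHex, Set<String> roles) { }

    // Assumption: unsalted, single-iteration digests computed with the algorithm stored for the user.
    static String digest(final String cipherAlgorithm, final String clear) {
        return new SimpleHash(cipherAlgorithm, clear).toHex();
    }

    // Constructed sample data; a real realm would query the internal storage instead.
    private static final Map<String, StoredUser> USERS = Map.of(
            "rossini", new StoredUser("SHA-256", digest("SHA-256", "password"), Set.of("USER_MANAGER")),
            "verdi", new StoredUser("SHA-1", digest("SHA-1", "password"), Set.of("AUDITOR")));
    private static final Map<String, Set<String>> ROLE_ENTITLEMENTS = Map.of(
            "USER_MANAGER", Set.of("USER_SEARCH", "USER_CREATE", "USER_UPDATE"),
            "AUDITOR", Set.of("USER_SEARCH", "AUDIT_LIST"));
    // Assumption: special users are verified against digests configured outside the user table, and
    // their "roles" field directly holds their entitlements (every one defined for admin, one for anonymous).
    private static final Map<String, StoredUser> SPECIAL = Map.of(
            "admin", new StoredUser("SHA-256", digest("SHA-256", "admin-secret"),
                    Set.of("USER_SEARCH", "USER_CREATE", "USER_UPDATE", "AUDIT_LIST", "CONFIGURATION_UPDATE")),
            "anonymous", new StoredUser("SHA-256", digest("SHA-256", "anonymous-key"), Set.of("ANONYMOUS")));

    public SyncopeRealmExample() {
        setName("syncope");
        setAuthenticationTokenClass(DomainToken.class);
        setCredentialsMatcher(new PerUserCipherMatcher());
    }

    /** Re-hashes the submitted password with that user's own algorithm, then compares in constant time. */
    static class PerUserCipherMatcher implements CredentialsMatcher {
        @Override
        public boolean doCredentialsMatch(final AuthenticationToken token, final AuthenticationInfo info) {
            StoredUser stored = (StoredUser) info.getCredentials();
            String submitted = digest(stored.cipherAlgorithm(), new String(((UsernamePasswordToken) token).getPassword()));
            return MessageDigest.isEqual(submitted.getBytes(StandardCharsets.US_ASCII),
                    stored.storedHex().getBytes(StandardCharsets.US_ASCII));
        }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token) {
        DomainToken t = (DomainToken) token;
        String principal = t.getDomain() + "/" + t.getUsername();
        // Special usernames are resolved first; everybody else comes from the internal storage.
        StoredUser stored = SPECIAL.containsKey(t.getUsername()) ? SPECIAL.get(t.getUsername()) : USERS.get(t.getUsername());
        if (stored == null) throw new UnknownAccountException(principal);
        return new SimpleAuthenticationInfo(principal, stored, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection principals) {
        String username = ((String) principals.getPrimaryPrincipal()).split("/", 2)[1];
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (SPECIAL.containsKey(username)) {
            info.addStringPermissions(SPECIAL.get(username).roles());
        } else {
            for (String role : USERS.get(username).roles()) {
                info.addRole(role);
                info.addStringPermissions(ROLE_ENTITLEMENTS.getOrDefault(role, Set.of()));
            }
        }
        return info;
    }

    public static void main(final String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new SyncopeRealmExample()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new DomainToken("Master", "rossini", "password"));
        System.out.println(subject.isPermitted("USER_CREATE"));          // true, through USER_MANAGER
        System.out.println(subject.isPermitted("CONFIGURATION_UPDATE")); // false, admin only
        subject.logout();
        try {
            subject.login(new DomainToken("Master", "verdi", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Two design points worth keeping when this is ported to the real storage: the matcher never branches on the password bytes (`MessageDigest.isEqual` is constant time) and an unknown account, a wrong password and an unsupported algorithm all surface to the caller as `AuthenticationException` subclasses, so a login endpoint can map them to one generic failure response without leaking which case occurred.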
On the console side, authentication and authorization are built around wicket-auth-roles' AuthenticatedWebApplication, in SyncopeConsoleApplication (and related classes).
In particular, fine-grained conditions are set on individual components based on the entitlements owned by the current user.
The idea is to leverage Shiro to enhance several aspects:
- introduce session management
- avoid checking the internal storage for each and every operation
- make the upgrade from basic to digest authentication cost-effective
- bonus 1: Shiro sessions come with clustering support
- bonus 2: Shiro keeps the session store as a separate concept (SessionDAO), which helps scaling
- keep annotation-based authorization
- design a better integration between core (currently session-less) and console (which does define a session), especially with more clients (CLI and end-user) in sight
- leverage the "Run As" feature to implement delegation (SYNCOPE-129)
- prepare for an OAuth 2.0 provider implementation
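The session management and "Run As" items above are tied together: Shiro keeps the run-as identity stack in the subject's session, so delegation only works once sessions exist. The class below is an added example written for this page, not Syncope or Shiro code, showing what delegation looks like on Shiro 1.x: an `IniRealm` with constructed in-memory users and roles stands in for a Syncope-backed realm, a hypothetical `DELEGATE:<username>` entitlement models who may act on behalf of whom, and the hypothetical `delegateTo` helper enforces that policy, since `Subject.runAs` performs no authorization check of its own. It also shows the two identities an audit record for a delegated operation needs (the effective principal and the one that actually logged in) and `releaseRunAs` restoring the original entitlements.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Added example (not Syncope code): delegation built on Shiro's "Run As" feature and sessions. */
public class RunAsDelegationExample {

    // Constructed in-memory users and roles; a real deployment would plug in a realm backed by Syncope.
    // Assumption: a "DELEGATE:<username>" entitlement models who may act on behalf of whom.
    private static final String INI = String.join("\n",
            "[users]",
            "rossini = password, USER_MANAGER",
            "verdi = password, AUDITOR",
            "[roles]",
            "USER_MANAGER = USER_SEARCH, USER_CREATE, DELEGATE:verdi",
            "AUDITOR = AUDIT_LIST");

    static IniRealm realm() {
        Ini ini = new Ini();
        ini.load(INI);
        return new IniRealm(ini);
    }

    /** runAs() itself checks nothing: the delegation policy has to be enforced by the application. */
    static void delegateTo(final Subject subject, final String target, final String realmName) {
        if (!subject.isPermitted("DELEGATE:" + target)) {
            throw new AuthorizationException(subject.getPrincipal() + " may not act as " + target);
        }
        subject.runAs(new SimplePrincipalCollection(target, realmName));
    }

    public static void main(final String[] args) {
        IniRealm realm = realm();
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("rossini", "password"));

        // The run-as stack is stored in the Shiro session: this is why delegation needs session management.
        Session session = subject.getSession();
        session.setAttribute("delegationReason", "covering for the auditor on leave");

        System.out.println(subject.isPermitted("AUDIT_LIST"));   // false: rossini is no AUDITOR
        delegateTo(subject, "verdi", realm.getName());
        System.out.println(subject.isRunAs());                    // true
        System.out.println(subject.isPermitted("AUDIT_LIST"));   // true: checks now use verdi's entitlements

        // Audit both identities: the effective one and the one that actually logged in.
        System.out.println(subject.getPrincipal() + " on behalf of "
                + subject.getPreviousPrincipals().getPrimaryPrincipal()
                + " (" + session.getAttribute("delegationReason") + ")");

        subject.releaseRunAs();
        System.out.println(subject.isPermitted("AUDIT_LIST"));   // false again

        try {
            delegateTo(subject, "admin", realm.getName());        // not covered by DELEGATE:verdi
        } catch (AuthorizationException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Because the run-as stack lives in the session, a clustered or externally stored session (the two "bonus" points above) carries an active delegation across nodes for free, and ending the session ends the delegation; conversely, any endpoint that records "who did this" must read `getPreviousPrincipals()` as well as `getPrincipal()`, otherwise the delegate appears as the author of the delegator's actions.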