Apache Shiro is an application security framework that provides application developers very clean and simple ways of supporting four cornerstones of security in their applications: authentication, authorization, enterprise session management and cryptography.
Apache Shiro, like most useful tools, was created out of necessity. About 20% of clients I worked with needed to support a dynamic security model, where an administrator could assign users to groups and roles, and assign permissions to roles, and change all of this during runtime in a nice gui and/or web page.
Standard JAAS and EJB security models couldn’t cut it - they required static definitions that only programmers could change, requiring the application to re-deployed all over again. And although those 20% of clients required dynamic functionality, there were many more that would have liked that capability, even though it wasn’t a pure requirement for their applications. I quickly realized how useful something like this was and tried to see how I could achieve what many people wanted.
Like most of the Java community, I looked into JAAS to see if it could do what I wanted. After all, it was really the only security technology out there widely accessible to Java developers at the time. I did a lot of research, looking for ways that I might be able to coerce JAAS into doing what I wanted. Sometimes it came close. JAAS Authentication could meet my needs with a decent amount of effort, but JAAS Authorization didn’t even come close.
JAAS is tied too heavily tied to virtual machine-level concerns. As an application architect, I usually didn’t care one bit about whether or not a Class could execute inside the virtual machine. What I really wanted to control is whether or not the current user could execute a given method, often based on the method’s arguments. So, I hobbled a bit, creating some functionality to piggy-back JAAS and custom-coded the rest. The result was only usable on a few applications and wasn’t nearly as robust as I wanted.
Then I came to work on a really great application that pushed the limits of application security. This application was written for government organizations and needed extremely powerful yet flexible security support. The client required the following:
I looked at all of these requirements, and although a little extreme for most applications, I knew that there were a lot of other developers out there that could benefit from a framework that could do all of these things, even if they didn’t use them all.
I knew I would need to use this functionality again in some capacity or another, so I founded Apache Shiro’s predecessor project, named ‘JSecurity’ in 2004 to solve all of these issues. This time though, the project team began to build an incredibly clean Object-Oriented architecture from scratch, keeping change and flexibility in mind. Nearly every facet of Authentication, Authorization, transparent Session Management and Cryptography are customizable and pluggable. After moving to the Apache Software Foundation, we renamed the project to Apache Shiro.
Perhaps best of all, Apache Shiro is POJO and interface based. You can use it in any pojo container, servlet container, J2EE application server, or standalone application out of the box. And, we currently have some projects in the works to make integration into the most popular containers and servers as easy as possible.
Well, that’s how the JSecurity project and then Apache Shiro was started. We’re always looking to improve. Since Shiro is open-source, please think about joining the project or helping out, even if you just offer suggestions. Anything is appreciated!