Apache Shiro Security Model

The application code invoking Shiro APIs is trusted.

Configuration files (INI, properties, Spring beans, etc.) are controlled by trusted administrators.

The JVM and underlying operating system are secure.

Any Realm implementations and their backing data sources are trustworthy.

Properly sanitize and validate any user input before passing it to Shiro APIs.

Protect sensitive configuration values from exposure.

Implement proper transport-layer security (TLS/SSL) for credential transmission.

Credential Matching: Shiro verifies submitted credentials against stored credentials using configurable CredentialsMatcher implementations.

Realm Coordination: When multiple Realms are configured, the AuthenticationStrategy determines success/failure criteria.

Subject Identity: Upon successful authentication, Shiro establishes a Subject with verified principals.

Remember Me: Optional functionality to recognize returning users without full re-authentication (with weaker security guarantees than full authentication).

Credential Storage: Operators must ensure credentials are stored securely (hashed with appropriate algorithms like bcrypt or Argon2).

Brute-Force Protection: Shiro only includes built-in basic rate limiting for Jakarta EE only, but does not include account lockout. Operators should implement these controls at the application or infrastructure level.

Multi-Factor Authentication: MFA is not built into core Shiro; operators requiring MFA must implement custom Realm or AuthenticationStrategy extensions.

Configure your Realm to throw consistent exceptions regardless of failure reason.

Return generic authentication failure messages to end users.

Permission Resolution: Shiro resolves whether a Subject has specific permissions through configured Realm instances and permission resolvers.

Role Checking: Both implicit role checks (hasRole) and explicit permission-based checks (isPermitted) are supported.

Wildcard Permissions: The WildcardPermission implementation provides flexible, hierarchical permission strings (e.g., printer:print:lp7200).

Annotation Support: Declarative security via @RequiresAuthentication, @RequiresPermissions, @RequiresRoles, and related annotations.

Permission Assignment: Operators must correctly configure permission-to-role and role-to-user mappings in their data model.

Least Privilege: Shiro enforces permissions as configured; designing an appropriate permission model is the operator’s responsibility.

Realm Security: Authorization data sources (LDAP, databases, etc.) must be secured appropriately.

Container-Independent Sessions: Shiro can manage sessions without a Servlet container or EJB.

Session Validation: Configurable session timeout and validation scheduling.

Session Persistence: Pluggable SessionDAO for persisting sessions to any data store.

Session Fixation Prevention: Shiro can regenerate session IDs upon authentication when properly configured.

Session ID Exposure: Session identifiers should be treated as sensitive credentials. Transmit only over secure channels.

Session Storage: If using persistent sessions (e.g., database-backed SessionDAO), secure the backing store appropriately.

Clustering: In clustered deployments, ensure session serialization and shared storage are configured securely.

Hashing: Simplified APIs for cryptographic hashing (SHA-256, SHA-512, MD5, etc.) with salt and iteration support.

Encryption/Decryption: CipherService implementations for symmetric encryption (AES, Blowfish, etc.).

Password Hashing: PasswordService for secure credential hashing with configurable algorithms (Argon2, BCrypt).

Shiro’s cryptographic utilities are wrappers around standard Java cryptography (JCA/JCE) and BouncyCastle libraries.

Algorithm Selection: Operators must choose appropriate algorithms. Avoid deprecated algorithms (MD5, SHA-1 for security purposes). Avoid weak algorithms for passwords (use Argon2 or BCrypt with appropriate work factors).

Key Management: Shiro does not provide key management infrastructure. Secure key storage and rotation is the operator’s responsibility.

Filter Chain: URL-based security through configurable filter chains.

CSRF Protection: Not built-in; operators should implement CSRF tokens in their applications.

Path Matching: Shiro matches request paths against configured patterns using Ant-style path matching by default.

Ensure consistent path interpretation between Shiro and your web framework.

Review Security Reports for historical path traversal issues and mitigations.

Keep Shiro updated to receive security fixes.

Implement network-level access controls.

Use Web Application Firewalls (WAF) for additional request filtering.

Employ rate limiting and brute-force protection at the infrastructure level.

Conduct regular security assessments and penetration testing.

Submit arbitrary authentication credentials, session identifiers, and request data.

Observe authentication error responses (including timing).

Attempt session fixation, privilege escalation, and authorization bypass.

Run code in the application’s JVM process.

Read or modify application configuration files.

Tamper with Realm implementations or their backing data sources.

Application Code: As stated in Application-Level Trust, Shiro trusts the code that invokes its APIs. An attacker who can execute arbitrary code in the application’s JVM has already won at Shiro’s layer.

Administrators with Configuration Access: An attacker controlling INI files, Spring beans, or other configuration sources can disable security controls. Shiro relies on operators to secure these.

Local Shell Access / Co-Tenants: An attacker with shell access to the host can read process memory, log files, and the keystore. Shiro does not defend against this; isolate Shiro-secured applications appropriately.

Compromised Realms: An attacker controlling the LDAP server, database, or other Realm backing data can grant arbitrary access. Realm data sources are part of the trust boundary.