Shiro Pull Request 951

https stash.corp.netflix.com projects cme repos shiro pull-requests 951

Integrating SSO with Shiro Framework

Overview

This article walks through integrating single sign-on (SSO) with Apache Shiro, a popular Java security framework. SSO lets users access multiple applications after a single login. The integration provides authentication and authorization for several applications within one domain or across multiple domains.

Prerequisites

  • Java Development Kit (JDK) 8 or later
  • Apache Maven 3.0 or later
  • Shiro Framework 1.4 or later
  • Servlet container (e.g., Tomcat, Jetty)

Setup

  1. Create a New Maven Project:

    mvn archetype:generate -DgroupId=com.example -DartifactId=shiro-sso -DarchetypeArtifactId=maven-archetype-quickstart

  2. Add the Shiro Dependency:

Add the Shiro dependency to your project's pom.xml file:

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.4.0</version>
    </dependency>

  3. Configure Shiro:

Create a new file named shiro.ini in the src/main/resources directory. This file holds the Shiro configuration; the realm is defined as a named object and then assigned to the security manager:

    [main]
    myRealm = com.example.shiro.MyRealm
    securityManager.realms = $myRealm

  4. Create a Custom Realm:

In src/main/java/com/example/shiro, create a custom realm that extends AuthorizingRealm and overrides the doGetAuthenticationInfo and doGetAuthorizationInfo methods:

    package com.example.shiro;

    import java.util.Set;

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;

    public class MyRealm extends AuthorizingRealm {

        // Override doGetAuthenticationInfo to perform custom user authentication
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            // Perform username and password based authentication
            String username = (String) token.getPrincipal();
            String password = new String((char[]) token.getCredentials());

            // Retrieve user from database or LDAP; getUser verifies the password
            // against the user store and returns null when it does not match
            User user = getUser(username, password);

            // Return AuthenticationInfo if user is valid. Because the submitted
            // password is echoed back as the credentials, Shiro's default
            // credentials matcher adds no further check: getUser is the only
            // place where the password is actually verified.
            if (user != null) {
                return new SimpleAuthenticationInfo(username, password, getName());
            }
            // Throw exception if user is not valid
            throw new UnknownAccountException("User not found");
        }

        // Override doGetAuthorizationInfo to perform custom user authorization
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // Retrieve user roles and permissions from database or LDAP
            String username = principals.getPrimaryPrincipal().toString();
            Set<String> roles = getUserRoles(username);
            Set<String> permissions = getUserPermissions(username);

            // Return AuthorizationInfo (roles via the constructor, permissions via setter)
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
            info.setStringPermissions(permissions);
            return info;
        }

        // Application-specific lookups against the user store (database or LDAP).
        // Their bodies are not part of this guide and must be supplied by the application.
        protected User getUser(String username, String password) {
            throw new UnsupportedOperationException("look up and verify the user in your user store");
        }

        protected Set<String> getUserRoles(String username) {
            throw new UnsupportedOperationException("load roles from your user store");
        }

        protected Set<String> getUserPermissions(String username) {
            throw new UnsupportedOperationException("load permissions from your user store");
        }

        // Minimal account type returned by getUser; replace with the application's own
        public static class User {
            public final String username;

            public User(String username) {
                this.username = username;
            }
        }
    }
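The realm above leaves the credential check to an unspecified user store. The following stand-alone program, added here as an example and not part of the original article, shows the same two realm hooks driven end to end by Shiro's own machinery: the realm returns the stored salted hash, a HashedCredentialsMatcher re-hashes the submitted password and compares, and the Subject API exercises the resulting roles and permissions. The class name HashedRealmDemo, the in-memory user table and its account values are constructed for the demonstration; everything else is the standard shiro-core API.

```java
package com.example.shiro;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/** Example realm (hypothetical) backed by a constructed in-memory user table. */
public class HashedRealmDemo extends AuthorizingRealm {

    private static final int ITERATIONS = 1024;

    // Constructed sample store: username -> {salt, hex-encoded salted SHA-256}. Not real accounts.
    private final Map<String, String[]> users = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();

    public HashedRealmDemo() {
        // Tell Shiro how the stored credentials were produced so it can verify submissions
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);

        addUser("alice", "correct horse", "salt-alice", "admin");
    }

    private void addUser(String name, String password, String salt, String role) {
        String hash = new Sha256Hash(password, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
        users.put(name, new String[] {salt, hash});
        roles.put(name, Collections.singleton(role));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String[] record = users.get(username);
        if (record == null) {
            throw new UnknownAccountException("User not found");
        }
        // Hand back the STORED hash and salt; the matcher re-hashes the submitted password
        // and compares, so the realm never handles or echoes the plaintext itself.
        return new SimpleAuthenticationInfo(username, record[1],
                ByteSource.Util.bytes(record[0]), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = principals.getPrimaryPrincipal().toString();
        Set<String> userRoles = roles.getOrDefault(username, Collections.<String>emptySet());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(userRoles);
        if (userRoles.contains("admin")) {
            info.addStringPermission("document:*"); // wildcard permission for admins
        }
        return info;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedRealmDemo()));
        Subject subject = SecurityUtils.getSubject();

        // A wrong password fails inside the credentials matcher, not in our code
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong password"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }

        subject.login(new UsernamePasswordToken("alice", "correct horse"));
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("has admin role: " + subject.hasRole("admin"));
        System.out.println("document:read permitted: " + subject.isPermitted("document:read"));
        subject.logout();
    }
}
```

Run it with shiro-core on the classpath; the first login attempt is rejected with an IncorrectCredentialsException raised by the matcher, the second succeeds and the authorization checks return true. Keeping the hash comparison inside the matcher rather than inside getUser is what makes the realm's behaviour auditable in one place.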

Integrating with SSO

  1. Add a Servlet Filter:

In src/main/java/com/example/shiro, create a servlet filter that intercepts incoming requests and performs SSO authentication:

    package com.example.shiro;

    import java.io.IOException;
    import java.net.URLEncoder;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.subject.Subject;

    public class SSOServletFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // No configuration required
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // The Subject reflects this HTTP request only when Shiro's ShiroFilter
            // runs ahead of this filter and has bound the Subject to the thread
            Subject subject = SecurityUtils.getSubject();

            // Check if user is already authenticated
            if (subject.isAuthenticated()) {
                chain.doFilter(request, response);
                return;
            }

            // Redirect to the SSO login page, asking the provider to return to the requested URL.
            // The URL is percent-encoded so its own query string cannot break the redirect parameter.
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            String target = URLEncoder.encode(httpRequest.getRequestURL().toString(), "UTF-8");
            httpResponse.sendRedirect("https://sso.example.com/login?redirect=" + target);
        }

        @Override
        public void destroy() {
            // Nothing to release
        }
    }

  2. Register the Servlet Filter:

Configure the servlet filter in web.xml:

    <filter>
        <filter-name>SSOServletFilter</filter-name>
        <filter-class>com.example.shiro.SSOServletFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SSOServletFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Additional Considerations

  • SSL Configuration: Ensure that communication between the SSO provider and your application is encrypted using SSL.
  • Logout Handling: Implement a logout handler that removes the user's session when they log out through the SSO provider.
  • Cross-Site Request Forgery (CSRF) Protection: Enable CSRF protection in your Shiro configuration to block forged requests originating outside your application.
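The logout and CSRF points above interact: a logout that only ends the local session leaves the SSO provider's session alive, so the filter re-authenticates the user on the next request, and a logout reachable by GET can be triggered by a forged link. The servlet below, added here as an example and not code from the original article, ends the Shiro session, accepts POST only, and then sends the browser to the provider's logout endpoint with a return address built from the request rather than from user input. The class name SSOLogoutServlet, the provider URL https://sso.example.com/logout and the redirect parameter name are assumptions.

```java
package com.example.shiro;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

/** Hypothetical logout handler: ends the local Shiro session, then the provider's. */
public class SSOLogoutServlet extends HttpServlet {

    // Assumed SSO provider logout endpoint; substitute your provider's real value
    static final String SSO_LOGOUT_URL = "https://sso.example.com/logout";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject subject = SecurityUtils.getSubject();
        // logout() invalidates the Shiro session and clears cached authentication
        // and authorization state for this Subject
        subject.logout();

        // Return address after provider logout: the application's own root, derived
        // from the request so that a caller cannot steer the redirect elsewhere
        String home = req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort()
                + req.getContextPath() + "/";
        resp.sendRedirect(SSO_LOGOUT_URL + "?redirect=" + URLEncoder.encode(home, "UTF-8"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout is a state-changing action: refuse GET so a forged link or image
        // tag cannot log the user out, and point callers at the POST form instead
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "use POST to log out");
    }
}
```

Map the servlet to a path such as /logout in web.xml and submit the logout form to it with POST. Because the SSO filter from the previous section checks subject.isAuthenticated() on every request, the order matters: the local session must be gone before the browser is handed to the provider, otherwise a provider-side redirect back into the application would still find a live session.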

Conclusion

Integrating SSO with the Shiro Framework provides a secure and convenient way to manage user authentication and authorization across multiple applications. By following the steps outlined in this article, you can improve both the security and the user experience of your web applications.