Have you seen Apache Shiro yet? Security may not be the sexiest thing on the block, but this little framework is quite nice. It provides a very robust, yet easy to use security mechanism out of the box. Why yet another security framework? There are two reasons that it appealed to me:
- It is the only security framework out there that I’ve seen that actually has a nice generic permissions framework. In addition to working with the basic role/permission model, it also includes support for wildcard and object permissions, allowing you to lock down your application at a fine grained level.
- It is extremely easy to understand and use. No complex magic, just a few important concepts which are clearly outlined in the documentation.
I took a stab at writing integrating it with Mule recently and the result is up on github.
Using Shiro with Mule
Using it is pretty simple. First off, you need to declare your basic Shrio security setup:
There are a couple items that should be explained here:
- The Shiro realm – Realms in Shiro map to databases/property files/etc where your users are stored. Shiro contains out of the box support for JDBC, LDAP, and text files. I’ve created my users in the XML file (very handy for testing) using the TextDefinitionRealm. The userDefinitions proeprty contains a list of users with their password and role. The roleDefinitions property contains a list of roles and the permissions that they imply.
- The Shiro SecurityManager – this is what instantiates Shiro and holds all the realms with which Shiro can do authentication.
- The Mule security manager definition – we’re simply telling Mule to use the Shrio SecurityManager here.
- The Shiro bean post processor – this inits/destroys all the Shiro beans properly.
Next up, you can implement authentication or authorization using security filters:
The basic-security-filter will perform authentication against your Shiro realm using HTTP Basic authentication. If the authentication fails, you’ll get an HTTP 401 reponse code. The second authorization-filter interceptor will check that the user has the specified permissions (“write” in this case). If the authorization fails you’ll get an HTTP 405 response code.
And now you have easy authentication and authorization in your Mule configuration! Enjoy the module and looking forward to your feedback!
NOTE: During the implementation of this, I made some changes to make authorization much cleaner inside Mule. These changes didn’t make it into the about to be announced 3.1.0 release. As a result, if you’re going to use the Shiro integration, you’ll need to use Mule 3.2.0-SNAPSHOT for the time being. (Scroll to the bottom of the Mule ESB download page for the Mule 3.2.0 SNAPSHOT)