Posted to user@shiro.apache.org by Avner Cohen <Av...@fundtech.co.il> on 2011/03/13 20:10:42 UTC

Shiro and CSRF

Greetings all,


I'm considering adding Shiro as the security framework in an existing
application with an existing proprietary security code.


My main problem is CSRF: Shiro's session seems to be based on JSESSION,
which is the root of many web-related attacks. In our existing code, we
pass the session ID as part of the BODY of each request, so CSRF is fully
protected and the session cannot be hijacked.


Is it possible to somehow integrate Shiro into an existing session
creation and management system?


For instance, I'm looking for a hook method so that when
currentUser.isAuthenticated() is called, my existing logic will be
called (that is, looking up the session ID in a relational database), and
when currentUser.login(token) is called, it will allow me to override the
existing implementation, create my own session ID and add it to the
database.


Thanks,

    Avner.



Re: Shiro and CSRF

Posted by Jared Bunting <ja...@digitalreasoning.com>.
On 03/13/2011 02:10 PM, Avner Cohen wrote:
> Greetings all,
> 
> 
> I’m considering adding Shiro as the security framework in an existing
> application with an existing proprietary security code.
> 
> 
> My main problem is CSRF: Shiro's session seems to be based on JSESSION,
> which is the root of many web-related attacks. In our existing code, we
> pass the session ID as part of the BODY of each request, so CSRF is fully
> protected and the session cannot be hijacked.
> 
> 
> Is it possible to somehow integrate Shiro into an existing session
> creation and management system?
> 
Certainly.  Check out the SessionManager interface.  Basically implement
a SessionManager adapter for your session management system.  The
SessionContext and SessionKey will give you access to the ServletRequest
and you can pull your information from there.

Any SecurityManager that extends SessionsSecurityManager allows you to
set the SessionManager - or if you're using shiro.ini, it can be done in
there.
> 
> For instance, I'm looking for a hook method so that when
> currentUser.isAuthenticated() is called, my existing logic will be
> called (that is, looking up the session ID in a relational database), and
> when currentUser.login(token) is called, it will allow me to override the
> existing implementation, create my own session ID and add it to the
> database.
> 
> 
> Thanks,
> 
>     Avner.
> 
>
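As an added illustration of the adapter Jared describes (example code written for this page, not from the thread or from Shiro itself): a SessionManager whose getSession() pulls the ServletRequest out of the WebSessionKey and resolves the session from an id carried in the POST body, while start() mints the id that login() would persist. The class name, the form field name `sessionId`, and the in-memory map standing in for the poster's database table are assumptions.

```java
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletRequest;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.mgt.SessionContext;
import org.apache.shiro.session.mgt.SessionKey;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.web.session.mgt.WebSessionKey;

/*
 * SessionManager adapter resolving the session from an id carried in the request body.
 * Wired in shiro.ini as (class and package name are assumptions):
 *   sessionManager = com.example.BodyTokenSessionManager
 *   securityManager.sessionManager = $sessionManager
 */
public class BodyTokenSessionManager implements SessionManager {
    // POST form field carrying the session id (name assumed, not from the thread).
    static final String BODY_PARAM = "sessionId";
    // Stand-in for the poster's database table of session ids; a real adapter would query the DB here.
    private final Map<String, SimpleSession> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    @Override
    public Session start(SessionContext context) {
        // Reached via currentUser.login(token): mint an unguessable id and persist the new session.
        byte[] raw = new byte[32]; random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SimpleSession session = new SimpleSession(context.getHost());
        session.setId(id);
        store.put(id, session);
        return session;
    }

    @Override
    public Session getSession(SessionKey key) throws SessionException {
        // Reached via currentUser.isAuthenticated(): the id is taken from the body, never from a cookie.
        Serializable id = key.getSessionId();
        if (id == null && key instanceof WebSessionKey) {
            ServletRequest request = ((WebSessionKey) key).getServletRequest();
            id = request.getParameter(BODY_PARAM); // servlet getParameter also merges query-string values
        }
        SimpleSession session = id == null ? null : store.get(id.toString());
        if (session == null) return null; // null tells Shiro there is no session: subject stays anonymous
        session.validate(); // throws ExpiredSessionException / StoppedSessionException when unusable
        session.touch();
        return session;
    }
}
```

Because getParameter() also reads the query string, an adapter that must accept the id strictly from the body would parse the body itself rather than rely on the servlet parameter map.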