Posted to user@shiro.apache.org by Les Hazlewood <lh...@apache.org> on 2011/06/03 03:42:28 UTC

Re: Object serialisation security

Hi Razvan,

Typically people use the CipherService for this type of work.  I've
thought of putting together a 'Cryptor' component that is stateful
though - where it will hold the key(s) used to interact with a wrapped
CipherService, so you don't need to pass the key(s) for each method
call.

In any event, this seems to have worked for most people thus far.  I'm
certainly open to looking into supporting what you talk about though
if it simplifies things even further and helps people write more
secure (and less!) code.

Please open a Jira issue if you feel this should be an added feature.
Also, patches are always welcome if you'd like to contribute an
initial implementation or idea!

Thanks,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Sat, May 28, 2011 at 4:25 PM, Razvan Dragut <ra...@gmail.com> wrote:
> Hi everyone,
>
> I have been following this project since it was called JSecurity, Ki etc.
> I noticed that it has now cryptography features and I wonder if there's
> any plan to feature object serialisation security (SignedObject,
> SealedObject, etc.). This has long been in the Java API (I guess 1.4.2)
> and I think it's one of the very useful-underrated-missed Java
> APIs that can be a good solution to many security scenarios like keeping the
> financial information in a database signed, sealed and serialised.
>
> One can argue that this is beyond the scope of Shiro as it already
> provides the cryptography service to use for signing and sealing an object,
> but the important bit is the best practice in writing safe code, e.g. sign
> then seal, etc.
>
> Any thoughts on this ?
>
> Thanks very much,
>
> Best,
>
> Razvan

Re: Object serialisation security

Posted by Les Hazlewood <lh...@apache.org>.
Sounds good - these are great ideas that should be captured in a Jira
issue at least.

Thanks!

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

Re: Object serialisation security

Posted by Razvan Dragut <ra...@gmail.com>.
Hi Les,

As a first thought, I was thinking this could be part of CipherService like:

(skipped the keys parameters)

SignedObject CipherService.sign(Object o);
boolean CipherService.checkSignature(SignedObject so);
SealedObject CipherService.seal(Object o);
// this could automatically check for signature if the unsealed object
// is of type SignedObject
Object CipherService.unseal(SealedObject so);
SealedObject CipherService.signAndSeal(Object o);

Anyway, I haven't had the chance to look at the CipherService sources yet,
and I don't know whether it would fit there or not, nor do I know if, from
a user perspective, the action/semantic of signing something would make sense
to sit in a class that encrypts/decrypts.

Will try to look at the sources and see if and where this would eventually
fit. Meanwhile, I'll open a Jira issue and see what people think.

Best,

Razvan

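Added example (not part of the thread, and not Shiro API): the sign-then-seal pattern discussed above, written against the JDK's own java.security.SignedObject and javax.crypto.SealedObject. The names signAndSeal and unsealAndVerify are hypothetical, and the algorithm choices (SHA256withRSA, AES/GCM) and the sample value are assumptions made for the illustration.

```java
import java.io.Serializable;
import java.math.BigDecimal;
import java.security.*;
import javax.crypto.*;

public class SignThenSeal {
    static final String SIG_ALG = "SHA256withRSA"; // assumed signature algorithm

    // Sign first, then encrypt the SignedObject so the signature travels inside the ciphertext.
    static SealedObject signAndSeal(Serializable o, PrivateKey signKey, SecretKey encKey)
            throws Exception {
        SignedObject signed = new SignedObject(o, signKey, Signature.getInstance(SIG_ALG));
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey); // provider picks a fresh random IV
        return new SealedObject(signed, cipher);  // cipher parameters are stored alongside
    }

    // Decrypt, then refuse anything that is not a SignedObject with a valid signature.
    static Object unsealAndVerify(SealedObject sealed, SecretKey encKey, PublicKey verifyKey)
            throws Exception {
        Object inner = sealed.getObject(encKey); // GCM tag is checked before deserialization
        if (!(inner instanceof SignedObject)) {
            throw new SecurityException("sealed payload is not signed");
        }
        SignedObject signed = (SignedObject) inner;
        if (!signed.verify(verifyKey, Signature.getInstance(SIG_ALG))) {
            throw new SecurityException("signature check failed");
        }
        return signed.getObject(); // deserialize the payload only after verification
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey encKey = kg.generateKey();

        BigDecimal balance = new BigDecimal("1234.56"); // constructed sample value
        SealedObject stored = signAndSeal(balance, signer.getPrivate(), encKey);
        System.out.println(unsealAndVerify(stored, encKey, signer.getPublic()));
        try {
            unsealAndVerify(stored, encKey, other.getPublic()); // wrong verification key
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Both getObject calls perform Java deserialization, so the ordering in unsealAndVerify matters: the inner payload is only deserialized after the ciphertext tag and the signature have been checked.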