Stormpath is pleased to announce a formal integration with Apache Shiro, a leading Java security framework with over 200,000 downloads.

This integration allows an Apache Shiro-enabled application use the Stormpath cloud Identity Management service for all authentication and access control needs. Shiro has been growing exponentially in 2012 and we are excited to provide a useful plugin – for free!

 

 

While working on the redesign for our new Stormpath dashboard, our head of Marketing asked a good question:

Unfortunately, whoever advocated this viewpoint (of not using API keys) probably didn't manage a secure system (possibly because they didnt need to?).   So I thought I would share my thoughts on why Stormpath secures our API with API Keys (and so do others, like Amazon Web Services, and you should too). I also included some best practices for how we handle API keys.

Wow, first LinkedIn, and now Yahoo!.

Yahoo! News has reported that its own service has been hacked, resulting in 450,000 compromised passwords.  The attack was an SQL Injection Attack, much like the same attack that compromised over 1 million Sony Pictures accounts.

Various sources reported today that LinkedIn suffered a major security breach: allegedly, 6.5 million hashed passwords were leaked by a Russian hacker.

But this naturally raises big concerns for web developers: if one of the largest social networks, with all of their engineers, could have a password security breach,

How do I keep user passwords secure?

If you're already using Spring to build your application, and you need to serve a ReST API, Spring MVC can be a good choice to write your REST endpoints.

However, representing errors or problems cleanly in a RESTful way may not be immediately obvious since Spring MVC is so often referenced for building user interfaces. Because there is no direct UI concept in REST APIs, how then do you use Spring MVC to represent errors or problems in a clean and intuitive way?

Apache Shiro 1.2.0 was released on Tuesday, January 24 2012 with a lot of new features and improvements that most of the community will find useful. Thanks to everyone who contributed to this release; it was a significant undertaking and reflects a big step forward for the project.

In my first post on Strong Password Hashing, we discussed that the solution for the most common way to secure passwords, even with the possibility of brute force attacks, was to incorporate a computation time component.  This technique essentially makes the password hashing process computationally expensive such that an attacker using brute force would have to spend a relatively enormous amount of time attacking the passwords.

This article discusses how security policies are managed using the concept of Roles and how the predominant role-based mechanism for securing applications is largely insufficient.  I discuss what I believe is a much better way of securing applications.

A few days ago on the Apache Shiro mailing list, one of our users expressed concern about the points surfaced in this blog article. They wanted to know if Shiro could address these concerns (answer: it can, and has always been able to do so - keep reading for how).