A demonstration of Apache Shiro running on Google App Engine with Mozilla Persona
App Engine comes with a very good identity solution (the User
Service), based on Google Login. The API is very simple and it
solves the authentication and authorization problem for a lot of
applications elegantly.
There are two problems with the User Service.
- It is restricted to users with Google accounts. A significant number of potential users may not wish to register for a Google Account just to use a single application. OpenID logins are available, but this is not a general solution at present.
- The authorization model, having users and admins and allowing access to selected resources only to admins is too restrictive for many applications.
We are providing an identity and authorization solution for Java on
App Engine which is as easy to code with as the User
Service but which allows anyone with an Email account to log in
to applications, and which provides a more sophisticated authorization
model. The solution makes use of [http://shiro.apache.org](Shiro
security) and
Mozilla Persona.
How does it work?
You include some JavaScript code on the client side. This is described https://developer.mozilla.org/en-US/docs/Persona. The user is asked for Email address (and possibly password) on the client side, and when logged in a token is provided which you send to the server and verify with a call to a secure address. The verification step returns an Email which you use as the identity of the User.
Our interface requires you to make one call which looks like this:
PersonaAuthenticationToken personaToken
= new PersonaAuthenticationToken(token, <host:port>, true);
personaLogin.login(personaToken);
where host and port are the hard-coded host name and port of your server.
Once this is done Shiro takes care of everything. To find the current user for example just use the following code anywhere:
Subject subject = SecurityUtils.getSubject();
String emailAddress = (String)subject.getPrincipal();
The simplest way to configure Shiro is to create a shiro.ini file. Our micro demo provides a simple example.
[main]
shiro.loginUrl = /login
personaRealm = com.cilogi.shiro.microdemo.MicroPersonaRealm
securityManager.realms = $personaRealm
[users]
tim.niblett@cilogi.com = password, admin
[roles]
admin = *
[urls]
/login = authc
/sensitive.html = authc
/onlyadmin.html = authc, roles[admin]
/logout = logout
In the [main] section the line shiro.loginUrl = /login defines the URL to which
unauthorised requests (and other login requests) are redirected. The
line defining personaRealm says that we're Persona to
authenticate. The next line installs the PersonaRealmas the security
realm.
The [urls] section is similar to the security constraints used by the
User Service as defined in web.xml. The authc filter says
that a user must be authenticated in this session to access the
resource. A laxer filter is user which also allows a user who has
is remembered via a cookie in the browser.
The [users] and [roles] section together state that only
tim.niblett@cilogi.com can access admin level resources of which
onlyadmin.html is the example shown here.
These capabilities duplicate those of the built-in User Service but allow for any email address and for more sophisticated authorization if you so desire.
Setting up the demo
Once you've downloaded the demo you can use maven to set it
up. There are 3 modules: persona-shiro is the library which
interfaces Persona with Shiro; gae-demo shows how perona-shiro can
be integrated App Engine, and includes some basic user handling
Please give feedback
This solution isn't ready for prime time yet as Persona is still in beta, and has a long way to go. For those who us who'd like to integrate a lighweight identity and authorization system without the nightmare of dealing with user and password management it looks like a good bet. Certainly the more of us that use it the better.