• Title/Summary/Keyword: Apache Shiro

Search Result 2, Processing Time 0.014 seconds

Comparative Analysis and Validation of CSRF Defense Mechanisms in Spring Security and Apache Shiro (Spring Security와 Apache Shiro의 CSRF 공격 방어 기법 비교 분석 및 검증)

  • Jj-oh Kim;Da-yeon Namgoong;Sanghoon Jeon
    • Convergence Security Journal
    • /
    • v.24 no.2
    • /
    • pp.79-87
    • /
    • 2024
  • This paper addresses the increasing cyber attacks exploiting security vulnerabilities in software due to the rise in web applications. CSRF (Cross-Site Request Forgery) attacks pose a serious threat to web users and developers and must be prevented in advance. CSRF involves performing malicious requests without the user's consent, making protection methods crucial for web applications. This study compares and verifies the CSRF defense performance of two frameworks, Spring Security and Apache Shiro, to propose an effectively applicable framework. The results show that both frameworks successfully defend against CSRF attacks; however, Spring Security processes requests faster, averaging 2.55 seconds compared to Apache Shiro's 5.1 seconds. This performance difference stems from variations in internal processing methods and optimization levels. Both frameworks showed no significant differences in resource usage. Therefore, Spring Security is more suitable for environments requiring high performance and efficient request processing, while Apache Shiro needs improvement. These findings are expected to serve as valuable references for designing web application security architectures

Extended Role-Based Access Control with Context-Based Role Filtering

  • Liu, Gang;Zhang, Runnan;Wan, Bo;Ji, Shaomin;Tian, Yumin
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.14 no.3
    • /
    • pp.1263-1279
    • /
    • 2020
  • Activating appropriate roles for a session in the role-based access control (RBAC) model has become challenging because of the so-called role explosion. In this paper, factors and issues related to user-driven role management are analysed, and a session role activation (SRA) problem based on reasonable assumptions is proposed to describe the problem of such role management. To solve the SRA problem, we propose an extended RBAC model with context-based role filtering. When a session is created, context conditions are used to filter roles that do not need to be activated for the session. This significantly reduces the candidate roles that need to be reviewed by the user, and aids the user in rapidly activating the appropriate roles. Simulations are carried out, and the results show that the extended RBAC model is effective in filtering the roles that are unnecessary for a session by using predefined context conditions. The extended RBAC model is also implemented in the Apache Shiro framework, and the modifications to Shiro are described in detail.