[Owasp-germany] Apache Shiro

Junker, Holger holger.junker at bsi.bund.de
Tue Jul 16 12:10:10 UTC 2013


Hello everyone,
I have already looked at parts of Shiro. I may do a security analysis of it
next year in order to be able to make a reliable statement about its quality
and security level. If OWASP is also interested in this, I would be grateful
for feedback.

Regards,
Holger


__________ original message __________

From:	owasp-germany-request at lists.owasp.org
Date:	Tuesday, 16 July 2013, 14:00:04
To:	owasp-germany at lists.owasp.org
Cc:	
Subject:	Owasp-germany Digest, Vol 67, Issue 6

> Send Owasp-germany mailing list submissions to
> 	owasp-germany at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.owasp.org/mailman/listinfo/owasp-germany
> or, via email, send a message with subject or body 'help' to
> 	owasp-germany-request at lists.owasp.org
>
> You can reach the person managing the list at
> 	owasp-germany-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Owasp-germany digest..."
>
>
> Today's Topics:
>
>    1. Apache Shiro (Dirk Wetter)
>    2. Re: Apache Shiro (Torsten Gigler)
>    3. Re: Apache Shiro (Dirk Wetter)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 16 Jul 2013 10:36:44 +0200
> From: Dirk Wetter <dirk.wetter at owasp.org>
> To: OWASP Germany <owasp-germany at lists.owasp.org>
> Subject: [Owasp-germany] Apache Shiro
> Message-ID: <51E5061C.9030705 at owasp.org>
> Content-Type: text/plain; charset=ISO-8859-15
>
>
> Hi all,
>
> Can anyone say something about Apache Shiro, is it any good, is it interesting?
>
>
> Best regards,
>
> Dirk Wetter
>
>
> --
> German OWASP Board, Conference Chair AppSec EU 2013
> http://appsec.eu/       |                 @appseceu
> skype://drwetter.de     |      tel:+49-40-2442035-1
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 16 Jul 2013 11:33:23 +0200
> From: Torsten Gigler <torsten.gigler at owasp.org>
> To: Dirk Wetter <dirk.wetter at owasp.org>
> Cc: OWASP Germany <owasp-germany at lists.owasp.org>
> Subject: Re: [Owasp-germany] Apache Shiro
> Message-ID:
> 	<CA+M5M1cEoyLuucHt_mEKH6vC4oezJaiOMTqoo0=Lt3a6-ekkrQ at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello Dirk,
>
> ask Jim (see the mail below)
>
> Ciao
> Torsten
>
> ---------- Forwarded message ----------
> From: Jim Manico <jim.manico at owasp.org>
> Date: 2013/3/28
> Subject: Re: [Owasp-leaders] Fwd: Getting in touch with the leader ?
> To: Samantha Groves <samantha.groves at owasp.org>
> Cc: Owasp leaders <owasp-leaders at lists.owasp.org>
>
> One core requirement for "project health" is how well it is maintained.
>
> Because ESAPI has not been updated since July 2012 and there exists a
> number of significant bugs, I no longer recommend ESAPI nor do I consider
> it a flagship project (at all). This is just my personal opinion as a
> volunteer, not official board communication.
>
> For Java, I recommend a combination of:
>
> 1) Apache Shiro (for AuthN/AuthZ)
> 2) OWASP Java Encoder (XSS Defense)
> 3) OWASP HTML Sanitizer (AntiSamy like functionality)
> 4) OWASP JSON Sanitizer (Safe JSON Parsing and Sanitization)
>
> All of these are high performance and well maintained (ie: bugs get fixed
> fast).
>
> My 2 cents,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 16 Jul 2013 12:21:58 +0200
> From: Dirk Wetter <dirk.wetter at owasp.org>
> To: Torsten Gigler <torsten.gigler at owasp.org>
> Cc: OWASP Germany <owasp-germany at lists.owasp.org>
> Subject: Re: [Owasp-germany] Apache Shiro
> Message-ID: <51E51EC6.2070206 at owasp.org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Torsten,
>
> thanks for the pointer.
>
> But: I already did. And now he isn't answering.... probably because he
> doesn't read mail on the plane. ;-)
>
> A question to the group: if Apache Shiro were presented somewhere, would
> that be a reason to go there? Either for one of you or for others (e.g.
> developers with less security in their "heads")?
>
> Please give an honest, considered answer and not a "yes" that is as
> instantly reflected as XSS. ;-)
>
> Best regards, Dirk
>