Hi Razvan,

Typically people use the CipherService for this type of work.  I've
thought of putting together a 'Cryptor' component that is stateful
though - where it will hold the key(s) used to interact with a wrapped
CipherService, so you don't need to pass the key(s) for each method
call.

In any event, this seems to have worked for most people thus far.  I'm
certainly open to looking into supporting what you talk about though
if it simplifies things even further and helps people write more
secure (and less!) code.

Please open a Jira issue if you feel this should be an added feature.
Also, patches are always welcome if you'd like to contribute an
initial implementation or idea!

Thanks,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Sat, May 28, 2011 at 4:25 PM, Razvan Dragut <[email protected]> wrote:
> Hi everyone,
>
> I have been following this project since it was called JSecurity, Ki etc.
> I noticed that it now has cryptography features and I wonder if there's
> any plan to feature object serialisation security
> (SignedObject, SealedObject, etc.). This has long been in the Java API (I
> guess 1.4.2) and I think it's one of the very useful-underrated-missed Java
> APIs that can be a good solution to many security scenarios like keeping the
> financial information in a database signed, sealed and serialised.
>
> One can argue that this is beyond the scope of Shiro as it already
> provides the cryptography service to use for signing and sealing an object,
> but the important bit is the best practice in writing safe code, e.g. sign
> then seal, etc.
>
> Any thoughts on this ?
>
> Thanks very much,
>
> Best,
>
> Razvan
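
The "sign then seal" order mentioned in the thread, sketched with the JDK's own `java.security.SignedObject` and `javax.crypto.SealedObject`. This is an added example, not code from either poster or from Shiro; the `SignThenSeal` and `Payment` names, the sample values, and the `SHA256withRSA` and `AES/GCM/NoPadding` choices are assumptions.

```java
import java.io.Serializable;
import java.math.BigDecimal;
import java.security.*;
import javax.crypto.*;

public class SignThenSeal {
    // Constructed sample payload (hypothetical) standing in for a financial record.
    static final class Payment implements Serializable {
        private static final long serialVersionUID = 1L;
        final String account; final BigDecimal amount;
        Payment(String account, BigDecimal amount) { this.account = account; this.amount = amount; }
    }

    // Sign first, then seal: the signature travels inside the ciphertext.
    static SealedObject signThenSeal(Serializable obj, PrivateKey signKey, SecretKey encKey) throws Exception {
        SignedObject signed = new SignedObject(obj, signKey, Signature.getInstance("SHA256withRSA"));
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey); // provider picks a fresh random IV
        return new SealedObject(signed, cipher);  // cipher parameters (IV) are kept with the object
    }

    // Reverse order on read: unseal, verify, and only then deserialize the payload.
    static Object unsealThenVerify(SealedObject sealed, SecretKey encKey, PublicKey verifyKey) throws Exception {
        SignedObject signed = (SignedObject) sealed.getObject(encKey);
        // SignedObject.getObject() does not check the signature itself.
        if (!signed.verify(verifyKey, Signature.getInstance("SHA256withRSA"))) {
            throw new SignatureException("signature check failed");
        }
        return signed.getObject();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair(); // unrelated key pair for the negative case
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey encKey = kg.generateKey();
        SealedObject stored = signThenSeal(new Payment("ACC-0001", new BigDecimal("125.50")), signer.getPrivate(), encKey);
        Payment p = (Payment) unsealThenVerify(stored, encKey, signer.getPublic());
        System.out.println("verified: " + p.account + " " + p.amount);
        try {
            unsealThenVerify(stored, encKey, other.getPublic());
        } catch (SignatureException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```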
