Hi Les, As a first thought, i was thinking this could be part of CipherService like :
(skipped the keys parameters) SignedObject CipherService.sign(Object o); boolean CipherService.checkSignature(SignedObject so); SealedObject CipherService.seal(Object o); Object CipherService.unseal(SealedObject so); <-- this could automatically check for signature if the unsealed object is of type SignedObject SealedObject CipherService.signAndSeal(Object o); Anyway, I haven't had the chance to look at the CipherService sources, yet, and I don't know whether it would fit there or not, nor I don't know if from a user perspective the action/semantic of signing something would make sense to sit in a class that encrypts/decrypts. Will try to look at the sources and see if and where this would eventually fit. Meanwhile, I'll open a Jira issue and see what people think. Best, Razvan On Fri, Jun 3, 2011 at 2:42 AM, Les Hazlewood <[email protected]> wrote: > Hi Razvan, > > Typically people use the CipherService for this type of work. I've > thought of putting together a 'Cryptor' component that is stateful > though - where it will hold the key(s) used to interact with a wrapped > CipherService, so you don't need to pass the key(s) for each method > call. > > In any event, this seems to have worked for most people thus far. I'm > certainly open to looking into supporting what you talk about though > if it simplifies things even further and helps people write more > secure (and less!) code. > > Please open a Jira issue if you feel this should be an added feature. > Also, patches are always welcome if you'd like to contribute an > initial implementation or idea! > > Thanks, > > -- > Les Hazlewood > Founder, Katasoft, Inc. > Application Security Products & Professional Apache Shiro Support and > Training: > http://www.katasoft.com > > On Sat, May 28, 2011 at 4:25 PM, Razvan Dragut <[email protected]> > wrote: > > Hi everyone, > > > > I have been following this project since it was called JSecurity, Ki etc. > > I noticed that it has now cryptography features and I wonder if there's > > any plan to feature object serialisation security ( > > SignedObject, SealedObject, etc ). This has long been in the Java API ( i > > guess 1.4.2 ) and I think it's one of the very useful-underrated-missed > java > > API that can be a good solution to many security scenarios like keeping > the > > financial information in a database signed, sealed and serialised. > > > > One can argue that this is beyond the scope of Shiro as it already > > provides the cryptography service to use for signing and sealing an > object, > > but the important bit is the best practice in writing safe code : E.g : > sign > > than seal, etc. > > > > Any thoughts on this ? > > > > Thanks very much, > > > > Best, > > > > Razvan >
