ApacheCon North America 2014

The ability to secure a web service is an essential part of a developer's armory. However, the developer must consider the complex and sometimes confusing topics of message confidentiality and integrity, as well as client authentication and authorization, against a wide range of potential adversaries.

In this talk, Dr. Colm Ó hÉigeartaigh will provide an overview of recent security advisories against a number of Apache projects that are used in web services, such as Apache Santuario and CXF. As part of this overview, we will discuss how an Apache project can best handle security vulnerabilities, and how to analyse existing security flaws to prevent possible future vulnerabilities.

In addition, the talk will distill security best practices for the developer that have emerged via fixing various security advisories.

Over 100,000 organizations have seen Apache Shiro's simplicity and power as as security framework for authentication and authorization. But did you know that Shiro's Enterprise Session Management enables easy session clustering for any application? If you need to support concurrent user sessions in the thousands or millions, you won't want to miss this!

This presentation will cover:
-Shiro’s enterprise session management capabilities
-How it can be used across any application (not just web or JEE applications)
-How to use Cassandra as Shiro's session store, enabling a distributed session cluster supporting hundreds of thousands or even millions of concurrent sessions.

As a working example, Les will show how to set up a session cluster in under 10 minutes using Cassandra. If you need to scale user session load, you won’t want to miss this!

Apache CXF is a mature and heavily used web services stack that supports a wide range of protocols, transports and bindings. Naturally, securing web services is an important topic, and CXF implements a large number of security protocols. However, applying security is notorious for exacting a performance penalty, both in terms of CPU and memory requirements.

This talk will focus on new features of Apache CXF 3.0 to improve performance for various security protocols. CXF 3.0 ships with a new streaming (as opposed to in-memory) WS-Security implementation for securing JAX-WS web services, that delivers dramatic memory improvements for large requests. Improving security performance for signed attachments, as well as for XML-based RESTful services will also be covered. Finally, empirical data will be provided to demonstrate performance improvements.

Apache Shiro is one of the largest open-source application security frameworks available, and with the release of Shiro 1.2, over 10,000 new instances launch every month. Shiro supports the four cornerstones of application security: authentication, authorization, enterprise session management, and cryptography.

Apache Shiro PMC Chair and Stormpath Founder/CTO, Les Hazlewood, will give a code-heavy overview of the framework, including...
-How to enable all four cornerstones for any application (standalone, mobile phone, web based, etc)
-An overview of how Shiro leverages OAuth, SAML, and Tapestry
-Why you might want to use Shiro instead of alternatives like JAAS or Spring Security
-An overview of Shiro’s innovative web support module and security filtering capabilities
-The core architectural concepts of the framework
-What's new in Shiro 1.2