How to Integrate Apache Shiro into a Web Application

Apache Shiro can be used in a wide range of applications as part of the Java Security Framework.

By Hüseyin Akdoğan · Nov. 04, 13 · Tutorial


Apache Shiro is a Java security framework that handles authentication, authorization, cryptography and session management. It can be used in applications ranging from simple command-line tools to medium and large enterprise web applications.

What chiefly sets Shiro apart from similar security frameworks is its ease of use and configuration. In this article I want to show how to integrate this popular and developer-friendly framework into a web application and then use it; more precisely, it is an introduction to the topic. Shiro 1.2 or later is assumed throughout.

The simplest way to integrate Shiro into a web application is to create a shiro.ini configuration file and, in web.xml, register the listener that reads it at start-up and the filter that enforces it on every request.

web.xml configuration

<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher> 
    <dispatcher>FORWARD</dispatcher> 
    <dispatcher>INCLUDE</dispatcher> 
    <dispatcher>ERROR</dispatcher>
</filter-mapping>


By default Shiro looks for the configuration file at /WEB-INF/shiro.ini and, failing that, at shiro.ini on the classpath root. The EnvironmentLoaderListener registered in web.xml initializes a Shiro WebEnvironment instance and stores it in the ServletContext. The WebEnvironment holds everything Shiro needs at run-time, including the Shiro SecurityManager.

ShiroFilter uses this WebEnvironment for all security operations. The WebEnvironment can be customized when needed, typically by subclassing the default IniWebEnvironment; register your implementation through the shiroEnvironmentClass context parameter.


<context-param>
    <param-name>shiroEnvironmentClass</param-name>
    <param-value>com.kodcu.shiro.MyWebEnvironment</param-value>
</context-param>


To change the location of the Shiro configuration file, use the shiroConfigLocations context parameter. The value is a resource path, for example classpath:shiro.ini, or a path relative to the web application root such as /WEB-INF/config/shiro.ini.


<context-param>
    <param-name>shiroConfigLocations</param-name>
    <param-value>MY_RESOURCE_LOCATION_HERE</param-value>
</context-param>


INI Based Configuration File

The Shiro configuration file is a text file of key/value pairs grouped under sections. The INI format is flexible and easy to learn; an example follows:


[main]
shiro.loginUrl = /login.xhtml

[users]
root  = 12345,admin
guest = 12345,guest

[roles]
admin = *

[urls]
/index.xhtml = authc
/login.xhtml = authc
/info.xhtml  = anon
/logout = logout
/admin/** = authc, roles[admin]


The file has four sections, main, users, roles and urls, each holding key/value assignments. The [main] section is where the SecurityManager instance is configured, where helper objects that Shiro provides (credential matchers, caches and so on) are registered, and where custom objects are defined. Here shiro.loginUrl sets the page to which unauthenticated users are redirected; the same page is mapped to the authc filter in [urls] so that the FormAuthenticationFilter can process the login form submission.

In the [users] section, users are declared with their user name, password and roles. Each line must have the form username = password, roleName. The password follows the equals sign (=); after it, the roles assigned to the user can optionally be listed as comma-delimited values. If you do not want to store passwords in plain text, store a hash instead and register the matching credentials matcher in the [main] section. Shiro ships matchers for MD5, SHA-1 and SHA-256, but MD5 and SHA-1 are not acceptable for password storage; use at least iterated SHA-256, and never keep plain-text passwords such as 12345 in a file that is deployed with the application.


[main]
# SHA-256 password hashing
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher

Declaring the matcher is not enough on its own: it must be attached to the realm that reads the [users] section, which Shiro creates implicitly under the name iniRealm, and the passwords in [users] must then be the digests rather than the clear text. Note also that Sha256CredentialsMatcher is deprecated in favour of the configurable HashedCredentialsMatcher, which lets you choose the algorithm, the iteration count and the stored encoding.

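The following Java program is an added example, not code from the article or from the Shiro project. It rebuilds the article's shiro.ini in memory with hashed passwords instead of clear text, attaches a HashedCredentialsMatcher to the implicitly created iniRealm, and exercises login, role and permission checks without a servlet container. It assumes shiro-core 1.2 or later (plus an SLF4J binding) on the classpath; the two passwords and the guest permission report:read are invented for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

/**
 * Added example, not code from the article: the article's shiro.ini rebuilt in
 * memory with hashed passwords, a HashedCredentialsMatcher attached to the realm
 * Shiro creates for [users]/[roles] (named "iniRealm"), and a login/authorization
 * round-trip that runs without a servlet container.
 */
public class ShiroHashedIniDemo {

    // Constructed demo secrets (the article uses 12345 for both users).
    private static final String ROOT_PASSWORD  = "correct-horse-battery-staple";
    private static final String GUEST_PASSWORD = "guest-demo-password";
    private static final int HASH_ITERATIONS   = 1024;

    /**
     * Digest a password exactly the way HashedCredentialsMatcher will recompute it:
     * SHA-256, HASH_ITERATIONS rounds, no salt (the [users] section has nowhere to
     * carry a per-user salt), hex encoded.
     */
    static String hashPassword(String plaintext) {
        return new Sha256Hash(plaintext, (Object) null, HASH_ITERATIONS).toHex();
    }

    /** The article's configuration with digests in place of clear-text passwords. */
    static String buildIni() {
        return ""
            + "[main]\n"
            + "credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher\n"
            + "credentialsMatcher.hashAlgorithmName = SHA-256\n"
            + "credentialsMatcher.hashIterations = " + HASH_ITERATIONS + "\n"
            + "credentialsMatcher.storedCredentialsHexEncoded = true\n"
            // Without this line the matcher is declared but never used: iniRealm
            // would still compare the submitted password with the stored string verbatim.
            + "iniRealm.credentialsMatcher = $credentialsMatcher\n"
            + "\n"
            + "[users]\n"
            + "root  = " + hashPassword(ROOT_PASSWORD) + ",admin\n"
            + "guest = " + hashPassword(GUEST_PASSWORD) + ",guest\n"
            + "\n"
            + "[roles]\n"
            + "admin = *\n"
            + "guest = report:read\n";   // invented permission for the demo
    }

    /** Parse the INI text and build a SecurityManager from it, as EnvironmentLoaderListener would from the file. */
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.load(buildIni());
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject subject = SecurityUtils.getSubject();

        // Correct password: the matcher hashes the submitted credential HASH_ITERATIONS
        // times and compares the result with the stored digest.
        subject.login(new UsernamePasswordToken("root", ROOT_PASSWORD));
        System.out.println("root  hasRole(admin)            = " + subject.hasRole("admin"));
        System.out.println("root  isPermitted(report:write) = " + subject.isPermitted("report:write"));
        subject.logout();

        // guest holds only the report:read permission granted in [roles].
        subject.login(new UsernamePasswordToken("guest", GUEST_PASSWORD));
        System.out.println("guest isPermitted(report:read)  = " + subject.isPermitted("report:read"));
        System.out.println("guest isPermitted(report:write) = " + subject.isPermitted("report:write"));
        subject.logout();

        // Wrong password (the article's original one): the digests differ and login throws.
        try {
            subject.login(new UsernamePasswordToken("root", "12345"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The digests here are unsalted because the INI [users] format carries nothing but password and roles; two users with the same password therefore get the same digest. For a real deployment, keep accounts in a Realm that returns SaltedAuthenticationInfo with a per-user random salt, so that HashedCredentialsMatcher picks the salt up automatically.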

The [roles] section defines the permissions granted to the roles named in [users]. The line admin = * gives the admin role every permission, * being the wildcard.

Finally, the [urls] section. Each entry maps a path, or an Ant-style path pattern, to the filter chain that runs for requests to it; the path is matched against the part of the request URI that follows HttpServletRequest.getContextPath(). The entry /admin/** = authc, roles[admin] means that a request to the admin directory or anything below it first passes Shiro's FormAuthenticationFilter (the user must be logged in) and then the RolesAuthorizationFilter, which only admits users holding the admin role. Two points matter in practice: entries are evaluated in file order and the first matching pattern wins, so specific paths must come before broad patterns such as /**; and a request whose path matches no entry passes through with no Shiro filter at all, so a closing /** = authc (or a stricter chain) is how you get default-deny behaviour.

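The following Java program is an added example, not code from the article or from the Shiro project. It replays the way Shiro's PathMatchingFilterChainResolver picks a filter chain for a request path (first matching pattern in definition order, nothing if no pattern matches), using Shiro's own AntPathMatcher, and compares the article's [urls] section with a hardened version that ends in a catch-all and a broken version that starts with one. It assumes shiro-core on the classpath; the request paths and the chain variants are constructed for the demo.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.util.AntPathMatcher;

/**
 * Added example, not code from the article: shows why the order of [urls]
 * entries matters and what happens to paths that no entry matches. The request
 * paths used in main() are constructed for the demo.
 */
public class UrlChainOrderDemo {

    // The same Ant-style matcher Shiro uses for [urls] patterns.
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** The article's [urls] section in file order (LinkedHashMap keeps insertion order). */
    static Map<String, String> articleUrls() {
        Map<String, String> urls = new LinkedHashMap<>();
        urls.put("/index.xhtml", "authc");
        urls.put("/login.xhtml", "authc");
        urls.put("/info.xhtml", "anon");
        urls.put("/logout", "logout");
        urls.put("/admin/**", "authc, roles[admin]");
        return urls;
    }

    /** The same section with a default-deny catch-all appended LAST. */
    static Map<String, String> hardenedUrls() {
        Map<String, String> urls = articleUrls();
        urls.put("/**", "authc");
        return urls;
    }

    /** A permissive catch-all placed FIRST shadows every later, more specific entry. */
    static Map<String, String> shadowedUrls() {
        Map<String, String> urls = new LinkedHashMap<>();
        urls.put("/**", "anon");
        urls.putAll(articleUrls());
        return urls;
    }

    /**
     * First pattern that matches wins, exactly as Shiro walks the chain
     * definitions. Returns null when nothing matches: Shiro then lets the
     * request through the original servlet chain with no Shiro filter at all.
     */
    static String resolveChain(Map<String, String> urls, String requestPath) {
        for (Map.Entry<String, String> entry : urls.entrySet()) {
            if (MATCHER.matches(entry.getKey(), requestPath)) {
                return entry.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed request paths: a protected admin page, a public page,
        // and a page the article's section never mentions.
        String[] paths = { "/admin/users.xhtml", "/info.xhtml", "/reports.xhtml" };
        for (String path : paths) {
            System.out.printf("%-20s article=%-22s hardened=%-22s shadowed=%s%n",
                    path,
                    resolveChain(articleUrls(), path),
                    resolveChain(hardenedUrls(), path),
                    resolveChain(shadowedUrls(), path));
        }
    }
}
```

Running it shows the two failure modes in one table: with the article's section as written, /reports.xhtml resolves to no chain (null) and is served unfiltered, the hardened map routes it through authc, and the shadowed map resolves even /admin/users.xhtml to anon because the leading /** wins before the roles[admin] entry is ever considered.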
Shiro's default filters and the names by which [urls] refers to them:

Filter name         Class
anon                org.apache.shiro.web.filter.authc.AnonymousFilter
authc               org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic          org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
logout              org.apache.shiro.web.filter.authc.LogoutFilter
noSessionCreation   org.apache.shiro.web.filter.session.NoSessionCreationFilter
perms               org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port                org.apache.shiro.web.filter.authz.PortFilter
rest                org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles               org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl                 org.apache.shiro.web.filter.authz.SslFilter
user                org.apache.shiro.web.filter.authc.UserFilter


As I said at the outset, the aim of this article was to show how to integrate Shiro into a web application and then use it. The required library dependencies and the configuration described here can be seen in use in this simple web application (built with the JSF framework): Apache Shiro


Published at DZone with permission of Hüseyin Akdoğan. See the original article here.

Opinions expressed by DZone contributors are their own.
