Handy Hint (Shiro v1 version notice): As of February 28, 2024, Shiro v1 was superseded by v2.
This page covers the ways to integrate Shiro into Spring-based applications.
Include the Shiro Spring dependency in your application classpath (we recommend using a tool such as Apache Maven or Gradle to manage this).
Maven:

```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>2.0.1</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>${spring.version}</version>
</dependency>
```

Gradle:

```groovy
compile 'org.apache.shiro:shiro-spring:2.0.1'
compile 'org.springframework:spring-context:${spring.version}'
```

SBT:

```scala
libraryDependencies += "org.apache.shiro" % "shiro-spring" % "2.0.1"
libraryDependencies += "org.springframework" % "spring-context" % "${spring.version}"
```

Ivy:

```xml
<dependency org="org.apache.shiro" name="shiro-spring" rev="2.0.1"/>
<dependency org="org.springframework" name="spring-context" rev="${spring.version}"/>
```

Leiningen:

```clojure
[org.apache.shiro/shiro-spring "2.0.1"]
[org.springframework/spring-context "${spring.version}"]
```

Buildr:

```ruby
'org.apache.shiro:shiro-spring:jar:2.0.1'
'org.springframework:spring-context:jar:${spring.version}'
```
Import the Shiro Spring configurations:

```java
@Configuration
@Import({ShiroBeanConfiguration.class,
         ShiroConfiguration.class,
         ShiroAnnotationProcessorConfiguration.class})
public class CliAppConfig {
    ...
}
```
The above configurations do the following:

| Configuration Class | Description |
|---|---|
| org.apache.shiro.spring.config.ShiroBeanConfiguration | Configures Shiro’s lifecycle and events |
| org.apache.shiro.spring.config.ShiroConfiguration | Configures Shiro Beans (SecurityManager, SessionManager, etc) |
| org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration | Enables Shiro’s annotation processing |
The only thing that is left is to configure a realm:

```java
@Bean
public Realm realm() {
    ...
}
```
The easiest way to set up Shiro, so that all SecurityUtils.* methods work in all cases, is to make the SecurityManager bean a static singleton.

DO NOT do this in web applications - see the Web Applications section below instead.

```java
@Autowired
private SecurityManager securityManager;

@PostConstruct
private void initStaticSecurityManager() {
    SecurityUtils.setSecurityManager(securityManager);
}
```

That is it; now you can get the current Subject using:

```java
SecurityUtils.getSubject();
```
You can see a full example in our samples on GitHub.
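The page leaves the body of the realm bean as "...". The following is an added example, not code from the Shiro documentation or its samples repository, showing one way to fill it in: a hypothetical HashedUserRealm that stores only password hashes produced by Shiro's PasswordService and verifies submitted passwords through a PasswordMatcher, exposed as the realm() bean, plus a main method that exercises the same realm behind a plain DefaultSecurityManager so it can be run without a Spring context. The class names HashedUserRealm and RealmConfig, and the account names, passwords, roles and permissions, are constructed for the demo; it assumes shiro-core and spring-context on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Hypothetical realm (added example): keeps accounts in memory, stores only password
 * hashes, and answers role/permission queries. Replace the map with your user store.
 */
final class HashedUserRealm extends AuthorizingRealm {

    /** Constructed account record: a hash, never the plaintext password. */
    private static final class Account {
        final String passwordHash;
        final Set<String> roles;
        final Set<String> permissions;

        Account(String passwordHash, Set<String> roles, Set<String> permissions) {
            this.passwordHash = passwordHash;
            this.roles = roles;
            this.permissions = permissions;
        }
    }

    private final Map<String, Account> accounts = new HashMap<>();
    private final PasswordService passwordService;

    HashedUserRealm(PasswordService passwordService) {
        this.passwordService = passwordService;
        // PasswordMatcher compares the submitted plaintext against the stored hash using
        // the same PasswordService, so the realm never compares plaintext to plaintext.
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }

    void addAccount(String username, String plaintextPassword, Set<String> roles, Set<String> permissions) {
        accounts.put(username, new Account(passwordService.encryptPassword(plaintextPassword), roles, permissions));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        Account account = accounts.get(username);
        if (account == null) {
            throw new UnknownAccountException("no account for " + username);
        }
        // Return the stored hash; the credentials matcher performs the comparison.
        return new SimpleAuthenticationInfo(username, account.passwordHash, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Account account = accounts.get((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(account.roles);
        info.setStringPermissions(account.permissions);
        return info;
    }
}

@Configuration
class RealmConfig {

    /** The realm bean left as "..." on the page; the static SecurityManager wiring is unchanged. */
    @Bean
    public Realm realm() {
        return buildSampleRealm();
    }

    static HashedUserRealm buildSampleRealm() {
        HashedUserRealm realm = new HashedUserRealm(new DefaultPasswordService());
        // Constructed sample accounts; passwords are hashed at insertion time.
        realm.addAccount("alice", "alice-pw", Set.of("admin"), Set.of("document:*"));
        realm.addAccount("bob", "bob-pw", Set.of("user"), Set.of("document:read"));
        return realm;
    }

    /** Stand-alone check without Spring: the same realm behind a plain DefaultSecurityManager. */
    public static void main(String[] args) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(buildSampleRealm());
        Subject bob = new Subject.Builder(securityManager).buildSubject();
        bob.login(new UsernamePasswordToken("bob", "bob-pw"));
        System.out.println("bob may read:   " + bob.isPermitted("document:read"));
        System.out.println("bob may delete: " + bob.isPermitted("document:delete"));
        try {
            new Subject.Builder(securityManager).buildSubject()
                    .login(new UsernamePasswordToken("bob", "not-bobs-password"));
        } catch (AuthenticationException e) {
            System.out.println("wrong password rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The point of routing credentials through PasswordService/PasswordMatcher is that the realm holds only hashes and the comparison is done by Shiro's salted, iterated hashing rather than by string equality; the Subject.Builder in main avoids the static SecurityUtils state so the realm can be exercised in a unit test as well.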
Shiro has first-class support for Spring web applications. In a web application, all Shiro-accessible web requests must go through a main Shiro Filter. This filter itself is extremely powerful, allowing for ad-hoc custom filter chains to be executed based on any URL path expression.
Include the Shiro Spring web dependencies in your application classpath (we recommend using a tool such as Apache Maven or Gradle to manage this).
Maven:

```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>2.0.1</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>2.0.1</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>${spring.version}</version>
</dependency>
```

Gradle:

```groovy
compile 'org.apache.shiro:shiro-spring:2.0.1'
compile 'org.apache.shiro:shiro-web:2.0.1'
compile 'org.springframework:spring-webmvc:${spring.version}'
```

SBT:

```scala
libraryDependencies += "org.apache.shiro" % "shiro-spring" % "2.0.1"
libraryDependencies += "org.apache.shiro" % "shiro-web" % "2.0.1"
libraryDependencies += "org.springframework" % "spring-webmvc" % "${spring.version}"
```

Ivy:

```xml
<dependency org="org.apache.shiro" name="shiro-spring" rev="2.0.1"/>
<dependency org="org.apache.shiro" name="shiro-web" rev="2.0.1"/>
<dependency org="org.springframework" name="spring-webmvc" rev="${spring.version}"/>
```

Leiningen:

```clojure
[org.apache.shiro/shiro-spring "2.0.1"]
[org.apache.shiro/shiro-web "2.0.1"]
[org.springframework/spring-webmvc "${spring.version}"]
```

Buildr:

```ruby
'org.apache.shiro:shiro-spring:jar:2.0.1'
'org.apache.shiro:shiro-web:jar:2.0.1'
'org.springframework:spring-webmvc:jar:${spring.version}'
```
Import the Shiro Spring configurations:

```java
@Configuration
@Import({ShiroBeanConfiguration.class,
         ShiroAnnotationProcessorConfiguration.class,
         ShiroWebConfiguration.class,
         ShiroWebFilterConfiguration.class,
         ShiroRequestMappingConfig.class})
public class ApplicationConfig {
    ...
}
```
The above configurations do the following:

| Configuration Class | Description |
|---|---|
| org.apache.shiro.spring.config.ShiroBeanConfiguration | Configures Shiro’s lifecycle and events |
| org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration | Enables Shiro’s annotation processing |
| org.apache.shiro.spring.web.config.ShiroWebConfiguration | Configures Shiro Beans for web usage (SecurityManager, SessionManager, etc) |
| org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration | Configures Shiro’s web filter |
| org.apache.shiro.spring.web.config.ShiroRequestMappingConfig | Configures Spring with Shiro’s |
Provide a Realm implementation:

```java
@Bean
public Realm realm() {
    ...
}
```

And finally a ShiroFilterChainDefinition, which will map any application-specific paths to a given filter, in order to allow different paths different levels of access.

```java
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();

    // logged in users with the 'admin' role
    chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");

    // logged in users with the 'document:read' permission
    chainDefinition.addPathDefinition("/docs/**", "authc, perms[document:read]");

    // all other paths require a logged in user
    chainDefinition.addPathDefinition("/**", "authc");
    return chainDefinition;
}
```
If you are using Shiro’s annotations see the annotation section below.
You can see a full example in our samples on GitHub.
In both standalone and web applications, you might want to use Shiro’s Annotations for security checks (for example, @RequiresRoles, @RequiresPermissions, etc.). These annotations are enabled by importing the ShiroAnnotationProcessorConfiguration Spring configuration in both sections above.

Simply annotate your methods in order to use them:

```java
@RequiresPermissions("document:read")
public void readDocument() {
    ...
}
```
Shiro annotations are fully supported for use in @Controller classes, for example:

```java
@Controller
public class AccountInfoController {

    @RequiresRoles("admin")
    @RequestMapping("/admin/config")
    public String adminConfig(Model model) {
        return "view";
    }
}
```
A ShiroFilterChainDefinition bean with at least one definition is still required for this to work: either configure all paths to be accessible via the anon filter, or use a filter in 'permissive' mode, for example authcBasic[permissive].

```java
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
    chainDefinition.addPathDefinition("/**", "anon"); // all paths are managed via annotations

    // or allow basic authentication, but NOT require it.
    // chainDefinition.addPathDefinition("/**", "authcBasic[permissive]");
    return chainDefinition;
}
```
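The filter chain definition in the web section and the annotation section above both depend on one property of ShiroFilterChainDefinition that is easy to get wrong: Shiro applies the first path definition that matches a request, in insertion order, so a catch-all "/**" entry must come last or it shadows everything after it. The following is an added example, not code from the Shiro documentation or its samples, that builds the ordered map in a separate method so it can be inspected and unit-tested, layers @RequiresRoles/@RequiresPermissions checks on top of the URL-level filters, and maps the AuthorizationException a failed annotation check raises inside a handler to an HTTP 403 (without such a handler, Spring MVC reports it as a generic server error). The class names FilterChainConfig, DocumentController and AuthorizationFailureAdvice, the paths, and the "403" view name are assumptions; it assumes the /login page and form post are handled by your own controller, which is why that path is anon rather than authc.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseStatus;

@Configuration
public class FilterChainConfig {

    /** Ordered path-to-filter map (added example); kept separate so tests can assert on the order. */
    static Map<String, String> pathDefinitions() {
        // LinkedHashMap preserves insertion order. Shiro uses the FIRST definition whose pattern
        // matches the request path, so public and specific paths must precede the "/**" catch-all.
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/login", "anon");                            // login page/form handled by our own controller
        chains.put("/logout", "logout");                         // logout filter invalidates the session, then redirects
        chains.put("/static/**", "anon");                        // public assets only
        chains.put("/api/**", "noSessionCreation, authcBasic");  // stateless API: basic auth, no session cookie
        chains.put("/admin/**", "authc, roles[admin]");          // URL-level gate, in addition to annotations
        chains.put("/**", "authc");                              // default deny: everything else needs a login
        return chains;
    }

    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition definition = new DefaultShiroFilterChainDefinition();
        definition.addPathDefinitions(pathDefinitions());
        return definition;
    }
}

/** Method-level checks layered on top of the URL filters above (hypothetical controller). */
@Controller
class DocumentController {

    // Reached through "/**" -> authc, so the caller is authenticated before the permission check runs.
    @RequiresPermissions("document:read")
    @GetMapping("/docs/view")
    public String view() {
        return "document";
    }

    // Reached through "/admin/**" -> authc, roles[admin]; the annotations tighten it further.
    @RequiresRoles("admin")
    @RequiresPermissions("document:delete")
    @GetMapping("/admin/docs/purge")
    public String purge() {
        return "purged";
    }
}

/**
 * Hypothetical advice: a failed @Requires* check throws AuthorizationException from inside the
 * handler. Translate it into a 403 and render the same page configured as shiro.unauthorizedUrl.
 */
@ControllerAdvice
class AuthorizationFailureAdvice {

    @ExceptionHandler(AuthorizationException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    public String forbidden() {
        return "403";
    }
}
```

Keeping the URL-level "/**" -> authc entry even when annotations are in use means an endpoint that someone forgets to annotate is still unreachable anonymously; the anon-only configuration shown above is convenient, but it makes every unannotated handler public by default.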
Enabling caching is as simple as providing a CacheManager bean:

```java
@Bean
protected CacheManager cacheManager() {
    return new MemoryConstrainedCacheManager();
}
```
| Key | Default Value | Description |
|---|---|---|
| shiro.sessionManager.deleteInvalidSessions | | Remove invalid session from session storage |
| shiro.sessionManager.sessionIdCookieEnabled | | Enable session ID to cookie, for session tracking |
| shiro.sessionManager.sessionIdUrlRewritingEnabled | | Enable session URL rewriting support |
| shiro.userNativeSessionManager | | If enabled Shiro will manage the HTTP sessions instead of the container |
| shiro.sessionManager.cookie.name | | Session cookie name |
| shiro.sessionManager.cookie.maxAge | | Session cookie max age |
| shiro.sessionManager.cookie.domain | null | Session cookie domain |
| shiro.sessionManager.cookie.path | null | Session cookie path |
| shiro.sessionManager.cookie.secure | | Session cookie secure flag |
| shiro.rememberMeManager.cookie.name | | RememberMe cookie name |
| shiro.rememberMeManager.cookie.maxAge | one year | RememberMe cookie max age |
| shiro.rememberMeManager.cookie.domain | null | RememberMe cookie domain |
| shiro.rememberMeManager.cookie.path | null | RememberMe cookie path |
| shiro.rememberMeManager.cookie.secure | | RememberMe cookie secure flag |
| shiro.loginUrl | | Login URL used when unauthenticated users are redirected to the login page |
| shiro.successUrl | | Default landing page after a user logs in (if an alternative cannot be found in the current session) |
| shiro.unauthorizedUrl | null | Page to redirect the user to if they are unauthorized (403 page) |