Class EnvironmentLoader

  • Direct Known Subclasses:

    public class EnvironmentLoader
    extends Object
    An EnvironmentLoader is responsible for loading a web application's Shiro WebEnvironment (which includes the web app's WebSecurityManager) into the ServletContext at application startup.

    In Shiro 1.1 and earlier, the Shiro ServletFilter was responsible for creating the WebSecurityManager and any additional objects (security filters, etc). However, any component not filtered by the Shiro Filter (such as other context listeners) was not able to easily acquire the these objects to perform security operations.

    Due to this, in Shiro 1.2 and later, this EnvironmentLoader (or more likely, the EnvironmentLoaderListener subclass) is the preferred mechanism to initialize a Shiro environment. The Shiro Filter, while still required for request filtering, will not perform this initialization at startup if the EnvironmentLoader (or listener) runs first.


    This implementation will look for two servlet context context-params in web.xml: shiroEnvironmentClass and shiroConfigLocations that customize how the WebEnvironment instance will be initialized.


    The shiroEnvironmentClass context-param, if it exists, allows you to specify the fully-qualified implementation class name of the WebEnvironment to instantiate. For example:
    If not specified, the default value is the IniWebEnvironment class, which assumes Shiro's default INI configuration format


    The shiroConfigLocations context-param, if it exists, allows you to specify the config location(s) (resource path(s)) that will be relayed to the instantiated WebEnvironment. For example:
    The WebEnvironment implementation must implement the ResourceConfigurable interface if it is to acquire the shiroConfigLocations value.

    If this context-param is not specified, the WebEnvironment instance determines default resource lookup behavior. For example, the IniWebEnvironment will check the following two locations for INI config by default (in order):

    1. /WEB-INF/shiro.ini
    2. classpath:shiro.ini

    Web Security Enforcement

    Using this loader will only initialize Shiro's environment in a web application - it will not filter web requests or perform web-specific security operations. To do this, you must ensure that you have also configured the ShiroFilter in web.xml.

    Finally, it should be noted that this implementation was based on ideas in Spring 3's org.springframework.web.context.ContextLoader implementation - no need to reinvent the wheel for this common behavior.

    See Also:
    EnvironmentLoaderListener, ShiroFilter