Fork me on GitHub

Apache Shiro Logo Simple. Java. Security. Apache Software Foundation Event Banner

Handy Hint
Shiro v1 version notice

As of February 28, 2024, Shiro v1 was superseded by v2.

Although Apache Shiro is designed to be used to secure any JVM-based application, it is most commonly used to secure a web application. It greatly simplifies how you secure web applications base on simple URL pattern matching and filter chain definitions. In addition to Shiro’s API, Shiro’s web support includes a rich JSP and Jakarta Faces tag library to control page output.


  • Simple ShiroFilter web.xml definition You can enable Shiro for a web application with one simple filter definition in web.xml. (Optional with Jakarta EE module)

  • Protects all URLs Shiro can protect any type of web request that comes into your system. For example, dynamically generated pages, REST request, etc.

  • Innovative Filtering (URL-specific chains) Defining URL specific filter chains is much easier and more intuitive than using web.xml because, in Shiro, you can explicitly specify which filters you want to execute for each path and in what order. And with Shiro you can have path-specific configuration for each filter in that chain.

  • JSP and Jakarta Faces Tag support The tags allow you to easily control page output based on the current user’s state and access rights.

  • Transparent HttpSession support If you are using Shiro’s native sessions, we have implemented HTTP Session API and the Servlet 2.5+ API, so you don’t have to change any of your existing web code to use Shiro.