Apache Shiro Logo Simple. Java. Security. Apache Software Foundation Event Banner
As of February 28, 2024, Shiro v1 was superseded by v2.
Managing Apache Shiro dependencies in Jakarta EE projects can be simplified using the FlowLogix Dependency Chains. This approach provides a cleaner alternative to managing the BOM (Bill of Materials) directly, reducing configuration complexity and common errors.
This guide is intended for Jakarta EE projects using Apache Shiro for security.
Dependency chains are not suitable for Spring or SpringBoot projects
For Spring / SpringBoot projects, you need to use a traditional BOM approach
FlowLogix provides pre-configured Maven dependency chains that bundle related dependencies together. For Apache Shiro with Jakarta EE, the shiro-jakarta module includes all necessary Shiro components with the correct Jakarta classifier, eliminating the need to declare each dependency individually.
Traditional BOM usage requires importing the BOM in <dependencyManagement> and then declaring each individual dependency. This approach can lead to:
Forgetting to include required transitive dependencies
Inconsistent versions when mixing dependencies
Verbose configuration with multiple dependency declarations
Missing the jakarta classifier on artifacts
The dependency chain approach bundles everything you need in a single dependency, automatically including:
shiro-core (jakarta classifier)
shiro-web (jakarta classifier)
shiro-jakarta-ee (jakarta classifier)
shiro-cdi (jakarta classifier)
shiro-jaxrs (jakarta classifier)
commons-configuration2
omnifaces
Add a single dependency to include all Shiro Jakarta EE components:
<dependencies>
<dependency>
<groupId>com.flowlogix.depchain</groupId>
<artifactId>shiro-jakarta</artifactId>
<!-- replace LATEST with a version number -->
<version>LATEST</version>
</dependency>
</dependencies>
For reference, the traditional BOM approach requires significantly more configuration:
<!-- Traditional BOM Approach (more verbose) -->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-bom</artifactId>
<version>2.2.1</version>
<scope>import</scope>
<type>pom</type>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-jakarta-ee</artifactId>
<classifier>jakarta</classifier>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-cdi</artifactId>
<classifier>jakarta</classifier>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<classifier>jakarta</classifier>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<classifier>jakarta</classifier>
</dependency>
<dependency>
<groupId>org.omnifaces</groupId>
<artifactId>omnifaces</artifactId>
<version>LATEST</version>
</dependency>
</dependencies>
dependencies {
// replace LATEST with a version number
implementation platform('com.flowlogix.depchain:shiro-jakarta:LATEST')
}
For Kotlin DSL:
dependencies {
// replace LATEST with a version number
implementation(platform("com.flowlogix.depchain:shiro-jakarta:LATEST"))
}
You can create a complete, testable project using the FlowLogix Starter that supports Shiro with Jakarta EE, Jakarta Faces, PrimeFaces, and Omnifaces.
Here is a minimal pom.xml for a Jakarta EE web application with Shiro security:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>shiro-jakarta-demo</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>war</packaging>
<properties>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<!-- Jakarta EE API -->
<dependency>
<groupId>jakarta.platform</groupId>
<artifactId>jakarta.jakartaee-api</artifactId>
<version>11.0.0</version>
<scope>provided</scope>
</dependency>
<!-- Shiro Jakarta EE - All-in-one dependency -->
<dependency>
<groupId>com.flowlogix.depchain</groupId>
<artifactId>shiro-jakarta</artifactId>
<!-- replace with latest version -->
<version>106</version>
</dependency>
</dependencies>
</project>
To migrate an existing project from the traditional BOM approach:
Remove the shiro-bom import from <dependencyManagement>
Remove individual Shiro dependency declarations
Add the single shiro-jakarta dependency chain
Remove any manually specified jakarta classifiers
The dependency chain automatically handles classifier configuration and ensures all required components are included with compatible versions.