As of February 28, 2024, Shiro v1 was superseded by v2.
This page covers the ways to integrate Shiro into Spring-based applications.
Include the Shiro Spring dependency in your application classpath (we recommend using a tool such as Apache Maven or Gradle to manage this).
Maven:

```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>2.2.1</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>${spring.version}</version>
</dependency>
```

Gradle:

```groovy
compile 'org.apache.shiro:shiro-spring:2.2.1'
compile 'org.springframework:spring-context:${spring.version}'
```

SBT:

```scala
libraryDependencies += "org.apache.shiro" % "shiro-spring" % "2.2.1"
libraryDependencies += "org.springframework" % "spring-context" % "${spring.version}"
```

Ivy:

```xml
<dependency org="org.apache.shiro" name="shiro-spring" rev="2.2.1"/>
<dependency org="org.springframework" name="spring-context" rev="${spring.version}"/>
```

Leiningen:

```clojure
[org.apache.shiro/shiro-spring "2.2.1"]
[org.springframework/spring-context "${spring.version}"]
```

Buildr:

```ruby
'org.apache.shiro:shiro-spring:jar:2.2.1'
'org.springframework:spring-context:jar:${spring.version}'
```
Import the Shiro Spring configurations:

```java
import org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration;
import org.apache.shiro.spring.config.ShiroBeanConfiguration;
import org.apache.shiro.spring.config.ShiroConfiguration;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

@Configuration
@Import({ShiroBeanConfiguration.class,
         ShiroConfiguration.class,
         ShiroAnnotationProcessorConfiguration.class})
public class CliAppConfig {
    ...
}
```
The above configurations do the following:

| Configuration Class | Description |
|---|---|
| org.apache.shiro.spring.config.ShiroBeanConfiguration | Configures Shiro's lifecycle and events |
| org.apache.shiro.spring.config.ShiroConfiguration | Configures Shiro beans (SecurityManager, SessionManager, etc.) |
| org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration | Enables Shiro's annotation processing |
The only thing that is left is to configure a realm:

```java
@Bean
public Realm realm() {
    ...
}
```
The easiest way to set up Shiro, so that all SecurityUtils.* methods work in all cases, is to make the SecurityManager bean a static singleton.
DO NOT do this in web applications - see the Web Applications section below instead.
```java
// Inside CliAppConfig: publish the Spring-managed SecurityManager to Shiro's static holder.
@Autowired
private SecurityManager securityManager;

@PostConstruct
private void initStaticSecurityManager() {
    SecurityUtils.setSecurityManager(securityManager);
}
```
That's it; you can now get the current Subject with:

```java
SecurityUtils.getSubject();
```
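The standalone steps above (importing the three configurations, supplying a Realm, and publishing the SecurityManager statically) combined into one runnable program, as an added example that is not part of the original page or of the Shiro samples. The package, class names, accounts and passwords are constructed. The realm is a custom AuthorizingRealm over an in-memory table that stores hashes produced by Shiro's DefaultPasswordService, which assumes that the hash modules shiro-core pulls in transitively (argon2id is the 2.x default) are on the classpath; jakarta.annotation.PostConstruct assumes Spring 6 (use javax.annotation.PostConstruct on Spring 5).

```java
// Added example, not from the Shiro docs or samples. Package, class names, accounts and
// passwords are constructed; on Spring 5 use javax.annotation.PostConstruct instead.
package example.cli;

import java.util.Map;
import java.util.Set;
import jakarta.annotation.PostConstruct;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration;
import org.apache.shiro.spring.config.ShiroBeanConfiguration;
import org.apache.shiro.spring.config.ShiroConfiguration;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

@Configuration
@Import({ShiroBeanConfiguration.class,
         ShiroConfiguration.class,
         ShiroAnnotationProcessorConfiguration.class})
public class CliAppConfig {

    @Autowired
    private SecurityManager securityManager;

    // Standalone only: publish the SecurityManager so SecurityUtils.getSubject() works on any thread.
    @PostConstruct
    private void initStaticSecurityManager() {
        SecurityUtils.setSecurityManager(securityManager);
    }

    @Bean
    public Realm realm() {
        return new InMemoryRealm();
    }

    // Realm over a constructed in-memory user table; passwords are stored as salted hashes.
    static final class InMemoryRealm extends AuthorizingRealm {
        // The same service hashes at startup and verifies at login (argon2id by default in Shiro 2.x).
        private final DefaultPasswordService passwordService = new DefaultPasswordService();
        private final Map<String, String> passwordHashes;
        private final Map<String, Set<String>> roles = Map.of("alice", Set.of("admin"), "bob", Set.of("reader"));
        private final Map<String, Set<String>> rolePermissions =
                Map.of("admin", Set.of("document:*"), "reader", Set.of("document:read"));

        InMemoryRealm() {
            // Demo only: a real realm loads already-hashed credentials from its user store.
            passwordHashes = Map.of(
                    "alice", passwordService.encryptPassword("alice-demo-password"),
                    "bob", passwordService.encryptPassword("bob-demo-password"));
            PasswordMatcher matcher = new PasswordMatcher();
            matcher.setPasswordService(passwordService);
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = ((UsernamePasswordToken) token).getUsername();
            String storedHash = passwordHashes.get(username);
            if (storedHash == null) { return null; } // unknown account: Shiro raises UnknownAccountException
            // The PasswordMatcher compares the submitted plaintext against this stored hash.
            return new SimpleAuthenticationInfo(username, storedHash, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) getAvailablePrincipal(principals);
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles.getOrDefault(username, Set.of()));
            for (String role : info.getRoles()) {
                rolePermissions.getOrDefault(role, Set.of()).forEach(info::addStringPermission);
            }
            return info;
        }
    }

    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(CliAppConfig.class)) {
            Subject subject = SecurityUtils.getSubject();
            subject.login(new UsernamePasswordToken("bob", "bob-demo-password"));
            System.out.println("bob has role admin: " + subject.hasRole("admin"));                      // false
            System.out.println("bob may read documents: " + subject.isPermitted("document:read"));     // true
            System.out.println("bob may delete documents: " + subject.isPermitted("document:delete")); // false
            subject.logout();
            try {
                subject.login(new UsernamePasswordToken("bob", "not-the-password"));
            } catch (AuthenticationException e) {
                System.out.println("login rejected: " + e.getClass().getSimpleName()); // IncorrectCredentialsException
            }
        }
    }
}
```

Closing the context destroys the SecurityManager through the LifecycleBeanPostProcessor that ShiroBeanConfiguration registers, which also stops the session validation scheduler; the `PasswordMatcher` is what makes the stored credential a hash rather than the plaintext the default `SimpleCredentialsMatcher` would expect.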
You can see a full example in our samples on GitHub.
Shiro has first-class support for Spring web applications. In a web application, all Shiro-accessible web requests must go through a main Shiro Filter. This filter itself is extremely powerful, allowing for ad-hoc custom filter chains to be executed based on any URL path expression.
Include the Shiro Spring web dependencies in your application classpath (we recommend using a tool such as Apache Maven or Gradle to manage this).
Maven:

```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>2.2.1</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>2.2.1</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>${spring.version}</version>
</dependency>
```

Gradle:

```groovy
compile 'org.apache.shiro:shiro-spring:2.2.1'
compile 'org.apache.shiro:shiro-web:2.2.1'
compile 'org.springframework:spring-webmvc:${spring.version}'
```

SBT:

```scala
libraryDependencies += "org.apache.shiro" % "shiro-spring" % "2.2.1"
libraryDependencies += "org.apache.shiro" % "shiro-web" % "2.2.1"
libraryDependencies += "org.springframework" % "spring-webmvc" % "${spring.version}"
```

Ivy:

```xml
<dependency org="org.apache.shiro" name="shiro-spring" rev="2.2.1"/>
<dependency org="org.apache.shiro" name="shiro-web" rev="2.2.1"/>
<dependency org="org.springframework" name="spring-webmvc" rev="${spring.version}"/>
```

Leiningen:

```clojure
[org.apache.shiro/shiro-spring "2.2.1"]
[org.apache.shiro/shiro-web "2.2.1"]
[org.springframework/spring-webmvc "${spring.version}"]
```

Buildr:

```ruby
'org.apache.shiro:shiro-spring:jar:2.2.1'
'org.apache.shiro:shiro-web:jar:2.2.1'
'org.springframework:spring-webmvc:jar:${spring.version}'
```
Import the Shiro Spring configurations:

```java
import org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration;
import org.apache.shiro.spring.config.ShiroBeanConfiguration;
import org.apache.shiro.spring.web.config.ShiroRequestMappingConfig;
import org.apache.shiro.spring.web.config.ShiroWebConfiguration;
import org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

@Configuration
@Import({ShiroBeanConfiguration.class,
         ShiroAnnotationProcessorConfiguration.class,
         ShiroWebConfiguration.class,
         ShiroWebFilterConfiguration.class,
         ShiroRequestMappingConfig.class})
public class ApplicationConfig {
    ...
}
```
The above configurations do the following:

| Configuration Class | Description |
|---|---|
| org.apache.shiro.spring.config.ShiroBeanConfiguration | Configures Shiro's lifecycle and events |
| org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration | Enables Shiro's annotation processing |
| org.apache.shiro.spring.web.config.ShiroWebConfiguration | Configures Shiro beans for web usage (SecurityManager, SessionManager, etc.) |
| org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration | Configures Shiro's web filter |
| org.apache.shiro.spring.web.config.ShiroRequestMappingConfig | Configures Spring with Shiro's |
Provide a Realm implementation:

```java
@Bean
public Realm realm() {
    ...
}
```
And finally a ShiroFilterChainDefinition, which maps application-specific paths to filters so that different paths can require different levels of access:

```java
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
    // Shiro applies the first definition whose path matches, so the catch-all "/**" stays last.
    // logged in users with the 'admin' role
    chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");
    // logged in users with the 'document:read' permission
    chainDefinition.addPathDefinition("/docs/**", "authc, perms[document:read]");
    // all other paths require a logged in user
    chainDefinition.addPathDefinition("/**", "authc");
    return chainDefinition;
}
```
If you are using Shiro’s annotations see the annotation section below.
You can see a full example in our samples on GitHub.
In both standalone and web applications, you might want to use Shiro's annotations for security checks (for example, @RequiresRoles, @RequiresPermissions, etc.). These annotations are enabled by importing the ShiroAnnotationProcessorConfiguration Spring configuration, as in both sections above.

Simply annotate your methods in order to use them:

```java
@RequiresPermissions("document:read")
public void readDocument() {
    ...
}
```
Shiro annotations are fully supported for use in @Controller classes, for example:

```java
@Controller
public class AccountInfoController {

    @RequiresRoles("admin")
    @RequestMapping("/admin/config")
    public String adminConfig(Model model) {
        return "view";
    }
}
```
A ShiroFilterChainDefinition bean with at least one definition is still required for this to work: either configure all paths to be accessible via the anon filter, or use a filter in 'permissive' mode, for example authcBasic[permissive]. Note that with "/**" mapped to anon, any method that carries no annotation is reachable without logging in.

```java
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
    chainDefinition.addPathDefinition("/**", "anon"); // all paths are managed via annotations
    // or allow basic authentication, but NOT require it.
    // chainDefinition.addPathDefinition("/**", "authcBasic[permissive]");
    return chainDefinition;
}
```
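The web wiring and the annotation usage above combined into one added example, written for this page and not taken from it or from the Shiro samples: a Spring MVC configuration without Spring Boot, with a demo realm, an ordered filter chain, an annotated controller, and a WebApplicationInitializer that registers the main Shiro filter in place of web.xml. Assumed rather than taken from the page: the package and class names, URL paths and accounts, the bean name shiroFilterFactoryBean used to look up the filter, the Jakarta Servlet API (Spring 6 with the jakarta variant of the Shiro web modules), and the property values, whose keys come from the configuration properties table at the end of this page.

```java
// Added example, not from the Shiro docs or samples. Package, class names, URL paths, property
// values and demo accounts are constructed. Assumes the Jakarta Servlet API (Spring 6 with the
// jakarta variant of the Shiro web modules); on javax stacks swap the jakarta.* imports.
package example.web;

import java.util.EnumSet;
import java.util.Map;
import jakarta.servlet.DispatcherType;
import jakarta.servlet.ServletContext;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration;
import org.apache.shiro.spring.config.ShiroBeanConfiguration;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroRequestMappingConfig;
import org.apache.shiro.spring.web.config.ShiroWebConfiguration;
import org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.env.MapPropertySource;
import org.springframework.stereotype.Controller;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@Configuration
@EnableWebMvc // ShiroRequestMappingConfig adjusts Spring MVC's handler mapping, so MVC must be configured
@Import({ShiroBeanConfiguration.class,
         ShiroAnnotationProcessorConfiguration.class,
         ShiroWebConfiguration.class,
         ShiroWebFilterConfiguration.class,
         ShiroRequestMappingConfig.class})
public class ApplicationConfig {

    @Bean
    public Realm realm() {
        // Demo realm with constructed accounts. SimpleAccountRealm compares plaintext passwords;
        // a real deployment uses a realm that verifies hashed credentials from its user store.
        SimpleAccountRealm realm = new SimpleAccountRealm("demo");
        realm.addAccount("alice", "alice-demo-password", "admin");
        realm.addAccount("bob", "bob-demo-password", "reader");
        return realm;
    }

    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        // The first matching definition wins, so specific paths are listed before the catch-all.
        chain.addPathDefinition("/static/**", "anon");              // public assets
        chain.addPathDefinition("/logout", "logout");               // Shiro's logout filter
        chain.addPathDefinition("/admin/**", "authc, roles[admin]");
        chain.addPathDefinition("/**", "authc");                    // everything else needs a login
        return chain;
    }

    // A nested @Controller is registered as a bean together with its enclosing configuration class.
    @Controller
    public static class SiteController {
        // Minimal form for the authc filter (FormAuthenticationFilter), which handles the POST to /login.
        @GetMapping("/login")
        @ResponseBody
        public String loginForm() {
            return "<form method='post'><input name='username'>"
                    + "<input name='password' type='password'><button>Log in</button></form>";
        }

        // Annotation check on top of the /admin/** chain rule: the method stays protected if the chain is edited.
        @RequiresRoles("admin")
        @GetMapping("/admin/config")
        @ResponseBody
        public String adminConfig() {
            return "admin configuration";
        }
    }

    // Registers the main Shiro filter and the DispatcherServlet; this replaces web.xml.
    public static class Initializer implements WebApplicationInitializer {
        @Override
        public void onStartup(ServletContext servletContext) {
            AnnotationConfigWebApplicationContext ctx = new AnnotationConfigWebApplicationContext();
            ctx.register(ApplicationConfig.class);
            ctx.setServletContext(servletContext);
            // Keys from the configuration-properties table; values are this example's choices
            // (the secure cookie flags assume the application is served over HTTPS).
            Map<String, Object> shiroProps = Map.of("shiro.loginUrl", "/login",
                    "shiro.sessionManager.cookie.secure", "true", "shiro.rememberMeManager.cookie.secure", "true");
            ctx.getEnvironment().getPropertySources().addFirst(new MapPropertySource("shiro-web", shiroProps));
            // Every request must pass through Shiro's main filter; ShiroWebFilterConfiguration exposes it
            // under the bean name "shiroFilterFactoryBean" (name assumed here).
            DelegatingFilterProxy shiroFilter = new DelegatingFilterProxy("shiroFilterFactoryBean", ctx);
            shiroFilter.setTargetFilterLifecycle(true);
            servletContext.addFilter("shiroFilter", shiroFilter)
                    .addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
            servletContext.addServlet("dispatcher", new DispatcherServlet(ctx)).addMapping("/");
        }
    }
}
```

The DelegatingFilterProxy refreshes the context on filter initialisation, so the filter works whichever of the filter and the DispatcherServlet the container initialises first; the `/admin/config` method is guarded twice, once by the `roles[admin]` chain rule and once by `@RequiresRoles`, so a later change to the chain cannot silently expose it.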
Enabling caching is as simple as providing a CacheManager bean:

```java
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;

@Bean
protected CacheManager cacheManager() {
    return new MemoryConstrainedCacheManager();
}
```
| Key | Default Value | Description |
|---|---|---|
| shiro.sessionManager.deleteInvalidSessions | | Remove invalid sessions from session storage |
| shiro.sessionManager.sessionIdCookieEnabled | | Enable writing the session ID to a cookie, for session tracking |
| shiro.sessionManager.sessionIdUrlRewritingEnabled | | Enable session URL rewriting support |
| shiro.userNativeSessionManager | | If enabled, Shiro will manage the HTTP sessions instead of the container |
| shiro.sessionManager.cookie.name | | Session cookie name |
| shiro.sessionManager.cookie.maxAge | | Session cookie max age |
| shiro.sessionManager.cookie.domain | null | Session cookie domain |
| shiro.sessionManager.cookie.path | null | Session cookie path |
| shiro.sessionManager.cookie.secure | | Session cookie secure flag |
| shiro.rememberMeManager.cookie.name | | RememberMe cookie name |
| shiro.rememberMeManager.cookie.maxAge | one year | RememberMe cookie max age |
| shiro.rememberMeManager.cookie.domain | null | RememberMe cookie domain |
| shiro.rememberMeManager.cookie.path | ROOT_PATH | RememberMe cookie path |
| shiro.rememberMeManager.cookie.secure | | RememberMe cookie secure flag |
| shiro.loginUrl | | Login URL that unauthenticated users are redirected to |
| shiro.successUrl | | Default landing page after a user logs in (if no alternative can be found in the current session) |
| shiro.unauthorizedUrl | null | Page to redirect the user to if they are unauthorized (403 page) |
| shiro.caseInsensitive | | Enable case-insensitive path matching. Can be set to true in 2.x. Defaults to true in 3.x. |
| shiro.allowAccessByDefault | | Allow access when no filter chain matches. Defaults to true in 2.x and false in 3.x. |