tessl/maven-org-apache-shiro--shiro-core
A powerful and flexible open-source Java security framework providing authentication, authorization, session management, and cryptographic services
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-org-apache-shiro--shiro-core@2.0.0index.mddocs/
Apache Shiro Core
Apache Shiro Core is the foundational module of the Apache Shiro security framework, providing essential security services for Java applications. It implements a comprehensive authentication and authorization system with support for multiple realms, role-based and permission-based access control, and pluggable authentication mechanisms.
Package Information
- Package Name: org.apache.shiro:shiro-core
- Package Type: maven
- Language: Java
- Installation:
<dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>2.0.5</version> </dependency>
Core Imports
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.mgt.SecurityManager;For authentication:
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.AuthenticationException;For authorization:
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;Basic Usage
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.AuthenticationException;
// Get the current user (Subject)
Subject currentUser = SecurityUtils.getSubject();
// Authenticate the user
if (!currentUser.isAuthenticated()) {
UsernamePasswordToken token = new UsernamePasswordToken("username", "password");
try {
currentUser.login(token);
System.out.println("User authenticated successfully");
} catch (AuthenticationException e) {
System.out.println("Authentication failed: " + e.getMessage());
}
}
// Check authorization
if (currentUser.hasRole("admin")) {
System.out.println("User has admin role");
}
if (currentUser.isPermitted("user:create")) {
System.out.println("User can create users");
}
// Logout
currentUser.logout();Architecture
Apache Shiro Core is built around several key components working together:
- Subject: The current user/security context - primary interface for all security operations
- SecurityManager: The central security coordinator managing authentication, authorization, and sessions
- Realms: Data source abstractions that connect to your security data (databases, LDAP, files, etc.)
- Authentication: Identity verification with support for multiple authentication mechanisms
- Authorization: Permission and role-based access control with fine-grained permissions
- Sessions: Security-aware session management independent of web containers
- Cryptography: Password hashing, encryption, and secure random number generation
This design provides a clean separation of concerns while maintaining flexibility for different deployment scenarios, from standalone applications to enterprise web applications.
Capabilities
Core Subject Operations
Primary interface for interacting with the current user's security context. The Subject represents the security-specific user view and provides all essential security operations.
public interface Subject {
// Authentication operations
void login(AuthenticationToken token) throws AuthenticationException;
boolean isAuthenticated();
boolean isRemembered();
void logout();
// Principal access
Object getPrincipal();
PrincipalCollection getPrincipals();
// Permission checking
boolean isPermitted(String permission);
boolean isPermitted(Permission permission);
boolean[] isPermitted(String... permissions);
boolean[] isPermitted(List<Permission> permissions);
boolean isPermittedAll(String... permissions);
boolean isPermittedAll(Collection<Permission> permissions);
void checkPermission(String permission) throws AuthorizationException;
void checkPermission(Permission permission) throws AuthorizationException;
void checkPermissions(String... permissions) throws AuthorizationException;
void checkPermissions(Collection<Permission> permissions) throws AuthorizationException;
// Role checking
boolean hasRole(String roleIdentifier);
boolean[] hasRoles(List<String> roleIdentifiers);
boolean hasAllRoles(Collection<String> roleIdentifiers);
void checkRole(String roleIdentifier) throws AuthorizationException;
void checkRoles(Collection<String> roleIdentifiers) throws AuthorizationException;
void checkRoles(String... roleIdentifiers) throws AuthorizationException;
// Session operations
Session getSession();
Session getSession(boolean create);
// Execution context operations
<V> V execute(Callable<V> callable) throws ExecutionException;
void execute(Runnable runnable);
<V> Callable<V> associateWith(Callable<V> callable);
Runnable associateWith(Runnable runnable);
// RunAs operations
boolean isRunAs();
PrincipalCollection getPreviousPrincipals();
PrincipalCollection releaseRunAs();
}Types
public interface PrincipalCollection extends Iterable, Serializable {
Object getPrimaryPrincipal();
List asList();
Set asSet();
Collection fromRealm(String realmName);
Set<String> getRealmNames();
boolean isEmpty();
}Security Manager
Central coordinator for all security operations, managing the interaction between subjects, realms, sessions, and caches. The SecurityManager is the heart of Shiro's architecture.
public interface SecurityManager extends Authenticator, Authorizer, SessionManager {
Subject createSubject(SubjectContext context);
Subject login(Subject subject, AuthenticationToken authenticationToken) throws AuthenticationException;
void logout(Subject subject);
}
public class DefaultSecurityManager implements SecurityManager {
public DefaultSecurityManager();
public DefaultSecurityManager(Realm singleRealm);
public DefaultSecurityManager(Collection<Realm> realms);
public void setRealms(Collection<Realm> realms);
public void setAuthenticator(Authenticator authenticator);
public void setAuthorizer(Authorizer authorizer);
}Authentication Framework
Comprehensive authentication system supporting multiple authentication mechanisms, credential matching, and multi-realm authentication strategies.
public interface AuthenticationToken {
Object getPrincipal();
Object getCredentials();
}
public interface RememberMeAuthenticationToken extends AuthenticationToken {
boolean isRememberMe();
}
public interface HostAuthenticationToken extends AuthenticationToken {
String getHost();
}
public class UsernamePasswordToken implements AuthenticationToken,
RememberMeAuthenticationToken, HostAuthenticationToken {
public UsernamePasswordToken();
public UsernamePasswordToken(String username, char[] password);
public UsernamePasswordToken(String username, String password);
public UsernamePasswordToken(String username, char[] password, String host);
public UsernamePasswordToken(String username, String password, String host);
public UsernamePasswordToken(String username, char[] password, boolean rememberMe);
public UsernamePasswordToken(String username, String password, boolean rememberMe);
public UsernamePasswordToken(String username, char[] password, boolean rememberMe, String host);
public UsernamePasswordToken(String username, String password, boolean rememberMe, String host);
public String getUsername();
public char[] getPassword();
public String getHost();
public boolean isRememberMe();
public void setRememberMe(boolean rememberMe);
public void clear();
}
public interface Authenticator {
AuthenticationInfo authenticate(AuthenticationToken authenticationToken)
throws AuthenticationException;
}Authorization Framework
Role-based and permission-based access control with support for wildcard permissions, annotation-driven security, and flexible authorization policies.
public interface Authorizer {
boolean isPermitted(PrincipalCollection principals, String permission);
boolean hasRole(PrincipalCollection principals, String roleIdentifier);
void checkPermission(PrincipalCollection principals, String permission)
throws AuthorizationException;
}
public class WildcardPermission implements Permission, Serializable {
public WildcardPermission(String wildcardString);
public WildcardPermission(String wildcardString, boolean caseSensitive);
public boolean implies(Permission p);
public String toString();
public boolean equals(Object o);
public int hashCode();
}Realm Framework
Data source abstractions that connect Shiro to your security data sources like databases, LDAP directories, or configuration files. Realms handle both authentication and authorization data retrieval.
public interface Realm {
boolean supports(AuthenticationToken token);
AuthenticationInfo getAuthenticationInfo(AuthenticationToken token)
throws AuthenticationException;
}
public abstract class AuthorizingRealm extends AuthenticatingRealm {
protected abstract AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals);
protected abstract AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
throws AuthenticationException;
}Session Management
Security-aware session management that works independently of web containers, providing consistent session handling across different deployment environments.
public interface Session {
Serializable getId();
Date getStartTimestamp();
Date getLastAccessTime();
long getTimeout() throws InvalidSessionException;
void setTimeout(long maxIdleTimeInMillis) throws InvalidSessionException;
String getHost();
void touch() throws InvalidSessionException;
void stop() throws InvalidSessionException;
Collection<Object> getAttributeKeys() throws InvalidSessionException;
Object getAttribute(Object key) throws InvalidSessionException;
void setAttribute(Object key, Object value) throws InvalidSessionException;
Object removeAttribute(Object key) throws InvalidSessionException;
}
public interface SessionManager {
Session start(SessionContext context);
Session getSession(SessionKey key);
}Security Annotations
Method-level security annotations for declarative authorization and authentication requirements, enabling aspect-oriented security.
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface RequiresAuthentication {
}
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface RequiresRoles {
String[] value();
Logical logical() default Logical.AND;
}
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface RequiresPermissions {
String[] value();
Logical logical() default Logical.AND;
}Utilities and Configuration
Essential utilities for initialization, configuration, thread context management, and integration with various environments and frameworks.
public abstract class SecurityUtils {
public static Subject getSubject();
public static SecurityManager getSecurityManager();
public static void setSecurityManager(SecurityManager securityManager);
}
public abstract class ThreadContext {
public static SecurityManager getSecurityManager();
public static void bind(SecurityManager securityManager);
public static SecurityManager unbindSecurityManager();
public static Subject getSubject();
public static void bind(Subject subject);
public static Subject unbindSubject();
public static void remove();
}Exception Hierarchy
public class ShiroException extends RuntimeException {
public ShiroException(String message);
public ShiroException(Throwable cause);
}
public class AuthenticationException extends ShiroException {
public AuthenticationException(String message);
}
public class AuthorizationException extends ShiroException {
public AuthorizationException(String message);
}
public class SessionException extends ShiroException {
public SessionException(String message);
}