tessl/maven-org-apache-shiro--shiro-spring-boot-web-starter
Spring Boot starter providing auto-configuration for Apache Shiro security framework in web applications
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-org-apache-shiro--shiro-spring-boot-web-starter@2.0.0index.mddocs/
Apache Shiro Spring Boot Web Starter
Apache Shiro Spring Boot Web Starter provides seamless auto-configuration integration for Apache Shiro security framework in Spring Boot web applications. This starter extends the base shiro-spring-boot-starter by adding web-specific dependencies and configurations, enabling authentication, authorization, cryptography, and session management with minimal manual setup.
Package Information
- Package Name: shiro-spring-boot-web-starter
- Group ID: org.apache.shiro
- Language: Java
- Package Type: Maven Spring Boot Starter
- Installation: Add dependency to pom.xml or build.gradle
Maven Dependency
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>2.0.5</version>
</dependency>Gradle Dependency
implementation 'org.apache.shiro:shiro-spring-boot-web-starter:2.0.5'Core Imports
// Basic Spring Boot application setup
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
// For custom realm configuration
import org.apache.shiro.realm.Realm;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
// For filter chain configuration
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
// For security annotations
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresPermissions;
// For environment processing (internal use)
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;Basic Usage
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class MyWebApplication {
public static void main(String[] args) {
SpringApplication.run(MyWebApplication.class, args);
}
// Shiro auto-configuration will automatically configure security components
// No additional configuration required for basic setup
}Configuration with Custom Realm
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class ShiroConfig {
@Bean
public Realm myRealm() {
// Custom realm implementation
return new MyCustomRealm();
}
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition chainDefinition =
new DefaultShiroFilterChainDefinition();
chainDefinition.addPathDefinition("/login", "anon");
chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");
chainDefinition.addPathDefinition("/**", "authc");
return chainDefinition;
}
}Configuration Properties
Configure Shiro through application.properties or application.yml:
# Core Shiro configuration
shiro.enabled=true
shiro.web.enabled=true
shiro.annotations.enabled=true
# URL configuration
shiro.loginUrl=/login.jsp
shiro.successUrl=/
shiro.unauthorizedUrl=/unauthorized
# Session management
shiro.sessionManager.sessionIdCookieEnabled=true
shiro.sessionManager.sessionIdUrlRewritingEnabled=false
shiro.sessionManager.deleteInvalidSessions=true
shiro.userNativeSessionManager=false
# Session cookie configuration
shiro.sessionManager.cookie.name=JSESSIONID
shiro.sessionManager.cookie.maxAge=-1
shiro.sessionManager.cookie.domain=
shiro.sessionManager.cookie.path=
shiro.sessionManager.cookie.secure=false
shiro.sessionManager.cookie.sameSite=LAX
# Remember me cookie configuration
shiro.rememberMeManager.cookie.name=rememberMe
shiro.rememberMeManager.cookie.maxAge=31536000
shiro.rememberMeManager.cookie.domain=
shiro.rememberMeManager.cookie.path=
shiro.rememberMeManager.cookie.secure=false
shiro.rememberMeManager.cookie.sameSite=LAXCapabilities
Auto-Configuration Beans
The starter automatically configures essential Shiro components as Spring beans when they are not already defined.
// Core security components
@Bean AuthenticationStrategy authenticationStrategy()
@Bean Authenticator authenticator()
@Bean Authorizer authorizer()
@Bean SessionsSecurityManager securityManager(List<Realm> realms)
// Subject and session management
@Bean SubjectDAO subjectDAO()
@Bean SessionStorageEvaluator sessionStorageEvaluator()
@Bean SubjectFactory subjectFactory()
@Bean SessionFactory sessionFactory()
@Bean SessionDAO sessionDAO()
@Bean SessionManager sessionManager()
// Web-specific components
@Bean Cookie sessionCookieTemplate()
@Bean RememberMeManager rememberMeManager()
@Bean Cookie rememberMeCookieTemplate()
@Bean ShiroFilterChainDefinition shiroFilterChainDefinition()
@Bean ShiroUrlPathHelper shiroUrlPathHelper()
// Filter configuration
@Bean ShiroFilterFactoryBean shiroFilterFactoryBean()
@Bean FilterRegistrationBean<AbstractShiroFilter> filterShiroFilterRegistrationBean()
@Bean List<String> globalFilters()
// Bean lifecycle management
@Bean LifecycleBeanPostProcessor lifecycleBeanPostProcessor()
@Bean EventBus eventBus()
@Bean ShiroEventBusBeanPostProcessor shiroEventBusAwareBeanPostProcessor()
// Annotation processing
@Bean DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator()
@Bean AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager)
// Spring MVC integration (when RequestMappingHandlerMapping is available)
// Imports ShiroRequestMappingConfig for Spring MVC integration
// Environment processing
// ShiroEnvironmentPostProcessor automatically configures ant path matcher strategyRealm Auto-Discovery
Automatically configures realms from common locations:
// Conditional realm beans - configured if resource exists
@Bean Realm iniClasspathRealm() // when classpath:shiro.ini exists
@Bean Realm iniMetaInfClasspathRealm() // when classpath:META-INF/shiro.ini exists
// Exception handling
@Bean Realm missingRealm() // throws NoRealmBeanConfiguredException if no realm configuredConfiguration Properties API
Properties available for Spring Boot configuration:
// Core enable/disable flags
Boolean shiro.enabled = true; // Global enable/disable flag
Boolean shiro.web.enabled = true; // Web-specific features
Boolean shiro.annotations.enabled = true; // Annotation processing
// URL configuration
String shiro.loginUrl = "/login.jsp"; // Login page URL
String shiro.successUrl = "/"; // Post-login success URL
String shiro.unauthorizedUrl = null; // Unauthorized access URL
// Session management
Boolean shiro.sessionManager.sessionIdCookieEnabled = true; // Session cookies enabled
Boolean shiro.sessionManager.sessionIdUrlRewritingEnabled = false; // URL rewriting for session tracking
Boolean shiro.sessionManager.deleteInvalidSessions = true; // Delete invalid sessions
Boolean shiro.userNativeSessionManager = false; // Use native session manager vs servlet container
// Session cookie configuration
String shiro.sessionManager.cookie.name = "JSESSIONID"; // Session cookie name
Integer shiro.sessionManager.cookie.maxAge = -1; // Session cookie max age (default: session)
String shiro.sessionManager.cookie.domain = null; // Session cookie domain
String shiro.sessionManager.cookie.path = null; // Session cookie path
Boolean shiro.sessionManager.cookie.secure = false; // Session cookie secure flag
String shiro.sessionManager.cookie.sameSite = "LAX"; // Session cookie SameSite policy
// Remember me cookie configuration
String shiro.rememberMeManager.cookie.name = "rememberMe"; // Remember me cookie name
Integer shiro.rememberMeManager.cookie.maxAge = 31536000; // Remember me max age (1 year)
String shiro.rememberMeManager.cookie.domain = null; // Remember me cookie domain
String shiro.rememberMeManager.cookie.path = null; // Remember me cookie path
Boolean shiro.rememberMeManager.cookie.secure = false; // Remember me cookie secure flag
String shiro.rememberMeManager.cookie.sameSite = "LAX"; // Remember me cookie SameSite policyFilter Constants
Constants for filter registration and naming:
// ShiroWebFilterConfiguration constants
String REGISTRATION_BEAN_NAME = "filterShiroFilterRegistrationBean";
String FILTER_NAME = "shiroFilter";Exception Types
Exception classes that may be thrown during configuration:
// Thrown when no realm is configured
class NoRealmBeanConfiguredException extends RuntimeException {
// Constructor and methods inherited from RuntimeException
}Types
// Core Shiro interfaces and classes available through auto-configuration
interface Realm {
// Authentication and authorization interface
}
interface AuthenticationStrategy {
// Strategy for handling multiple realms
}
interface Authenticator {
// Authentication processing interface
}
interface Authorizer {
// Authorization processing interface
}
interface SessionManager {
// Session lifecycle management
}
interface SessionDAO {
// Session persistence interface
}
interface SubjectDAO {
// Subject state persistence interface
}
interface SubjectFactory {
// Subject instance creation interface
}
interface SessionFactory {
// Session instance creation interface
}
interface SessionStorageEvaluator {
// Session storage decision interface
}
interface RememberMeManager {
// Remember me functionality interface
}
class Cookie {
// Cookie configuration for sessions and remember me
}
interface ShiroFilterChainDefinition {
// Filter chain URL pattern definitions
}
class ShiroUrlPathHelper {
// URL path resolution utility
}
class ShiroFilterFactoryBean {
// Factory for creating Shiro filter instances
}
class FilterRegistrationBean<T> {
// Spring Boot filter registration
}
class LifecycleBeanPostProcessor {
// Bean lifecycle management
}
class EventBus {
// Event handling system
}
class ShiroEventBusBeanPostProcessor {
// Event bus integration
}
class DefaultAdvisorAutoProxyCreator {
// AOP proxy creation for annotations
}
class AuthorizationAttributeSourceAdvisor {
// Security annotation processing
}
class ShiroEnvironmentPostProcessor implements EnvironmentPostProcessor {
// Automatically configures Spring MVC path matching strategy to ant_path_matcher
void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application);
}Usage Examples
Basic Web Application Setup
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class SecureWebApp {
public static void main(String[] args) {
SpringApplication.run(SecureWebApp.class, args);
}
}
// application.properties
// shiro.loginUrl=/login
// shiro.successUrl=/dashboard
// shiro.unauthorizedUrl=/unauthorizedCustom Realm Configuration
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.stereotype.Component;
@Component
public class DatabaseRealm extends AuthorizingRealm {
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
// Authorization logic
return new SimpleAuthorizationInfo();
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
// Authentication logic
return new SimpleAuthenticationInfo();
}
}Security Filter Chain Configuration
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class ShiroWebConfig {
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition definition =
new DefaultShiroFilterChainDefinition();
// Public endpoints
definition.addPathDefinition("/", "anon");
definition.addPathDefinition("/login", "anon");
definition.addPathDefinition("/css/**", "anon");
definition.addPathDefinition("/js/**", "anon");
// Protected endpoints
definition.addPathDefinition("/admin/**", "authc, roles[admin]");
definition.addPathDefinition("/user/**", "authc");
definition.addPathDefinition("/**", "authc");
return definition;
}
}Using Security Annotations
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import java.util.List;
@RestController
public class SecureController {
@RequiresAuthentication
@GetMapping("/profile")
public String getProfile() {
return "User profile";
}
@RequiresRoles("admin")
@GetMapping("/admin/users")
public List<User> getUsers() {
return userService.getAllUsers();
}
@RequiresPermissions("user:create")
@PostMapping("/users")
public User createUser(@RequestBody User user) {
return userService.createUser(user);
}
}Cookie Configuration Example
import org.springframework.context.annotation.Configuration;
import org.springframework.boot.context.properties.ConfigurationProperties;
@Configuration
public class ShiroSecurityConfig {
// Configure secure cookies for production
// application.properties:
/*
shiro.sessionManager.cookie.secure=true
shiro.sessionManager.cookie.sameSite=STRICT
shiro.rememberMeManager.cookie.secure=true
shiro.rememberMeManager.cookie.sameSite=STRICT
shiro.rememberMeManager.cookie.maxAge=604800
*/
}Environment-Specific Configuration
# Development environment (application-dev.properties)
shiro.sessionManager.cookie.secure=false
shiro.sessionManager.cookie.sameSite=LAX
shiro.rememberMeManager.cookie.secure=false
# Production environment (application-prod.properties)
shiro.sessionManager.cookie.secure=true
shiro.sessionManager.cookie.sameSite=STRICT
shiro.rememberMeManager.cookie.secure=true
shiro.sessionManager.cookie.domain=.yourdomain.comNotes
- This starter is a dependency aggregation module that pulls in the base
shiro-spring-boot-starterand adds web-specific dependencies - All auto-configured beans are conditional and can be overridden by defining custom beans
- The starter integrates seamlessly with Spring Boot's auto-configuration system
- Supports both programmatic configuration and properties-based configuration
- Automatically registers the Shiro filter in the Spring Boot servlet container
- Enables Shiro security annotations through AOP integration
- Compatible with Spring Boot 2.x and 3.x (check compatibility matrix for specific versions)