CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/maven-org-apache-shiro--shiro-spring-boot-web-starter

Spring Boot starter providing auto-configuration for Apache Shiro security framework in web applications

Pending
Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Pending

The risk profile of this skill

Overview
Eval results
Files

index.mddocs/

Apache Shiro Spring Boot Web Starter

Apache Shiro Spring Boot Web Starter provides seamless auto-configuration integration for Apache Shiro security framework in Spring Boot web applications. This starter extends the base shiro-spring-boot-starter by adding web-specific dependencies and configurations, enabling authentication, authorization, cryptography, and session management with minimal manual setup.

Package Information

  • Package Name: shiro-spring-boot-web-starter
  • Group ID: org.apache.shiro
  • Language: Java
  • Package Type: Maven Spring Boot Starter
  • Installation: Add dependency to pom.xml or build.gradle

Maven Dependency

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring-boot-web-starter</artifactId>
    <version>2.0.5</version>
</dependency>

Gradle Dependency

implementation 'org.apache.shiro:shiro-spring-boot-web-starter:2.0.5'

Core Imports

// Basic Spring Boot application setup
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

// For custom realm configuration
import org.apache.shiro.realm.Realm;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// For filter chain configuration
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;

// For security annotations
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresPermissions;

// For environment processing (internal use)
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;

Basic Usage

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class MyWebApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyWebApplication.class, args);
    }
    
    // Shiro auto-configuration will automatically configure security components
    // No additional configuration required for basic setup
}

Configuration with Custom Realm

import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {
    
    @Bean
    public Realm myRealm() {
        // Custom realm implementation
        return new MyCustomRealm();
    }
    
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chainDefinition = 
            new DefaultShiroFilterChainDefinition();
        
        chainDefinition.addPathDefinition("/login", "anon");
        chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");
        chainDefinition.addPathDefinition("/**", "authc");
        
        return chainDefinition;
    }
}

Configuration Properties

Configure Shiro through application.properties or application.yml:

# Core Shiro configuration
shiro.enabled=true
shiro.web.enabled=true
shiro.annotations.enabled=true

# URL configuration
shiro.loginUrl=/login.jsp
shiro.successUrl=/
shiro.unauthorizedUrl=/unauthorized

# Session management
shiro.sessionManager.sessionIdCookieEnabled=true
shiro.sessionManager.sessionIdUrlRewritingEnabled=false
shiro.sessionManager.deleteInvalidSessions=true
shiro.userNativeSessionManager=false

# Session cookie configuration
shiro.sessionManager.cookie.name=JSESSIONID
shiro.sessionManager.cookie.maxAge=-1
shiro.sessionManager.cookie.domain=
shiro.sessionManager.cookie.path=
shiro.sessionManager.cookie.secure=false
shiro.sessionManager.cookie.sameSite=LAX

# Remember me cookie configuration
shiro.rememberMeManager.cookie.name=rememberMe
shiro.rememberMeManager.cookie.maxAge=31536000
shiro.rememberMeManager.cookie.domain=
shiro.rememberMeManager.cookie.path=
shiro.rememberMeManager.cookie.secure=false
shiro.rememberMeManager.cookie.sameSite=LAX

Capabilities

Auto-Configuration Beans

The starter automatically configures essential Shiro components as Spring beans when they are not already defined.

// Core security components
@Bean AuthenticationStrategy authenticationStrategy()
@Bean Authenticator authenticator()
@Bean Authorizer authorizer()
@Bean SessionsSecurityManager securityManager(List<Realm> realms)

// Subject and session management
@Bean SubjectDAO subjectDAO()
@Bean SessionStorageEvaluator sessionStorageEvaluator()
@Bean SubjectFactory subjectFactory()
@Bean SessionFactory sessionFactory()
@Bean SessionDAO sessionDAO()
@Bean SessionManager sessionManager()

// Web-specific components
@Bean Cookie sessionCookieTemplate()
@Bean RememberMeManager rememberMeManager()
@Bean Cookie rememberMeCookieTemplate()
@Bean ShiroFilterChainDefinition shiroFilterChainDefinition()
@Bean ShiroUrlPathHelper shiroUrlPathHelper()

// Filter configuration
@Bean ShiroFilterFactoryBean shiroFilterFactoryBean()
@Bean FilterRegistrationBean<AbstractShiroFilter> filterShiroFilterRegistrationBean()
@Bean List<String> globalFilters()

// Bean lifecycle management
@Bean LifecycleBeanPostProcessor lifecycleBeanPostProcessor()
@Bean EventBus eventBus()
@Bean ShiroEventBusBeanPostProcessor shiroEventBusAwareBeanPostProcessor()

// Annotation processing
@Bean DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator()
@Bean AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager)

// Spring MVC integration (when RequestMappingHandlerMapping is available)
// Imports ShiroRequestMappingConfig for Spring MVC integration

// Environment processing
// ShiroEnvironmentPostProcessor automatically configures ant path matcher strategy

Realm Auto-Discovery

Automatically configures realms from common locations:

// Conditional realm beans - configured if resource exists
@Bean Realm iniClasspathRealm()  // when classpath:shiro.ini exists
@Bean Realm iniMetaInfClasspathRealm()  // when classpath:META-INF/shiro.ini exists

// Exception handling
@Bean Realm missingRealm()  // throws NoRealmBeanConfiguredException if no realm configured

Configuration Properties API

Properties available for Spring Boot configuration:

// Core enable/disable flags
Boolean shiro.enabled = true;  // Global enable/disable flag
Boolean shiro.web.enabled = true;  // Web-specific features
Boolean shiro.annotations.enabled = true;  // Annotation processing

// URL configuration
String shiro.loginUrl = "/login.jsp";  // Login page URL
String shiro.successUrl = "/";  // Post-login success URL
String shiro.unauthorizedUrl = null;  // Unauthorized access URL

// Session management
Boolean shiro.sessionManager.sessionIdCookieEnabled = true;  // Session cookies enabled
Boolean shiro.sessionManager.sessionIdUrlRewritingEnabled = false;  // URL rewriting for session tracking
Boolean shiro.sessionManager.deleteInvalidSessions = true;  // Delete invalid sessions
Boolean shiro.userNativeSessionManager = false;  // Use native session manager vs servlet container

// Session cookie configuration
String shiro.sessionManager.cookie.name = "JSESSIONID";  // Session cookie name
Integer shiro.sessionManager.cookie.maxAge = -1;  // Session cookie max age (default: session)
String shiro.sessionManager.cookie.domain = null;  // Session cookie domain
String shiro.sessionManager.cookie.path = null;  // Session cookie path
Boolean shiro.sessionManager.cookie.secure = false;  // Session cookie secure flag
String shiro.sessionManager.cookie.sameSite = "LAX";  // Session cookie SameSite policy

// Remember me cookie configuration
String shiro.rememberMeManager.cookie.name = "rememberMe";  // Remember me cookie name
Integer shiro.rememberMeManager.cookie.maxAge = 31536000;  // Remember me max age (1 year)
String shiro.rememberMeManager.cookie.domain = null;  // Remember me cookie domain
String shiro.rememberMeManager.cookie.path = null;  // Remember me cookie path
Boolean shiro.rememberMeManager.cookie.secure = false;  // Remember me cookie secure flag
String shiro.rememberMeManager.cookie.sameSite = "LAX";  // Remember me cookie SameSite policy

Filter Constants

Constants for filter registration and naming:

// ShiroWebFilterConfiguration constants
String REGISTRATION_BEAN_NAME = "filterShiroFilterRegistrationBean";
String FILTER_NAME = "shiroFilter";

Exception Types

Exception classes that may be thrown during configuration:

// Thrown when no realm is configured
class NoRealmBeanConfiguredException extends RuntimeException {
    // Constructor and methods inherited from RuntimeException
}

Types

// Core Shiro interfaces and classes available through auto-configuration
interface Realm {
    // Authentication and authorization interface
}

interface AuthenticationStrategy {
    // Strategy for handling multiple realms
}

interface Authenticator {
    // Authentication processing interface
}

interface Authorizer {
    // Authorization processing interface
}

interface SessionManager {
    // Session lifecycle management
}

interface SessionDAO {
    // Session persistence interface
}

interface SubjectDAO {
    // Subject state persistence interface
}

interface SubjectFactory {
    // Subject instance creation interface
}

interface SessionFactory {
    // Session instance creation interface
}

interface SessionStorageEvaluator {
    // Session storage decision interface
}

interface RememberMeManager {
    // Remember me functionality interface
}

class Cookie {
    // Cookie configuration for sessions and remember me
}

interface ShiroFilterChainDefinition {
    // Filter chain URL pattern definitions
}

class ShiroUrlPathHelper {
    // URL path resolution utility
}

class ShiroFilterFactoryBean {
    // Factory for creating Shiro filter instances
}

class FilterRegistrationBean<T> {
    // Spring Boot filter registration
}

class LifecycleBeanPostProcessor {
    // Bean lifecycle management
}

class EventBus {
    // Event handling system
}

class ShiroEventBusBeanPostProcessor {
    // Event bus integration
}

class DefaultAdvisorAutoProxyCreator {
    // AOP proxy creation for annotations
}

class AuthorizationAttributeSourceAdvisor {
    // Security annotation processing
}

class ShiroEnvironmentPostProcessor implements EnvironmentPostProcessor {
    // Automatically configures Spring MVC path matching strategy to ant_path_matcher
    void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application);
}

Usage Examples

Basic Web Application Setup

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SecureWebApp {
    public static void main(String[] args) {
        SpringApplication.run(SecureWebApp.class, args);
    }
}

// application.properties
// shiro.loginUrl=/login
// shiro.successUrl=/dashboard
// shiro.unauthorizedUrl=/unauthorized

Custom Realm Configuration

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.stereotype.Component;

@Component
public class DatabaseRealm extends AuthorizingRealm {
    
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Authorization logic
        return new SimpleAuthorizationInfo();
    }
    
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        // Authentication logic
        return new SimpleAuthenticationInfo();
    }
}

Security Filter Chain Configuration

import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroWebConfig {
    
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition definition = 
            new DefaultShiroFilterChainDefinition();
        
        // Public endpoints
        definition.addPathDefinition("/", "anon");
        definition.addPathDefinition("/login", "anon");
        definition.addPathDefinition("/css/**", "anon");
        definition.addPathDefinition("/js/**", "anon");
        
        // Protected endpoints
        definition.addPathDefinition("/admin/**", "authc, roles[admin]");
        definition.addPathDefinition("/user/**", "authc");
        definition.addPathDefinition("/**", "authc");
        
        return definition;
    }
}

Using Security Annotations

import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import java.util.List;

@RestController
public class SecureController {
    
    @RequiresAuthentication
    @GetMapping("/profile")
    public String getProfile() {
        return "User profile";
    }
    
    @RequiresRoles("admin")
    @GetMapping("/admin/users")
    public List<User> getUsers() {
        return userService.getAllUsers();
    }
    
    @RequiresPermissions("user:create")
    @PostMapping("/users")
    public User createUser(@RequestBody User user) {
        return userService.createUser(user);
    }
}

Cookie Configuration Example

import org.springframework.context.annotation.Configuration;
import org.springframework.boot.context.properties.ConfigurationProperties;

@Configuration
public class ShiroSecurityConfig {
    
    // Configure secure cookies for production
    // application.properties:
    /*
    shiro.sessionManager.cookie.secure=true
    shiro.sessionManager.cookie.sameSite=STRICT
    shiro.rememberMeManager.cookie.secure=true
    shiro.rememberMeManager.cookie.sameSite=STRICT
    shiro.rememberMeManager.cookie.maxAge=604800
    */
}

Environment-Specific Configuration

# Development environment (application-dev.properties)
shiro.sessionManager.cookie.secure=false
shiro.sessionManager.cookie.sameSite=LAX
shiro.rememberMeManager.cookie.secure=false

# Production environment (application-prod.properties)
shiro.sessionManager.cookie.secure=true
shiro.sessionManager.cookie.sameSite=STRICT
shiro.rememberMeManager.cookie.secure=true
shiro.sessionManager.cookie.domain=.yourdomain.com

Notes

  • This starter is a dependency aggregation module that pulls in the base shiro-spring-boot-starter and adds web-specific dependencies
  • All auto-configured beans are conditional and can be overridden by defining custom beans
  • The starter integrates seamlessly with Spring Boot's auto-configuration system
  • Supports both programmatic configuration and properties-based configuration
  • Automatically registers the Shiro filter in the Spring Boot servlet container
  • Enables Shiro security annotations through AOP integration
  • Compatible with Spring Boot 2.x and 3.x (check compatibility matrix for specific versions)

docs

index.md

tile.json