tessl/maven-org-apache-shiro--shiro-web

Web support module for Apache Shiro providing servlet filters, session management, and web-specific authentication and authorization features

Describes
mavenpkg:maven/org.apache.shiro/shiro-web@1.13.x

To install, run

npx @tessl/cli install tessl/maven-org-apache-shiro--shiro-web@1.13.0


Apache Shiro Web

Apache Shiro Web is a comprehensive security framework module that extends Shiro's core security capabilities with servlet-based web application support. It provides authentication and authorization through configurable filter chains, multiple session management strategies, JSP tag libraries for view-layer security, and seamless integration with Java web applications.

Package Information

  • Package Name: org.apache.shiro:shiro-web
  • Package Type: Maven
  • Language: Java
  • Installation: Add to Maven pom.xml:
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.13.0</version>
</dependency>

Gradle:

implementation 'org.apache.shiro:shiro-web:1.13.0'

Core Imports

// Primary servlet filter for web applications
import org.apache.shiro.web.servlet.ShiroFilter;

// Environment setup and configuration
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.env.WebEnvironment;

// Security manager for web applications
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.mgt.WebSecurityManager;

// Filter management and configuration
import org.apache.shiro.web.filter.mgt.FilterChainManager;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;

// Web subject for request/response access
import org.apache.shiro.web.subject.WebSubject;

Basic Usage

Servlet Filter Configuration

// web.xml configuration
/*
<listener>
    <listener-class>
        org.apache.shiro.web.env.EnvironmentLoaderListener
    </listener-class>
</listener>

<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
*/

// Programmatic filter configuration
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;

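public class ShiroConfig {
    /**
     * Builds a Shiro filter whose security manager and filter chains are fully wired.
     *
     * <p>Chain definitions are only enforced when a {@code FilterChainResolver}
     * backed by the chain manager is installed on the filter; a filter with no
     * resolver never consults them and every request falls through unprotected.
     * Chains are matched in registration order, so the specific paths are
     * declared before the catch-all pattern.
     *
     * @return a configured filter ready to be registered with the servlet container
     */
    public AbstractShiroFilter createShiroFilter() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

        DefaultFilterChainManager filterChainManager = new DefaultFilterChainManager();
        // Most specific paths first: the first matching chain wins.
        filterChainManager.createChain("/login", "authc");
        filterChainManager.createChain("/admin/**", "authc, roles[admin]");
        filterChainManager.createChain("/user/**", "authc");
        filterChainManager.createChain("/**", "anon");

        // Bind the definitions to a path-matching resolver; without this step the
        // chains above are never applied to any request.
        PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
        chainResolver.setFilterChainManager(filterChainManager);

        AbstractShiroFilter shiroFilter = new AbstractShiroFilter() {};
        shiroFilter.setSecurityManager(securityManager);
        shiroFilter.setFilterChainResolver(chainResolver);

        return shiroFilter;
    }
}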

Working with Web Subjects

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.subject.WebSubject;
import org.apache.shiro.web.util.WebUtils;

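/**
 * Dispatches a request according to the current subject's authentication state.
 *
 * <p>Unauthenticated callers are redirected to {@code /login}. The redirect
 * target is a fixed, application-controlled path and is never taken from the
 * request, so it cannot be abused as an open redirect.
 *
 * @param request  the current servlet request
 * @param response the current servlet response
 * @throws IOException if the login redirect cannot be written to the response
 * @throws IllegalStateException if the current subject was not created by the
 *         web layer and therefore carries no servlet request/response
 */
public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
    Subject subject = SecurityUtils.getSubject();
    // Only subjects built by the web layer expose the request/response pair; an
    // unchecked cast would report the same condition as a bare ClassCastException.
    if (!(subject instanceof WebSubject)) {
        throw new IllegalStateException("current subject is not a WebSubject; is ShiroFilter mapped to this request?");
    }
    WebSubject currentUser = (WebSubject) subject;

    // The servlet request/response are also reachable through the WebSubject.
    // getServletRequest() returns the generic ServletRequest type, so narrow it
    // with WebUtils.toHttp rather than an implicit assignment. Shown for
    // illustration; the parameters are used below.
    HttpServletRequest subjectRequest = WebUtils.toHttp(currentUser.getServletRequest());
    HttpServletResponse subjectResponse = WebUtils.toHttp(currentUser.getServletResponse());

    // Check authentication and authorization
    if (currentUser.isAuthenticated()) {
        if (currentUser.hasRole("admin")) {
            // Admin functionality
        }
    } else {
        // Redirect to login
        WebUtils.issueRedirect(request, response, "/login");
    }
}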

Architecture

Apache Shiro Web follows a layered architecture designed around servlet filters:

  • Environment Layer: WebEnvironment provides centralized configuration and component management
  • Filter Layer: Configurable chains of servlet filters handle authentication, authorization, and session management
  • Security Manager: WebSecurityManager coordinates web-specific security operations
  • Subject Layer: WebSubject provides request/response-aware security context
  • Session Management: Multiple strategies from servlet container sessions to Shiro native sessions
  • Tag Library: JSP tags for view-layer security integration

This design enables flexible integration with any servlet-based web application while maintaining Shiro's powerful security features.

Capabilities

Environment and Configuration

Core components for initializing and configuring Shiro in web applications, including environment setup, filter configuration factories, and servlet integration.

// Primary environment interface: the lookup point for the three collaborators the
// web layer needs (filter chain resolver, servlet context, web security manager).
interface WebEnvironment extends Environment {
    FilterChainResolver getFilterChainResolver();
    ServletContext getServletContext();
    WebSecurityManager getWebSecurityManager();
}

// Environment initialization: a ServletContextListener, so it runs once at
// application start and once at shutdown. It must be declared in web.xml
// before the filter can find a configured environment.
class EnvironmentLoaderListener implements ServletContextListener {
    public void contextInitialized(ServletContextEvent event);   // loads the WebEnvironment for the application
    public void contextDestroyed(ServletContextEvent event);     // releases it
}

// Configuration factories: turns a parsed INI definition into a FilterChainResolver.
// The INI source is deployment configuration; whoever can edit it controls which
// paths are protected.
class IniFilterChainResolverFactory extends IniFactorySupport<FilterChainResolver> {
    public FilterChainResolver createInstance(Ini ini);
}

Environment and Configuration

Servlet Filters and Integration

Comprehensive servlet filter system providing authentication, authorization, and request processing through configurable filter chains and servlet integration components.

// Primary servlet filter: the concrete class referenced by <filter-class> in
// web.xml; it resolves its configuration during init().
class ShiroFilter extends AbstractShiroFilter {
    public void init() throws ServletException;   // a ServletException here propagates to the container
}

// Base filter functionality shared by ShiroFilter and programmatic subclasses.
// Both collaborators matter: the security manager supplies subjects, the
// resolver decides which filter chain (if any) guards a given request.
abstract class AbstractShiroFilter extends OncePerRequestFilter {
    public WebSecurityManager getSecurityManager();
    public void setSecurityManager(WebSecurityManager securityManager);
    public FilterChainResolver getFilterChainResolver();
    public void setFilterChainResolver(FilterChainResolver resolver);   // with no resolver, chain definitions are never applied
}

// Filter templates: subclasses decide per request whether access is granted
// (isAccessAllowed); when it is not, onAccessDenied runs and its return value
// tells the filter whether the chain should continue (true) or stop (false).
// mappedValue is the bracketed config from the chain definition, e.g. the
// "admin" in roles[admin].
abstract class AccessControlFilter extends PathMatchingFilter {
    public String getLoginUrl();                  // where unauthenticated callers are sent
    public void setLoginUrl(String loginUrl);     // keep this an application-controlled path, never request-derived
    protected abstract boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue);
    protected abstract boolean onAccessDenied(ServletRequest request, ServletResponse response);
}

Servlet Filters and Integration

Authentication Filters

Specialized filters for various authentication mechanisms including form-based, HTTP Basic/Bearer, anonymous access, and logout handling.

// Form authentication: reads the username/password fields of a submitted login
// form. The parameter names are configurable; whatever they are, the values are
// untrusted user input that feeds the authentication attempt.
class FormAuthenticationFilter extends AuthenticatingFilter {
    public String getUsernameParam();
    public void setUsernameParam(String usernameParam);
    public String getPasswordParam();
    public void setPasswordParam(String passwordParam);
    public boolean isRememberMe(ServletRequest request);   // derived from the remember-me form parameter — confirm exact parsing
}

// HTTP Basic authentication: extracts the decoded "user:password" pair from the
// Authorization header. The header is client-controlled input, and Basic
// credentials are only base64-encoded, so this scheme belongs behind TLS.
class BasicHttpAuthenticationFilter extends HttpAuthenticationFilter {
    protected String[] getPrincipalsAndCredentials(String authorizationHeader, ServletRequest request);   // [username, password] — confirm order
}

// Logout handling: ends the subject's session and redirects to redirectUrl.
// Keep the target a fixed application path; a request-supplied value would turn
// the logout endpoint into an open redirect.
class LogoutFilter extends AdviceFilter {
    public String getRedirectUrl();
    public void setRedirectUrl(String redirectUrl);
}

Authentication Filters

Authorization Filters

Access control filters for role-based and permission-based authorization, including SSL enforcement, host/port restrictions, and HTTP method permissions.

// Permission-based authorization: mappedValue carries the permission strings
// from the chain definition (the bracketed part of perms[...]). Access requires
// the subject to hold every listed permission — confirm against the Shiro
// reference for the exact rule.
class PermissionsAuthorizationFilter extends AuthorizationFilter {
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue);
}

// Role-based authorization: mappedValue carries the role names from the chain
// definition (the "admin" in roles[admin]). With several roles listed, all of
// them are required — confirm against the Shiro reference.
class RolesAuthorizationFilter extends AuthorizationFilter {
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue);
}

// SSL enforcement: a PortFilter that requires requests to arrive on the
// configured port (the standard HTTPS port unless setPort is called — confirm
// the default); non-matching requests are typically redirected rather than served.
class SslFilter extends PortFilter {
    public int getPort();
    public void setPort(int port);
}

// HTTP method permissions: derives an action name from the request method and
// appends it to the configured permission, so rest[users] on a POST checks a
// "users:<action>" permission — confirm the exact verb-to-action mapping.
class HttpMethodPermissionFilter extends PermissionsAuthorizationFilter {
    protected String getHttpMethodAction(ServletRequest request);   // e.g. GET -> read
}

Authorization Filters

Filter Chain Management

Components for managing and resolving filter chains, including path-based chain resolution, filter registration, and configuration management.

// Filter chain resolution: picks the chain that guards a request. Presumably
// returns null when no chain matches, in which case the original (unfiltered)
// container chain runs — so an unmatched path is an unprotected path.
interface FilterChainResolver {
    FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain);
}

// Filter chain management: chainDefinition is a comma-separated list of filter
// names, each optionally followed by a bracketed config value (for example
// "authc, roles[admin]"); chainName is the path pattern being protected.
interface FilterChainManager {
    Map<String, NamedFilterList> getFilterChains();
    NamedFilterList getChain(String chainName);
    void createChain(String chainName, String chainDefinition);
    void addToChain(String chainName, String filterName);   // filterName must be a registered filter
}

// Default implementations: PathMatchingFilterChainResolver matches the request
// path against the chain names registered in a DefaultFilterChainManager.
class PathMatchingFilterChainResolver implements FilterChainResolver;
class DefaultFilterChainManager implements FilterChainManager;

// Predefined filters: the enum names are the tokens accepted in chain
// definitions (e.g. "authc, roles[admin]").
enum DefaultFilter {
    anon(AnonymousFilter.class),                        // no checks at all
    authc(FormAuthenticationFilter.class),              // form login required
    authcBasic(BasicHttpAuthenticationFilter.class),    // HTTP Basic
    authcBearer(BearerHttpAuthenticationFilter.class),  // HTTP Bearer token
    logout(LogoutFilter.class),
    noSessionCreation(NoSessionCreationFilter.class),   // forbids creating a session for the path
    perms(PermissionsAuthorizationFilter.class),        // perms[...]
    port(PortFilter.class),                             // port[n]
    rest(HttpMethodPermissionFilter.class),             // rest[resource]
    roles(RolesAuthorizationFilter.class),              // roles[...]
    ssl(SslFilter.class),
    user(UserFilter.class),                             // known user, authenticated or remembered — confirm
    invalidRequest(InvalidRequestFilter.class);         // rejects malformed/suspicious request paths — confirm scope
    
    public Filter newInstance();
    public Class<? extends Filter> getFilterClass();
    public static Map<String, Filter> createInstanceMap(FilterConfig config);   // one instance per constant, keyed by name
}

Filter Chain Management

Web Security Management

Web-specific security manager implementations, remember-me functionality, subject factories, and session storage evaluation for servlet environments.

// Web security manager: adds one question to SecurityManager — whether sessions
// are the servlet container's HttpSessions (true) or Shiro-native ones.
interface WebSecurityManager extends SecurityManager {
    boolean isHttpSessionMode();
}

// Default web security manager. The constructors differ only in how realms are
// supplied; with the no-arg form, realms must be configured afterwards or no
// login can succeed.
class DefaultWebSecurityManager extends DefaultSecurityManager implements WebSecurityManager {
    public DefaultWebSecurityManager();
    public DefaultWebSecurityManager(Realm singleRealm);
    public DefaultWebSecurityManager(Collection<Realm> realms);
}

// Cookie-based remember me: the remembered identity is stored client-side in the
// cookie, protected by cipherKey. Anyone holding that key can forge a remember-me
// cookie, so it must be secret, unique per deployment and never checked into
// source; review the cookie's Secure/HttpOnly flags as well.
class CookieRememberMeManager extends AbstractRememberMeManager {
    public Cookie getCookie();
    public void setCookie(Cookie cookie);
    public String getCipherKey();                // presumably the base64 form of the key — confirm encoding
    public void setCipherKey(String cipherKey);
}

// Web subject factory: produces a request/response-aware WebSubject when the
// context carries a servlet request/response pair, otherwise falls back to the
// parent's behavior.
class DefaultWebSubjectFactory extends DefaultSubjectFactory {
    public Subject createSubject(SubjectContext context);
}

Web Security Management

Session Management

Web session management including servlet container session delegation, native Shiro session management, cookie-based session IDs, and session context management.

// Web session manager interface: reports whether sessions are delegated to the
// servlet container (HttpSession) or managed natively by Shiro.
interface WebSessionManager extends SessionManager {
    boolean isServletContainerSessions();
}

// Default web session manager: Shiro-native sessions whose id travels in a cookie.
// Review the cookie's Secure/HttpOnly settings, and leave URL rewriting off:
// session ids placed in URLs leak through logs, bookmarks and Referer headers.
class DefaultWebSessionManager extends DefaultSessionManager implements WebSessionManager {
    public boolean isServletContainerSessions();   // false for this implementation — confirm
    public Cookie getSessionIdCookie();
    public void setSessionIdCookie(Cookie cookie);
    public boolean isSessionIdUrlRewritingEnabled();
    public void setSessionIdUrlRewritingEnabled(boolean sessionIdUrlRewritingEnabled);   // keep false unless cookieless clients must be supported
}

// Servlet container session delegation: sessions are the container's
// HttpSessions, so their id cookie, timeout and fixation handling are governed
// by the container configuration rather than by Shiro.
class ServletContainerSessionManager implements WebSessionManager {
    public Session start(SessionContext context);   // context is expected to carry the servlet request — confirm
    public Session getSession(SessionKey key);
}

// Session contexts and keys: web variants that additionally carry the servlet
// request/response pair (RequestPairSource), so the session layer can reach the
// current request when starting or looking up a session.
interface WebSessionContext extends SessionContext, RequestPairSource;
class DefaultWebSessionContext extends DefaultSessionContext implements WebSessionContext;
class WebSessionKey extends DefaultSessionKey implements RequestPairSource;

Session Management

Web Subjects

Web-aware subject implementations providing access to servlet requests and responses, with builder patterns for subject creation and context management.

// Web subject interface: a Subject that also carries the servlet request and
// response it was created for. Note that both accessors return the generic
// servlet types; narrow with WebUtils.toHttp when the HTTP variants are needed.
interface WebSubject extends Subject, RequestPairSource {
    ServletRequest getServletRequest(); 
    ServletResponse getServletResponse();
    
    // Builder for creating WebSubject instances outside the filter; the
    // request/response pair is mandatory in the constructor.
    class Builder extends Subject.Builder {
        public Builder(SecurityManager securityManager, ServletRequest request, ServletResponse response);
        public Builder sessionId(Serializable sessionId);   // associate an existing session by id
        public Builder host(String host);                   // originating host to record on the subject
        public Builder session(Session session);
        public WebSubject buildWebSubject();
    }
}

// Context for web subject creation: the SubjectContext handed to the subject
// factory, extended with the servlet request/response pair.
interface WebSubjectContext extends SubjectContext, RequestPairSource;
class DefaultWebSubjectContext extends DefaultSubjectContext implements WebSubjectContext;

// Web subject implementation: the DelegatingSubject used in web applications,
// returning the request/response it was built with.
class WebDelegatingSubject extends DelegatingSubject implements WebSubject {
    public ServletRequest getServletRequest();
    public ServletResponse getServletResponse();
}

Web Subjects

JSP Tag Library

Complete JSP tag library for view-layer security including authentication status tags, role and permission checks, and principal display tags.

// Base tag class: resolves the current Subject for the tag and delegates the
// start-tag decision to onDoStartTag, whose return value (per the JSP tag
// contract) controls whether the body is rendered.
abstract class SecureTag extends TagSupport {
    protected Subject getSubject();
    protected abstract int onDoStartTag() throws JspException;
}

// Authentication tags: each renders its body only when the stated condition holds.
// "Authenticated" means proven in this session; "user" also covers a remembered
// identity — confirm against the Shiro tag reference.
class AuthenticatedTag extends SecureTag;    // Shows content if authenticated
class NotAuthenticatedTag extends SecureTag; // Shows content if not authenticated  
class UserTag extends SecureTag;             // Shows content if a user is known (authenticated or remembered)
class GuestTag extends SecureTag;            // Shows content if guest (no known user)

// Authorization tags: view-layer checks only. They hide markup; they do not
// protect the underlying URLs, which still need a filter chain (roles/perms).
class HasRoleTag extends RoleTag;            // Shows content if has role
class LacksRoleTag extends RoleTag;          // Shows content if lacks role
class HasAnyRolesTag extends RoleTag;        // Shows content if has any role
class HasPermissionTag extends PermissionTag; // Shows content if has permission
class LacksPermissionTag extends PermissionTag; // Shows content if lacks permission

// Utility tags: PrincipalTag writes the principal into the page, so its output
// should be HTML-escaped like any other user-derived value — confirm whether the
// tag escapes by default.
class PrincipalTag extends SecureTag;        // Displays principal

JSP Tag Library

Web Utilities

Utility classes for common web operations including request handling, path resolution, redirect management, request saving/restoration, and servlet request/response type conversion.

// Static helpers for the servlet layer; every method is stateless.
class WebUtils {
    // Path and context utilities
    public static String getPathWithinApplication(HttpServletRequest request);   // request path with the context path stripped
    public static String getContextPath(HttpServletRequest request);
    
    // Environment access
    public static WebEnvironment getWebEnvironment(ServletContext servletContext);   // the environment published by EnvironmentLoaderListener — confirm
    
    // Redirect utilities. The url ends up in the Location header (prefixed with
    // the context path when contextRelative). Pass only application-controlled
    // values: a request-derived url turns the call into an open redirect.
    public static void issueRedirect(ServletRequest request, ServletResponse response, String url) throws IOException;
    public static void issueRedirect(ServletRequest request, ServletResponse response, String url, Map<String, ?> queryParams, boolean contextRelative, boolean http10Compatible) throws IOException;
    
    // Request saving and restoration: the pre-login request is parked as a
    // SavedRequest so it can be replayed after authentication. The getAndClear
    // variant also removes it; redirectToSavedRequest uses fallbackUrl when
    // nothing was saved. Presumably the saved entry lives in the session — confirm.
    public static void saveRequest(ServletRequest request);
    public static SavedRequest getSavedRequest(ServletRequest request);
    public static SavedRequest getAndClearSavedRequest(ServletRequest request);
    public static void redirectToSavedRequest(ServletRequest request, ServletResponse response, String fallbackUrl) throws IOException;
    
    // Type conversion utilities: narrow the generic servlet types to their HTTP
    // counterparts (presumably a plain cast, so non-HTTP requests fail here).
    public static HttpServletRequest toHttp(ServletRequest request);
    public static HttpServletResponse toHttp(ServletResponse response);
}

// Saved request representation: the parts of the original request needed to
// replay it after login. It is Serializable because it is retained across the
// login round-trip (presumably in the session — confirm), so everything captured
// here, including the parameter map, outlives the request that produced it.
class SavedRequest implements Serializable {
    public String getMethod();
    public String getQueryString(); 
    public String getRequestURI();
    public String getRequestURL();
    public Map<String, String[]> getParameterMap();   // raw form/query parameters, untrusted input
}

Web Utilities