Shiro

  1. Introduction
    1.1. Features
    1.2. Highlights
  2. Components
    2.1. Subject
    2.2. SecurityManager
    2.3. SessionManager
    2.4. Realm
    2.5. Authenticator
    2.6. Authorizer
    2.7. CacheManager
    2.8. SubjectDAO
    2.9. CredentialsMatcher
    2.10. Filter
  3. Configuration
    3.1. ini
  4. Links

Introduction

Shiro is an easy-to-use Java security framework that works in both web and standalone applications.

Shiro Architecture (figure)

Features

Shiro Features (figure)

Highlights

  • Multiple realm support.
  • Pluggable data storage (realm, session).
  • Cryptography.
  • SSO support.
  • Web friendly (URL-specific filter chains).
  • OAuth, CAS, SAML, OpenID Connect, LDAP, JWT… support via pac4j.
  • Popular web framework support: Spring MVC, Play!, Lift, Wicket, Dropwizard.

Components

Subject

The current executing user.

  Subject currentUser = SecurityUtils.getSubject();

Almost the only object you will deal with directly in your application.

SecurityManager

The heart of the Shiro architecture; it does the heavy lifting for the Subject behind the scenes.

SessionManager

Manages the creation, maintenance and clean-up of sessions.

Realm

Storage for users, roles and permissions.

A Realm is essentially a security-specific DAO.

Authenticator

Processes the login logic.

Authorizer

Performs authorization operations on any given Subject (a.k.a. user).

CacheManager

Maintains the lifecycle of cache instances; it is a wrapper around a popular cache provider such as EhCache or JCS.

SubjectDAO

  • create (org.apache.shiro.session.Session)
  • readSession (java.io.Serializable)
  • update (org.apache.shiro.session.Session)
  • delete (org.apache.shiro.session.Session)

CredentialsMatcher

Determines whether the credentials provided in an AuthenticationToken match the corresponding account's credentials stored in the realm(s).

Filter

Filter Name        Class                           Description
anon               AnonymousFilter                 no security check
authc              FormAuthenticationFilter        do login or redirect to loginUrl
logout             LogoutFilter                    do logout
noSessionCreation  NoSessionCreationFilter         makes subject.getSession(true) throw an exception
perms              PermissionsAuthorizationFilter  permission-specific check
port               PortFilter                      accept requests only on the given port, default 80
rest               HttpMethodPermissionFilter      /user/** = rest[user] -> Subject.isPermitted("user:read")
roles              RolesAuthorizationFilter        denies access if the user has none of the roles specified
ssl                SslFilter                       denies access if the scheme is not https
user               UserFilter                      requires an authenticated or remembered user

Configuration

ini

Sample shiro.ini

[main]
# ①
authc.loginUrl = /login.jsp
authc.successUrl = /home.jsp
# ②
passwordMatcher = org.apache.shiro.authc.credential.TempFixPasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordMatcher.passwordService = $passwordService
# ③
ds = com.jolbox.bonecp.BoneCPDataSource
ds.driverClass = com.mysql.jdbc.Driver
ds.jdbcUrl = jdbc:mysql://localhost:3306/simple_shiro_web_app
ds.username = root
ds.password = 123qwe
# ④
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = SELECT password FROM USERS WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_name FROM USERS_ROLES WHERE username = ?
jdbcRealm.permissionsQuery = SELECT permission_name FROM ROLES_PERMISSIONS WHERE role_name = ?
jdbcRealm.credentialsMatcher = $passwordMatcher
jdbcRealm.dataSource = $ds
# ⑤
securityManager.realms = $jdbcRealm
# ⑥
[urls]
# The /login.jsp is not restricted to authenticated users (otherwise no one could log in!),
# but the 'authc' filter must still be specified for it so it can process that url's login submissions.
# It is 'smart' enough to allow those requests through as specified by the shiro.loginUrl above.
/login.jsp = authc
/home.jsp = anon, authc
/logout = logout
/account/** = authc

① Configuration for the authc authentication filter.
② Configuration for the passwordMatcher and passwordService, the components that perform password verification and matching.
③ The definition of the DataSource; in this example it is a JDBC DataSource.
④ Configuration for the Realm; in this example it is a JDBC Realm.
⑤ This assigns the configured Realm to the Shiro SecurityManager.
⑥ This assigns URL patterns to the appropriate filters.
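As an added example, not code from the original page, the standalone program below wires the same components (SecurityManager, Realm, Authenticator, CredentialsMatcher, Authorizer, Subject) from an ini without a servlet container. It assumes Shiro 1.x on the classpath and uses a constructed in-memory [users]/[roles] ini parsed by Shiro's built-in IniRealm in place of the JDBC realm above; the user names, passwords and permission strings are invented for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroIniDemo {

    // Constructed ini for the demo: [users] is "name = password, role...",
    // [roles] is "role = permission...". Both sections feed the built-in IniRealm.
    private static final String INI =
          "[users]\n"
        + "alice = alice-secret, admin\n"
        + "bob = bob-secret, reader\n"
        + "[roles]\n"
        + "admin = *\n"
        + "reader = user:read\n";

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        // The SecurityManager built from the ini owns the realm, authenticator and authorizer.
        SecurityManager securityManager = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        // The Subject is the current user; every check goes through it.
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("bob", "bob-secret");
        try {
            // Authenticator -> Realm -> CredentialsMatcher run behind this single call.
            currentUser.login(token);
        } catch (AuthenticationException e) {
            // One generic message for unknown account and wrong password alike,
            // so a failed attempt does not reveal which accounts exist.
            System.out.println("Login failed");
            return;
        } finally {
            token.clear(); // drop the plaintext password from memory as soon as possible
        }

        // Authorizer checks, the same semantics the 'roles' and 'rest' filters apply to URLs:
        // bob has role reader but not admin, and holds user:read but not user:delete.
        System.out.println("hasRole(admin)          = " + currentUser.hasRole("admin"));
        System.out.println("isPermitted(user:read)  = " + currentUser.isPermitted("user:read"));
        System.out.println("isPermitted(user:delete)= " + currentUser.isPermitted("user:delete"));

        currentUser.logout(); // invalidates the session held by the SessionManager
    }
}
```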