Quick Introduction to Apache Shiro

Please note that this article is not going to cover all the aspects of Apache Shiro or even all the features. This can be used as a “Quick Glance at Apache Shiro for Java Programmers” or as a quick catch up.

What is Apache Shiro?

  • Shiro is a Java security framework intended for use in client applications, which can be web applications or even stand-alone applications.
  • Shiro's APIs implement JAAS (Java Authentication and Authorization Service) features and make them easier to use. It enables authentication, authorization, cryptography, and session management within an application.
  • Shiro does not provide SSO service out of the box at the moment.

Although Shiro can be used in both Java web applications and stand-alone applications, I am going to cover the following topics considering only its use in Java web applications.

  1. Framework Basics
  2. Security Implementation
  3. Framework Limitations

1. Framework Basics

There are three key concepts you have to think about if you are using Apache Shiro:

  • Subject
  • Security Manager
  • Realm

Subject: the currently executing user

  • Shiro is built entirely around the Subject: all functionality of an application is represented and secured on a per-user basis, i.e. per Subject.
  • Subjects can be maintained across threads (threading and concurrency).
  • Developers can access the Subject anywhere in code, which allows security operations to occur anywhere.

import org.apache.shiro.subject.Subject;
import org.apache.shiro.SecurityUtils;

// Obtain the Subject bound to the current thread / request
Subject currentUser = SecurityUtils.getSubject();

Security Manager

  • The counterpart of the Subject: it actually handles security behind the scenes.
  • A Shiro servlet filter can be declared in the web.xml of a web application, and it will set up the SecurityManager instance.
  • This instance is a singleton for the application. By default it is configured via an INI file (it can also be configured with POJO-compatible configuration mechanisms).

Example Filter

<!-- no init-param means load the INI config from classpath:shiro.ini -->


Descriptive shiro.ini

# =======================
# Shiro INI configuration
# =======================

[main]
# Objects and their properties are defined here,
# such as the securityManager, Realms and anything
# else needed to build the SecurityManager

[users]
# The 'users' section is for simple deployments
# when you only need a small number of statically-defined
# user accounts.

[roles]
# The 'roles' section is for simple deployments
# when you only need a small number of statically-defined
# roles.

[urls]
# The 'urls' section is used for url-based security
# in web applications. We'll discuss this section in the
# Web documentation

Realm

  • The bridge between Shiro and the application's security data, such as user accounts (in LDAP or a user database), used to perform authentication and authorization.
  • One or more realms can be configured for an application.

Example LDAP configuration defined in shiro.ini

# Realm that authenticates against an LDAP directory via JNDI
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
# {0} is replaced with the submitted username to build the bind DN
ldapRealm.userDnTemplate = uid={0},ou=users,dc=yourdc,dc=com
ldapRealm.contextFactory.url = ldap://ldapHost:389
ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5


2. Security Implementation

Authentication Handling

AuthenticationToken token = new UsernamePasswordToken(username, password); // Acquire submitted principals and credentials

Subject currentUser = SecurityUtils.getSubject(); // Get the current Subject

currentUser.login(token); // Authenticate; throws AuthenticationException on failure


Access Control

if (subject.hasRole("administrator")) { /* ... */ }          // check role
if (subject.isPermitted("user:create")) { /* ... */ }         // check permission
if (subject.isPermitted("user:delete:jsmith")) { /* ... */ }  // check instance permission

Session Handling

  • Capable of handling both the usual HTTP sessions and Shiro's native sessions, which support the full set of Shiro session features in any environment.

Session session = subject.getSession();
session.setAttribute("key", someValue);
Date start = session.getStartTimestamp();
Date timestamp = session.getLastAccessTime();
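The three steps in this section (authentication, access control, session handling) form one flow, and the fragments above do not show what happens when a login fails or a permission is denied. The following is an added example written for this article, not code from the original post or from the Apache Shiro project. It builds a SecurityManager from an in-memory INI equivalent of the `[users]` and `[roles]` sections described in the Basics section, so it runs without a servlet container; the class name `ShiroWalkthrough`, the accounts `jsmith` and `bob`, their passwords, roles and permissions are all constructed for the example. Shiro types used are from Shiro 1.x.

```java
// Added example (not from the original article): authentication with failure handling,
// access control, and session use against a constructed in-memory configuration.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

public class ShiroWalkthrough {

    /** Same content a shiro.ini would hold, built in memory (constructed sample data; plaintext is demo-only). */
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        // [users]  username = password, role1, role2 ...
        Ini.Section users = ini.addSection("users");
        users.put("jsmith", "secret, administrator");
        users.put("bob", "hunter2, staff");
        // [roles]  role = permission1, permission2 ...  (wildcard permission syntax)
        Ini.Section roles = ini.addSection("roles");
        roles.put("administrator", "user:*");
        roles.put("staff", "user:read");
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(ini);
        return factory.getInstance();
    }

    /**
     * Authenticates the Subject and returns true on success. The specific cause of a failure
     * goes only to the server log; the caller gets a single boolean, so a login form built on
     * this cannot reveal whether the account exists or is locked.
     */
    static boolean login(Subject subject, String username, char[] password) {
        AuthenticationToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return true;
        } catch (UnknownAccountException e) {
            log("no account named " + username);
        } catch (IncorrectCredentialsException e) {
            log("wrong password for " + username);
        } catch (LockedAccountException e) {
            log("account locked: " + username);
        } catch (AuthenticationException e) {
            log("authentication failed for " + username + ": " + e.getClass().getSimpleName());
        }
        return false;
    }

    static void log(String msg) { System.err.println("[auth] " + msg); }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();

        // A wrong password leaves the Subject anonymous; nothing is granted on failure.
        System.out.println("bad password accepted?  " + login(currentUser, "jsmith", "nope".toCharArray()));
        System.out.println("authenticated after failure? " + currentUser.isAuthenticated());

        login(currentUser, "jsmith", "secret".toCharArray());
        System.out.println("authenticated: " + currentUser.isAuthenticated() + " as " + currentUser.getPrincipal());

        // Access control: role check, permission check, instance-level permission check.
        System.out.println("administrator role:  " + currentUser.hasRole("administrator"));
        System.out.println("user:create:         " + currentUser.isPermitted("user:create"));
        System.out.println("user:delete:jsmith:  " + currentUser.isPermitted("user:delete:jsmith"));
        try {
            currentUser.checkPermission("system:shutdown"); // check* variants throw instead of returning false
        } catch (AuthorizationException e) {
            System.out.println("denied: system:shutdown");
        }

        // Session handling: a native Shiro session, no servlet container required.
        Session session = currentUser.getSession();
        session.setAttribute("cart", "item-42");
        session.setTimeout(15 * 60 * 1000L); // idle timeout in milliseconds
        System.out.println("session " + session.getId() + " started " + session.getStartTimestamp()
                + ", cart=" + session.getAttribute("cart"));

        // Logout invalidates the session and drops the authenticated principal.
        currentUser.logout();
        System.out.println("authenticated after logout: " + currentUser.isAuthenticated());
    }
}
```

In a web application the SecurityManager comes from the Shiro servlet filter and shiro.ini rather than `buildSecurityManager()`, but the `login`, `hasRole`/`isPermitted`/`checkPermission` and `Session` calls are the same; the permission `user:*` granted to `administrator` implies both `user:create` and the instance-level `user:delete:jsmith`, which is why both checks pass.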

Content Filtering in JSP

  • Shiro provides a set of JSP tags for filtering page content by role, permission or authentication state.

<shiro:hasRole name="admin"><a href="admin/index.jsp">Admin Area</a></shiro:hasRole>

3. Framework Limitations

  • Does not deal with Virtual Machine level security.
  • No realm write operations (i.e. it cannot create new accounts).

Here are some useful links if you want to get into Apache Shiro.