You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@shiro.apache.org by bd...@apache.org on 2016/12/15 23:05:59 UTC
svn commit: r1774534 - in /shiro/site/publish: spring-boot.html
spring-framework.html spring-xml.html
Author: bdemers
Date: Thu Dec 15 23:05:59 2016
New Revision: 1774534
URL: http://svn.apache.org/viewvc?rev=1774534&view=rev
Log:
dark launching updated spring docs, for 1.4.0+
Added:
shiro/site/publish/spring-boot.html
shiro/site/publish/spring-framework.html
shiro/site/publish/spring-xml.html
Added: shiro/site/publish/spring-boot.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/spring-boot.html?rev=1774534&view=auto
==============================================================================
--- shiro/site/publish/spring-boot.html (added)
+++ shiro/site/publish/spring-boot.html Thu Dec 15 23:05:59 2016
@@ -0,0 +1,508 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<head>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+ <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.">
+ <meta name="google-site-verification" content="QIax6uT5UX3enoU0G8Pz2pXbQ45KaQuHZ3nCh9V27mw">
+ <meta name="google-site-verification" content="ecFap6dWJgS_GCCtxmJQJ_nFYQhM6EgSpBPZDU7xsCE">
+ <meta name="msvalidate.01" content="0B57EB46CBFAD8FD45008D2DB6B6C68C">
+ <meta name="y_key" content="e47896cd6bae4920">
+
+ <title>
+ Apache Shiro | Simple. Java. Security.
+ </title>
+
+
+ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico">
+ <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css">
+
+ <!-- site styles and -->
+ <link rel="stylesheet" type="text/css" href="./assets/css/style.css">
+ <script type="text/javascript" src="./assets/js/shiro-site.js"></script>
+
+ <!-- github ribbon -->
+ <link rel="stylesheet" href="./assets/css/gh-pages/gh-fork-ribbon.css" />
+ <!--[if lt IE 9]>
+ <link rel="stylesheet" href="./assets/css/gh-pages/gh-fork-ribbon.ie.css" />
+ <![endif]-->
+
+ <script src="https://code.jquery.com/jquery-3.1.1.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
+
+ <!-- bootstrap -->
+ <link rel="stylesheet" href="./assets/bootstrap/css/bootstrap.min.css">
+ <link rel="stylesheet" href="./assets/bootstrap/css/bootstrap-theme.min.css">
+ <script src="./assets/bootstrap/js/bootstrap.min.js"></script>
+
+ <link rel="stylesheet" href="./assets/css/bootstrap-social.css">
+
+ <!-- Google Analytics -->
+ <script>
+ (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+ m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+ })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
+
+ ga('create', 'UA-XXXXX-Y', 'auto');
+ ga('send', 'pageview');
+ </script>
+ <!-- End Google Analytics -->
+
+
+
+ <!-- syntax highlighting -->
+ <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.7.0/styles/default.min.css" integrity="sha256-Zd1icfZ72UBmsId/mUcagrmN7IN5Qkrvh75ICHIQVTk=" crossorigin="anonymous" />
+ <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.7.0/highlight.min.js" integrity="sha256-s63qpgPYoQk+wv3U6WZqioVJrwFNBTgD4dkeegLuwvo=" crossorigin="anonymous"></script>
+ <script>hljs.initHighlightingOnLoad();</script>
+
+ <script type="text/javascript">
+
+ $( document ).ready(function() {
+ addPageEditLink();
+ });
+ </script>
+</head>
+
+<body>
+
+ <div id="top-bar"></div>
+
+ <div class="container" style="max-width: 1200px;">
+
+ <a class="github-fork-ribbon right-top" href="https://github.com/apache/shiro" title="Fork me on GitHub">Fork me on GitHub</a>
+
+
+
+ <div class="masthead">
+ <p class="lead">
+ <a href="./index.html">
+ <img src="./assets/images/apache-shiro-logo.png" style="height:100px; width:auto; vertical-align: bottom; margin-top: 20px;">
+ </a>
+ <span class="tagline">Simple. Java. Security.</span>
+ </p>
+ </div>
+
+
+
+ <nav class="navbar navbar-default" role="navigation">
+ <!-- Brand and toggle get grouped for better mobile display -->
+ <div class="navbar-header">
+ <button type="button" class="navbar-toggle" data-toggle="collapse"
+ data-target="#navbar-collapse-1">
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ </div>
+
+ <!-- Collect the nav links, forms, and other content for toggling -->
+ <div class="collapse navbar-collapse" id="navbar-collapse-1">
+ <ul class="nav navbar-nav">
+ <li><a href="./get-started.html">Get Started</a></li>
+ <li><a href="./documentation.html">Docs</a></li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Web Apps <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./web.html">General</a></li>
+ <li class="divider"></li>
+ <li><a href="./web-features.html">Features</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Integrations <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./spring.html">Spring</a></li>
+ <li><a href="./guice.html">Guice</a></li>
+ <li class="divider"></li>
+ <li><a href="./integration.html">Third-Party Integrations</a></li>
+ </ul>
+ </li>
+
+ <li><a href="./features.html">Features</a></li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Community <b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="./forums.html">Community Forums</a></li>
+ <li><a href="./mailing-lists.html">Mailing Lists</a></li>
+ <li><a href="./articles.html">Articles</a></li>
+ <li><a href="./news.html">News</a></li>
+ <li><a href="./events.html">Events</a></li>
+ <li class="divider"></li>
+ <li><a href="./community.html">More</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ About <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./about.html">About</a></li>
+ <li><a href="./security-reports.html">Vulnerability Reports</a></li>
+ </ul>
+ </li>
+
+ </ul>
+
+ <ul class="nav navbar-nav navbar-right">
+ <li class="dropdown">
+ <a href="http://www.apache.org/" class="dropdown-toggle" data-toggle="dropdown">
+ Apache Software Foundation <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="http://www.apache.org/">Apache Homepage</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Donate</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ </li>
+ </ul>
+ </div>
+ <!-- /.navbar-collapse -->
+ </nav>
+
+
+ <a name="Spring-IntegratingApacheShirointoSpringbasedApplications"></a>
+<h1>Integrating Apache Shiro into Spring-Boot Applications</h1>
+<p>Shiro’s Spring-Boot integration is the easiest way to integrate Shiro into a Spring-base application, for more general Spring Framework integration, take a the <a href="spring-framework.html">annotation</a> or <a href="spring-xml.html">XML</a> guides. </p>
+<a name="Spring-StandaloneApplications"></a>
+<h2><a href="#standalone-applications" name="standalone-applications">Standalone Applications</a></h2>
+<p>Include the Shiro Spring starter dependency in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).</p>
+<ul class="nav nav-tabs">
+ <li class="active"><a data-toggle="tab" href="#maven-cli">Apache Maven</a></li>
+ <li><a data-toggle="tab" href="#gradle-cli">Gradle</a></li>
+</ul>
+<div class="tab-content">
+ <div id="maven-cli" class="tab-pane fade in active">
+ <pre><code class='xml'><dependency>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-spring-boot-starter</artifactId>
+ <version>${earlyRelease}</version>
+</dependency>
+</code></pre>
+ </div>
+ <div id="gradle-cli" class="tab-pane fade">
+ <pre><code class='groovy'>compile 'org.apache.shiro:shiro-spring-boot-starter:${earlyRelease}'
+</code></pre>
+ </div>
+</div>
+<p>The only thing that is left is to configure a <a href="realm.html">realm</a>:</p>
+<pre><code class="java">@Bean
+public Realm realm() {
+ ...
+}
+</code></pre>
+<p>The easiest way to setup Shiro, so that all SecurityUtils.* methods work in all cases, is to make the <code>SecurityManager</code> bean a static singleton. DO NOT do this in web applications - see the <a href="#Spring-WebApplications">Web Applications</a> section below instead.</p>
+<pre><code class="java">@Autowired
+private SecurityManager securityManager;
+
+ @PostConstruct
+ private void initStaticSecurityManager() {
+ SecurityUtils.setSecurityManager(securityManager);
+ }
+</code></pre>
+<p>That is it, now you can get the current <code>Subject</code> using:</p>
+<pre><code class="java">SecurityUtils.getSubject();
+</code></pre>
+<p>You can see a full example in our <a href="https://github.com/apache/shiro/tree/master/samples/spring-boot">samples on Github</a>.</p>
+<a name="Spring-WebApplications"></a>
+<h2><a href="#web-applications" name="web-applications">Web Applications</a></h2>
+<p>Shiro has first-class support for Spring web applications. In a web application, all Shiro-accessible web requests must go through a master Shiro Filter. This filter itself is extremely powerful, allowing for ad-hoc custom filter chains to be executed based on any URL path expression.</p>
+<p>First include the Shiro Spring web starter dependency in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).</p>
+<ul class="nav nav-tabs">
+ <li class="active"><a data-toggle="tab" href="#maven-web">Apache Maven</a></li>
+ <li><a data-toggle="tab" href="#gradle-web">Gradle</a></li>
+</ul>
+<div class="tab-content">
+ <div id="maven-web" class="tab-pane fade in active">
+ <pre><code class='xml'><dependency>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-spring-boot-web-starter</artifactId>
+ <version>${earlyRelease}</version>
+</dependency>
+</code></pre>
+ </div>
+ <div id="gradle-web" class="tab-pane fade">
+ <pre><code class='groovy'>compile 'org.apache.shiro:shiro-spring-boot-web-starter:${earlyRelease}'
+</code></pre>
+ </div>
+</div>
+<p>Provide a Realm implementation:</p>
+<pre><code class="java">@Bean
+public Realm realm() {
+ ...
+}
+</code></pre>
+<p>And finally a <code>ShiroFilterChainDefinition</code> which will map any application specific paths to a given filter, in order to allow different paths different levels of access. </p>
+<pre><code class="java">@Bean
+public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+ DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+
+ // logged in users with the 'admin' role
+ chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");
+
+ // logged in users with the 'document:read' permission
+ chainDefinition.addPathDefinition("/docs/**", "authc, perms[document:read]");
+
+ // all other paths require a logged in user
+ chainDefinition.addPathDefinition("/**", "authc");
+ return chainDefinition;
+}
+</code></pre>
+<p>If you are using Shiro’s annotations see the <a href="#Spring-annotations-web">annotation</a> section below.</p>
+<p>You can see a full example in our <a href="https://github.com/apache/shiro/tree/master/samples/spring-boot-web">samples on Github</a>.</p>
+<a name="Spring-annotations"></a>
+<h2><a href="#enabling-shiro-annotations" name="enabling-shiro-annotations">Enabling Shiro Annotations</a></h2>
+<p>In both standalone and web applications, you might want to use Shiro’s Annotations for security checks (for example, <code>@RequiresRoles</code>, <code>@RequiresPermissions</code>, etc.) These annotations are enabled automatically in both starters listed above.</p>
+<p>Simply annotate your methods in order to use them:</p>
+<pre><code class="java">@RequiresPermissions("document:read")
+public void readDocument() {
+ ...
+}
+</code></pre>
+<a name="Spring-annotations-web"></a>
+<h3><a href="#annotations-and-web-applications" name="annotations-and-web-applications">Annotations and Web Applications</a></h3>
+<p>Shiro annotations are fully supported for use in <code>@Controller</code> classes, for example:</p>
+<pre><code class="java">@Controller
+public class AccountInfoController {
+
+ @RequiresRoles("admin")
+ @RequestMapping("/admin/config")
+ public String adminConfig(Model model) {
+ return "view";
+ }
+}
+</code></pre>
+<p>A <code>ShiroFilterChainDefinition</code> bean with at least one definition is still required for this to work, either configure all paths to be accessable via the <code>anon</code> filter or a filter in ‘permissive’ mode, for example: <code>authcBasic[permissive]</code>.</p>
+<pre><code class="java">@Bean
+public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+ DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+ chainDefinition.addPathDefinition("/**", "anon"); // all paths are managed via annotations
+
+ // or allow basic authentication, but NOT require it.
+ // chainDefinition.addPathDefinition("/**", "authcBasic[permissive]");
+ return chainDefinition;
+}
+</code></pre>
+<a name="Spring-caching"></a>
+<h1><a href="#caching" name="caching">Caching</a></h1>
+<p>Enabling caching is as simple as providing a <a href="http://shiro.apache.org/caching.html">CacheManager</a> bean:</p>
+<pre><code class="java">@Bean
+protected CacheManager cacheManager() {
+ return new MemoryConstrainedCacheManager();
+}
+</code></pre>
+<!-- Work around for table styling until, all pages are updated. -->
+<style>
+
+ table, th, td {
+ border: 1px solid black;
+ border-collapse: collapse;
+ border-color: #ccc;
+ }
+ th {
+ background-color: #f0f0f0
+ }
+ th, td {
+ padding: 8px;
+ }
+</style>
+<h1><a href="#configuration-properties" name="configuration-properties">Configuration Properties</a></h1>
+<table>
+ <thead>
+ <tr>
+ <th>Key </th>
+ <th>Default Value </th>
+ <th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>shiro.enabled </td>
+ <td><code>true</code> </td>
+ <td>Enables Shiro’s Spring module </td>
+ </tr>
+ <tr>
+ <td>shiro.web.enabled </td>
+ <td><code>true</code> </td>
+ <td>Enables Shiro’s Spring web module </td>
+ </tr>
+ <tr>
+ <td>shiro.annotations.enabled </td>
+ <td><code>true</code> </td>
+ <td>Enables Spring support for Shiro’s annotations </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.deleteInvalidSessions </td>
+ <td><code>true</code> </td>
+ <td>Remove invalid session from session storage </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.sessionIdCookieEnabled </td>
+ <td><code>true</code> </td>
+ <td>Enable session ID to cookie, for session tracking </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.sessionIdUrlRewritingEnabled </td>
+ <td><code>true</code> </td>
+ <td>Enable session URL rewriting support </td>
+ </tr>
+ <tr>
+ <td>shiro.userNativeSessionManager </td>
+ <td><code>false</code> </td>
+ <td>If enabled Shiro will manage the HTTP sessions instead of the container </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.name </td>
+ <td><code>JSESSIONID</code> </td>
+ <td>Session cookie name </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.maxAge </td>
+ <td><code>-1</code> </td>
+ <td>Session cookie max age </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.domain </td>
+ <td>null </td>
+ <td>Session cookie domain </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.path </td>
+ <td>null </td>
+ <td>Session cookie path </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.secure </td>
+ <td><code>false</code> </td>
+ <td>Session cookie secure flag </td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.name </td>
+ <td><code>rememberMe</code> </td>
+ <td>RememberMe cookie name </td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.maxAge </td>
+ <td>one year </td>
+ <td>RememberMe cookie max age </td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.domain </td>
+ <td>null </td>
+ <td>RememberMe cookie domain</td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.path </td>
+ <td>null </td>
+ <td>RememberMe cookie path</td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.secure </td>
+ <td><code>false</code> </td>
+ <td>RememberMe cookie secure flag</td>
+ </tr>
+ <tr>
+ <td>shiro.loginUrl </td>
+ <td><code>/login.jsp</code> </td>
+ <td>Login URL used when unauthenticated users are redirected to login page </td>
+ </tr>
+ <tr>
+ <td>shiro.successUrl </td>
+ <td><code>/</code> </td>
+ <td>Default landing page after a user logs in (if alternative cannot be found in the current session) </td>
+ </tr>
+ <tr>
+ <td>shiro.unauthorizedUrl </td>
+ <td>null </td>
+ <td>Page to redirect user to if they are unauthorized (403 page) </td>
+ </tr>
+ </tbody>
+</table>
+<input type="hidden" id="ghEditPage" value="spring-boot.md.vtl"></input>
+
+</div>
+
+ <div class="footer-padding"></div>
+ <footer class="custom-footer">
+
+ <div class="col-md-5">
+ <div class="copyright-footer">
+ <a href="http://www.apache.org/foundation/contributing.html">Donate to the ASF</a> |
+ <a href="http://www.apache.org/licenses/LICENSE-2.0.html">License</a>
+ <p>Copyright © 2008-2016 The Apache Software Foundation</p>
+ </div>
+ </div>
+
+ <div class="social col-md-2">
+ <a class="btn btn-social-icon btn-sm btn-twitter" target="_blank" href="https://twitter.com/ApacheShiro"><span class="fa fa-twitter"></span></a>
+ <a class="btn btn-social-icon btn-sm btn-facebook" target="_blank" href="https://www.facebook.com/ApacheShiro"><span class="fa fa-facebook"></span></a>
+ <a class="btn btn-social-icon btn-sm btn-linkedin" target="_blank" href="https://www.linkedin.com/groups/4382576"><span class="fa fa-linkedin"></span></a>
+ </div>
+
+
+ <div class="col-md-2"></div>
+ <div class="col-md-2 editThisPage">
+ <div class="footer-shield"></div>
+ </div>
+
+ </footer> <!--END FOOTER-->
+
+</body>
+</html>
Added: shiro/site/publish/spring-framework.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/spring-framework.html?rev=1774534&view=auto
==============================================================================
--- shiro/site/publish/spring-framework.html (added)
+++ shiro/site/publish/spring-framework.html Thu Dec 15 23:05:59 2016
@@ -0,0 +1,580 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<head>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+ <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.">
+ <meta name="google-site-verification" content="QIax6uT5UX3enoU0G8Pz2pXbQ45KaQuHZ3nCh9V27mw">
+ <meta name="google-site-verification" content="ecFap6dWJgS_GCCtxmJQJ_nFYQhM6EgSpBPZDU7xsCE">
+ <meta name="msvalidate.01" content="0B57EB46CBFAD8FD45008D2DB6B6C68C">
+ <meta name="y_key" content="e47896cd6bae4920">
+
+ <title>
+ Apache Shiro | Simple. Java. Security.
+ </title>
+
+
+ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico">
+ <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css">
+
+ <!-- site styles and -->
+ <link rel="stylesheet" type="text/css" href="./assets/css/style.css">
+ <script type="text/javascript" src="./assets/js/shiro-site.js"></script>
+
+ <!-- github ribbon -->
+ <link rel="stylesheet" href="./assets/css/gh-pages/gh-fork-ribbon.css" />
+ <!--[if lt IE 9]>
+ <link rel="stylesheet" href="./assets/css/gh-pages/gh-fork-ribbon.ie.css" />
+ <![endif]-->
+
+ <script src="https://code.jquery.com/jquery-3.1.1.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
+
+ <!-- bootstrap -->
+ <link rel="stylesheet" href="./assets/bootstrap/css/bootstrap.min.css">
+ <link rel="stylesheet" href="./assets/bootstrap/css/bootstrap-theme.min.css">
+ <script src="./assets/bootstrap/js/bootstrap.min.js"></script>
+
+ <link rel="stylesheet" href="./assets/css/bootstrap-social.css">
+
+ <!-- Google Analytics -->
+ <script>
+ (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+ m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+ })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
+
+ ga('create', 'UA-XXXXX-Y', 'auto');
+ ga('send', 'pageview');
+ </script>
+ <!-- End Google Analytics -->
+
+
+
+ <!-- syntax highlighting -->
+ <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.7.0/styles/default.min.css" integrity="sha256-Zd1icfZ72UBmsId/mUcagrmN7IN5Qkrvh75ICHIQVTk=" crossorigin="anonymous" />
+ <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.7.0/highlight.min.js" integrity="sha256-s63qpgPYoQk+wv3U6WZqioVJrwFNBTgD4dkeegLuwvo=" crossorigin="anonymous"></script>
+ <script>hljs.initHighlightingOnLoad();</script>
+
+ <script type="text/javascript">
+
+ $( document ).ready(function() {
+ addPageEditLink();
+ });
+ </script>
+</head>
+
+<body>
+
+ <div id="top-bar"></div>
+
+ <div class="container" style="max-width: 1200px;">
+
+ <a class="github-fork-ribbon right-top" href="https://github.com/apache/shiro" title="Fork me on GitHub">Fork me on GitHub</a>
+
+
+
+ <div class="masthead">
+ <p class="lead">
+ <a href="./index.html">
+ <img src="./assets/images/apache-shiro-logo.png" style="height:100px; width:auto; vertical-align: bottom; margin-top: 20px;">
+ </a>
+ <span class="tagline">Simple. Java. Security.</span>
+ </p>
+ </div>
+
+
+
+ <nav class="navbar navbar-default" role="navigation">
+ <!-- Brand and toggle get grouped for better mobile display -->
+ <div class="navbar-header">
+ <button type="button" class="navbar-toggle" data-toggle="collapse"
+ data-target="#navbar-collapse-1">
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ </div>
+
+ <!-- Collect the nav links, forms, and other content for toggling -->
+ <div class="collapse navbar-collapse" id="navbar-collapse-1">
+ <ul class="nav navbar-nav">
+ <li><a href="./get-started.html">Get Started</a></li>
+ <li><a href="./documentation.html">Docs</a></li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Web Apps <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./web.html">General</a></li>
+ <li class="divider"></li>
+ <li><a href="./web-features.html">Features</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Integrations <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./spring.html">Spring</a></li>
+ <li><a href="./guice.html">Guice</a></li>
+ <li class="divider"></li>
+ <li><a href="./integration.html">Third-Party Integrations</a></li>
+ </ul>
+ </li>
+
+ <li><a href="./features.html">Features</a></li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Community <b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="./forums.html">Community Forums</a></li>
+ <li><a href="./mailing-lists.html">Mailing Lists</a></li>
+ <li><a href="./articles.html">Articles</a></li>
+ <li><a href="./news.html">News</a></li>
+ <li><a href="./events.html">Events</a></li>
+ <li class="divider"></li>
+ <li><a href="./community.html">More</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ About <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./about.html">About</a></li>
+ <li><a href="./security-reports.html">Vulnerability Reports</a></li>
+ </ul>
+ </li>
+
+ </ul>
+
+ <ul class="nav navbar-nav navbar-right">
+ <li class="dropdown">
+ <a href="http://www.apache.org/" class="dropdown-toggle" data-toggle="dropdown">
+ Apache Software Foundation <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="http://www.apache.org/">Apache Homepage</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Donate</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ </li>
+ </ul>
+ </div>
+ <!-- /.navbar-collapse -->
+ </nav>
+
+
+ <a name="SpringFramework-IntegratingApacheShirointoSpringbasedApplications"></a>
+<h1>Integrating Apache Shiro into Spring-based Applications</h1>
+<p>This page covers the ways to integrate Shiro into <a href="http://spring.io">Spring</a>-based applications.</p>
+<a name="SpringFramework-StandaloneApplications"></a>
+<h2><a href="#standalone-applications" name="standalone-applications">Standalone Applications</a></h2>
+<p>Include the Shiro Spring dependency in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).</p>
+<ul class="nav nav-tabs">
+ <li class="active"><a data-toggle="tab" href="#maven-cli">Apache Maven</a></li>
+ <li><a data-toggle="tab" href="#gradle-cli">Gradle</a></li>
+</ul>
+<div class="tab-content">
+ <div id="maven-cli" class="tab-pane fade in active">
+ <pre><code class='xml'><dependency>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-spring</artifactId>
+ <version>${earlyRelease}</version>
+</dependency>
+<dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context</artifactId>
+ <version>${spring.version}</version>
+</dependency>
+</code></pre>
+ </div>
+ <div id="gradle-cli" class="tab-pane fade">
+ <pre><code class='groovy'>compile 'org.apache.shiro:shiro-spring:${earlyRelease}'
+compile 'org.springframework:spring-context:${spring.version}'
+</code></pre>
+ </div>
+</div>
+<p>Import the Shiro Spring configurations:</p>
+<pre><code class="java">@Configuration
+@Import({ShiroBeanConfiguration.class,
+ ShiroConfiguration.class,
+ ShiroAnnotationProcessorConfiguration.class})
+public class CliAppConfig {
+ ...
+}
+</code></pre>
+<p>The above configurations do the following:</p>
+<table>
+ <thead>
+ <tr>
+ <th>Configuration Class </th>
+ <th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>org.apache.shiro.spring.config.ShiroBeanConfiguration </td>
+ <td>Configures Shiro’s lifecycle and events </td>
+ </tr>
+ <tr>
+ <td>org.apache.shiro.spring.config.ShiroConfiguration </td>
+ <td>Configures Shiro Beans (SecurityManager, SessionManager, etc) </td>
+ </tr>
+ <tr>
+ <td>org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration </td>
+ <td>Enables Shiro’s annotation processing </td>
+ </tr>
+ </tbody>
+</table>
+<p>The only thing that is left is to configure a <a href="realm.html">realm</a>:</p>
+<pre><code class="java">@Bean
+public Realm realm() {
+ ...
+}
+</code></pre>
+<p>The easiest way to setup Shiro, so that all SecurityUtils.* methods work in all cases, is to make the <code>SecurityManager</code> bean a static singleton. DO NOT do this in web applications - see the <a href="#Spring-WebApplications">Web Applications</a> section below instead.</p>
+<pre><code class="java">@Autowired
+private SecurityManager securityManager;
+
+ @PostConstruct
+ private void initStaticSecurityManager() {
+ SecurityUtils.setSecurityManager(securityManager);
+ }
+</code></pre>
+<p>That is it, now you can get the current <code>Subject</code> using:</p>
+<pre><code class="java">SecurityUtils.getSubject();
+</code></pre>
+<p>You can see a full example in our <a href="https://github.com/apache/shiro/tree/master/samples/spring">samples on Github</a>.</p>
+<a name="SpringFramework-WebApplications"></a>
+<h2><a href="#web-applications" name="web-applications">Web Applications</a></h2>
+<p>Shiro has first-class support for Spring web applications. In a web application, all Shiro-accessible web requests must go through a master Shiro Filter. This filter itself is extremely powerful, allowing for ad-hoc custom filter chains to be executed based on any URL path expression.</p>
+<p>Include the Shiro Spring web dependencies in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).</p>
+<ul class="nav nav-tabs">
+ <li class="active"><a data-toggle="tab" href="#maven-web">Apache Maven</a></li>
+ <li><a data-toggle="tab" href="#gradle-web">Gradle</a></li>
+</ul>
+<div class="tab-content">
+ <div id="maven-web" class="tab-pane fade in active">
+ <pre><code class='xml'><dependency>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-spring</artifactId>
+ <version>${earlyRelease}</version>
+</dependency>
+<dependency>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-web</artifactId>
+ <version>${earlyRelease}</version>
+</dependency>
+<dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-webmvc</artifactId>
+ <version>${spring.version}</version>
+</dependency>
+</code></pre>
+ </div>
+ <div id="gradle-web" class="tab-pane fade">
+ <pre><code class='groovy'>compile 'org.apache.shiro:shiro-spring:${earlyRelease}'
+compile 'org.apache.shiro:shiro-web:${earlyRelease}'
+compile 'org.springframework:spring-webmvc:${spring.version}'
+</code></pre>
+ </div>
+</div>
+<p>Import the Shiro Spring configurations:</p>
+<pre><code class="java">@Configuration
+@Import({ShiroBeanConfiguration.class,
+ ShiroAnnotationProcessorConfiguration.class,
+ ShiroWebConfiguration.class,
+ ShiroWebFilterConfiguration.class})
+public class ApplicationConfig {
+ ...
+}
+</code></pre>
+<p>The above configurations do the following:</p>
+<table>
+ <thead>
+ <tr>
+ <th>Configuration Class </th>
+ <th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>org.apache.shiro.spring.config.ShiroBeanConfiguration </td>
+ <td>Configures Shiro’s lifecycle and events </td>
+ </tr>
+ <tr>
+ <td>org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration </td>
+ <td>Enables Shiro’s annotation processing </td>
+ </tr>
+ <tr>
+ <td>org.apache.shiro.spring.web.config.ShiroWebConfiguration </td>
+ <td>Configures Shiro Beans for web usage (SecurityManager, SessionManager, etc) </td>
+ </tr>
+ <tr>
+ <td>org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration </td>
+ <td>Configures Shiro’s web filter </td>
+ </tr>
+ </tbody>
+</table>
+<p>Provide a Realm implementation:</p>
+<pre><code class="java">@Bean
+public Realm realm() {
+ ...
+}
+</code></pre>
+<p>And finally a <code>ShiroFilterChainDefinition</code> which will map any application specific paths to a given filter, in order to allow different paths different levels of access. </p>
+<pre><code class="java">@Bean
+public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+ DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+
+ // logged in users with the 'admin' role
+ chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");
+
+ // logged in users with the 'document:read' permission
+ chainDefinition.addPathDefinition("/docs/**", "authc, perms[document:read]");
+
+ // all other paths require a logged in user
+ chainDefinition.addPathDefinition("/**", "authc");
+ return chainDefinition;
+}
+</code></pre>
+<p>If you are using Shiro’s annotations see the <a href="#Spring-annotations-web">annotation</a> section below.</p>
+<p>You can see a full example in our <a href="https://github.com/apache/shiro/tree/master/samples/spring-mvc">samples on Github</a>.</p>
+<a name="Spring-annotations"></a>
+<h2><a href="#enabling-shiro-annotations" name="enabling-shiro-annotations">Enabling Shiro Annotations</a></h2>
+<p>In both standalone and web applications, you might want to use Shiro’s Annotations for security checks (for example, <code>@RequiresRoles</code>, <code>@RequiresPermissions</code>, etc.) These annotations are enabled by importing the <code>ShiroAnnotationProcessorConfiguration</code> Spring configuration in both sections above.</p>
+<p>Simply annotate your methods in order to use them:</p>
+<pre><code class="java">@RequiresPermissions("document:read")
+public void readDocument() {
+ ...
+}
+</code></pre>
+<a name="Spring-annotations-web"></a>
+<h3><a href="#annotations-and-web-applications" name="annotations-and-web-applications">Annotations and Web Applications</a></h3>
+<p>Shiro annotations are fully supported for use in <code>@Controller</code> classes, for example:</p>
+<pre><code class="java">@Controller
+public class AccountInfoController {
+
+ @RequiresRoles("admin")
+ @RequestMapping("/admin/config")
+ public String adminConfig(Model model) {
+ return "view";
+ }
+}
+</code></pre>
+<p>A <code>ShiroFilterChainDefinition</code> bean with at least one definition is still required for this to work, either configure all paths to be accessable via the <code>anon</code> filter or a filter in ‘permissive’ mode, for example: <code>authcBasic[permissive]</code>.</p>
+<pre><code class="java">@Bean
+public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+ DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+ chainDefinition.addPathDefinition("/**", "anon"); // all paths are managed via annotations
+
+ // or allow basic authentication, but NOT require it.
+ // chainDefinition.addPathDefinition("/**", "authcBasic[permissive]");
+ return chainDefinition;
+}
+</code></pre>
+<a name="Spring-caching"></a>
+<h1><a href="#caching" name="caching">Caching</a></h1>
+<p>Enabling caching is as simple as providing a <a href="http://shiro.apache.org/caching.html">CacheManager</a> bean:</p>
+<pre><code class="java">@Bean
+protected CacheManager cacheManager() {
+ return new MemoryConstrainedCacheManager();
+}
+</code></pre>
+<!-- Work around for table styling until, all pages are updated. -->
+<style>
+
+ table, th, td {
+ border: 1px solid black;
+ border-collapse: collapse;
+ border-color: #ccc;
+ }
+ th {
+ background-color: #f0f0f0
+ }
+ th, td {
+ padding: 8px;
+ }
+</style>
+<h1><a href="#configuration-properties" name="configuration-properties">Configuration Properties</a></h1>
+<table>
+ <thead>
+ <tr>
+ <th>Key </th>
+ <th>Default Value </th>
+ <th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>shiro.sessionManager.deleteInvalidSessions </td>
+ <td><code>true</code> </td>
+ <td>Remove invalid session from session storage </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.sessionIdCookieEnabled </td>
+ <td><code>true</code> </td>
+ <td>Enable session ID to cookie, for session tracking </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.sessionIdUrlRewritingEnabled </td>
+ <td><code>true</code> </td>
+ <td>Enable session URL rewriting support </td>
+ </tr>
+ <tr>
+ <td>shiro.userNativeSessionManager </td>
+ <td><code>false</code> </td>
+ <td>If enabled Shiro will manage the HTTP sessions instead of the container </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.name </td>
+ <td><code>JSESSIONID</code> </td>
+ <td>Session cookie name </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.maxAge </td>
+ <td><code>-1</code> </td>
+ <td>Session cookie max age </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.domain </td>
+ <td>null </td>
+ <td>Session cookie domain </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.path </td>
+ <td>null </td>
+ <td>Session cookie path </td>
+ </tr>
+ <tr>
+ <td>shiro.sessionManager.cookie.secure </td>
+ <td><code>false</code> </td>
+ <td>Session cookie secure flag </td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.name </td>
+ <td><code>rememberMe</code> </td>
+ <td>RememberMe cookie name </td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.maxAge </td>
+ <td>one year </td>
+ <td>RememberMe cookie max age </td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.domain </td>
+ <td>null </td>
+ <td>RememberMe cookie domain</td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.path </td>
+ <td>null </td>
+ <td>RememberMe cookie path</td>
+ </tr>
+ <tr>
+ <td>shiro.rememberMeManager.cookie.secure </td>
+ <td><code>false</code> </td>
+ <td>RememberMe cookie secure flag</td>
+ </tr>
+ <tr>
+ <td>shiro.loginUrl </td>
+ <td><code>/login.jsp</code> </td>
+ <td>Login URL used when unauthenticated users are redirected to login page </td>
+ </tr>
+ <tr>
+ <td>shiro.successUrl </td>
+ <td><code>/</code> </td>
+ <td>Default landing page after a user logs in (if alternative cannot be found in the current session) </td>
+ </tr>
+ <tr>
+ <td>shiro.unauthorizedUrl </td>
+ <td>null </td>
+ <td>Page to redirect user to if they are unauthorized (403 page) </td>
+ </tr>
+ </tbody>
+</table>
+<input type="hidden" id="ghEditPage" value="spring-framework.md.vtl"></input>
+
+</div>
+
+ <div class="footer-padding"></div>
+ <footer class="custom-footer">
+
+ <div class="col-md-5">
+ <div class="copyright-footer">
+ <a href="http://www.apache.org/foundation/contributing.html">Donate to the ASF</a> |
+ <a href="http://www.apache.org/licenses/LICENSE-2.0.html">License</a>
+ <p>Copyright © 2008-2016 The Apache Software Foundation</p>
+ </div>
+ </div>
+
+ <div class="social col-md-2">
+ <a class="btn btn-social-icon btn-sm btn-twitter" target="_blank" href="https://twitter.com/ApacheShiro"><span class="fa fa-twitter"></span></a>
+ <a class="btn btn-social-icon btn-sm btn-facebook" target="_blank" href="https://www.facebook.com/ApacheShiro"><span class="fa fa-facebook"></span></a>
+ <a class="btn btn-social-icon btn-sm btn-linkedin" target="_blank" href="https://www.linkedin.com/groups/4382576"><span class="fa fa-linkedin"></span></a>
+ </div>
+
+
+ <div class="col-md-2"></div>
+ <div class="col-md-2 editThisPage">
+ <div class="footer-shield"></div>
+ </div>
+
+ </footer> <!--END FOOTER-->
+
+</body>
+</html>
Added: shiro/site/publish/spring-xml.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/spring-xml.html?rev=1774534&view=auto
==============================================================================
--- shiro/site/publish/spring-xml.html (added)
+++ shiro/site/publish/spring-xml.html Thu Dec 15 23:05:59 2016
@@ -0,0 +1,405 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<head>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+ <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.">
+ <meta name="google-site-verification" content="QIax6uT5UX3enoU0G8Pz2pXbQ45KaQuHZ3nCh9V27mw">
+ <meta name="google-site-verification" content="ecFap6dWJgS_GCCtxmJQJ_nFYQhM6EgSpBPZDU7xsCE">
+ <meta name="msvalidate.01" content="0B57EB46CBFAD8FD45008D2DB6B6C68C">
+ <meta name="y_key" content="e47896cd6bae4920">
+
+ <title>
+ Apache Shiro | Simple. Java. Security.
+ </title>
+
+
+ <link rel="icon" type="image/vnd.microsoft.icon" href="./assets/images/favicon.ico">
+ <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css">
+
+ <!-- site styles and -->
+ <link rel="stylesheet" type="text/css" href="./assets/css/style.css">
+ <script type="text/javascript" src="./assets/js/shiro-site.js"></script>
+
+ <!-- github ribbon -->
+ <link rel="stylesheet" href="./assets/css/gh-pages/gh-fork-ribbon.css" />
+ <!--[if lt IE 9]>
+ <link rel="stylesheet" href="./assets/css/gh-pages/gh-fork-ribbon.ie.css" />
+ <![endif]-->
+
+ <script src="https://code.jquery.com/jquery-3.1.1.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
+
+ <!-- bootstrap -->
+ <link rel="stylesheet" href="./assets/bootstrap/css/bootstrap.min.css">
+ <link rel="stylesheet" href="./assets/bootstrap/css/bootstrap-theme.min.css">
+ <script src="./assets/bootstrap/js/bootstrap.min.js"></script>
+
+ <link rel="stylesheet" href="./assets/css/bootstrap-social.css">
+
+ <!-- Google Analytics -->
+ <script>
+ (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+ m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+ })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
+
+ ga('create', 'UA-XXXXX-Y', 'auto');
+ ga('send', 'pageview');
+ </script>
+ <!-- End Google Analytics -->
+
+
+
+ <!-- syntax highlighting -->
+ <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.7.0/styles/default.min.css" integrity="sha256-Zd1icfZ72UBmsId/mUcagrmN7IN5Qkrvh75ICHIQVTk=" crossorigin="anonymous" />
+ <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.7.0/highlight.min.js" integrity="sha256-s63qpgPYoQk+wv3U6WZqioVJrwFNBTgD4dkeegLuwvo=" crossorigin="anonymous"></script>
+ <script>hljs.initHighlightingOnLoad();</script>
+
+ <script type="text/javascript">
+
+ $( document ).ready(function() {
+ addPageEditLink();
+ });
+ </script>
+</head>
+
+<body>
+
+ <div id="top-bar"></div>
+
+ <div class="container" style="max-width: 1200px;">
+
+ <a class="github-fork-ribbon right-top" href="https://github.com/apache/shiro" title="Fork me on GitHub">Fork me on GitHub</a>
+
+
+
+ <div class="masthead">
+ <p class="lead">
+ <a href="./index.html">
+ <img src="./assets/images/apache-shiro-logo.png" style="height:100px; width:auto; vertical-align: bottom; margin-top: 20px;">
+ </a>
+ <span class="tagline">Simple. Java. Security.</span>
+ </p>
+ </div>
+
+
+
+ <nav class="navbar navbar-default" role="navigation">
+ <!-- Brand and toggle get grouped for better mobile display -->
+ <div class="navbar-header">
+ <button type="button" class="navbar-toggle" data-toggle="collapse"
+ data-target="#navbar-collapse-1">
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ </div>
+
+ <!-- Collect the nav links, forms, and other content for toggling -->
+ <div class="collapse navbar-collapse" id="navbar-collapse-1">
+ <ul class="nav navbar-nav">
+ <li><a href="./get-started.html">Get Started</a></li>
+ <li><a href="./documentation.html">Docs</a></li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Web Apps <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./web.html">General</a></li>
+ <li class="divider"></li>
+ <li><a href="./web-features.html">Features</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Integrations <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./spring.html">Spring</a></li>
+ <li><a href="./guice.html">Guice</a></li>
+ <li class="divider"></li>
+ <li><a href="./integration.html">Third-Party Integrations</a></li>
+ </ul>
+ </li>
+
+ <li><a href="./features.html">Features</a></li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ Community <b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="./forums.html">Community Forums</a></li>
+ <li><a href="./mailing-lists.html">Mailing Lists</a></li>
+ <li><a href="./articles.html">Articles</a></li>
+ <li><a href="./news.html">News</a></li>
+ <li><a href="./events.html">Events</a></li>
+ <li class="divider"></li>
+ <li><a href="./community.html">More</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">
+ About <b class="caret"></b>
+ </a>
+
+ <ul class="dropdown-menu">
+ <li><a href="./about.html">About</a></li>
+ <li><a href="./security-reports.html">Vulnerability Reports</a></li>
+ </ul>
+ </li>
+
+ </ul>
+
+ <ul class="nav navbar-nav navbar-right">
+ <li class="dropdown">
+ <a href="http://www.apache.org/" class="dropdown-toggle" data-toggle="dropdown">
+ Apache Software Foundation <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="http://www.apache.org/">Apache Homepage</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Donate</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ </li>
+ </ul>
+ </div>
+ <!-- /.navbar-collapse -->
+ </nav>
+
+
+ <a name="SpringXml-IntegratingApacheShirointoSpringbasedApplications"></a>
+<h1>Integrating Apache Shiro into Spring-based Applications</h1>
+<p>This page covers the ways to integrate Shiro into <a href="http://spring.io">Spring</a>-based applications.</p>
+<p>Shiro’s JavaBeans compatibility makes it perfectly suited to be configured via Spring XML or other Spring-based configuration mechanisms. Shiro applications need an application singleton <code>SecurityManager</code> instance. Note that this does not have to be a <em>static</em> singleton, but there should only be a single instance used by the application, whether its a static singleton or not.</p>
+<h2><a name="SpringXml-StandaloneApplications"></a>Standalone Applications</h2>
+<p>Here is the simplest way to enable an application singleton <code>SecurityManager</code> in Spring applications:</p>
+<pre><code class="xml"><!-- Define the realm you want to use to connect to your back-end security datasource: -->
+<bean id="myRealm" class="...">
+ ...
+</bean>
+
+<bean id="securityManager" class="org.apache.shiro.mgt.DefaultSecurityManager">
+ <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
+ <property name="realm" ref="myRealm"/>
+</bean>
+
+<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
+
+<!-- For simplest integration, so that all SecurityUtils.* methods work in all cases, -->
+<!-- make the securityManager bean a static singleton. DO NOT do this in web -->
+<!-- applications - see the 'Web Applications' section below instead. -->
+<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
+ <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
+ <property name="arguments" ref="securityManager"/>
+</bean>
+</code></pre>
+<a name="SpringXml-WebApplications"></a>
+<h2><a href="#web-applications" name="web-applications">Web Applications</a></h2>
+<p>Shiro has first-rate support for Spring web applications. In a web application, all Shiro-accessible web requests must go through a master Shiro Filter. This filter itself is extremely powerful, allowing for<br/>ad-hoc custom filter chains to be executed based on any URL path expression.</p>
+<p>Prior to Shiro 1.0, you had to use a hybrid approach in Spring web applications, defining the Shiro filter and<br/>all of its configuration properties in web.xml but define the <code>SecurityManager</code> in Spring XML. This was a little frustrating since you couldn’t 1) consolidate your configuration in one place and 2) leverage the configuration power of the more advanced Spring features, like the <code>PropertyPlaceholderConfigurer</code> or abstract beans to consolidate common configuration.</p>
+<p>Now in Shiro 1.0 and later, all Shiro configuration is done in Spring XML providing access to the more robust Spring configuration mechanisms.</p>
+<p>Here is how to configure Shiro in a Spring-based web application:</p>
+<a name="SpringXml-web.xml"></a>
+<h3>web.xml</h3>
+<p>In addition to your other Spring web.xml elements (<code>ContextLoaderListener</code>, <code>Log4jConfigListener</code>, etc), define the following filter and filter mapping:</p>
+<pre><code class="xml"><!-- The filter-name matches name of a 'shiroFilter' bean inside applicationContext.xml -->
+<filter>
+ <filter-name>shiroFilter</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+ <init-param>
+ <param-name>targetFilterLifecycle</param-name>
+ <param-value>true</param-value>
+ </init-param>
+</filter>
+
+...
+
+<!-- Make sure any request you want accessible to Shiro is filtered. /* catches all -->
+<!-- requests. Usually this filter mapping is defined first (before all others) to -->
+<!-- ensure that Shiro works in subsequent filters in the filter chain: -->
+<filter-mapping>
+ <filter-name>shiroFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+</filter-mapping>
+</code></pre>
+<p>You can see a full example in our <a href="https://github.com/apache/shiro/tree/master/samples/spring-xml">samples on Github</a>.</p>
+<a name="SpringXml-applicationContext.xml"></a>
+<h3>applicationContext.xml</h3>
+<p>In your applicationContext.xml file, define the web-enabled <code>SecurityManager</code> and the ‘shiroFilter’ bean that will be referenced from <code>web.xml</code>.</p>
+<pre><code class="xml"><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
+ <property name="securityManager" ref="securityManager"/>
+ <!-- override these for application-specific URLs if you like:
+ <property name="loginUrl" value="/login.jsp"/>
+ <property name="successUrl" value="/home.jsp"/>
+ <property name="unauthorizedUrl" value="/unauthorized.jsp"/> -->
+ <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean -->
+ <!-- defined will be automatically acquired and available via its beanName in chain -->
+ <!-- definitions, but you can perform instance overrides or name aliases here if you like: -->
+ <!-- <property name="filters">
+ <util:map>
+ <entry key="anAlias" value-ref="someFilter"/>
+ </util:map>
+ </property> -->
+ <property name="filterChainDefinitions">
+ <value>
+ # some example chain definitions:
+ /admin/** = authc, roles[admin]
+ /docs/** = authc, perms[document:read]
+ /** = authc
+ # more URL-to-FilterChain definitions here
+ </value>
+ </property>
+</bean>
+
+<!-- Define any javax.servlet.Filter beans you want anywhere in this application context. -->
+<!-- They will automatically be acquired by the 'shiroFilter' bean above and made available -->
+<!-- to the 'filterChainDefinitions' property. Or you can manually/explicitly add them -->
+<!-- to the shiroFilter's 'filters' Map if desired. See its JavaDoc for more details. -->
+<bean id="someFilter" class="..."/>
+<bean id="anotherFilter" class="..."> ... </bean>
+...
+
+<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
+ <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
+ <property name="realm" ref="myRealm"/>
+ <!-- By default the servlet container sessions will be used. Uncomment this line
+ to use shiro's native sessions (see the JavaDoc for more): -->
+ <!-- <property name="sessionMode" value="native"/> -->
+</bean>
+<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
+
+<!-- Define the Shiro Realm implementation you want to use to connect to your back-end -->
+<!-- security datasource: -->
+<bean id="myRealm" class="...">
+ ...
+</bean>
+</code></pre>
+<a name="SpringXml-EnablingShiroAnnotations"></a>
+<h2><a href="#enabling-shiro-annotations" name="enabling-shiro-annotations">Enabling Shiro Annotations</a></h2>
+<p>In both standalone and web applications, you might want to use Shiro’s Annotations for security checks (for example, <code>@RequiresRoles</code>, <code>@RequiresPermissions</code>, etc. This requires Shiro’s Spring AOP integration to scan for the appropriate annotated classes and perform security logic as necessary.</p>
+<p>Here is how to enable these annotations. Just add these two bean definitions to <code>applicationContext.xml</code>:</p>
+<pre><code class="xml"><!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
+<!-- the lifecycleBeanProcessor has run: -->
+<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
+ <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
+ <property name="securityManager" ref="securityManager"/>
+</bean>
+</code></pre>
+<a name="SpringXml-SecureSpringRemoting"></a>
+<h2><a href="#secure-spring-remoting" name="secure-spring-remoting">Secure Spring Remoting</a></h2>
+<p>There are two parts to Shiro’s Spring remoting support: Configuration for the client making the remoting call and configuration for the server receiving and processing the remoting call.</p>
+<a name="SpringXml-ServersideConfiguration"></a>
+<h3>Server-side Configuration</h3>
+<p>When a remote method invocation comes in to a Shiro-enabled server, the <a href="subject.html" title="Subject">Subject</a> associated with that RPC call must be bound to the receiving thread for access during the thread’s execution. This is done by defining Shiro’s <code>SecureRemoteInvocationExecutor</code> bean in <code>applicationContext.xml</code>:</p>
+<pre><code class="xml"><!-- Secure Spring remoting: Ensure any Spring Remoting method invocations -->
+<!-- can be associated with a Subject for security checks. -->
+<bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
+ <property name="securityManager" ref="securityManager"/>
+</bean>
+</code></pre>
+<p>Once you have defined this bean, you must plug it in to whatever remoting <code>Exporter</code> you are using to export/expose your services. <code>Exporter</code> implementations are defined according to the remoting mechanism/protocol in use. See Spring’s <a href="http://docs.spring.io/spring/docs/2.5.x/reference/remoting.html">Remoting chapter</a> on defining <code>Exporter</code> beans.</p>
+<p>For example, if using HTTP-based remoting (notice the property reference to the <code>secureRemoteInvocationExecutor</code> bean):</p>
+<pre><code class="xml"><bean name="/someService" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
+ <property name="service" ref="someService"/>
+ <property name="serviceInterface" value="com.pkg.service.SomeService"/>
+ <property name="remoteInvocationExecutor" ref="secureRemoteInvocationExecutor"/>
+</bean>
+</code></pre>
+<a name="SpringXml-ClientsideConfiguration"></a>
+<h3>Client-side Configuration</h3>
+<p>When a remote call is being executed, the <code>Subject</code> identifying information must be attached to the remoting payload to let the server know who is making the call. If the client is a Spring-based client, that association is done via Shiro’s <code>SecureRemoteInvocationFactory</code>:</p>
+<pre><code class="xml"><bean id="secureRemoteInvocationFactory" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationFactory"/>
+</code></pre>
+<p>Then after you’ve defined this bean, you need to plug it in to the protocol-specific Spring remoting <code>ProxyFactoryBean</code> you’re using.</p>
+<p>For example, if you were using HTTP-based remoting (notice the property reference to the <code>secureRemoteInvocationFactory</code> bean defined above):</p>
+<pre><code class="xml"><bean id="someService" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
+ <property name="serviceUrl" value="http://host:port/remoting/someService"/>
+ <property name="serviceInterface" value="com.pkg.service.SomeService"/>
+ <property name="remoteInvocationFactory" ref="secureRemoteInvocationFactory"/>
+</bean>
+</code></pre>
+<a name="SpringXml-Lendahandwithdocumentation"></a>
+<h2><a href="#lend-a-hand-with-documentation" name="lend-a-hand-with-documentation">Lend a hand with documentation</a></h2>
+<p>While we hope this documentation helps you with the work you’re doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you’d like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro.</p>
+<p>The easiest way to contribute your documentation is to send it to the <a href="http://shiro-user.582556.n2.nabble.com/">User Forum</a> or the <a href="mailing-lists.html" title="Mailing Lists">User Mailing List</a>.<br/><input type="hidden" id="ghEditPage" value="spring-xml.md"></input></p>
+
+</div>
+
+ <div class="footer-padding"></div>
+ <footer class="custom-footer">
+
+ <div class="col-md-5">
+ <div class="copyright-footer">
+ <a href="http://www.apache.org/foundation/contributing.html">Donate to the ASF</a> |
+ <a href="http://www.apache.org/licenses/LICENSE-2.0.html">License</a>
+ <p>Copyright © 2008-2016 The Apache Software Foundation</p>
+ </div>
+ </div>
+
+ <div class="social col-md-2">
+ <a class="btn btn-social-icon btn-sm btn-twitter" target="_blank" href="https://twitter.com/ApacheShiro"><span class="fa fa-twitter"></span></a>
+ <a class="btn btn-social-icon btn-sm btn-facebook" target="_blank" href="https://www.facebook.com/ApacheShiro"><span class="fa fa-facebook"></span></a>
+ <a class="btn btn-social-icon btn-sm btn-linkedin" target="_blank" href="https://www.linkedin.com/groups/4382576"><span class="fa fa-linkedin"></span></a>
+ </div>
+
+
+ <div class="col-md-2"></div>
+ <div class="col-md-2 editThisPage">
+ <div class="footer-shield"></div>
+ </div>
+
+ </footer> <!--END FOOTER-->
+
+</body>
+</html>