
Apache Shiro Java Security Framework Overview and Integration Guide

This article introduces Apache Shiro as a powerful Java security framework, explains its core components such as Subject, SecurityManager, Authenticator, Authorizer, Realm, SessionManager, CacheManager and Cryptography, and provides step‑by‑step integration instructions with Maven, XML configuration, custom realm code, controller logic and JSP tag usage.

Java Captain

Apache Shiro is a powerful and easy‑to‑use Java security framework that provides authentication, authorization, cryptography and session management for applications ranging from small mobile apps to large enterprise systems.

The core components are the Subject (the security-specific view of the current user, whether a person or a service), the SecurityManager (the central coordinator that every Subject delegates to), the Authenticator, the Authorizer, one or more Realms (the bridge to your user, role and permission data), the SessionManager, the CacheManager and the Cryptography utilities.

Integration steps are illustrated:

Add the Shiro dependencies. The article pins 1.4.0; that release predates several published Shiro security fixes, so pin the latest 1.x release instead and keep both artifacts on the same version:

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.4.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.4.0</version>
    </dependency>

Configure the Shiro filter in web.xml. DelegatingFilterProxy forwards every request to the Spring bean whose name equals the filter-name (shiroFilter), so that bean must exist in the Spring context, and targetFilterLifecycle=true lets Spring call its init and destroy methods:

    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Create a custom realm extending AuthorizingRealm. The article's demo realm hard-codes the permission set and a shared plaintext password ("123456"), and its authentication path accepts any non-empty username, so it is only good for checking that the wiring works, not for real users:

    import java.util.ArrayList;
    import java.util.List;

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;

    public class CustomRealm extends AuthorizingRealm {

        // Called lazily by Shiro when a role or permission is checked
        // (hasRole, isPermitted, the shiro:hasRole / shiro:hasPermission tags).
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            String userName = (String) principalCollection.getPrimaryPrincipal();
            List<String> permissionList = new ArrayList<>();
            permissionList.add("user:add");
            permissionList.add("user:delete");
            if ("zhou".equals(userName)) {
                permissionList.add("user:query");
            }
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addStringPermissions(permissionList);
            info.addRole("admin");
            return info;
        }

        // Called on subject.login(). Returning null makes Shiro throw UnknownAccountException;
        // otherwise the realm's CredentialsMatcher compares the token against the returned credentials.
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
                throws AuthenticationException {
            String userName = (String) authenticationToken.getPrincipal();
            if (userName == null || userName.isEmpty()) {
                return null;
            }
            // Demo only: every user shares the fixed plaintext password "123456".
            return new SimpleAuthenticationInfo(userName, "123456", getName());
        }
    }

Define the beans in spring-shiro.xml: the SecurityManager wired to the custom realm, and a ShiroFilterFactoryBean with the id shiroFilter (the name DelegatingFilterProxy looks up) carrying loginUrl, successUrl, unauthorizedUrl and the filter chain definitions. Chain definitions are matched top to bottom and the first match wins, so list specific paths such as /login = anon and /logout = logout before the catch-all /** = authc; put the catch-all first and nothing after it is ever reached.

Map Shiro exceptions in spring-mvc.xml using SimpleMappingExceptionResolver so that org.apache.shiro.authz.UnauthorizedException (thrown by annotation-driven checks such as @RequiresPermissions on an authenticated user) renders a 403 page instead of a stack trace.

Implement a login controller:

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.IncorrectCredentialsException;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.subject.Subject;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(String userName, String passwd, Model model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(userName, passwd);
        try {
            subject.login(token); // SecurityManager -> Authenticator -> CustomRealm
        } catch (UnknownAccountException e) {
            model.addAttribute("userName", "Unknown username!");
            return "login";
        } catch (IncorrectCredentialsException e) {
            model.addAttribute("passwd", "Wrong password");
            return "login";
        }
        return "index";
    }

Note that telling the client which of the two checks failed confirms which usernames exist. Outside a demo, catch AuthenticationException once and return a single generic message for every failure.

Use the Shiro JSP tags (declared with the taglib uri http://shiro.apache.org/tags): shiro:guest, shiro:user, shiro:authenticated, shiro:hasRole, shiro:hasPermission, etc., to conditionally render page fragments based on authentication state, roles and permissions. The tags only control what is rendered; the endpoint behind a hidden link must still enforce the same check through the filter chain or an annotation, because omitted markup is not access control.
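The realm and login steps above, reworked as an added example (this is not code from the article): it replaces the shared plaintext "123456" with a per-user random salt and an iterated SHA-256 hash verified by Shiro's own HashedCredentialsMatcher, sources roles and permissions from a user record instead of hard-coding them, and collapses every login failure into one outcome so the caller cannot distinguish an unknown account from a wrong password. The class names HashedRealmDemo, HashedRealm and UserRecord, the in-memory users map and the sample passwords are all constructed for the example. It needs only shiro-core (and its slf4j dependency) on the classpath and runs from main without Spring or a servlet container.

```java
import java.util.*;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

/** Added example with hypothetical class names: salted-hash realm plus a non-enumerating login. */
public class HashedRealmDemo {

    static final String HASH_ALGORITHM = Sha256Hash.ALGORITHM_NAME; // "SHA-256", built into shiro-core
    static final int HASH_ITERATIONS = 10_000;                       // raise as far as login latency allows

    /** Stand-in for one row of a users table; constructed in memory for this example. */
    static final class UserRecord {
        final String passwordHashHex, saltHex;
        final Set<String> roles, permissions;
        UserRecord(String passwordHashHex, String saltHex, Set<String> roles, Set<String> permissions) {
            this.passwordHashHex = passwordHashHex; this.saltHex = saltHex;
            this.roles = roles; this.permissions = permissions;
        }
    }

    /** What a registration path would do: fresh random salt per user, iterated hash, both stored as hex. */
    static UserRecord newUser(String password, Set<String> roles, Set<String> permissions) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hash = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
        return new UserRecord(hash, salt.toHex(), roles, permissions);
    }

    static final class HashedRealm extends AuthorizingRealm {
        private final Map<String, UserRecord> users;

        HashedRealm(Map<String, UserRecord> users) {
            this.users = users;
            // The matcher re-hashes the submitted password with the stored salt, algorithm and
            // iteration count, then compares the result with the stored hash.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            String username = (String) token.getPrincipal();
            UserRecord user = username == null ? null : users.get(username);
            if (user == null) {
                return null; // Shiro turns this into UnknownAccountException
            }
            // Only the stored hash and salt are handed to Shiro; no plaintext lives in the realm.
            return new SimpleAuthenticationInfo(username, user.passwordHashHex,
                    ByteSource.Util.bytes(Hex.decode(user.saltHex)), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            UserRecord user = users.get((String) principals.getPrimaryPrincipal());
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if (user != null) {
                info.setRoles(user.roles);
                info.setStringPermissions(user.permissions);
            }
            return info;
        }
    }

    /** One outcome for every failure, so a caller cannot tell "unknown user" from "wrong password". */
    static boolean login(String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            SecurityUtils.getSubject().login(token);
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            token.clear(); // zero the plaintext password array
        }
    }

    public static void main(String[] args) {
        Map<String, UserRecord> users = new HashMap<>(); // constructed sample user
        users.put("zhou", newUser("correct horse battery staple",
                new HashSet<>(Arrays.asList("admin")),
                new HashSet<>(Arrays.asList("user:add", "user:delete", "user:query"))));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedRealm(users)));

        System.out.println("wrong password  : " + login("zhou", "123456"));
        System.out.println("unknown account : " + login("nobody", "123456"));
        System.out.println("correct password: " + login("zhou", "correct horse battery staple"));
        System.out.println("hasRole(admin)          : " + SecurityUtils.getSubject().hasRole("admin"));
        System.out.println("isPermitted(user:query) : " + SecurityUtils.getSubject().isPermitted("user:query"));
        SecurityUtils.getSubject().logout();
    }
}
```

In the Spring setup from the steps above, HashedRealm is the bean the SecurityManager would point at, and the controller would catch AuthenticationException once as login() does here. Iterated SHA-256 is the strongest credential hashing that shiro-core 1.x ships with; where the deployment permits a memory-hard password KDF, use it through a custom CredentialsMatcher.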

The article also includes architecture diagrams, filter flow charts, and a QR code for further Java resources.

Tags: authentication, authorization, Apache Shiro, Java security, Spring Integration
Written by Java Captain

Focused on Java technologies: SSM, the Spring ecosystem, microservices, MySQL, MyCat, clustering, distributed systems, middleware, Linux, networking, multithreading; occasionally covers DevOps tools like Jenkins, Nexus, Docker, ELK; shares practical tech insights and is dedicated to full‑stack Java development.
