Information Security 15 min read

Understanding Apache Shiro Architecture, Realm Implementation, and Spring MVC Integration

This article explains Apache Shiro's core architecture, demonstrates how to create authentication tokens, configure realms with caching and hashing, and shows step‑by‑step integration with Spring MVC including filter setup and login controller code.

Top Architect

Apache Shiro is a powerful Java security framework that works independently of any container and can be used in both Java SE and Java EE environments. Its central component is the SecurityManager, which coordinates authentication and authorization, while the Subject represents the current user and its session.

Authentication starts by creating a UsernamePasswordToken from the user's login credentials. The token is then passed to SecurityUtils.getSubject().login(token), which delegates verification to the configured Realm.

The Realm is responsible for providing AuthenticationInfo (the stored credentials) and AuthorizationInfo (roles and permissions). Implementations typically load the user record from a database, hash the password with a per-user salt (MD5 in this example), and store only the resulting hash.
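The realm described above, as an added example rather than the article's own code. UserService and the nested User class are assumptions standing in for the article's database layer; the only Shiro-specific parts are the two overridden methods and the SimpleAuthenticationInfo that hands the stored hash and salt to the credentials matcher.

```java
// Added example (not the article's code): a Realm that loads users from a store
// and hands the stored hash + salt to the configured CredentialsMatcher.
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

import java.util.Set;

public class UserRealm extends AuthorizingRealm {

    // Minimal user record (assumed); the article's User entity comes from the database.
    public static class User {
        public String username;
        public String password;   // hex-encoded hash, never the plaintext
        public String salt;       // per-user random salt, hex-encoded
        public boolean locked;
        // The realm and the password-hashing helper must build the salt the same way.
        public String getCredentialsSalt() { return username + salt; }
    }

    // Assumed data-access interface.
    public interface UserService {
        User findByUsername(String username);
        Set<String> findRoles(String username);
        Set<String> findPermissions(String username);
    }

    private final UserService userService;

    public UserRealm(UserService userService) {
        this.userService = userService;
    }

    // Called on the first authorization check for a subject; Shiro caches the
    // result when caching is enabled on the realm.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(userService.findRoles(username));
        info.setStringPermissions(userService.findPermissions(username));
        return info;
    }

    // Called by subject.login(token). This method only looks the account up;
    // the CredentialsMatcher configured on the realm does the hash comparison.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        User user = userService.findByUsername(username);
        if (user == null) {
            throw new UnknownAccountException("no account for " + username);
        }
        if (user.locked) {
            throw new LockedAccountException("account locked: " + username);
        }
        return new SimpleAuthenticationInfo(
                user.username,                                  // principal
                user.password,                                  // stored hash
                ByteSource.Util.bytes(user.getCredentialsSalt()), // salt used at hash time
                getName());                                     // realm name
    }
}
```

The salt passed in SimpleAuthenticationInfo is what HashedCredentialsMatcher feeds into its own SimpleHash, so whatever convention the registration code used (here username + salt) must be reproduced here exactly, or every login will fail as an IncorrectCredentialsException.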

To limit repeated login failures, a custom RetryLimitHashedCredentialsMatcher extends HashedCredentialsMatcher and uses an EhCache cache to count failed attempts per account, throwing ExcessiveAttemptsException once five failures have been recorded.
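An added implementation of that matcher (not the article's code). It assumes an in-memory EhCache named passwordRetryCache whose entry lifetime is set in ehcache.xml; the cache name is an assumption.

```java
// Added example (not the article's code): a credentials matcher that counts
// failed attempts per username in a Shiro Cache and rejects after five.
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheManager;

import java.util.concurrent.atomic.AtomicInteger;

public class RetryLimitHashedCredentialsMatcher extends HashedCredentialsMatcher {

    private static final int MAX_FAILED_ATTEMPTS = 5;   // the article's limit

    // Cache name is an assumption; it must match an entry in ehcache.xml.
    private final Cache<String, AtomicInteger> passwordRetryCache;

    public RetryLimitHashedCredentialsMatcher(CacheManager cacheManager) {
        this.passwordRetryCache = cacheManager.getCache("passwordRetryCache");
    }

    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        String username = (String) token.getPrincipal();

        AtomicInteger retryCount = passwordRetryCache.get(username);
        if (retryCount == null) {
            retryCount = new AtomicInteger(0);
            passwordRetryCache.put(username, retryCount);
        }

        // Count the attempt before comparing, so the sixth try is refused even if
        // it happens to carry the right password.
        if (retryCount.incrementAndGet() > MAX_FAILED_ATTEMPTS) {
            throw new ExcessiveAttemptsException(
                    "too many failed logins for " + username);
        }
        // Write the counter back: safe for heap-only caches (where the object is
        // shared) and required for stores that serialize values.
        passwordRetryCache.put(username, retryCount);

        boolean matches = super.doCredentialsMatch(token, info);
        if (matches) {
            // Successful login resets the counter.
            passwordRetryCache.remove(username);
        }
        return matches;
    }
}
```

The lock-out window is not in this class at all: it is the timeToLiveSeconds / timeToIdleSeconds of passwordRetryCache in ehcache.xml, after which the entry expires and the count restarts. Because the counter is keyed by username, the same setting also bounds how long a burst of bad attempts against someone else's account keeps that account unusable, so keep it short enough to tolerate.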

Cache configuration is defined in ehcache.xml, where timeToLiveSeconds and timeToIdleSeconds control entry lifetimes. The PasswordHelper class demonstrates how to generate a salt and hash a password using Shiro's SimpleHash.
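An added PasswordHelper (not the article's code) showing the salt generation and SimpleHash call, plus the reverse computation the credentials matcher performs. The algorithm name, iteration count and the username + salt convention are parameters here; the article's values (MD5, salted) are used in main. Sample credentials in main are constructed.

```java
// Added example (not the article's code): generate a random salt and hash a
// password with Shiro's SimpleHash, then verify it the way HashedCredentialsMatcher does.
import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class PasswordHelper {

    // What gets persisted alongside the user.
    public static final class HashedPassword {
        public final String salt;   // hex; stored next to the hash
        public final String hash;   // hex; goes into the password column
        HashedPassword(String salt, String hash) { this.salt = salt; this.hash = hash; }
    }

    private final RandomNumberGenerator rng = new SecureRandomNumberGenerator();
    private final String algorithmName;
    private final int hashIterations;

    public PasswordHelper(String algorithmName, int hashIterations) {
        this.algorithmName = algorithmName;
        this.hashIterations = hashIterations;
    }

    // Fresh random salt per password; the effective salt is username + salt so two
    // users with the same password and (improbably) the same salt still differ.
    public HashedPassword hash(String username, String plaintext) {
        String salt = rng.nextBytes().toHex();
        String hash = new SimpleHash(algorithmName, plaintext,
                ByteSource.Util.bytes(username + salt), hashIterations).toHex();
        return new HashedPassword(salt, hash);
    }

    // Same computation HashedCredentialsMatcher runs at login, using the stored salt.
    public boolean matches(String username, String plaintext, HashedPassword stored) {
        String candidate = new SimpleHash(algorithmName, plaintext,
                ByteSource.Util.bytes(username + stored.salt), hashIterations).toHex();
        return MessageDigest.isEqual(
                candidate.getBytes(StandardCharsets.US_ASCII),
                stored.hash.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // The article's choice: MD5. Constructed sample user "zhang" / "123".
        PasswordHelper helper = new PasswordHelper("md5", 2);
        HashedPassword stored = helper.hash("zhang", "123");
        System.out.println("salt=" + stored.salt + " hash=" + stored.hash);
        System.out.println(helper.matches("zhang", "123", stored));    // true
        System.out.println(helper.matches("zhang", "wrong", stored));  // false
        System.out.println(helper.matches("other", "123", stored));    // false: salt bound to username
    }
}
```

Three values have to agree between this helper and the HashedCredentialsMatcher bean: hashAlgorithmName, hashIterations, and storedCredentialsHexEncoded (true here because toHex() is used). The algorithm is a constructor argument so the article's MD5 can be swapped for a slower digest with a high iteration count without touching the realm.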

Integration with Spring MVC requires configuring a DelegatingFilterProxy in web.xml and defining the Shiro beans in spring-shiro-web.xml. Key beans include the EhCacheManager, the custom credentialsMatcher, the userRealm, and the DefaultWebSecurityManager. The filter chain is ordered so that anonymous, authenticated, and role-based access rules are matched in that order.
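The same wiring expressed as Spring Java configuration, added here as an example and not taken from the article (which uses spring-shiro-web.xml). It assumes the UserRealm and RetryLimitHashedCredentialsMatcher classes the article names, a no-arg UserRealm as XML bean instantiation would require, and URL patterns that are placeholders for the real application's paths.

```java
// Added example (not the article's code): Java-config equivalent of spring-shiro-web.xml.
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

@Configuration
public class ShiroConfig {

    @Bean
    public EhCacheManager cacheManager() {
        EhCacheManager cacheManager = new EhCacheManager();
        cacheManager.setCacheManagerConfigFile("classpath:ehcache.xml");
        return cacheManager;
    }

    @Bean
    public RetryLimitHashedCredentialsMatcher credentialsMatcher(EhCacheManager cacheManager) {
        RetryLimitHashedCredentialsMatcher matcher = new RetryLimitHashedCredentialsMatcher(cacheManager);
        // Must match what PasswordHelper used when the hashes were stored.
        matcher.setHashAlgorithmName("md5");
        matcher.setHashIterations(2);
        matcher.setStoredCredentialsHexEncoded(true);
        return matcher;
    }

    @Bean
    public UserRealm userRealm(RetryLimitHashedCredentialsMatcher credentialsMatcher) {
        UserRealm realm = new UserRealm();             // no-arg constructor assumed
        realm.setCredentialsMatcher(credentialsMatcher);
        realm.setCachingEnabled(true);                 // authorization info cached via EhCacheManager
        return realm;
    }

    @Bean
    public DefaultWebSecurityManager securityManager(UserRealm userRealm, EhCacheManager cacheManager) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        securityManager.setCacheManager(cacheManager);
        return securityManager;
    }

    // Bean name "shiroFilter" must equal the <filter-name> of the DelegatingFilterProxy in web.xml.
    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login");
        factory.setSuccessUrl("/");
        factory.setUnauthorizedUrl("/unauthorized");

        // Insertion order matters: Shiro uses the FIRST pattern that matches a request,
        // so specific rules go before the catch-all. Paths here are placeholders.
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");               // the LoginController performs login itself
        chain.put("/logout", "logout");
        chain.put("/static/**", "anon");           // anonymous access
        chain.put("/authc/admin", "roles[admin]"); // role-based access, before /authc/**
        chain.put("/authc/**", "authc");           // authenticated access
        chain.put("/**", "anon");                  // everything else: anonymous
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }
}
```

Swapping the two /authc lines would silently downgrade /authc/admin to plain authenticated access, because /authc/** would match first; a quick check is to request the admin path as an authenticated non-admin user and confirm it is redirected to the unauthorizedUrl.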

Finally, a Spring MVC LoginController shows how to create a UsernamePasswordToken, call subject.login(), handle the authentication exceptions, store the logged-in User in Shiro's session, and redirect to the success or error view. An AuthcController demonstrates protected endpoints that require authentication or specific roles.
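Added example controllers (not the article's code) covering that login flow and the protected endpoints. UserService is an assumed lookup used to put the User record into the session; view names and paths are placeholders; @RequiresRoles on AuthcController assumes Shiro's AuthorizationAttributeSourceAdvisor is registered so the annotation is enforced.

```java
// Added example (not the article's code): login controller plus a controller
// whose endpoints are protected by the authc / roles filters.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class LoginController {

    // Assumed lookup returning the application's User entity.
    public interface UserService { Object findByUsername(String username); }

    private final UserService userService;

    public LoginController(UserService userService) {
        this.userService = userService;
    }

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String showLoginForm() {
        return "login";
    }

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(@RequestParam String username,
                        @RequestParam String password,
                        Model model) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);   // realm lookup + credentials matcher run here
            // Keep the full User handy for views; the principal itself is just the username.
            subject.getSession().setAttribute("user", userService.findByUsername(username));
            return "redirect:/success";
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // One message for both cases so the form does not reveal which usernames exist.
            model.addAttribute("error", "Invalid username or password");
        } catch (LockedAccountException e) {
            model.addAttribute("error", "Account is locked");
        } catch (ExcessiveAttemptsException e) {
            model.addAttribute("error", "Too many failed attempts, try again later");
        } catch (AuthenticationException e) {
            model.addAttribute("error", "Login failed");
        } finally {
            token.clear();   // drop the plaintext password from the token
        }
        return "login";     // error view: re-render the form with the message
    }
}

// Reachable only through the "/authc/**" = authc rule; /admin additionally
// requires the admin role (enforced by the roles[admin] rule and the annotation).
@Controller
@RequestMapping("/authc")
class AuthcController {

    @RequestMapping("/index")
    public String index() {
        return "authc/index";
    }

    @RequestMapping("/admin")
    @RequiresRoles("admin")
    public String admin() {
        return "authc/admin";
    }
}
```

The filter chain and the annotation overlap on purpose: the chain rule stops the request at the filter, while @RequiresRoles still protects the method if a later chain edit accidentally opens the path.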

Tags: Java, authentication, Spring MVC, authorization, security framework, Realm, Apache Shiro
Written by Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large-scale distributed, and high-availability architectures, plus architecture adjustments using internet technologies. We welcome idea-driven, sharing-oriented architects to exchange and learn together.
