forked from apache/shiro-site
-
Notifications
You must be signed in to change notification settings - Fork 0
/
spring-framework.md.vtl
211 lines (161 loc) · 8.14 KB
/
spring-framework.md.vtl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
#parse("templates/includes.vtl")
<a name="SpringFramework-IntegratingApacheShirointoSpringbasedApplications"></a>
Integrating Apache Shiro into Spring-based Applications
===
This page covers the ways to integrate Shiro into [Spring](http://spring.io)-based applications.
<a name="SpringFramework-StandaloneApplications"></a>
Standalone Applications
---
Include the Shiro Spring dependency in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).
#dependencies('cli', [['org.apache.shiro', 'shiro-spring', "${earlyRelease}"],['org.springframework', 'spring-context', '${spring.version}']])
Import the Shiro Spring configurations:
``` java
@Configuration
@Import({ShiroBeanConfiguration.class,
ShiroConfiguration.class,
ShiroAnnotationProcessorConfiguration.class})
public class CliAppConfig {
...
}
```
The above configurations do the following:
| Configuration Class | Description |
| ------------------- | ----------- |
| org.apache.shiro.spring.config.ShiroBeanConfiguration | Configures Shiro's lifecycle and events |
| org.apache.shiro.spring.config.ShiroConfiguration | Configures Shiro Beans (SecurityManager, SessionManager, etc) |
| org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration | Enables Shiro's annotation processing |
The only thing that is left is to configure a [realm](realm.html):
``` java
@Bean
public Realm realm() {
...
}
```
The easiest way to setup Shiro, so that all SecurityUtils.* methods work in all cases, is to make the `SecurityManager` bean a static singleton. DO NOT do this in web applications - see the [Web Applications](#Spring-WebApplications) section below instead.
``` java
@Autowired
private SecurityManager securityManager;
@PostConstruct
private void initStaticSecurityManager() {
SecurityUtils.setSecurityManager(securityManager);
}
```
That is it, now you can get the current `Subject` using:
``` java
SecurityUtils.getSubject();
```
You can see a full example in our [samples on Github](https://github.com/apache/shiro/tree/master/samples/spring).
<a name="SpringFramework-WebApplications"></a>
Web Applications
---
Shiro has first-class support for Spring web applications. In a web application, all Shiro-accessible web requests must go through a master Shiro Filter. This filter itself is extremely powerful, allowing for ad-hoc custom filter chains to be executed based on any URL path expression.
Include the Shiro Spring web dependencies in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).
#dependencies('web', [['org.apache.shiro', 'shiro-spring', "${earlyRelease}"], ['org.apache.shiro', 'shiro-web', "${earlyRelease}"],['org.springframework', 'spring-webmvc', '${spring.version}']])
Import the Shiro Spring configurations:
``` java
@Configuration
@Import({ShiroBeanConfiguration.class,
ShiroAnnotationProcessorConfiguration.class,
ShiroWebConfiguration.class,
ShiroWebFilterConfiguration.class})
public class ApplicationConfig {
...
}
```
The above configurations do the following:
| Configuration Class | Description |
| ------------------- | ----------- |
| org.apache.shiro.spring.config.ShiroBeanConfiguration | Configures Shiro's lifecycle and events |
| org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration | Enables Shiro's annotation processing |
| org.apache.shiro.spring.web.config.ShiroWebConfiguration | Configures Shiro Beans for web usage (SecurityManager, SessionManager, etc) |
| org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration | Configures Shiro's web filter |
Provide a Realm implementation:
``` java
@Bean
public Realm realm() {
...
}
```
And finally a `ShiroFilterChainDefinition` which will map any application specific paths to a given filter, in order to allow different paths different levels of access.
``` java
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
// logged in users with the 'admin' role
chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");
// logged in users with the 'document:read' permission
chainDefinition.addPathDefinition("/docs/**", "authc, perms[document:read]");
// all other paths require a logged in user
chainDefinition.addPathDefinition("/**", "authc");
return chainDefinition;
}
```
If you are using Shiro's annotations see the [annotation](#Spring-annotations-web) section below.
You can see a full example in our [samples on Github](https://github.com/apache/shiro/tree/master/samples/spring-mvc).
<a name="Spring-annotations"></a>
Enabling Shiro Annotations
---
In both standalone and web applications, you might want to use Shiro's Annotations for security checks (for example, `@RequiresRoles`, `@RequiresPermissions`, etc.) These annotations are enabled by importing the `ShiroAnnotationProcessorConfiguration` Spring configuration in both sections above.
Simply annotate your methods in order to use them:
``` java
@RequiresPermissions("document:read")
public void readDocument() {
...
}
```
<a name="Spring-annotations-web"></a>
#[[###]]# Annotations and Web Applications
Shiro annotations are fully supported for use in `@Controller` classes, for example:
``` java
@Controller
public class AccountInfoController {
@RequiresRoles("admin")
@RequestMapping("/admin/config")
public String adminConfig(Model model) {
return "view";
}
}
```
A `ShiroFilterChainDefinition` bean with at least one definition is still required for this to work, either configure all paths to be accessable via the `anon` filter or a filter in 'permissive' mode, for example: `authcBasic[permissive]`.
``` java
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
chainDefinition.addPathDefinition("/**", "anon"); // all paths are managed via annotations
// or allow basic authentication, but NOT require it.
// chainDefinition.addPathDefinition("/**", "authcBasic[permissive]");
return chainDefinition;
}
```
<a name="Spring-caching"></a>
# Caching
Enabling caching is as simple as providing a [CacheManager](http://shiro.apache.org/caching.html) bean:
``` java
@Bean
protected CacheManager cacheManager() {
return new MemoryConstrainedCacheManager();
}
```
<!-- Work around for table styling until, all pages are updated. -->
#mdStyle()
# Configuration Properties
| Key | Default Value | Description |
| --- | ------------- | ----------- |
| shiro.sessionManager.deleteInvalidSessions | `true` | Remove invalid session from session storage |
| shiro.sessionManager.sessionIdCookieEnabled | `true` | Enable session ID to cookie, for session tracking |
| shiro.sessionManager.sessionIdUrlRewritingEnabled | `true` | Enable session URL rewriting support |
| shiro.userNativeSessionManager | `false` | If enabled Shiro will manage the HTTP sessions instead of the container |
| shiro.sessionManager.cookie.name | `JSESSIONID` | Session cookie name |
| shiro.sessionManager.cookie.maxAge | `-1` | Session cookie max age |
| shiro.sessionManager.cookie.domain | null | Session cookie domain |
| shiro.sessionManager.cookie.path | null | Session cookie path |
| shiro.sessionManager.cookie.secure | `false` | Session cookie secure flag |
| shiro.rememberMeManager.cookie.name | `rememberMe` | RememberMe cookie name |
| shiro.rememberMeManager.cookie.maxAge | one year | RememberMe cookie max age |
| shiro.rememberMeManager.cookie.domain | null | RememberMe cookie domain|
| shiro.rememberMeManager.cookie.path | null | RememberMe cookie path|
| shiro.rememberMeManager.cookie.secure | `false` | RememberMe cookie secure flag|
| shiro.loginUrl | `/login.jsp` | Login URL used when unauthenticated users are redirected to login page |
| shiro.successUrl | `/` | Default landing page after a user logs in (if alternative cannot be found in the current session) |
| shiro.unauthorizedUrl | null | Page to redirect user to if they are unauthorized (403 page) |
<input type="hidden" id="ghEditPage" value="spring-framework.md.vtl"></input>