

Simple INI Configuration Example with Apache Shiro

One of the simplest setups for a web application is to add a /WEB-INF/shiro.ini file as explained in Securing Web Applications with Apache Shiro.

A simple INI configuration with HippoRepositoryRealm can be configured like the following example:

[main]
# The value of hippoRealm is the fully qualified class name of HippoRepositoryRealm
hippoRealm =
hippoRealm.defaultRoleName = everybody
hippoRealm.permissionsLookupEnabled = true

securityManager.realms = $hippoRealm

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

shiro.loginUrl = /login.jsp

[urls]
/login.jsp = authc
/logout = logout
/events/** = authc

The example configuration above shows a login URL and restricted URLs as explained in Securing Web Applications with Apache Shiro. In addition, it configures HippoRepositoryRealm as the default realm to demonstrate how users are authenticated and authorized against the Hippo Repository security data store.

Securing Your Site

Now you can secure your web site by setting 'hst:authenticated', 'hst:roles' or 'hst:users' on either an 'hst:sitemapitem' node or an 'hst:mount' node.

For example, if you have a 'securedresource' sitemap item with hst:authenticated = true and hst:roles = [ 'everybody' ], then requests to that sitemap item will be allowed only for authenticated users.

HST - Apache Shiro Integration Support supports the same authorization features as the default HST-2 Security module. Please refer to the following link to learn how to set up authorization.

Note: Because the Apache Shiro servlet filters set up JEE standard principals automatically even with this simple configuration, you don't need to add or customize a security-related Valve in the HST-2 container.

Using Apache Shiro Tag Libraries

You can take advantage of the Apache Shiro JSTL tag libraries to secure web resources. Please see the examples in Securing Web Applications with Apache Shiro.

Also see an example JSP page in the demo project:

Using Standard Security APIs

You can also use the Java EE standard Security APIs in your components or servlets/filters for programmatic security checks, such as:

  • javax.servlet.http.HttpServletRequest#getUserPrincipal()
  • javax.servlet.http.HttpServletRequest#isUserInRole(java.lang.String role)
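As an added example (not code from the HST Shiro integration project), the servlet filter below shows how the two standard APIs listed above are used together for a programmatic check. It assumes it is mapped in web.xml after the Shiro filter, so that getUserPrincipal() and isUserInRole() are already populated by Shiro; the role name "everybody" matches hippoRealm.defaultRoleName from the shiro.ini above, and the init-param name "requiredRole" and the request attribute "currentUserName" are assumptions of this example.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example filter (not part of the HST Shiro integration project).
 * Performs a programmatic authorization check with the Java EE standard
 * security APIs that Shiro populates on the request.
 */
public class RequiredRoleFilter implements Filter {

    // Default role name matches hippoRealm.defaultRoleName in shiro.ini;
    // the "requiredRole" init-param is an assumption of this example.
    private String requiredRole = "everybody";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("requiredRole");
        if (configured != null && !configured.trim().isEmpty()) {
            requiredRole = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Not authenticated. Shiro's 'authc' filter normally redirects to
            // shiro.loginUrl before this point; answer 401 as a defensive fallback
            // in case the URL was not covered by the [urls] section.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (!request.isUserInRole(requiredRole)) {
            // Authenticated but missing the required role: deny without
            // revealing which role was expected.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Expose the principal name to downstream components/JSPs
        // (attribute name is an assumption of this example).
        request.setAttribute("currentUserName", user.getName());
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Because Shiro has already established the principal, the filter only needs the two standard calls; keeping the check role-based (rather than comparing user names) keeps it consistent with the hst:roles settings on the sitemap item or mount.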