One of the simplest setups for a web application is to add a /WEB-INF/shiro.ini file, as explained in Securing Web Applications with Apache Shiro.
A simple INI configuration using HippoRepositoryRealm looks like the following example:
[main]
hippoRealm = org.onehippo.forge.security.support.shiro.realm.HippoRepositoryRealm
hippoRealm.defaultRoleName = everybody
hippoRealm.permissionsLookupEnabled = true
securityManager.realms = $hippoRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
shiro.loginUrl = /login.jsp

[urls]
/login.jsp = authc
/logout = logout
/events/** = authc
In the example configuration above, the login URL and the restricted URLs are set up as explained in Securing Web Applications with Apache Shiro. In addition, it configures HippoRepositoryRealm as the default realm to demonstrate how users are authenticated and authorized against the Hippo Repository security data store.
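To check which paths the [urls] section above actually protects, the following added example (not part of the hst-shiro project) resolves request paths against the entries in file order, since Shiro applies the first matching pattern, and reports entries that can never win. The function names, the simplified Ant-style matcher and the misordered variant are assumptions constructed for illustration.

```python
import configparser
import re

# The page's [urls] section, and a constructed misordered variant for comparison.
PAGE_INI = """[urls]
/login.jsp = authc
/logout = logout
/events/** = authc
"""
MISORDERED_INI = """[urls]
/** = anon
/events/** = authc
"""

def load_chains(ini_text):
    """Return the [urls] entries as (pattern, chain) pairs in file order."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(ini_text)
    return list(cp.items("urls"))

def ant_to_regex(pattern):
    """Simplified Ant-style matcher (an approximation, not Shiro's own matcher)."""
    head, tail = (pattern[:-3], "(/.*)?") if pattern.endswith("/**") else (pattern, "")
    rules = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = "".join(rules.get(t, re.escape(t)) for t in re.split(r"(\*\*|\*|\?)", head))
    return re.compile("^" + body + tail + "$")

def chain_for(chains, path):
    """First matching pattern wins, as in Shiro's [urls] evaluation."""
    for pattern, chain in chains:
        if ant_to_regex(pattern).match(path):
            return chain
    return None  # no Shiro filter chain applies to this path

def shadowed(chains, probes):
    """Patterns that match a probe path but lose to an earlier, different chain."""
    hit = set()
    for pattern, chain in chains:
        for p in probes:
            if ant_to_regex(pattern).match(p) and chain_for(chains, p) != chain:
                hit.add(pattern)
    return sorted(hit)
```

With the page's configuration, a path such as /index.jsp resolves to no filter chain, so its protection depends entirely on the HST settings described next.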
Now, you can secure your web site by setting 'hst:authenticated', 'hst:roles' or 'hst:users' on either an 'hst:sitemapitem' node or an 'hst:mount' node.
For example, if you have a 'securedresource' sitemap item with 'hst:authenticated=true' and 'hst:roles=[ 'everybody' ]', then requests to that sitemap item will be allowed only for authenticated users.
HST - Apache Shiro Integration Support supports the same authorization features as the default HST-2 Security module provides. Please refer to the following link to learn how to set authorization.
Note: Because the Apache Shiro Servlet Filters set up JEE standard principals automatically even with the simple configuration, you don't have to add or customize a security-related Valve in the HST-2 container at all.
You can take advantage of the Apache Shiro JSTL Tag Libraries to secure web resources. Please see the examples in Securing Web Applications with Apache Shiro.
Also see an example JSP page in the demo project: https://github.com/bloomreach-forge/hst-shiro/blob/master/demo/site/src/main/webapp/WEB-INF/jsp/hstshirointegdemo/homepage-main.jsp.