spring-framework.md.vtl - shiro-site - Git at Google

 #parse("templates/includes.vtl")

 <a name="SpringFramework-IntegratingApacheShirointoSpringbasedApplications"></a>
 Integrating Apache Shiro into Spring-based Applications
 ===

 This page covers the ways to integrate Shiro into [Spring](http://spring.io)-based applications.

 <a name="SpringFramework-StandaloneApplications"></a>
 Standalone Applications
 ---

 Include the Shiro Spring dependency in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).

 #dependencies('cli', [['org.apache.shiro', 'shiro-spring', "${latestRelease}"],['org.springframework', 'spring-context', '${spring.version}']])

 Import the Shiro Spring configurations:

 ``` java
 @Configuration
 @Import({ShiroBeanConfiguration.class,
          ShiroConfiguration.class,
          ShiroAnnotationProcessorConfiguration.class})
 public class CliAppConfig {
    ...
 }
 ```

 The above configurations do the following:

 | Configuration Class | Description |
 | ------------------- | ----------- |
 | org.apache.shiro.spring.config.ShiroBeanConfiguration | Configures Shiro's lifecycle and events |
 | org.apache.shiro.spring.config.ShiroConfiguration | Configures Shiro Beans (SecurityManager, SessionManager, etc)  |
 | org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration | Enables Shiro's annotation processing |

 The only thing that is left is to configure a [realm](realm.html):

 ``` java
 @Bean
 public Realm realm() {
   ...
 }
 ```

 The easiest way to setup Shiro, so that all SecurityUtils.* methods work in all cases, is to make the `SecurityManager` bean a static singleton.  DO NOT do this in web applications - see the [Web Applications](#Spring-WebApplications) section below instead.

 ``` java
 @Autowired
 private SecurityManager securityManager;

  @PostConstruct
  private void initStaticSecurityManager() {
      SecurityUtils.setSecurityManager(securityManager);
  }
 ```

 That is it, now you can get the current `Subject` using:
 ``` java
 SecurityUtils.getSubject();
 ```

 You can see a full example in our [samples on Github](https://github.com/apache/shiro/tree/main/samples/spring).

 <a name="SpringFramework-WebApplications"></a>
 Web Applications
 ---

 Shiro has first-class support for Spring web applications. In a web application, all Shiro-accessible web requests must go through a main Shiro Filter. This filter itself is extremely powerful, allowing for ad-hoc custom filter chains to be executed based on any URL path expression.

 Include the Shiro Spring web dependencies in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).

 #dependencies('web', [['org.apache.shiro', 'shiro-spring', "${latestRelease}"], ['org.apache.shiro', 'shiro-web', "${latestRelease}"],['org.springframework', 'spring-webmvc', '${spring.version}']])

 <a name="SpringFramework-WebConfig"></a>

 Import the Shiro Spring configurations:

 ``` java
 @Configuration
 @Import({ShiroBeanConfiguration.class,
         ShiroAnnotationProcessorConfiguration.class,
         ShiroWebConfiguration.class,
         ShiroWebFilterConfiguration.class,
         ShiroRequestMappingConfig.class})
 public class ApplicationConfig {
   ...
 }
 ```

 The above configurations do the following:

 | Configuration Class | Description |
 | ------------------- | ----------- |
 | org.apache.shiro.spring.config.ShiroBeanConfiguration | Configures Shiro's lifecycle and events |
 | org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration | Enables Shiro's annotation processing |
 | org.apache.shiro.spring.web.config.ShiroWebConfiguration | Configures Shiro Beans for web usage (SecurityManager, SessionManager, etc)  |
 | org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration | Configures Shiro's web filter |
 | org.apache.shiro.spring.web.config.ShiroRequestMappingConfig | Configures Spring with Shiro's `UrlPathHelper` implementation to ensure URLs are processed the same both frameworks |

 Provide a Realm implementation:
 ``` java
 @Bean
 public Realm realm() {
   ...
 }
 ```

 And finally a `ShiroFilterChainDefinition` which will map any application specific paths to a given filter, in order to allow different paths different levels of access.

 ``` java
 @Bean
 public ShiroFilterChainDefinition shiroFilterChainDefinition() {
     DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();

     // logged in users with the 'admin' role
     chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");

     // logged in users with the 'document:read' permission
     chainDefinition.addPathDefinition("/docs/**", "authc, perms[document:read]");

     // all other paths require a logged in user
     chainDefinition.addPathDefinition("/**", "authc");
     return chainDefinition;
 }
 ```

 If you are using Shiro's annotations see the [annotation](#Spring-annotations-web) section below.

 You can see a full example in our [samples on Github](https://github.com/apache/shiro/tree/main/samples/spring-mvc).

 <a name="Spring-annotations"></a>
 Enabling Shiro Annotations
 ---

 In both standalone and web applications, you might want to use Shiro's Annotations for security checks (for example, `@RequiresRoles`, `@RequiresPermissions`, etc.) These annotations are enabled by importing the `ShiroAnnotationProcessorConfiguration` Spring configuration in both sections above.

 Simply annotate your methods in order to use them:

 ``` java
 @RequiresPermissions("document:read")
 public void readDocument() {
     ...
 }
 ```

 <a name="Spring-annotations-web"></a>
 #[[###]]# Annotations and Web Applications

 Shiro annotations are fully supported for use in `@Controller` classes, for example:

 ``` java
 @Controller
 public class AccountInfoController {

     @RequiresRoles("admin")
     @RequestMapping("/admin/config")
     public String adminConfig(Model model) {
         return "view";
     }
 }
 ```

 A `ShiroFilterChainDefinition` bean with at least one definition is still required for this to work, either configure all paths to be accessable via the `anon` filter or a filter in 'permissive' mode, for example: `authcBasic[permissive]`.

 ``` java
 @Bean
 public ShiroFilterChainDefinition shiroFilterChainDefinition() {
     DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
     chainDefinition.addPathDefinition("/**", "anon"); // all paths are managed via annotations

     // or allow basic authentication, but NOT require it.
     // chainDefinition.addPathDefinition("/**", "authcBasic[permissive]");
     return chainDefinition;
 }
 ```

 <a name="Spring-caching"></a>
 # Caching

 Enabling caching is as simple as providing a [CacheManager](http://shiro.apache.org/caching.html) bean:

 ``` java
 @Bean
 protected CacheManager cacheManager() {
     return new MemoryConstrainedCacheManager();
 }
 ```

 <!-- Work around for table styling until, all pages are updated. -->
 #mdStyle()

 # Configuration Properties

 | Key | Default Value | Description |
 | --- | ------------- | ----------- |
 | shiro.sessionManager.deleteInvalidSessions | `true` | Remove invalid session from session storage |
 | shiro.sessionManager.sessionIdCookieEnabled | `true` | Enable session ID to cookie, for session tracking |
 | shiro.sessionManager.sessionIdUrlRewritingEnabled | `true` | Enable session URL rewriting support |
 | shiro.userNativeSessionManager | `false` | If enabled Shiro will manage the HTTP sessions instead of the container |
 | shiro.sessionManager.cookie.name | `JSESSIONID` | Session cookie name |
 | shiro.sessionManager.cookie.maxAge | `-1` | Session cookie max age |
 | shiro.sessionManager.cookie.domain | null | Session cookie domain |
 | shiro.sessionManager.cookie.path | null | Session cookie path |
 | shiro.sessionManager.cookie.secure | `false` | Session cookie secure flag |
 | shiro.rememberMeManager.cookie.name | `rememberMe` | RememberMe cookie name |
 | shiro.rememberMeManager.cookie.maxAge | one year | RememberMe cookie max age |
 | shiro.rememberMeManager.cookie.domain | null | RememberMe cookie domain|
 | shiro.rememberMeManager.cookie.path | null | RememberMe cookie path|
 | shiro.rememberMeManager.cookie.secure | `false` | RememberMe cookie secure flag|
 | shiro.loginUrl | `/login.jsp` | Login URL used when unauthenticated users are redirected to login page |
 | shiro.successUrl | `/` | Default landing page after a user logs in (if alternative cannot be found in the current session) |
 | shiro.unauthorizedUrl | null | Page to redirect user to if they are unauthorized (403 page) |

 <input type="hidden" id="ghEditPage" value="spring-framework.md.vtl"></input>
	#parse("templates/includes.vtl")

	<a name="SpringFramework-IntegratingApacheShirointoSpringbasedApplications"></a>
	Integrating Apache Shiro into Spring-based Applications
	===

	This page covers the ways to integrate Shiro into [Spring](http://spring.io)-based applications.

	<a name="SpringFramework-StandaloneApplications"></a>
	Standalone Applications
	---

	Include the Shiro Spring dependency in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).

	#dependencies('cli', [['org.apache.shiro', 'shiro-spring', "${latestRelease}"],['org.springframework', 'spring-context', '${spring.version}']])

	Import the Shiro Spring configurations:

	``` java
	@Configuration
	@Import({ShiroBeanConfiguration.class,
	ShiroConfiguration.class,
	ShiroAnnotationProcessorConfiguration.class})
	public class CliAppConfig {
	...
	}
	```

	The above configurations do the following:

	\| Configuration Class \| Description \|
	\| ------------------- \| ----------- \|
	\| org.apache.shiro.spring.config.ShiroBeanConfiguration \| Configures Shiro's lifecycle and events \|
	\| org.apache.shiro.spring.config.ShiroConfiguration \| Configures Shiro Beans (SecurityManager, SessionManager, etc) \|
	\| org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration \| Enables Shiro's annotation processing \|

	The only thing that is left is to configure a [realm](realm.html):

	``` java
	@Bean
	public Realm realm() {
	...
	}
	```

	The easiest way to setup Shiro, so that all SecurityUtils.* methods work in all cases, is to make the `SecurityManager` bean a static singleton. DO NOT do this in web applications - see the [Web Applications](#Spring-WebApplications) section below instead.

	``` java
	@Autowired
	private SecurityManager securityManager;

	@PostConstruct
	private void initStaticSecurityManager() {
	SecurityUtils.setSecurityManager(securityManager);
	}
	```

	That is it, now you can get the current `Subject` using:
	``` java
	SecurityUtils.getSubject();
	```

	You can see a full example in our [samples on Github](https://github.com/apache/shiro/tree/main/samples/spring).

	<a name="SpringFramework-WebApplications"></a>
	Web Applications
	---

	Shiro has first-class support for Spring web applications. In a web application, all Shiro-accessible web requests must go through a main Shiro Filter. This filter itself is extremely powerful, allowing for ad-hoc custom filter chains to be executed based on any URL path expression.

	Include the Shiro Spring web dependencies in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).

	#dependencies('web', [['org.apache.shiro', 'shiro-spring', "${latestRelease}"], ['org.apache.shiro', 'shiro-web', "${latestRelease}"],['org.springframework', 'spring-webmvc', '${spring.version}']])

	<a name="SpringFramework-WebConfig"></a>

	Import the Shiro Spring configurations:

	``` java
	@Configuration
	@Import({ShiroBeanConfiguration.class,
	ShiroAnnotationProcessorConfiguration.class,
	ShiroWebConfiguration.class,
	ShiroWebFilterConfiguration.class,
	ShiroRequestMappingConfig.class})
	public class ApplicationConfig {
	...
	}
	```

	The above configurations do the following:

	\| Configuration Class \| Description \|
	\| ------------------- \| ----------- \|
	\| org.apache.shiro.spring.config.ShiroBeanConfiguration \| Configures Shiro's lifecycle and events \|
	\| org.apache.shiro.spring.config.ShiroAnnotationProcessorConfiguration \| Enables Shiro's annotation processing \|
	\| org.apache.shiro.spring.web.config.ShiroWebConfiguration \| Configures Shiro Beans for web usage (SecurityManager, SessionManager, etc) \|
	\| org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration \| Configures Shiro's web filter \|
	\| org.apache.shiro.spring.web.config.ShiroRequestMappingConfig \| Configures Spring with Shiro's `UrlPathHelper` implementation to ensure URLs are processed the same both frameworks \|

	Provide a Realm implementation:
	``` java
	@Bean
	public Realm realm() {
	...
	}
	```

	And finally a `ShiroFilterChainDefinition` which will map any application specific paths to a given filter, in order to allow different paths different levels of access.

	``` java
	@Bean
	public ShiroFilterChainDefinition shiroFilterChainDefinition() {
	DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();

	// logged in users with the 'admin' role
	chainDefinition.addPathDefinition("/admin/**", "authc, roles[admin]");

	// logged in users with the 'document:read' permission
	chainDefinition.addPathDefinition("/docs/**", "authc, perms[document:read]");

	// all other paths require a logged in user
	chainDefinition.addPathDefinition("/**", "authc");
	return chainDefinition;
	}
	```

	If you are using Shiro's annotations see the [annotation](#Spring-annotations-web) section below.

	You can see a full example in our [samples on Github](https://github.com/apache/shiro/tree/main/samples/spring-mvc).

	<a name="Spring-annotations"></a>
	Enabling Shiro Annotations
	---

	In both standalone and web applications, you might want to use Shiro's Annotations for security checks (for example, `@RequiresRoles`, `@RequiresPermissions`, etc.) These annotations are enabled by importing the `ShiroAnnotationProcessorConfiguration` Spring configuration in both sections above.

	Simply annotate your methods in order to use them:

	``` java
	@RequiresPermissions("document:read")
	public void readDocument() {
	...
	}
	```

	<a name="Spring-annotations-web"></a>
	#[[###]]# Annotations and Web Applications

	Shiro annotations are fully supported for use in `@Controller` classes, for example:

	``` java
	@Controller
	public class AccountInfoController {

	@RequiresRoles("admin")
	@RequestMapping("/admin/config")
	public String adminConfig(Model model) {
	return "view";
	}
	}
	```

	A `ShiroFilterChainDefinition` bean with at least one definition is still required for this to work, either configure all paths to be accessable via the `anon` filter or a filter in 'permissive' mode, for example: `authcBasic[permissive]`.

	``` java
	@Bean
	public ShiroFilterChainDefinition shiroFilterChainDefinition() {
	DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
	chainDefinition.addPathDefinition("/**", "anon"); // all paths are managed via annotations

	// or allow basic authentication, but NOT require it.
	// chainDefinition.addPathDefinition("/**", "authcBasic[permissive]");
	return chainDefinition;
	}
	```

	<a name="Spring-caching"></a>
	# Caching

	Enabling caching is as simple as providing a [CacheManager](http://shiro.apache.org/caching.html) bean:

	``` java
	@Bean
	protected CacheManager cacheManager() {
	return new MemoryConstrainedCacheManager();
	}
	```

	<!-- Work around for table styling until, all pages are updated. -->
	#mdStyle()

	# Configuration Properties

	\| Key \| Default Value \| Description \|
	\| --- \| ------------- \| ----------- \|
	\| shiro.sessionManager.deleteInvalidSessions \| `true` \| Remove invalid session from session storage \|
	\| shiro.sessionManager.sessionIdCookieEnabled \| `true` \| Enable session ID to cookie, for session tracking \|
	\| shiro.sessionManager.sessionIdUrlRewritingEnabled \| `true` \| Enable session URL rewriting support \|
	\| shiro.userNativeSessionManager \| `false` \| If enabled Shiro will manage the HTTP sessions instead of the container \|
	\| shiro.sessionManager.cookie.name \| `JSESSIONID` \| Session cookie name \|
	\| shiro.sessionManager.cookie.maxAge \| `-1` \| Session cookie max age \|
	\| shiro.sessionManager.cookie.domain \| null \| Session cookie domain \|
	\| shiro.sessionManager.cookie.path \| null \| Session cookie path \|
	\| shiro.sessionManager.cookie.secure \| `false` \| Session cookie secure flag \|
	\| shiro.rememberMeManager.cookie.name \| `rememberMe` \| RememberMe cookie name \|
	\| shiro.rememberMeManager.cookie.maxAge \| one year \| RememberMe cookie max age \|
	\| shiro.rememberMeManager.cookie.domain \| null \| RememberMe cookie domain\|
	\| shiro.rememberMeManager.cookie.path \| null \| RememberMe cookie path\|
	\| shiro.rememberMeManager.cookie.secure \| `false` \| RememberMe cookie secure flag\|
	\| shiro.loginUrl \| `/login.jsp` \| Login URL used when unauthenticated users are redirected to login page \|
	\| shiro.successUrl \| `/` \| Default landing page after a user logs in (if alternative cannot be found in the current session) \|
	\| shiro.unauthorizedUrl \| null \| Page to redirect user to if they are unauthorized (403 page) \|

	<input type="hidden" id="ghEditPage" value="spring-framework.md.vtl"></input>