src/site/content/jaxrs.adoc - shiro-site - Git at Google

 = Apache Shiro JAX-RS Support
 :jbake-date: 2010-03-18 00:00:00
 :jbake-type: page
 :jbake-status: published
 :jbake-tags: documentation, jax-rs, integrations, web
 :idprefix:
 :icons: font

 Apache Shiro's JAX-RS support is built on top of the more general link:web.html[Servlet] support, and requires Shiro's Servlet Filter to be setup. The Servlet Filter can be setup by using Shiro's Servlet fragment, `web.xml` configuration, or programmatically.

 == Dependencies

 Include the `shiro-servlet-plugin` and `shiro-jaxrs` dependencies in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).

 ++++
 <@dependencies.dependencies anchorId="cli" deps=[{'g':'org.apache.shiro', 'a':'shiro-servlet-plugin', "v":"${versions.latestRelease}"},{"g":'org.apache.shiro', "a":'shiro-jaxrs', "v":'${versions.latestRelease}'}] />
 ++++


 For information on other ways to set up the Apache Shiro Filter see the link:web.html[web documentation].

 == Configuration

 There are two basic approaches used to define the authentication and authorization for your JAX-RS resources: paths defined statically in configuration, or via annotations on your resource.

 If you are using link:guice.html[Guice] or link:spring.html[Spring] see those docs on how to configure Shiro.

 === Paths defined in `shiro.ini`

 Just like any other web application, your resources paths can be defined in a `shiro.ini` file. For example, to require resources under `/api/secured` to use basic authentication, your `[urls]` section would look like:

 [source,ini]
 ----
 [urls]

 /api/secured/** = authcBaic

 ----

 See the link:web.html[web documentation] for more details.

 The other, probably more popular, option is to use Shiro's link:java-annotations-list.html[annotations] along side other JAX-RS annotations on your resources. However you *MUST* still define at least one path in your `shiro.ini` file.

 The below code block will allow for basic authentication but NOT require it (via the `permissive` flag). This way all of the resources under `/api` can optional require authentication and authorization based on annotations.

 [source,ini]
 ----
 [urls]

 /api/** = authcBaic[permissive]

 ----

 == Example

 To create a simple example we can define a JAX-RS resource `HelloShiro`:

 [source,java]
 ----
 @Path("/shiro")
 public class HelloShiro {

   @GET
   @RequiresUser
   public String sayHelloShiro() {
       return "Hello!";
   }

   @GET
   @Path("define")
   @RequiresPermissions("hello:define")
   public String defineShiro() {
       return  "Shiro is the Japanese term for a castle";
   }
 }
 ----

 This resource has two end points, the first allows access by any logged in user, the second any user with the link:permissions.html[permission] `hello:define`.

 The corresponding JAX-RS Application class:

 [source,java]
 ----
 @ApplicationPath("/api")
 public class ExampleApp extends Application {

 @Override
     public Set<Class<?>> getClasses() {
         Set<Class<?>> classes = new HashSet<>();

         // register the Shiro Feature
         classes.add(ShiroFeature.class);

         // register resources:
         classes.add(HelloShiro.class);

         return classes;
     }
 }
 ----

 The `ShiroFeature` does three things:

 * configures exception mapping from Shiro's `AuthorizationException` to HTTP status codes (401 and 403)
 * exposes Shiro's `Subject` as a `java.security.Principal`
 * Configures processing of Shiro's annotations

 In the above example, requests to either `/api/shiro` or `/api/shiro/define` will return an HTTP status of `401` if a user is not currently logged in. A request to `/api/shiro/define` made by a user without the `hello:define` will return a `403`.

 == Want to see more?

 You can find portable JAX-RS application that runs with https://jersey.java.net/[Jersey], https://resteasy.dev/[RestEasy] or https://cxf.apache.org[Apache CXF] in the https://github.com/apache/shiro/tree/main/samples[samples] directory on Github.
	= Apache Shiro JAX-RS Support
	:jbake-date: 2010-03-18 00:00:00
	:jbake-type: page
	:jbake-status: published
	:jbake-tags: documentation, jax-rs, integrations, web
	:idprefix:
	:icons: font

	Apache Shiro's JAX-RS support is built on top of the more general link:web.html[Servlet] support, and requires Shiro's Servlet Filter to be setup. The Servlet Filter can be setup by using Shiro's Servlet fragment, `web.xml` configuration, or programmatically.

	== Dependencies

	Include the `shiro-servlet-plugin` and `shiro-jaxrs` dependencies in you application classpath (we recomend using a tool such as Apache Maven or Gradle to manage this).

	++++
	<@dependencies.dependencies anchorId="cli" deps=[{'g':'org.apache.shiro', 'a':'shiro-servlet-plugin', "v":"${versions.latestRelease}"},{"g":'org.apache.shiro', "a":'shiro-jaxrs', "v":'${versions.latestRelease}'}] />
	++++


	For information on other ways to set up the Apache Shiro Filter see the link:web.html[web documentation].

	== Configuration

	There are two basic approaches used to define the authentication and authorization for your JAX-RS resources: paths defined statically in configuration, or via annotations on your resource.

	If you are using link:guice.html[Guice] or link:spring.html[Spring] see those docs on how to configure Shiro.

	=== Paths defined in `shiro.ini`

	Just like any other web application, your resources paths can be defined in a `shiro.ini` file. For example, to require resources under `/api/secured` to use basic authentication, your `[urls]` section would look like:

	[source,ini]
	----
	[urls]

	/api/secured/** = authcBaic

	----

	See the link:web.html[web documentation] for more details.

	The other, probably more popular, option is to use Shiro's link:java-annotations-list.html[annotations] along side other JAX-RS annotations on your resources. However you MUST still define at least one path in your `shiro.ini` file.

	The below code block will allow for basic authentication but NOT require it (via the `permissive` flag). This way all of the resources under `/api` can optional require authentication and authorization based on annotations.

	[source,ini]
	----
	[urls]

	/api/** = authcBaic[permissive]

	----

	== Example

	To create a simple example we can define a JAX-RS resource `HelloShiro`:

	[source,java]
	----
	@Path("/shiro")
	public class HelloShiro {

	@GET
	@RequiresUser
	public String sayHelloShiro() {
	return "Hello!";
	}

	@GET
	@Path("define")
	@RequiresPermissions("hello:define")
	public String defineShiro() {
	return "Shiro is the Japanese term for a castle";
	}
	}
	----

	This resource has two end points, the first allows access by any logged in user, the second any user with the link:permissions.html[permission] `hello:define`.

	The corresponding JAX-RS Application class:

	[source,java]
	----
	@ApplicationPath("/api")
	public class ExampleApp extends Application {

	@Override
	public Set<Class<?>> getClasses() {
	Set<Class<?>> classes = new HashSet<>();

	// register the Shiro Feature
	classes.add(ShiroFeature.class);

	// register resources:
	classes.add(HelloShiro.class);

	return classes;
	}
	}
	----

	The `ShiroFeature` does three things:

	* configures exception mapping from Shiro's `AuthorizationException` to HTTP status codes (401 and 403)
	* exposes Shiro's `Subject` as a `java.security.Principal`
	* Configures processing of Shiro's annotations

	In the above example, requests to either `/api/shiro` or `/api/shiro/define` will return an HTTP status of `401` if a user is not currently logged in. A request to `/api/shiro/define` made by a user without the `hello:define` will return a `403`.

	== Want to see more?

	You can find portable JAX-RS application that runs with https://jersey.java.net/[Jersey], https://resteasy.dev/[RestEasy] or https://cxf.apache.org[Apache CXF] in the https://github.com/apache/shiro/tree/main/samples[samples] directory on Github.