
I have a Spring MVC web application that uses Shiro authentication using Spring configuration rather than a shiro.ini.

I want to transition to a Spring Boot application.

I have been mainly successful. The application starts in Spring Boot and my Shiro environment gets set up. However, I just cannot work out how to set up the Shiro Filter correctly. I need this to be working to make sure requests end up being handled by the correct thread.

In the original app I configured the Shiro Filter in the web.xml like this:

<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

I have tried to replicate this using a Java Config like this:

  @Autowired
  private WebSecurityManager webSecurityManager;

  @Bean
  public ShiroFilterFactoryBean shiroFilterFactoryBean() {
    ShiroFilterFactoryBean shiroFilterFactoryBean = new org.apache.shiro.spring.web.ShiroFilterFactoryBean();
    shiroFilterFactoryBean.setSecurityManager(webSecurityManager);
    return shiroFilterFactoryBean;
  }

  @Bean
  public org.apache.shiro.spring.LifecycleBeanPostProcessor lifecycleBeanPostProcessor()
  {
    return new org.apache.shiro.spring.LifecycleBeanPostProcessor();
  }

  @Bean
  public Filter shiroFilter()
  {
    DelegatingFilterProxy filter = new DelegatingFilterProxy();
    filter.setTargetBeanName("shiroFilterFactoryBean");
    filter.setTargetFilterLifecycle(true);
    return filter;
  }

However, I just cannot get everything to fit together and don't have enough knowledge to sort it out. I just can't seem to connect the filter to the environment. I would guess it is something to do with the order things are set up.

Has anyone managed to use Spring Boot and Shiro together successfully?

Daniel Vaughan
  • You don't really normally need `DelegatingFilterProxy` in a Spring Boot application. If the `ShiroFilterFactoryBean` creates a `Filter` then it should be applied to all requests by default. – Dave Syer Aug 11 '14 at 17:12
  • @Daniel Vaughan Can you share the code base if you have completed it? – Naanavanalla Nov 03 '17 at 09:23

2 Answers


Well, it seems that something is missing. Use a Java config like this:

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
// Shiro's SecurityManager must be imported explicitly; otherwise the name
// resolves to java.lang.SecurityManager and the config does not compile.
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.PropertiesRealm;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.authc.AnonymousFilter;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.filter.authc.UserFilter;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;

// Class name is illustrative; the answer posted only the bean methods.
@Configuration
public class ShiroConfig {

    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilter() {
        ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
        shiroFilter.setLoginUrl("/login");
        shiroFilter.setSuccessUrl("/index");
        shiroFilter.setUnauthorizedUrl("/forbidden");
        // Shiro tries chain definitions in insertion order and the first match
        // wins, so keep them in an ordered map rather than a HashMap.
        Map<String, String> filterChainDefinitionMapping = new LinkedHashMap<String, String>();
        filterChainDefinitionMapping.put("/", "anon");
        filterChainDefinitionMapping.put("/home", "authc,roles[guest]");
        // "/admin" matches that exact path only; sub-paths need a pattern such as "/admin/**".
        filterChainDefinitionMapping.put("/admin", "authc,roles[admin]");
        shiroFilter.setFilterChainDefinitionMap(filterChainDefinitionMapping);
        shiroFilter.setSecurityManager(securityManager());
        // Filter names used in the chain definitions above.
        Map<String, Filter> filters = new HashMap<String, Filter>();
        filters.put("anon", new AnonymousFilter());
        filters.put("authc", new FormAuthenticationFilter());
        filters.put("logout", new LogoutFilter());
        filters.put("roles", new RolesAuthorizationFilter());
        filters.put("user", new UserFilter());
        shiroFilter.setFilters(filters);
        System.out.println(shiroFilter.getFilters().size());
        return shiroFilter;
    }

    @Bean(name = "securityManager")
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(realm());
        return securityManager;
    }

    @Bean(name = "realm")
    @DependsOn("lifecycleBeanPostProcessor")
    public PropertiesRealm realm() {
        PropertiesRealm propertiesRealm = new PropertiesRealm();
        propertiesRealm.init();
        return propertiesRealm;
    }

    // Static so that this BeanPostProcessor is created before the other
    // beans of this configuration class.
    @Bean
    public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }
}

https://github.com/lenicliu/eg-spring/tree/master/eg-spring-boot/eg-spring-boot-shiro

Juan Carlos
lenicliu
  • The answer is well suited, but I'm still getting: org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration. – Smit Dec 04 '16 at 12:01
  • Here is an example; maybe it'll help you. https://github.com/lenicliu/eg-spring/tree/master/eg-spring-boot/eg-spring-boot-shiro – lenicliu Dec 07 '16 at 10:56
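
Added example (not part of the answer above or of the linked project): a small Java check, using Shiro's own `AntPathMatcher`, of which chain definition from the answer's map applies to a given request path. `firstMatch` is a simplified model of Shiro's first-match-wins resolution; the class name, the paths `/admin/users` and `/reports`, and the tightened map are constructed for illustration, and Shiro must be on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.util.AntPathMatcher;

public class ChainOrderCheck { // hypothetical class name

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Simplified model of Shiro's chain resolution: definitions are tried
    // in insertion order and the first matching pattern wins.
    static String firstMatch(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (MATCHER.matches(e.getKey(), path)) {
                return e.getValue();
            }
        }
        return null; // no chain matched: none of the authc/roles filters run for this path
    }

    static void report(String label, Map<String, String> chains) {
        System.out.println(label);
        // "/admin/users" and "/reports" are constructed sample paths.
        for (String path : new String[] {"/", "/home", "/admin", "/admin/users", "/reports"}) {
            String chain = firstMatch(chains, path);
            System.out.printf("  %-14s -> %s%n", path, chain == null ? "(no chain)" : chain);
        }
    }

    public static void main(String[] args) {
        // The definitions exactly as posted in the answer.
        Map<String, String> asPosted = new LinkedHashMap<>();
        asPosted.put("/", "anon");
        asPosted.put("/home", "authc,roles[guest]");
        asPosted.put("/admin", "authc,roles[admin]");
        report("as posted", asPosted);

        // Constructed variant: cover sub-paths and end with a catch-all,
        // which has to come last because earlier entries win.
        Map<String, String> tightened = new LinkedHashMap<>();
        tightened.put("/", "anon");
        tightened.put("/home", "authc,roles[guest]");
        tightened.put("/admin/**", "authc,roles[admin]");
        tightened.put("/**", "authc");
        report("tightened", tightened);
    }
}
```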

lenicliu gave great information. Since I can't comment on his answer because I don't have enough reputation, I would like to add all the imports I had to make for his code to actually compile (maybe useful for noobies on Shiro, like me).

import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import org.apache.shiro.realm.text.PropertiesRealm;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.web.filter.authc.AnonymousFilter;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.filter.authc.UserFilter;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.mgt.WebSecurityManager;
Juan Carlos