Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bootique/bootique-shiro
Provides Apache Shiro integration with Bootique.
https://github.com/bootique/bootique-shiro
bootique java security shiro
Last synced: about 2 months ago
JSON representation
Provides Apache Shiro integration with Bootique.
- Host: GitHub
- URL: https://github.com/bootique/bootique-shiro
- Owner: bootique
- License: apache-2.0
- Created: 2016-09-20T14:07:46.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2024-04-29T22:59:14.000Z (8 months ago)
- Last Synced: 2024-04-29T23:48:31.062Z (8 months ago)
- Topics: bootique, java, security, shiro
- Language: Java
- Size: 331 KB
- Stars: 4
- Watchers: 8
- Forks: 3
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
[](https://github.com/bootique/bootique-shiro/actions/workflows/maven.yml)
[](https://search.maven.org/artifact/io.bootique.shiro/bootique-shiro/)
# bootique-shiro
## Overview
This is a set of modules that help to integrate [Apache Shiro](http://shiro.apache.org/) security engine in Bootique apps.
Quick description of the provided modules:
* `bootique-shiro` - creates a standalone Shiro stack with user-configured security Realms. Includes factories for
"Ini" realm (that supports in-place definition of user accounts) and ActiveDirectory realm. Provides injectable
`SecurityManager`.
* `bootique-shiro-web` - a module that stands up the Shiro stack and attaches it to a special servlet Filter. Supports
a powerful Shiro feature - [path matching with filters](https://shiro.apache.org/web.html#urls-).
* `bootique-shiro-jdbc` - Provides configurable JDBC realm. Can be used with any of the above modules.
To use Shiro modules, include Bootique BOM in your project:
```xml
io.bootique.bom
bootique-bom
3.0-M4
pom
import
```
## Usage Standalone
Include `bootique-shiro` module:
```xml
io.bootique.shiro
bootique-shiro
```
Now you will need to configure your realms. If you have used Apache Shiro outside Bootique, you may be familiar with
its `.ini` file-based configuration mechanism. We have ported it to a much more flexible Bootique approach that
is a combination of true dependency injection (DI) with a unified config mechanism (YAML and friends). So you might
create a `.yml` file similar to this (you may recognize some of the configs below that replaced Shiro's
`[users]`, and `[roles]` sections; `[main]` is mostly handled by DI) :
```yaml
shiro:
realms:
- users:
adminuser: "password, admin, user"
user: "password, user"
roles:
admin: "admin"
```
_Hint: use `-H` flag to run your app to see configuration docs in details._
Finally you are ready to use Shiro:
```java
@Inject
private SecurityManager securityManager;
public void doSomething() {
new Subject.Builder(securityManager).buildSubject().execute(() -> {
// within 'execute' you can access current Subject using Shiro API
Subject subject = SecurityUtils.subject();
subject.checkPermission("A");
subject.checkPermission("B");
...
});
}
```
## Usage - Web
Include `bootique-shiro-web` module:
```xml
io.bootique.shiro
bootique-shiro-web
```
Configuring of a web environment includes configuring realms (as described above) as well as URL filters.
```yaml
shiro:
realms:
- users:
adminuser: "password, admin, user"
user: "password, user"
roles:
admin: "admin"
shiroweb:
# These URLs are resolved within ShiroFilter that routes
# them to the corresponding internal security filters.
urls:
"/admin" : perms[\"admin\"]
"/pub" : anon
```
Using Shiro within a servlet request or a JAX-RS endpoint is even easier than a standalone app, as all the environment
is already initialized for you:
```java
@GET
public Response get() {
Subject subject = SecurityUtils.getSubject();
subject.checkPermission("A");
subject.checkPermission("B");
...
}
```
## Logging and Integration with MDC
Often you may want to associate application logs with a user who performed the action that generated a given set of logs.
This helps in investigation of production issues, security audit, etc. This can be achieved using
[SLF4J MDC](https://logback.qos.ch/manual/mdc.html) (Mapped Diagnostics Context) functionality. `bootique-shiro`
provides semi-automated MDC integration facilities. You'd usually start by configuring your logger format to include MDC
in the output. We are specifically interested in the "principal" key, so the format might contain `%X{principal:-?}` pattern:
```yaml
log:
appenders:
- logFormat: '%t %X{principal:-?} %-5p %c{1}: %m%n%ex'
```
Now you can initialize and cleanup the MDC as appropriate. `bootique-shiro` provides a class called
[PrincipalMDC](https://github.com/bootique/bootique-shiro/blob/master/bootique-shiro/src/main/java/io/bootique/shiro/mdc/PrincipalMDC.java)
that will do that for you. You just call "reset" and "cleanup" methods as needed.
Now this was the manual approach. If your app is a servlet app and is using `bootique-shiro-web`, MDC initialization and cleanup can be automated. To do that add `bootique-shiro-web-mdc` module to your dependencies:
```xml
io.bootique.shiro
bootique-shiro-web-mdc
```
If your app authenticates every request separately and is not using Shiro sessions, this (and appender configuration above) is all you need for user names to appear in the logs. But in case the app logs in each user once, and then keeps the Subject in a session, a bit more configuration is needed. You will need an extra filter called "mdc" placed in each of your authenticated Shiro chains:
```yaml
shiroweb:
urls:
"/admin" : perms[\"admin\"], mdc
"/pub" : anon
```