Configuring Apache Shiro (shiro-web) without shiro.ini


Apache Shiro is a Java security framework for authentication, authorization, etc.
The tutorials I found online [1,2,3] are all built around /WEB-INF/shiro.ini. Since Servlet 3.0 you can live entirely without web.xml, so I thought it should also be possible to get rid of shiro.ini.
Below is the (almost) minimal code needed to translate shiro.ini into Java code.


Eclipse WTP 4.4M6
Tomcat 8.0.5
Java 7


  1. Create a dynamic web project.
  2. Mavenize the project.
  3. Add Maven dependencies:
     Maven dependency                          Note
     org.apache.tomcat:tomcat-api:jar:8.0.5    It's needed for the current Luna version
  4. Create ShiroFilter.java:
    import javax.servlet.annotation.WebFilter;
    @WebFilter("/*") // hand every request to Shiro; no web.xml entry needed
    public class ShiroFilter extends org.apache.shiro.web.servlet.ShiroFilter {
    }
  5. Create ShiroListener.java:
    import javax.servlet.ServletContextEvent;
    import javax.servlet.ServletContextListener;
    import javax.servlet.annotation.WebListener;
    import org.apache.shiro.web.env.EnvironmentLoader;
    import org.apache.shiro.web.env.EnvironmentLoaderListener;
    @WebListener
    public class ShiroListener extends EnvironmentLoaderListener implements
        ServletContextListener {
      public void contextInitialized(ServletContextEvent sce) {
        // Point EnvironmentLoader at HelloWebEnvironment instead of the default IniWebEnvironment
        sce.getServletContext().setInitParameter(EnvironmentLoader.ENVIRONMENT_CLASS_PARAM, HelloWebEnvironment.class.getName());
        super.contextInitialized(sce);
      }
    }
  6. Create HelloWebEnvironment.java:
    import org.apache.shiro.web.env.DefaultWebEnvironment;
    public class HelloWebEnvironment extends DefaultWebEnvironment {
      public HelloWebEnvironment() { // replaces what IniWebEnvironment would read from shiro.ini
        setSecurityManager(HelloHelper.getSecurityManager());
        setFilterChainResolver(HelloHelper.getFilterChainResolver());
      }
    }
  7. Create HelloHelper.java:
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.realm.SimpleAccountRealm;
    import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
    import org.apache.shiro.web.filter.authc.LogoutFilter;
    import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
    import org.apache.shiro.web.filter.mgt.FilterChainManager;
    import org.apache.shiro.web.filter.mgt.FilterChainResolver;
    import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
    import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

    public class HelloHelper {
      private static SecurityManager securityManager = null;
      private static FilterChainResolver filterChainResolver = null;

      // Replaces the [users] section of shiro.ini: one realm holding the accounts.
      // SimpleAccountRealm compares the password in plain text, so this is demo-grade only.
      public static SecurityManager getSecurityManager() {
        if (securityManager == null) {
          SimpleAccountRealm realm = new SimpleAccountRealm();
          realm.addAccount("jack", "abca1234", "employee");
          securityManager = new DefaultWebSecurityManager(realm);
        }
        return securityManager;
      }

      // Replaces the [urls] section of shiro.ini: register filters by name, then map URL patterns to chains.
      public static FilterChainResolver getFilterChainResolver() {
        if (filterChainResolver == null) {
          FormAuthenticationFilter authc = new FormAuthenticationFilter();
          authc.setLoginUrl("/login.html"); // default is /login.jsp; our form lives at /login.html
          LogoutFilter logout = new LogoutFilter();
          FilterChainManager fcMan = new DefaultFilterChainManager();
          fcMan.addFilter("authc", authc);
          fcMan.addFilter("logout", logout);
          fcMan.createChain("/logout", "logout");
          fcMan.createChain("/**", "authc"); // catch-all last: the resolver uses the first matching chain
          PathMatchingFilterChainResolver resolver = new PathMatchingFilterChainResolver();
          resolver.setFilterChainManager(fcMan);
          filterChainResolver = resolver;
        }
        return filterChainResolver;
      }
    }
  8. Create login.html:
      <form method="post">
        <table><tr>
            <td><input name="username" type="text" /></td>
            <td><input name="password" type="password" /></td>
            <td><input type="submit" value="Submit" /></td>
        </tr></table>
      </form>

Key points

With the code above, you should be able to authenticate as jack:abca1234. Some key points:
  • ShiroFilter extends Shiro's own ShiroFilter; the annotation is there essentially just to register the Shiro machinery with the Servlet container.
  • ShiroListener is similar to ShiroFilter: it extends EnvironmentLoaderListener, is annotated, and adds a little custom logic to plug HelloWebEnvironment in.
  • HelloWebEnvironment is a custom class that sets up the Shiro environment. This is the key part of getting rid of shiro.ini, which is what IniWebEnvironment reads.
  • HelloHelper has 2 functions, setting up a FilterChainResolver and a SecurityManager, both of which are essential for Shiro's operation.
    • Realm configurations are associated with the SecurityManager.
    • The FilterChainResolver requires a configured FilterChainManager, which is in charge of mapping URLs to filters.
  • In login.html, the form element should have no action attribute, so the form posts back to /login.html, the URL the FormAuthenticationFilter treats as the login request; the input names username and password are that filter's defaults.
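As an added example (not code from the post), here is the [urls] section of shiro.ini translated the same way HelloHelper does it, generalised to anon, roles[...] and several patterns, plus a startup check that the catch-all /** is registered last, because PathMatchingFilterChainResolver uses the first chain whose pattern matches the request. The class name, the ini lines and the login URL are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;

// Constructed example (not from the post): turns ini-style [urls] lines into the
// same DefaultFilterChainManager calls that HelloHelper makes by hand.
public class UrlChainTranslator {

  // The [urls] lines to translate (constructed for this example).
  static final List<String> URLS = Arrays.asList(
      "/login.html = authc",             // authc renders its own login page and handles the POST
      "/logout = logout",
      "/static/** = anon",
      "/admin/** = authc, roles[admin]",
      "/** = authc");                    // catch-all last: the resolver returns the first match

  public static DefaultFilterChainManager build(List<String> urlLines) {
    // The no-arg constructor already registers every Shiro DefaultFilter (anon, authc, roles, ...).
    DefaultFilterChainManager fcMan = new DefaultFilterChainManager();
    ((FormAuthenticationFilter) fcMan.getFilter("authc")).setLoginUrl("/login.html");
    for (String line : urlLines) {
      int eq = line.indexOf('=');
      if (eq < 0) throw new IllegalArgumentException("bad [urls] line: " + line);
      String path = line.substring(0, eq).trim();
      String definition = line.substring(eq + 1).trim();
      fcMan.createChain(path, definition); // parses "authc, roles[admin]" just as the ini loader does
    }
    return fcMan;
  }

  // A chain registered after a broader pattern is unreachable, so fail at startup instead.
  public static void checkCatchAllIsLast(DefaultFilterChainManager fcMan) {
    List<String> names = new ArrayList<String>(fcMan.getChainNames());
    int catchAll = names.indexOf("/**");
    if (catchAll >= 0 && catchAll != names.size() - 1) {
      throw new IllegalStateException("/** shadows " + names.subList(catchAll + 1, names.size()));
    }
  }

  public static void main(String[] args) {
    DefaultFilterChainManager fcMan = build(URLS);
    checkCatchAllIsLast(fcMan);
    PathMatchingFilterChainResolver resolver = new PathMatchingFilterChainResolver();
    resolver.setFilterChainManager(fcMan); // what HelloHelper hands to HelloWebEnvironment
    System.out.println("chains in match order: " + fcMan.getChainNames());
  }
}
```

Swapping the order of the last two URLS entries makes checkCatchAllIsLast throw, which is the misconfiguration that would otherwise silently leave /admin/** protected by authc alone.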

1 comment:

Diego Fernando dos Santos Flor said...

Hello, this post is very, very good. Would you have an email contact?