
a-langer/shiro-ext


Extension for Apache Shiro


This project implements an extension for the Apache Shiro security framework.

Supported features

  • Additional Shiro filter classes:
    RolesAuthzFilter - requires the user to hold all of the listed roles:

    [filters]
    roles = com.github.alanger.shiroext.web.RolesAuthzFilter
    [urls]
    # The user must be a member of all of the listed roles
    /protected/** = roles[admin,user,manager]

    RoleAuthzFilter - requires the user to hold any one of the listed roles:

    [filters]
    role = com.github.alanger.shiroext.web.RoleAuthzFilter
    [urls]
    # The user must be a member of at least one of the listed roles
    /protected/** = role[admin,user,manager]

    PermissionsAuthzFilter - requires the user to hold all of the listed permissions:

    [filters]
    perms = com.github.alanger.shiroext.web.PermissionsAuthzFilter
    [urls]
    # The user must have all of the listed permissions
    /protected/** = perms[read,write,create]

    PermissionAuthzFilter - requires the user to hold any one of the listed permissions:

    [filters]
    perm = com.github.alanger.shiroext.web.PermissionAuthzFilter
    [urls]
    # The user must have at least one of the listed permissions
    /protected/** = perm[read,write,create]

    FormAuthcFilter - form-based authentication:

    [filters]
    authc = com.github.alanger.shiroext.web.FormAuthcFilter
    authc.loginUrl  = /login
    [urls]
    /** = authc

    BasicAuthFilter - HTTP Basic authentication:

    [filters]
    basic = com.github.alanger.shiroext.web.BasicAuthFilter
    [urls]
    /** = basic

    LogoutAuthcFilter - logs the user out by destroying the user session:

    [filters]
    logout = com.github.alanger.shiroext.web.LogoutAuthcFilter
    [urls]
    /logout = logout
  • All of these Shiro filters support two modes:

    1. Silent mode - the filter returns neither a redirect nor an authentication challenge and does not finish the HTTP response. Silent mode is disabled by default; configuration example:

      [filters]
      basicSilent = com.github.alanger.shiroext.web.BasicAuthcFilter
      basicSilent.silent = true
      authcSilent = com.github.alanger.shiroext.web.FormAuthcFilter
      authcSilent.silent = true
      logoutSilent = com.github.alanger.shiroext.web.LogoutAuthcFilter
      logoutSilent.silent = true
    2. XHR mode - the filter returns neither a redirect nor an authentication challenge, but always finishes the HTTP response. This mode is activated when the request carries the HTTP header:

      X-Requested-With: XMLHttpRequest
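The "any one role" check of RoleAuthzFilter together with the silent and XHR modes described above, as an added example that is not shiro-ext's own code: a custom Shiro AuthorizationFilter that passes if the subject holds at least one of the roles listed in the [urls] line and, on denial, finishes the response (XHR), lets the chain continue (silent), or falls back to Shiro's default handling. The class name, the silent property and the 401/403 status choices are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

// Illustrative "any one role" filter with silent and XHR modes (not shiro-ext's class).
// shiro.ini:  anyRole = com.example.AnyRoleFilter   anyRole.silent = true
//             /protected/** = anyRole[admin,user]
public class AnyRoleFilter extends AuthorizationFilter {
    private boolean silent = false;            // assumed property name for silent mode

    public void setSilent(boolean silent) { this.silent = silent; }

    @Override
    protected boolean isAccessAllowed(ServletRequest req, ServletResponse resp, Object mappedValue) {
        Subject subject = getSubject(req, resp);
        String[] roles = (String[]) mappedValue;  // names inside [...] in the [urls] line
        if (roles == null || roles.length == 0) return true;   // no roles listed: nothing to enforce
        for (String role : roles) {
            if (subject.hasRole(role)) return true;           // one matching role is enough
        }
        return false;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws IOException {
        HttpServletRequest http = WebUtils.toHttp(req);
        HttpServletResponse httpResp = WebUtils.toHttp(resp);
        boolean xhr = "XMLHttpRequest".equalsIgnoreCase(http.getHeader("X-Requested-With"));
        if (xhr) {
            // XHR mode: no redirect or challenge, but the response is always finished
            boolean anonymous = getSubject(req, resp).getPrincipal() == null;
            httpResp.sendError(anonymous ? HttpServletResponse.SC_UNAUTHORIZED
                                         : HttpServletResponse.SC_FORBIDDEN);
            return false;                        // stop the filter chain
        }
        if (silent) {
            // Silent mode: no redirect, no challenge, response left open; the chain continues,
            // so a later filter or the handler itself must enforce the decision
            return true;
        }
        return super.onAccessDenied(req, resp);  // Shiro default: redirect to unauthorizedUrl or 401
    }
}
```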
  • ActiveDirectoryRealm - security realm for Active Directory (LDAP) with these additional options:

    A common or an explicitly specified principal suffix for the system username:

    CORP = com.github.alanger.shiroext.realm.activedirectory.ActiveDirectoryRealm
    CORP.url = ldaps://corp.company.com:636
    # Common principal suffix applied to all users
    CORP.principalSuffix = @CORP.COMPANY.COM
    # The system username gets the common principal suffix
    CORP.systemUsername = username
    # Or give the system username its own suffix explicitly
    # CORP.systemUsername = username@SPECIFIED.SUFFIX.COM
    CORP.systemPassword = password

    A prefix that makes usernames from this LDAP realm unique across realms:

    # After authentication, user "myuser" is translated to "CORP.myuser"
    CORP.userPrefix = CORP.

    Domain name support:

    # Both "CORP\username" and plain "username" are accepted
    CORP = com.github.alanger.shiroext.realm.activedirectory.ActiveDirectoryRealm
    # Uncomment this to accept only "CORP\username"
    # CORP.named = true

    Nested roles are loaded if the following is configured:

    CORP.roleBase = OU=Departments,OU=HUB,DC=corp,DC=company,DC=com
    CORP.roleSearch = (&(objectClass=group)(member={0}))
    CORP.roleNested = true

    A common role can optionally be added:

    CORP.commonRole = All_Corp_Users

    Black and white lists of users:

    # Only users matching the white list can be authenticated
    CORP.userWhiteList = user1|user2|user3
    # Users matching the black list cannot be authenticated
    CORP.userBlackList = baduser1|baduser2|baduser3

    Black and white lists of roles:

    # Only roles matching the white list can be authorized
    CORP.roleWhiteList = role1|role2|role3
    # Roles matching the black list are not authorized
    CORP.roleBlackList = badrole1|badrole2|badrole3
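How the username options above combine for a single login, as an added model that is not the project's realm code: domain-name handling (named), the principal suffix used for the LDAP bind, the userPrefix applied to the stored principal, and the user white and black lists. It assumes the lists are regular expressions matched against the whole account name (user1|user2|user3 read as alternation); the class and method names are illustrative.

```java
import java.util.regex.Pattern;

// Illustrative model of ActiveDirectoryRealm's username options (not the project's code).
public class AdNameResolver {
    private final String domain;          // e.g. "CORP"
    private final boolean named;          // true: only "CORP\user" is accepted
    private final String principalSuffix; // e.g. "@CORP.COMPANY.COM"
    private final String userPrefix;      // e.g. "CORP."
    private final Pattern whiteList;      // null = no restriction
    private final Pattern blackList;      // null = no restriction

    public AdNameResolver(String domain, boolean named, String principalSuffix,
                          String userPrefix, String whiteList, String blackList) {
        this.domain = domain;
        this.named = named;
        this.principalSuffix = principalSuffix;
        this.userPrefix = userPrefix;
        // Assumption: the lists are regexes matched against the whole name, case-insensitively
        this.whiteList = whiteList == null ? null : Pattern.compile(whiteList, Pattern.CASE_INSENSITIVE);
        this.blackList = blackList == null ? null : Pattern.compile(blackList, Pattern.CASE_INSENSITIVE);
    }

    // Accepts "DOMAIN\user" (and bare "user" unless named); returns the bare account name.
    public String toAccountName(String login) {
        int sep = login.indexOf('\\');
        if (sep < 0 && named) throw new IllegalArgumentException("domain-qualified name required");
        if (sep < 0) return login;
        if (!domain.equalsIgnoreCase(login.substring(0, sep))) throw new IllegalArgumentException("unknown domain");
        return login.substring(sep + 1);
    }

    // White list (if set) must match and black list (if set) must not; checked before any bind.
    public boolean isAllowed(String user) {
        if (whiteList != null && !whiteList.matcher(user).matches()) return false;
        return blackList == null || !blackList.matcher(user).matches();
    }

    public String bindPrincipal(String user) { return user + principalSuffix; }  // used for the LDAP bind

    public String storedPrincipal(String user) { return userPrefix + user; }     // kept in the subject

    public static void main(String[] args) {
        AdNameResolver r = new AdNameResolver("CORP", false, "@CORP.COMPANY.COM", "CORP.",
                                              "user1|user2|user3", "baduser1|baduser2|baduser3");
        String user = r.toAccountName("CORP\\user2");
        System.out.println(r.isAllowed(user) + " " + r.bindPrincipal(user) + " " + r.storedPrincipal(user));
    }
}
```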
  • AttributeAuthenticationListener - if the realm implements AttributeProvider, this listener saves the user's attributes into the org.apache.shiro.session.Session:

    authcListener = com.github.alanger.shiroext.authc.AttributeAuthenticationListener
    securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
    securityManager.authenticator.authenticationListeners = $authcListener
  • AssignedRealmAuthorizer - applies to the user only the roles from the realm in which the authorization takes place; it is used in conjunction with org.apache.shiro.authc.pam.FirstSuccessfulStrategy:

    realmAuthorizer = com.github.alanger.shiroext.authz.AssignedRealmAuthorizer
    authcStrategy   = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
    securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
    securityManager.authenticator.authenticationStrategy = $authcStrategy
    securityManager.authorizer = $realmAuthorizer
  • Simple servlets and filters (configured in the web.xml deployment descriptor):
    ScriptProcessedServlet - delegates processing of the HTTP request and response to the specified script (by default JavaScript through the Nashorn engine):

    <servlet>
        <servlet-name>script-processed-servlet</servlet-name>
        <servlet-class>com.github.alanger.shiroext.servlets.ScriptProcessedServlet</servlet-class>
        <init-param>
            <param-name>invoke-script-text</param-name>
            <param-value>response.getOutputStream().print("text1")</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>script-processed-servlet</servlet-name>
        <url-pattern>/text1/*</url-pattern>
    </servlet-mapping>

    ScriptProcessedFilter - the same as ScriptProcessedServlet, but implemented as a filter:

    <filter>
        <filter-name>script-processed-filter</filter-name>
        <filter-class>com.github.alanger.shiroext.servlets.ScriptProcessedFilter</filter-class>
        <init-param>
            <param-name>invoke-script-text</param-name>
            <param-value>response.addHeader("script-filter", "true")</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>script-processed-filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    ResponseComittedFilter - does not call the chain's doFilter method if the response isCommitted:

    <!-- Previous filter, response may have been committed -->
    <filter>
        <filter-name>response-comitted-filter</filter-name>
        <filter-class>com.github.alanger.shiroext.servlets.ResponseComittedFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>response-comitted-filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- The next filter receives the request only if the response has not been committed -->

    MutableRequestFilter - makes the HttpRequest object mutable, see MutableRequestWrapper:

    <filter>
        <filter-name>mutable-request-filter</filter-name>
        <filter-class>com.github.alanger.shiroext.servlets.MutableRequestFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>mutable-request-filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    MultiReadRequestFilter - like MutableRequestFilter, but makes the HttpRequest object readable multiple times, see MultiReadRequestWrapper:

    <filter>
        <filter-name>multiread-request-filter</filter-name>
        <filter-class>com.github.alanger.shiroext.servlets.MultiReadRequestFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>multiread-request-filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
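A request wrapper of the kind MultiReadRequestFilter installs, as an added example that is not shiro-ext's MultiReadRequestWrapper: it caches the body so that every later getInputStream() or getReader() call re-reads it, and bounds how much it will buffer. The class name and the maxBytes parameter are assumptions.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Illustrative wrapper that caches the body so getInputStream()/getReader() can be
// called repeatedly (not shiro-ext's MultiReadRequestWrapper).
public class BufferedBodyRequest extends HttpServletRequestWrapper {
    private final byte[] body;

    public BufferedBodyRequest(HttpServletRequest request, int maxBytes) throws IOException {
        super(request);
        // Read the body once into memory, refusing oversized bodies so a client cannot
        // exhaust the heap through a filter that buffers every request
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n, total = 0;
        try (InputStream in = request.getInputStream()) {
            while ((n = in.read(chunk)) != -1) {
                total += n;
                if (total > maxBytes) throw new IOException("request body exceeds " + maxBytes + " bytes");
                buf.write(chunk, 0, n);
            }
        }
        this.body = buf.toByteArray();
    }

    @Override
    public ServletInputStream getInputStream() {
        ByteArrayInputStream in = new ByteArrayInputStream(body);  // fresh stream over the cached bytes
        return new ServletInputStream() {
            @Override public int read() { return in.read(); }
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) { /* blocking reads only */ }
        };
    }

    @Override
    public BufferedReader getReader() throws IOException {
        String enc = getCharacterEncoding() == null ? "UTF-8" : getCharacterEncoding();
        return new BufferedReader(new InputStreamReader(getInputStream(), enc));
    }
}
```

A filter installs it with chain.doFilter(new BufferedBodyRequest(httpRequest, maxBytes), response), after which the Shiro filters and the servlet can each read the body in turn.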

Getting the library using Maven

Add this dependency to your pom.xml to reference the library:

<dependency>
    <groupId>com.github.a-langer</groupId>
    <artifactId>shiro-ext</artifactId>
    <version>0.0.3</version>
</dependency>

Or this dependency if you need all libraries in one file:

<dependency>
    <groupId>com.github.a-langer</groupId>
    <artifactId>shiro-ext</artifactId>
    <version>0.0.3</version>
    <classifier>all</classifier>
</dependency>

Usage

See the Apache Shiro documentation and these examples:

Related repositories

  • buji-pac4j - Security library for Shiro web applications which supports OAuth, SAML, CAS, OpenID, Google App Engine, Kerberos, JWT and more.
  • UrlRewriteFilter - Java Web Filter for any J2EE compliant web application server.
  • WebDAV VFS gate - WebDAV gateway for accessing different file systems.