Apache Shiro Basic – Glassfish, JSF, Eclipse

Apache Shiro is originally called jsecurity. At our work, we use JAAS with Weblogic specific implementation by using LDAP realm. In the xproject, I’d like to implement the Apache Shiro. Shiro documentation was pretty good and several blogger posted pretty detail step by step guide.

In this blog, I’d like to focus on setting up Shiro in JSF project in Eclipse environment with Glassfish. I will focus on the basic authentication & configuration in this page. Later, I will add more roles and SSL connection.

Follow below steps to setup the project:

  1. Download Shiro Web and Shiro Core (1.2.0) from Apache Shiro site.
  2. Create a Dynamic Web Project in the Eclipse. Use MyEclipse implmentation.
  3. Overwrite faces-config.xml to overwrite mojaar implmentation. Please see my previous page.
  4. Create index.xhtml, result.xhtml, and login.jsp.
  5. Create welcome.java as a ManagedBean. navigate() method will return “result.xhtml”. I am omitting all the business logic for the simplicity.
  6. Create shiro.ini file in the WEB-INF folder. Follow the template from Apache Shiro configuration document.
  7. Update web.xml to add Shiro listener, filter, and filter mapping.
  8. I think Shiro source code has references to log4j and slf4j. For this reason, I had to include log4j-1.2.16.jar, slf4j-api-1.6.4.jar, and slf4j-log4j12-1.6.4.jar in the classpath. If Eclipse still throws ClassNotFoundException, incluse these jar files in the lib folder under WEB-INF.


authc.loginUrl = /login.jsp
authc.successUrl = /faces/index.xhtml

user01 = user01, Users
user02 = user02, Users

Users = *

login.jsp = authc
/** = authc

web.xml add below lines



<form name="loginform" action="" method="post">
    Username: <input type="text" name="username"/><br/>
    Password: <input type="password" name="password"/>
    <input type="checkbox" name="rememberMe" value="true"/>Remember Me?<br/>
   <input type="submit" name="submit" value="Login">

By hitting http://localhost:8080/MyProject/faces/index.xhtml page, Shiro filter will intercep the request object and redirect to http://localhost:8080/MyProject/login.jsp for authentication.

I added only one role [Users] with two users [user01, user02] in the shiro.ini file for the initial testing purpose, but I can add more roles and define detail navigation rules in the shiro.ini file.

In my next post, I will add more roles and attempt to do with the SSL.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s