Modified: shiro/site/publish/support.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/support.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/support.html (original)
+++ shiro/site/publish/support.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">
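Review bot: The added `<link>` for `font-awesome.min.css` loads a stylesheet from maxcdn.bootstrapcdn.com with no `integrity` or `crossorigin` attribute, so every page now trusts whatever that host serves. The neighbouring stylesheets come from `./assets/css/`; either vendor the 4.6.3 file there as well, or pin the remote copy with `integrity="sha384-<DIGEST_OF_PINNED_FILE>" crossorigin="anonymous"`. The same line is added in the `@@ -29,6 +30,7 @@` hunk of tags.html, team.html, terminology.html, testing.html, tools.html, tutorial.html, version-2-brainstorming.html, web-features.html and web.html. The `;` after the closing quote of the `href` looks like an artefact of the mail archive, since unchanged context lines show it too; if it is present in the committed file it should be removed.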
@@ -71,7 +73,9 @@
 
         <div id="content">
 
-            <h1>Apache Shiro Community Support&quot;</h1><p>The Shiro project 
offers support through its community of users, contributors, and project 
committers.</p><p>We encourage everyone to participate and use the available 
community support tools below.</p>
+            <h1>Apache Shiro Community Support&quot;</h1>
+<p>The Shiro project offers support through its community of users, 
contributors, and project committers.</p>
+<p>We encourage everyone to participate and use the available community 
support tools below.</p>
 <ul>
   <li><a href="mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li>
   <li><a href="forums.html" title="Forums">Forums</a></li>
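Review bot: The rewritten `<h1>` still ends with a stray `&quot;`, so the heading renders as `Apache Shiro Community Support"`. Since the line is being touched anyway it should read `<h1>Apache Shiro Community Support</h1>`. If this page is generated, the fix belongs in its source document rather than in the published file. The `<ul>` that follows continues outside the hunk.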

Modified: shiro/site/publish/tags.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/tags.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/tags.html (original)
+++ shiro/site/publish/tags.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">

Modified: shiro/site/publish/team.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/team.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/team.html (original)
+++ shiro/site/publish/team.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">

Modified: shiro/site/publish/terminology.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/terminology.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/terminology.html (original)
+++ shiro/site/publish/terminology.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">

Modified: shiro/site/publish/testing.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/testing.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/testing.html (original)
+++ shiro/site/publish/testing.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">
@@ -84,7 +86,7 @@
 <ol><li>A <tt>Subject</tt> instance must be created</li><li>The 
<tt>Subject</tt> instance must be <em>bound</em> to the currently executing 
thread.</li><li>After the thread is finished executing (or if the thread's 
execution results in a <tt>Throwable</tt>), the <tt>Subject</tt> must be 
<em>unbound</em> to ensure that the thread remains 'clean' in any thread-pooled 
environment.</li></ol>
 
 
-<p>Shiro has architectural components that perform this bind/unbind logic 
automatically for a running application.  For example, in a web application, 
the root Shiro Filter performs this logic when <a class="external-link" 
href="static/current/apidocs/org/apache/shiro/web/servlet/AbstractShiroFilter.html#doFilterInternal(javax.servlet.ServletRequest,
 javax.servlet.ServletResponse, javax.servlet.FilterChain)">filtering a 
request</a>.  But as test environments and frameworks differ, we need to 
perform this bind/unbind logic ourselves for our chosen test framework.</p>
+<p>Shiro has architectural components that perform this bind/unbind logic 
automatically for a running application.  For example, in a web application, 
the root Shiro Filter performs this logic when <a class="external-link" 
href="static/current/apidocs/org/apache/shiro/web/servlet/AbstractShiroFilter.html\#doFilterInternal(javax.servlet.ServletRequest,
 javax.servlet.ServletResponse, javax.servlet.FilterChain)">filtering a 
request</a>.  But as test environments and frameworks differ, we need to 
perform this bind/unbind logic ourselves for our chosen test framework.</p>
 
 <h2><a name="Testing-TestSetup"></a>Test Setup</h2>
 
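Review bot: The new `href` contains `\#` where the removed line had `#` (`AbstractShiroFilter.html\#doFilterInternal(...)`). Browsers treat a backslash in an http(s) URL path as `/`, so the link would request `AbstractShiroFilter.html/` instead of the Javadoc page and its anchor. The backslash looks like a Markdown escape that leaked into the generated HTML; the attribute should keep the plain `#`. The same `\#` appears in the warning-panel hunk of this file (`subject.html\#Subject-ThreadAssociation`) and in web.html (`configuration.html\#Configuration-INISections`, `spring.html\#Spring-WebApplications`, and both `ServletContext.html\#getResource(java.lang.String)` links).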
@@ -174,9 +176,28 @@
 </pre>
 </div></div>
 
-<div class="panelMacro"><table class="noteMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>Testing &amp; Frameworks</b><br clear="none">The code in the 
<tt>AbstractShiroTest</tt> class uses Shiro's <tt>ThreadState</tt> concept and 
a static SecurityManager.  These techniques are useful in tests and in 
framework code, but rarely ever used in application code.  
-
-<p>Most end-users working with Shiro who need to ensure thread-state 
consistency will almost always use Shiro's automatic management mechanisms, 
namely the <tt>Subject.associateWith</tt> and the <tt>Subject.execute</tt> 
methods.  These methods are covered in the reference on <a 
href="subject.html#Subject-ThreadAssociation">Subject thread 
association</a>.</p></td></tr></table></div>
+<div class="panelMacro">
+    <table class="noteMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+        <tbody>
+        <tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-warning"></i>
+            </td>
+
+            <td colspan="1" rowspan="1">
+                <b>Testing &amp; Frameworks</b>
+                <br clear="none">
+                The code in the <tt>AbstractShiroTest</tt> class uses Shiro's 
<tt>ThreadState</tt> concept and a static SecurityManager.  These techniques 
are useful in tests and in framework code, but rarely ever used in application 
code.
+<p>Most end-users working with Shiro who need to ensure thread-state 
consistency will almost always use Shiro's automatic management mechanisms, 
namely the <tt>Subject.associateWith</tt> and the <tt>Subject.execute</tt> 
methods.  These methods are covered in the reference on <a 
href="subject.html\#Subject-ThreadAssociation">Subject thread 
association</a>.</p>
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h2><a name="Testing-UnitTesting"></a>Unit Testing</h2>
 
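Review bot: The warning marker is now an empty `<i class="fa fa-warning"></i>`, which renders only when the external Font Awesome stylesheet loads and which a screen reader may announce as a meaningless icon-font glyph. Mark it as decorative with `<i class="fa fa-warning" aria-hidden="true"></i>`; the bold panel title already carries the meaning as text. The same applies to the `fa-info-circle` and `fa-check-square-o` icons added in the panel hunks of tutorial.html and web.html.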

Modified: shiro/site/publish/tools.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/tools.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/tools.html (original)
+++ shiro/site/publish/tools.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">

Modified: shiro/site/publish/tutorial.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/tutorial.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/tutorial.html (original)
+++ shiro/site/publish/tutorial.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">
@@ -104,9 +106,31 @@
 <h3><a name="Tutorial-Setup"></a>Setup</h3>
 
 <p>In this simple example, we'll create a very simple command-line application 
that will run and quickly exit, just so you can get a feel for Shiro's API.</p>
+<br/><br/>
 
-<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif";
 width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>Any Application</b><br clear="none">Apache Shiro was designed 
from day one to support <em>any</em> application - from the smallest 
command-line applications to the largest clustered web applications.  Even 
though we're creating a simple app for this tutorial, know that the same usage 
patterns apply no matter how your application is created or where it is 
deployed.</td></tr></table></div> 
-
+<div class="panelMacro">
+    <table class="infoMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+
+
+        <tbody>
+        <tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-info-circle"></i>
+            </td>
+
+            <td colspan="1" rowspan="1">
+                <b>Any Application</b>
+                <br clear="none">
+                Apache Shiro was designed from day one to support <em>any</em> 
application - from the smallest command-line applications to the largest 
clustered web applications.  Even though we're creating a simple app for this 
tutorial, know that the same usage patterns apply no matter how your 
application is created or where it is deployed.
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 <p>This tutorial requires Java 1.5 or later.  We'll also be using Apache <a 
class="external-link" href="http://maven.apache.org";>Maven</a> as our build 
tool, but of course this is not required to use Apache Shiro.  You may acquire 
Shiro's .jars and incorporate them in any way you like into your application, 
for example maybe using Apache <a class="external-link" 
href="http://ant.apache.org";>Ant</a> and <a class="external-link" 
href="http://ant.apache.org/ivy";>Ivy</a>.</p>
 
 <p>For this tutorial, please ensure that you are using Maven 2.2.1 or later.  
You should be able to type <tt>mvn --version</tt> in a command prompt and see 
something similar to the following:</p>
@@ -259,7 +283,25 @@ OS name: <span class="code-quote">"mac o
 
 <p>To that end, Shiro provides a default &#8216;common denominator&#8217; 
solution via text-based <a class="external-link" 
href="http://en.wikipedia.org/wiki/INI_file"; rel="nofollow">INI</a> 
configuration. People are pretty tired of using bulky XML files these days, and 
INI is easy to read, simple to use, and requires very few dependencies. 
You&#8217;ll also see later that with a simple understanding of object graph 
navigation, INI can be used effectively to configure simple object graphs like 
the SecurityManager. </p>
 
-<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; 
width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>Many Configuration Options</b><br clear="none">Shiro's 
<tt>SecurityManager</tt> implementations and all supporting components are all 
JavaBeans compatible.  This allows Shiro to be configured with practically any 
configuration format such as XML (Spring, JBoss, Guice, etc), <a 
class="external-link" href="http://www.yaml.org/"; rel="nofollow">YAML</a>, 
JSON, Groovy Builder markup, and more.  INI is just Shiro's 'common 
denominator' format that allows configuration in any environment in case other 
options are not available.</td></tr></table></div>
+<div class="panelMacro">
+    <table class="tipMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+        <tbody><tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-check-square-o"></i>
+            </td>
+            <td colspan="1" rowspan="1">
+                <b>Many Configuration Options</b>
+                <br clear="none">
+                Shiro's <tt>SecurityManager</tt> implementations and all 
supporting components are all JavaBeans compatible.  This allows Shiro to be 
configured with practically any configuration format such as XML (Spring, 
JBoss, Guice, etc), <a class="external-link" href="http://www.yaml.org/"; 
rel="nofollow">YAML</a>, JSON, Groovy Builder markup, and more.  INI is just 
Shiro's 'common denominator' format that allows configuration in any 
environment in case other options are not available.
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h5><a name="Tutorial-%7B%7Bshiro.ini%7D%7D"></a><tt>shiro.ini</tt></h5>
 
@@ -412,7 +454,25 @@ session.setAttribute( <span class="code-
 
 <p>There are many different types of exceptions you can check, or throw your 
own for custom conditions Shiro might not account for.  See the <a 
class="external-link" 
href="static/current/apidocs/org/apache/shiro/authc/AuthenticationException.html">AuthenticationException
 JavaDoc</a> for more. </p>
 
-<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; 
width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>Handy Hint</b><br clear="none">Security best practice is to give 
generic login failure messages to users because you do not want to aid an 
attacker trying to break into your system.</td></tr></table></div>
+<div class="panelMacro">
+    <table class="tipMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+        <tbody><tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-check-square-o"></i>
+            </td>
+            <td colspan="1" rowspan="1">
+                <b>Handy Hint</b>
+                <br clear="none">
+                Security best practice is to give generic login failure 
messages to users because you do not want to aid an attacker trying to break 
into your system.
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <p>Ok, so by now, we have a logged in user.  What else can we do?</p>
 

Modified: shiro/site/publish/version-2-brainstorming.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/version-2-brainstorming.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/version-2-brainstorming.html (original)
+++ shiro/site/publish/version-2-brainstorming.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">

Modified: shiro/site/publish/web-features.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/web-features.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/web-features.html (original)
+++ shiro/site/publish/web-features.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">
@@ -71,7 +73,9 @@
 
         <div id="content">
 
-            <h1>Apache Shiro for Web Applications</h1><p>Although Apache Shiro 
is designed to be used to secure <em>any</em> JVM-based application, it is most 
commonly used to secure a web application. It greatly simplifies how you secure 
web applications base on simple URL pattern matching and filter chain 
definitions. In addition to Shiro&rsquo;s API, Shiro&rsquo;s web support 
includes a rich JSP tag library to control page output.</p><h2>Features</h2>
+            <h1><a href="#apache-shiro-for-web-applications" 
name="apache-shiro-for-web-applications">Apache Shiro for Web 
Applications</a></h1>
+<p>Although Apache Shiro is designed to be used to secure <em>any</em> 
JVM-based application, it is most commonly used to secure a web application. It 
greatly simplifies how you secure web applications base on simple URL pattern 
matching and filter chain definitions. In addition to Shiro&rsquo;s API, 
Shiro&rsquo;s web support includes a rich JSP tag library to control page 
output.</p>
+<h2><a href="#features" name="features">Features</a></h2>
 <table align="right" width="275" style="margin-left: 15px; margin-bottom: 
20px; border-style: solid; border-width: 2px; border-color: navy" 
cellpadding="10px">
 
 <tr>
@@ -90,13 +94,16 @@
 </tr>
 </table>
 <ul>
-  <li><p><strong>Simple ShiroFilter web.xml definition</strong><br/>You can 
enable Shiro for a web application with one simple filter definition in 
web.xml.</p></li>
-  <li><p><strong>Protects all URLs</strong><br/>Shiro can protect any type of 
web request that comes into your system. For example, dynamically generated 
pages, REST request, etc.</p></li>
-  <li><p><strong>Innovative Filtering (URL-specific 
chains)</strong><br/>Defining URL specific filter chains is much easier and 
more intuitive than using web.xml because, in Shiro, you can explicitly specify 
which filters you want to execute for each path and in what order. And with 
Shiro you can have path-specific configuration for each filter in that 
chain.</p></li>
-</ul>
-<ul>
-  <li><p><strong>JSP Tag support</strong><br/>The JSP tags allow you to easily 
control page output based on the current user&rsquo;s state and access 
rights.</p></li>
-  <li><p><strong>Transparent HttpSession support</strong><br/>If you are using 
Shiro&rsquo;s native sessions, we have implemented HTTP Session API and the 
Servlet 2.5 API so you don&rsquo;t have to change any of your existing web code 
to use Shiro.</p></li>
+  <li>
+  <p><strong>Simple ShiroFilter web.xml definition</strong><br/>You can enable 
Shiro for a web application with one simple filter definition in 
web.xml.</p></li>
+  <li>
+  <p><strong>Protects all URLs</strong><br/>Shiro can protect any type of web 
request that comes into your system. For example, dynamically generated pages, 
REST request, etc.</p></li>
+  <li>
+  <p><strong>Innovative Filtering (URL-specific chains)</strong><br/>Defining 
URL specific filter chains is much easier and more intuitive than using web.xml 
because, in Shiro, you can explicitly specify which filters you want to execute 
for each path and in what order. And with Shiro you can have path-specific 
configuration for each filter in that chain.</p></li>
+  <li>
+  <p><strong>JSP Tag support</strong><br/>The JSP tags allow you to easily 
control page output based on the current user&rsquo;s state and access 
rights.</p></li>
+  <li>
+  <p><strong>Transparent HttpSession support</strong><br/>If you are using 
Shiro&rsquo;s native sessions, we have implemented HTTP Session API and the 
Servlet 2.5 API so you don&rsquo;t have to change any of your existing web code 
to use Shiro.</p></li>
 </ul>
 
         </div>

Modified: shiro/site/publish/web.html
URL: 
http://svn.apache.org/viewvc/shiro/site/publish/web.html?rev=1765607&r1=1765606&r2=1765607&view=diff
==============================================================================
--- shiro/site/publish/web.html (original)
+++ shiro/site/publish/web.html Wed Oct 19 14:24:58 2016
@@ -15,6 +15,7 @@
    limitations under the License.
 -->
 <html>
+
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="description" content="Apache Shiro is a powerful and 
easy-to-use Java security framework that performs authentication, 
authorization, cryptography, and session management.">
@@ -29,6 +30,7 @@
 
 
     <link rel="icon" type="image/vnd.microsoft.icon" 
href="./assets/images/favicon.ico">
+    <link rel="stylesheet" type="text/css" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css";>
 
     <link rel="stylesheet" type="text/css" href="./assets/css/normalize.css">
     <link rel="stylesheet" type="text/css" href="./assets/css/confluence.css" 
media="screen">
@@ -108,9 +110,31 @@
 <p><a name="Web-configuration"></a></p>
 <h2><a name="Web-Configuration"></a>Configuration</h2>
 
-<p>The simplest way to integrate Shiro into any web application is to 
configure a Servlet ContextListener and Filter in web.xml that understands how 
to read Shiro's INI configuration.  The bulk of the INI config format itself is 
defined in the Configuration pages's <a 
href="configuration.html#Configuration-INISections">INI Sections</a> section, 
but we'll cover some additional web-specific sections here.</p>
+<p>The simplest way to integrate Shiro into any web application is to 
configure a Servlet ContextListener and Filter in web.xml that understands how 
to read Shiro's INI configuration.  The bulk of the INI config format itself is 
defined in the Configuration pages's <a 
href="configuration.html\#Configuration-INISections">INI Sections</a> section, 
but we'll cover some additional web-specific sections here.</p>
 
-<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif";
 width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>Using Spring?</b><br clear="none">Spring Framework users will 
not perform this setup.  If you use Spring, you will want to read about <a 
href="spring.html#Spring-WebApplications">Spring-specific web configuration</a> 
instead.</td></tr></table></div>
+<div class="panelMacro">
+    <table class="infoMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+
+
+        <tbody>
+        <tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-info-circle"></i>
+            </td>
+
+            <td colspan="1" rowspan="1">
+                <b>Using Spring?</b>
+                <br clear="none">
+                Spring Framework users will not perform this setup.  If you 
use Spring, you will want to read about <a 
href="spring.html\#Spring-WebApplications">Spring-specific web 
configuration</a> instead.
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h3><a name="Web-%7B%7Bweb.xml%7D%7D"></a><tt>web.xml</tt></h3>
 
@@ -155,7 +179,25 @@
 <br clear="none" class="atl-forced-newline"></li><li>Finally, the 
<tt>filter-mapping</tt> definition ensures that all requests are filtered by 
the <tt>ShiroFilter</tt>, recommended for most web applications to ensure that 
any request can be secured.</li></ul>
 
 
-<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; 
width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>ShiroFilter filter-mapping</b><br clear="none">It is usually 
desirable to define the <tt>ShiroFilter filter-mapping</tt> before any other 
<tt>filter-mapping</tt> declarations to ensure that Shiro can function in those 
filters as well.</td></tr></table></div>
+<div class="panelMacro">
+    <table class="tipMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+        <tbody><tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-check-square-o"></i>
+            </td>
+            <td colspan="1" rowspan="1">
+                <b>ShiroFilter filter-mapping</b>
+                <br clear="none">
+                It is usually desirable to define the <tt>ShiroFilter 
filter-mapping</tt> before any other <tt>filter-mapping</tt> declarations to 
ensure that Shiro can function in those filters as well.
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h5><a name="Web-Custom%7B%7BWebEnvironment%7D%7DClass"></a>Custom 
<tt>WebEnvironment</tt> Class</h5>
 
@@ -192,7 +234,7 @@
 </pre>
 </div></div>
 
-<p>By default, the <tt>param-value</tt> is expected to be resolvable by the 
rules defined by <tt>ServletContext.</tt><tt><a class="external-link" 
href="http://download.oracle.com/javaee/6/api/javax/servlet/ServletContext.html#getResource(java.lang.String)"
 rel="nofollow">getResource</a></tt> method.  For example, 
<tt>/WEB-INF/some/path/shiro.ini</tt>  </p>
+<p>By default, the <tt>param-value</tt> is expected to be resolvable by the 
rules defined by <tt>ServletContext.</tt><tt><a class="external-link" 
href="http://download.oracle.com/javaee/6/api/javax/servlet/ServletContext.html\#getResource(java.lang.String)"
 rel="nofollow">getResource</a></tt> method.  For example, 
<tt>/WEB-INF/some/path/shiro.ini</tt>  </p>
 
 <p>But you may also specify specific file-system, classpath or URL locations 
by using an appropriate resource prefix supported by Shiro's <a 
class="external-link" 
href="static/current/apidocs/org/apache/shiro/io/ResourceUtils.html">ResourceUtils
 class</a>, for example:</p>
 <ul><li><tt><a class="external-link" href="file:/home/foobar/myapp/shiro.ini" 
rel="nofollow">file:/home/foobar/myapp/shiro.ini</a></tt></li><li><tt>classpath:com/foo/bar/shiro.ini</tt></li><li><tt>url:<a
 class="external-link" href="http://confighost.mycompany.com/myapp/shiro.ini"; 
rel="nofollow">http://confighost.mycompany.com/myapp/shiro.ini</a></tt></li></ul>
@@ -247,9 +289,29 @@
 </div></div>
 
 <p>Unqualified (schemeless or 'non-prefixed') <tt>configPath</tt> values are 
assumed to be <tt>ServletContext</tt> resource paths, resolvable via the rules 
defined by the<br clear="none">
-<tt>ServletContext.</tt><tt><a class="external-link" 
href="http://download.oracle.com/javaee/6/api/javax/servlet/ServletContext.html#getResource(java.lang.String)"
 rel="nofollow">getResource</a></tt> method.</p>
+<tt>ServletContext.</tt><tt><a class="external-link" 
href="http://download.oracle.com/javaee/6/api/javax/servlet/ServletContext.html\#getResource(java.lang.String)"
 rel="nofollow">getResource</a></tt> method.</p>
 
-<div class="panelMacro"><table class="noteMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>ServletContext resource paths - Shiro 1.2+</b><br 
clear="none">ServletContext resource paths are available in Shiro 1.2 and 
later.  In 1.1 and earlier, all <tt>configPath</tt> definitions must specify a 
<tt>classpath:</tt>, <tt>file:</tt> or <tt>url:</tt> 
prefix.</td></tr></table></div>
+<div class="panelMacro">
+    <table class="noteMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+        <tbody>
+        <tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-warning"></i>
+            </td>
+
+            <td colspan="1" rowspan="1">
+                <b>ServletContext resource paths - Shiro 1.2+</b>
+                <br clear="none">
+                ServletContext resource paths are available in Shiro 1.2 and 
later.  In 1.1 and earlier, all <tt>configPath</tt> definitions must specify a 
<tt>classpath:</tt>, <tt>file:</tt> or <tt>url:</tt> prefix.
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <p>You may also specify other non-<tt>ServletContext</tt> resource locations 
by using <tt>classpath:</tt>, <tt>url:</tt>, or <tt>file:</tt> prefixes 
indicating classpath, url, or filesystem locations respectively.  For 
example:</p>
 
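Review bot: The added `<i class="fa fa-warning"></i>` cell swaps an `<img>` with an explicit `alt=""` for an empty element whose glyph comes entirely from a stylesheet class. The panel's marker will therefore vanish wherever that stylesheet does not load (a blocked third-party host, a strict CSP); this is inferred, since this file's stylesheet link is outside the hunk. The panel text still carries the message, so I would mark the icon as decorative: `<i class="fa fa-warning" aria-hidden="true"></i>`. The same applies to the `fa-warning`, `fa-check-square-o` and `fa-info-circle` cells added in the hunks at -346, -378, -528, -556 and -583. If the icon sheet is served from a CDN, adding `integrity` and `crossorigin` to that `<link>` is worth considering.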
@@ -346,10 +408,25 @@
 
 <p>This line states that "Any request to my application's path of 
<tt>/account</tt> or any of it's sub paths (<tt>/account/foo</tt>, 
<tt>/account/bar/baz</tt>, etc) will trigger the 'ssl, authc' filter chain".  
We'll cover filter chains below.</p>
 
-<p>Note that all path expressions are relative to your application's context 
root.  This means that if you deploy your application one day to, say, 
<tt>www.somehost.com/myapp</tt> and then later deploy it to 
<tt>www.anotherhost.com</tt> (no 'myapp' sub-path), the pattern matching will 
still work.  All paths are relative to the <a class="external-link" 
href="http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletRequest.html#getContextPath()"
 rel="nofollow">HttpServletRequest.getContextPath()</a> value.</p>
+<p>Note that all path expressions are relative to your application's context 
root.  This means that if you deploy your application one day to, say, 
<tt>www.somehost.com/myapp</tt> and then later deploy it to 
<tt>www.anotherhost.com</tt> (no 'myapp' sub-path), the pattern matching will 
still work.  All paths are relative to the <a class="external-link" 
href="http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletRequest.html\#getContextPath()"
 rel="nofollow">HttpServletRequest.getContextPath()</a> value.</p>
 
 
-<div class="panelMacro"><table class="noteMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>Order Matters!</b><br clear="none">URL path expressions are 
evaluated against an incoming request in the order they are defined and the 
<em>FIRST MATCH WINS</em>.  For example, let's asume that there are the 
following chain definitions:
+<div class="panelMacro">
+    <table class="noteMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+        <tbody>
+        <tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-warning"></i>
+            </td>
+
+            <td colspan="1" rowspan="1">
+                <b>Order Matters!</b>
+                <br clear="none">
+                URL path expressions are evaluated against an incoming request 
in the order they are defined and the <em>FIRST MATCH WINS</em>.  For example, 
let's asume that there are the following chain definitions:
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
 <pre class="code-java">
@@ -360,7 +437,12 @@
 
 <p>If an incoming request is intended to reach 
<tt>/account/signup/index.html</tt> (accessible by all 'anon'ymous users), 
<em>it will never be handled!</em>.  The reason is that the 
<tt>/account/**</tt> pattern matched the incoming request first and 
'short-circuited' all remaining definitions.</p>
 
-<p>Always remember to define your filter chains based on a <em>FIRST MATCH 
WINS</em> policy!</p></td></tr></table></div>
+<p>Always remember to define your filter chains based on a <em>FIRST MATCH 
WINS</em> policy!</p>
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h5><a name="Web-FilterChainDefinitions"></a>Filter Chain Definitions</h5>
 
@@ -378,9 +460,26 @@
 
 <p>Finally, each filter is free to handle the response however it wants if its 
necessary conditions are not met (e.g. perform a redirect, respond with an HTTP 
error code, direct rendering, etc).  Otherwise it is expected to allow the 
request to continue through the chain on to the final destination view.</p>
 
-<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; 
width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1">Being 
able to react to path specific configuration, i.e. the 
<tt>[optional_configN]</tt> part of a filter token, is a unique feature 
available to Shiro filters.
-
-<p>If you want to create your own <tt>javax.servlet.Filter</tt> implementation 
that can also do this, make sure your filter subclasses <a 
class="external-link" 
href="static/current/apidocs/org/apache/shiro/web/filter/PathMatchingFilter.html">org.apache.shiro.web.filter.PathMatchingFilter</a></p></td></tr></table></div>
+<div class="panelMacro">
+    <table class="tipMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+        <tbody><tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-check-square-o"></i>
+            </td>
+            <td colspan="1" rowspan="1">
+                <b>Tip</b>
+                <br clear="none">
+                Being able to react to path specific configuration, i.e. the 
<tt>[optional_configN]</tt> part of a filter token, is a unique feature 
available to Shiro filters.
+<p>If you want to create your own <tt>javax.servlet.Filter</tt> implementation 
that can also do this, make sure your filter subclasses <a 
class="external-link" 
href="static/current/apidocs/org/apache/shiro/web/filter/PathMatchingFilter.html">org.apache.shiro.web.filter.PathMatchingFilter</a></p>
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h6><a name="Web-AvailableFilters"></a>Available Filters</h6>
 
@@ -528,15 +627,36 @@ securityManager.sessionManager = $sessio
 
 <h5><a name="Web-NativeSessionTimeout"></a>Native Session Timeout</h5>
 
-<p>After configuring the <tt>DefaultWebSessionManager</tt> instance, session 
timeout is configured as described in <a 
href="session-management.html#SessionManagement-sessionTimeout">Session 
Management: Session Timeout</a></p>
+<p>After configuring the <tt>DefaultWebSessionManager</tt> instance, session 
timeout is configured as described in <a 
href="session-management.html\#SessionManagement-sessionTimeout">Session 
Management: Session Timeout</a></p>
 
 <h5><a name="Web-SessionCookie"></a>Session Cookie</h5>
 
 <p>The <tt>DefaultWebSessionManager</tt> supports two web-specific 
configuration properties: </p>
 <ul class="alternate" type="square"><li><tt>sessionIdCookieEnabled</tt> (a 
boolean)</li><li><tt>sessionIdCookie</tt>, a <a class="external-link" 
href="static/current/apidocs/org/apache/shiro/web/servlet/Cookie.html">Cookie</a>
 instance.</li></ul>
 
-
-<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif";
 width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>Cookie as a template</b><br clear="none">The 
<tt>sessionIdCookie</tt> property is essentially a template - you configure the 
<tt>Cookie</tt> instance properties, and this template will be used to set the 
actual HTTP <tt>Cookie</tt> header at runtime with an appropriate session ID 
value.</td></tr></table></div>
+<div class="panelMacro">
+    <table class="infoMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+
+
+        <tbody>
+        <tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-info-circle"></i>
+            </td>
+
+            <td colspan="1" rowspan="1">
+                <b>Cookie as a template</b>
+                <br clear="none">
+                The <tt>sessionIdCookie</tt> property is essentially a 
template - you configure the <tt>Cookie</tt> instance properties, and this 
template will be used to set the actual HTTP <tt>Cookie</tt> header at runtime 
with an appropriate session ID value.
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h6><a name="Web-SessionCookieConfiguration"></a>Session Cookie 
Configuration</h6>
 
@@ -556,7 +676,29 @@ securityManager.sessionManager.sessionId
 
 <p>The cookie's default name is <tt>JSESSIONID</tt> in accordance with the 
servlet specification.  Additionally, Shiro's cookie supports the <tt><a 
class="external-link" 
href="http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie"; 
rel="nofollow">HttpOnly</a></tt> flag.  The <tt>sessionIdCookie</tt> sets 
<tt>HttpOnly</tt> to <tt>true</tt> by default for extra security.</p>
 
-<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif";
 width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1">Shiro's <tt>Cookie</tt> concept supports the <tt>HttpOnly</tt> flag 
even in Servlet 2.4 and 2.5 environments (whereas the Servlet API only supports 
it natively in 2.6 or later).</td></tr></table></div>
+<div class="panelMacro">
+    <table class="infoMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+
+
+        <tbody>
+        <tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-info-circle"></i>
+            </td>
+
+            <td colspan="1" rowspan="1">
+                <b>Note</b>
+                <br clear="none">
+                Shiro's <tt>Cookie</tt> concept supports the <tt>HttpOnly</tt> 
flag even in Servlet 2.4 and 2.5 environments (whereas the Servlet API only 
supports it natively in 2.6 or later).
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h6><a name="Web-DisablingtheSessionCookie"></a>Disabling the Session 
Cookie</h6>
 
@@ -583,7 +725,25 @@ securityManager.sessionManager.sessionId
 
 <p>If this method returns <tt>true</tt>, Shiro will remember the end-user's 
identity across sessions.</p>
 
-<div class="panelMacro"><table class="tipMacro"><colgroup span="1"><col 
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" 
valign="top"><img align="middle" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; 
width="16" height="16" alt="" border="0"></td><td colspan="1" 
rowspan="1"><b>UsernamePasswordToken and RememberMe</b><br clear="none">The 
frequently-used <tt>UsernamePasswordToken</tt> already implements the 
<tt>RememberMeAuthenticationToken</tt> interface and supports rememberMe 
logins.</td></tr></table></div>
+<div class="panelMacro">
+    <table class="tipMacro">
+        <colgroup span="1">
+            <col span="1" width="24">
+            <col span="1">
+        </colgroup>
+        <tbody><tr>
+            <td colspan="1" rowspan="1" valign="top">
+                <i class="fa fa-check-square-o"></i>
+            </td>
+            <td colspan="1" rowspan="1">
+                <b>UsernamePasswordToken and RememberMe</b>
+                <br clear="none">
+                The frequently-used <tt>UsernamePasswordToken</tt> already 
implements the <tt>RememberMeAuthenticationToken</tt> interface and supports 
rememberMe logins.
+            </td>
+        </tr>
+        </tbody>
+    </table>
+</div>
 
 <h3><a name="Web-ProgrammaticSupport"></a>Programmatic Support</h3>
 
@@ -764,7 +924,7 @@ securityManager.rememberMeManager = $rem
 <a name="Web-principaltag"></a></p>
 <h3><a name="Web-The%7B%7Bprincipal%7D%7Dtag"></a>The <tt>principal</tt> 
tag</h3>
 
-<p>The <tt>principal</tt> tag will output the Subject's <tt><a 
class="external-link" 
href="static/current/apidocs/org/apache/shiro/subject/Subject.html#getPrincipal()">principal</a></tt>
 (identifying attribute) or a property of that principal.</p>
+<p>The <tt>principal</tt> tag will output the Subject's <tt><a 
class="external-link" 
href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#getPrincipal()">principal</a></tt>
 (identifying attribute) or a property of that principal.</p>
 
 <p>Without any tag attributes, the tag will render the <tt>toString()</tt> 
value of the principal.  For example (assuming the principal is a String 
username):</p>
 
@@ -784,7 +944,7 @@ Hello, <span class="code-tag">&lt;%= Sec
 
 <h4><a name="Web-Typedprincipal"></a>Typed principal</h4>
 
-<p>The <tt>principal</tt> tag assumes by default that the principal to print 
is the <tt>subject.getPrincipal()</tt> value.  But if you wanted to print a 
value that is <em>not</em> the primary principal, but another in the Subject's 
{<a class="external-link" 
href="static/current/apidocs/org/apache/shiro/subject/Subject.html#getPrincipals()">principal
 collection</a>, you can acquire that principal by type and print that value 
instead.</p>
+<p>The <tt>principal</tt> tag assumes by default that the principal to print 
is the <tt>subject.getPrincipal()</tt> value.  But if you wanted to print a 
value that is <em>not</em> the primary principal, but another in the Subject's 
{<a class="external-link" 
href="static/current/apidocs/org/apache/shiro/subject/Subject.html\#getPrincipals()">principal
 collection</a>, you can acquire that principal by type and print that value 
instead.</p>
 
 <p>For example, printing the Subject's user ID (and not the username), 
assuming the ID was in the principal collection:</p>
 


