Modified: shiro/site/publish/tutorial.html URL: http://svn.apache.org/viewvc/shiro/site/publish/tutorial.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/tutorial.html (original) +++ shiro/site/publish/tutorial.html Mon Oct 24 14:33:52 2016 @@ -78,12 +78,9 @@ <div id="content"> - <h1><a name="Tutorial-ApacheShiroTutorial"></a>Apache Shiro Tutorial</h1> - -<table align="right" width="275" style="margin-left: 20px; margin-bottom: 20px; border-style: solid; border-width: 2px; border-color: navy" cellpadding="10px"> - -<tr> -<td> + <a name="Tutorial-ApacheShiroTutorial"></a> +<h1><a href="#apache-shiro-tutorial" name="apache-shiro-tutorial">Apache Shiro Tutorial</a></h1> +<table align="right" width="275" style="margin-left: 20px; margin-bottom: 20px; border-style: solid; border-width: 2px; border-color: navy" cellpadding="10px"><tr><td> <div id="border"> <h2>Related Content</h2> @@ -97,22 +94,18 @@ <p>Step-by-step tutorial for securing a web application with Shiro. </br><span style="font-size:11"><a href="webapp-tutorial.html">Read More >></a></span></p> </div> -</td> -</tr> -</table> - -<h2><a name="Tutorial-YourFirstApacheShiroApplication"></a>Your First Apache Shiro Application</h2> - -<p>If you're new to Apache Shiro, this short tutorial will show you how to set up an initial and very simple application secured by Apache Shiro. We'll discuss Shiro's core concepts along the way to help familiarize you with Shiro's design and API.</p> - -<p>If you don't want to actually edit files as you follow this tutorial, you can obtain a nearly identical sample application and reference it as you go. Choose a location:</p> -<ul><li>In Apache Shiro's Git repository: <a class="external-link" href="https://github.com/apache/shiro/tree/master/samples/quickstart";>https://github.com/apache/shiro/tree/master/samples/quickstart</a></li><li>In Apache Shiro's source distribution's <tt>samples/quickstart</tt> directory. The source distribution is available from the <a href="download.html" title="Download">Download</a> page.</li></ul> - -<h3><a name="Tutorial-Setup"></a>Setup</h3> - -<p>In this simple example, we'll create a very simple command-line application that will run and quickly exit, just so you can get a feel for Shiro's API.</p> -<br/><br/> - +</td></tr></table> +<a name="Tutorial-YourFirstApacheShiroApplication"></a> +<h2><a href="#your-first-apache-shiro-application" name="your-first-apache-shiro-application">Your First Apache Shiro Application</a></h2> +<p>If you’re new to Apache Shiro, this short tutorial will show you how to set up an initial and very simple application secured by Apache Shiro. We’ll discuss Shiro’s core concepts along the way to help familiarize you with Shiro’s design and API.</p> +<p>If you don’t want to actually edit files as you follow this tutorial, you can obtain a nearly identical sample application and reference it as you go. Choose a location:</p> +<ul> + <li>In Apache Shiro’s Git repository: <a href="https://github.com/apache/shiro/tree/master/samples/quickstart";>https://github.com/apache/shiro/tree/master/samples/quickstart</a></li> + <li>In Apache Shiro’s source distribution’s <code>samples/quickstart</code> directory. The source distribution is available from the <a href="download.html" title="Download">Download</a> page.</li> +</ul> +<a name="Tutorial-Setup"></a> +<h3><a href="#setup" name="setup">Setup</a></h3> +<p>In this simple example, we’ll create a very simple command-line application that will run and quickly exit, just so you can get a feel for Shiro’s API.</p> <div class="panelMacro"> <table class="infoMacro"> <colgroup span="1"> @@ -136,158 +129,135 @@ </tbody> </table> </div> -<p>This tutorial requires Java 1.5 or later. We'll also be using Apache <a class="external-link" href="http://maven.apache.org";>Maven</a> as our build tool, but of course this is not required to use Apache Shiro. You may acquire Shiro's .jars and incorporate them in any way you like into your application, for example maybe using Apache <a class="external-link" href="http://ant.apache.org";>Ant</a> and <a class="external-link" href="http://ant.apache.org/ivy";>Ivy</a>.</p> - -<p>For this tutorial, please ensure that you are using Maven 2.2.1 or later. You should be able to type <tt>mvn --version</tt> in a command prompt and see something similar to the following:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Testing Maven Installation</b></div><div class="codeContent panelContent"> -<pre class="code-java"> -hazlewood:~/shiro-tutorial$ mvn --version +<p>This tutorial requires Java 1.5 or later. We’ll also be using Apache <a href="http://maven.apache.org";>Maven</a> as our build tool, but of course this is not required to use Apache Shiro. You may acquire Shiro’s .jars and incorporate them in any way you like into your application, for example maybe using Apache <a href="http://ant.apache.org";>Ant</a> and <a href="http://ant.apache.org/ivy";>Ivy</a>.</p> +<p>For this tutorial, please ensure that you are using Maven 2.2.1 or later. You should be able to type <code>mvn --version</code> in a command prompt and see something similar to the following:</p> +<p><strong>Testing Maven Installation</strong></p> +<pre><code class="bash">hazlewood:~/shiro-tutorial$ mvn --version Apache Maven 2.2.1 (r801777; 2009-08-06 12:16:01-0700) Java version: 1.6.0_24 -Java home: /<span class="code-object">System</span>/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home +Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home Default locale: en_US, platform encoding: MacRoman -OS name: <span class="code-quote">"mac os x"</span> version: <span class="code-quote">"10.6.7"</span> arch: <span class="code-quote">"x86_64"</span> Family: <span class="code-quote">"mac"</span> -</pre> -</div></div> - -<p>For now, create a new directory on your filesystem, for example, <b><tt>shiro-tutorial</tt></b> and save the following Maven <b><tt>pom.xml</tt></b> file in that directory:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>pom.xml</b></div><div class="codeContent panelContent"> -<pre class="code-xml"> -<span class="code-tag"><?xml version=<span class="code-quote">"1.0"</span> encoding=<span class="code-quote">"UTF-8"</span>?></span> -<project xmlns=<span class="code-quote">"http://maven.apache.org/POM/4.0.0";</span> - <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance";</span> - xsi:schemaLocation=<span class="code-quote">"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd";</span>> - - <span class="code-tag"><modelVersion></span>4.0.0<span class="code-tag"></modelVersion></span> - <span class="code-tag"><groupId></span>org.apache.shiro.tutorials<span class="code-tag"></groupId></span> - <span class="code-tag"><artifactId></span>shiro-tutorial<span class="code-tag"></artifactId></span> - <span class="code-tag"><version></span>1.0.0-SNAPSHOT<span class="code-tag"></version></span> - <span class="code-tag"><name></span>First Apache Shiro Application<span class="code-tag"></name></span> - <span class="code-tag"><packaging></span>jar<span class="code-tag"></packaging></span> - - <span class="code-tag"><properties></span> - <span class="code-tag"><project.build.sourceEncoding></span>UTF-8<span class="code-tag"></project.build.sourceEncoding></span> - <span class="code-tag"></properties></span> - - <span class="code-tag"><build></span> - <span class="code-tag"><plugins></span> - <span class="code-tag"><plugin></span> - <span class="code-tag"><groupId></span>org.apache.maven.plugins<span class="code-tag"></groupId></span> - <span class="code-tag"><artifactId></span>maven-compiler-plugin<span class="code-tag"></artifactId></span> - <span class="code-tag"><version></span>2.0.2<span class="code-tag"></version></span> - <span class="code-tag"><configuration></span> - <span class="code-tag"><source></span>1.5<span class="code-tag"></source></span> - <span class="code-tag"><target></span>1.5<span class="code-tag"></target></span> - <span class="code-tag"><encoding></span>${project.build.sourceEncoding}<span class="code-tag"></encoding></span> - <span class="code-tag"></configuration></span> - <span class="code-tag"></plugin></span> - - <!-- This plugin is only to test run our little application. It is not - needed in most Shiro-enabled applications: --> - <span class="code-tag"><plugin></span> - <span class="code-tag"><groupId></span>org.codehaus.mojo<span class="code-tag"></groupId></span> - <span class="code-tag"><artifactId></span>exec-maven-plugin<span class="code-tag"></artifactId></span> - <span class="code-tag"><version></span>1.1<span class="code-tag"></version></span> - <span class="code-tag"><executions></span> - <span class="code-tag"><execution></span> - <span class="code-tag"><goals></span> - <span class="code-tag"><goal></span>java<span class="code-tag"></goal></span> - <span class="code-tag"></goals></span> - <span class="code-tag"></execution></span> - <span class="code-tag"></executions></span> - <span class="code-tag"><configuration></span> - <span class="code-tag"><classpathScope></span>test<span class="code-tag"></classpathScope></span> - <span class="code-tag"><mainClass></span>Tutorial<span class="code-tag"></mainClass></span> - <span class="code-tag"></configuration></span> - <span class="code-tag"></plugin></span> - <span class="code-tag"></plugins></span> - <span class="code-tag"></build></span> - - <span class="code-tag"><dependencies></span> - <span class="code-tag"><dependency></span> - <span class="code-tag"><groupId></span>org.apache.shiro<span class="code-tag"></groupId></span> - <span class="code-tag"><artifactId></span>shiro-core<span class="code-tag"></artifactId></span> - <span class="code-tag"><version></span>1.1.0<span class="code-tag"></version></span> - <span class="code-tag"></dependency></span> - <!-- Shiro uses SLF4J for logging. We'll use the 'simple' binding +OS name: "mac os x" version: "10.6.7" arch: "x86_64" Family: "mac" +</code></pre> +<p>For now, create a new directory on your filesystem, for example, <strong><code>shiro-tutorial</code></strong> and save the following Maven <strong><code>pom.xml</code></strong> file in that directory:</p> +<p><strong>pom.xml</strong></p> +<pre><code class="xml"><?xml version="1.0" encoding="UTF-8"?> + <project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> + + <modelVersion>4.0.0</modelVersion> + <groupId>org.apache.shiro.tutorials</groupId> + <artifactId>shiro-tutorial</artifactId> + <version>1.0.0-SNAPSHOT</version> + <name>First Apache Shiro Application</name> + <packaging>jar</packaging> + + <properties> + <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + </properties> + + <build> + <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-compiler-plugin</artifactId> + <version>2.0.2</version> + <configuration> + <source>1.5</source> + <target>1.5</target> + <encoding>${project.build.sourceEncoding}</encoding> + </configuration> + </plugin> + + <!-- This plugin is only to test run our little application. It is not + needed in most Shiro-enabled applications: --> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>exec-maven-plugin</artifactId> + <version>1.1</version> + <executions> + <execution> + <goals> + <goal>java</goal> + </goals> + </execution> + </executions> + <configuration> + <classpathScope>test</classpathScope> + <mainClass>Tutorial</mainClass> + </configuration> + </plugin> + </plugins> + </build> + + <dependencies> + <dependency> + <groupId>org.apache.shiro</groupId> + <artifactId>shiro-core</artifactId> + <version>1.1.0</version> + </dependency> + <!-- Shiro uses SLF4J for logging. We'll use the 'simple' binding in this example app. See http://www.slf4j.org for more info. --> - <span class="code-tag"><dependency></span> - <span class="code-tag"><groupId></span>org.slf4j<span class="code-tag"></groupId></span> - <span class="code-tag"><artifactId></span>slf4j-simple<span class="code-tag"></artifactId></span> - <span class="code-tag"><version></span>1.6.1<span class="code-tag"></version></span> - <span class="code-tag"><scope></span>test<span class="code-tag"></scope></span> - <span class="code-tag"></dependency></span> - <span class="code-tag"></dependencies></span> - -<span class="code-tag"></project></span> -</pre> -</div></div> - -<h4><a name="Tutorial-TheTutorialclass"></a>The Tutorial class</h4> - -<p>We'll be running a simple command-line application, so we'll need to create a Java class with a <tt>public static void main(String[] args)</tt> method. </p> - -<p>In the same directory containing your <tt>pom.xml</tt> file, create a *<tt>src/main/java</tt> sub directory. In <tt>src/main/java</tt> create a <tt>Tutorial.java</tt> file with the following contents:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>src/main/java/Tutorial.java</b></div><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">import</span> org.apache.shiro.SecurityUtils; -<span class="code-keyword">import</span> org.apache.shiro.authc.*; -<span class="code-keyword">import</span> org.apache.shiro.config.IniSecurityManagerFactory; -<span class="code-keyword">import</span> org.apache.shiro.mgt.<span class="code-object">SecurityManager</span>; -<span class="code-keyword">import</span> org.apache.shiro.session.Session; -<span class="code-keyword">import</span> org.apache.shiro.subject.Subject; -<span class="code-keyword">import</span> org.apache.shiro.util.Factory; -<span class="code-keyword">import</span> org.slf4j.Logger; -<span class="code-keyword">import</span> org.slf4j.LoggerFactory; - -<span class="code-keyword">public</span> class Tutorial { - - <span class="code-keyword">private</span> <span class="code-keyword">static</span> <span class="code-keyword">final</span> <span class="code-keyword">transient</span> Logger log = LoggerFactory.getLogger(Tutorial.class); - - <span class="code-keyword">public</span> <span class="code-keyword">static</span> void main(<span class="code-object">String</span>[] args) { - log.info(<span class="code-quote">"My First Apache Shiro Application"</span>); - <span class="code-object">System</span>.exit(0); + <dependency> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-simple</artifactId> + <version>1.6.1</version> + <scope>test</scope> + </dependency> + </dependencies> + +</project> +</code></pre> +<a name="Tutorial-TheTutorialclass"></a> +<h4><a href="#the-tutorial-class" name="the-tutorial-class">The Tutorial class</a></h4> +<p>We’ll be running a simple command-line application, so we’ll need to create a Java class with a <code>public static void main(String[] args)</code> method.</p> +<p>In the same directory containing your <code>pom.xml</code> file, create a *<code>src/main/java</code> sub directory. In <code>src/main/java</code> create a <code>Tutorial.java</code> file with the following contents:</p> +<p><strong>src/main/java/Tutorial.java</strong></p> +<pre><code class="java">import org.apache.shiro.SecurityUtils; +import org.apache.shiro.authc.*; +import org.apache.shiro.config.IniSecurityManagerFactory; +import org.apache.shiro.mgt.SecurityManager; +import org.apache.shiro.session.Session; +import org.apache.shiro.subject.Subject; +import org.apache.shiro.util.Factory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class Tutorial { + + private static final transient Logger log = LoggerFactory.getLogger(Tutorial.class); + + public static void main(String[] args) { + log.info("My First Apache Shiro Application"); + System.exit(0); } } -</pre> -</div></div> - -<p>Don't worry about the import statements for now - we'll get to them shortly. But for now, we've got a typical command line program 'shell'. All this program will do is print out the text "My First Apache Shiro Application" and exit.</p> - -<h3><a name="Tutorial-TestRun"></a>Test Run</h3> - -<p>To try our Tutorial application, execute the following in a command prompt in your tutorial project's root dirctory (e.g. <tt>shiro-tutorial</tt>), and type the following:</p> - -<p><tt>mvn compile exec:java</tt></p> - -<p>And you will see our little Tutorial 'application' run and exit. You should see something similar to the following (notice the bold text, indicating our output):</p> - -<div class="panel" style="background-color: white;border-width: 1px;"><div class="panelHeader" style="border-bottom-width: 1px;background-color: white;"><b>Run the Application</b></div><div class="panelContent" style="background-color: white;"> -<p><tt>lhazlewood:~/projects/shiro-tutorial$ mvn compile exec:java</tt></p> - -<p><tt>... a bunch of Maven output ...</tt></p> - -<p><b><tt>1 [Tutorial.main()] INFO Tutorial - My First Apache Shiro Application</tt></b><br clear="none"> -<tt>lhazlewood:~/projects/shiro-tutorial\$</tt></p> -</div></div> - -<p>We've verified the application runs successfully - now let's enable Apache Shiro. As we continue with the tutorial, you can run <tt>mvn compile exec:java</tt> after each time we add some more code to see the results of our changes.</p> - -<h3><a name="Tutorial-EnableShiro"></a>Enable Shiro</h3> - -<p>The first thing to understand in enabling Shiro in an application is that almost everything in Shiro is related to a central/core component called the <tt>SecurityManager</tt>. For those familiar with Java security, this is Shiro's notion of a SecurityManager - it is <em>NOT</em> the same thing as the <tt>java.lang.SecurityManager</tt>.</p> - -<p>While we will cover Shiro's design in detail in the <a href="architecture.html" title="Architecture">Architecture</a> chapter, it is good enough for now to know that the Shiro <tt>SecurityManager</tt> is the core of a Shiro environment for an application and one <tt>SecurityManager</tt> must exist per application. So, the first thing we must do in our Tutorial application is set-up the <tt>SecurityManager</tt> instance.</p> - -<h4><a name="Tutorial-Configuration"></a>Configuration</h4> - -<p>While we could instantiate a <tt>SecurityManager</tt> class directly, Shiro's <tt>SecurityManager</tt> implementations have enough configuration options and internal components that make this a pain to do in Java source code - it would be much easier to configure the <tt>SecurityManager</tt> with a flexible text-based configuration format. </p> - -<p>To that end, Shiro provides a default ‘common denominator’ solution via text-based <a class="external-link" href="https://en.wikipedia.org/wiki/INI_file"; rel="nofollow">INI</a> configuration. People are pretty tired of using bulky XML files these days, and INI is easy to read, simple to use, and requires very few dependencies. You’ll also see later that with a simple understanding of object graph navigation, INI can be used effectively to configure simple object graphs like the SecurityManager. </p> - +</code></pre> +<p>Don’t worry about the import statements for now - we’ll get to them shortly. But for now, we’ve got a typical command line program ‘shell’. All this program will do is print out the text “My First Apache Shiro Application” and exit.</p> +<a name="Tutorial-TestRun"></a> +<h3><a href="#test-run" name="test-run">Test Run</a></h3> +<p>To try our Tutorial application, execute the following in a command prompt in your tutorial project’s root dirctory (e.g. <code>shiro-tutorial</code>), and type the following:</p> +<p><code>mvn compile exec:java</code></p> +<p>And you will see our little Tutorial ‘application’ run and exit. You should see something similar to the following (notice the bold text, indicating our output):</p> +<p><strong>Run the Application</strong></p> +<code> +lhazlewood:~/projects/shiro-tutorial$ mvn compile exec:java</br> +</br> +... a bunch of Maven output ...</br> +</br> +<strong>1 [Tutorial.main()] INFO Tutorial - My First Apache Shiro Application</strong></br> +lhazlewood:~/projects/shiro-tutorial\$ +</code> +<p>We’ve verified the application runs successfully - now let’s enable Apache Shiro. As we continue with the tutorial, you can run <code>mvn compile exec:java</code> after each time we add some more code to see the results of our changes.</p> +<a name="Tutorial-EnableShiro"></a> +<h3><a href="#enable-shiro" name="enable-shiro">Enable Shiro</a></h3> +<p>The first thing to understand in enabling Shiro in an application is that almost everything in Shiro is related to a central/core component called the <code>SecurityManager</code>. For those familiar with Java security, this is Shiro’s notion of a SecurityManager - it is <em>NOT</em> the same thing as the <code>java.lang.SecurityManager</code>.</p> +<p>While we will cover Shiro’s design in detail in the <a href="architecture.html" title="Architecture">Architecture</a> chapter, it is good enough for now to know that the Shiro <code>SecurityManager</code> is the core of a Shiro environment for an application and one <code>SecurityManager</code> must exist per application. So, the first thing we must do in our Tutorial application is set-up the <code>SecurityManager</code> instance.</p> +<a name="Tutorial-Configuration"></a> +<h4><a href="#configuration" name="configuration">Configuration</a></h4> +<p>While we could instantiate a <code>SecurityManager</code> class directly, Shiro’s <code>SecurityManager</code> implementations have enough configuration options and internal components that make this a pain to do in Java source code - it would be much easier to configure the <code>SecurityManager</code> with a flexible text-based configuration format.</p> +<p>To that end, Shiro provides a default âcommon denominatorâ solution via text-based <a href="https://en.wikipedia.org/wiki/INI_file";>INI</a> configuration. People are pretty tired of using bulky XML files these days, and INI is easy to read, simple to use, and requires very few dependencies. Youâll also see later that with a simple understanding of object graph navigation, INI can be used effectively to configure simple object graphs like the SecurityManager.</p> <div class="panelMacro"> <table class="tipMacro"> <colgroup span="1"> @@ -301,23 +271,20 @@ OS name: <span class="code-quote">"mac o <td colspan="1" rowspan="1"> <b>Many Configuration Options</b> <br clear="none"> - Shiro's <tt>SecurityManager</tt> implementations and all supporting components are all JavaBeans compatible. This allows Shiro to be configured with practically any configuration format such as XML (Spring, JBoss, Guice, etc), <a class="external-link" href="http://www.yaml.org/"; rel="nofollow">YAML</a>, JSON, Groovy Builder markup, and more. INI is just Shiro's 'common denominator' format that allows configuration in any environment in case other options are not available. + Shiro's <code>SecurityManager</code> implementations and all supporting components are all JavaBeans compatible. This allows Shiro to be configured with practically any configuration format such as XML (Spring, JBoss, Guice, etc), <a class="external-link" href="http://www.yaml.org/"; rel="nofollow">YAML</a>, JSON, Groovy Builder markup, and more. INI is just Shiro's 'common denominator' format that allows configuration in any environment in case other options are not available. </td> </tr> </tbody> </table> </div> - -<h5><a name="Tutorial-%7B%7Bshiro.ini%7D%7D"></a><tt>shiro.ini</tt></h5> - -<p>So we'll use an INI file to configure the Shiro <tt>SecurityManager</tt> for this simple application. First, create a <b><tt>src/main/resources</tt></b> directory starting in the same directory where the <tt>pom.xml</tt> is. Then create a <tt>shiro.ini</tt> file in that new directory with the following contents:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>src/main/resources/shiro.ini</b></div><div class="codeContent panelContent"> -<pre class="code-java"> -# ============================================================================= +<a name="Tutorial-%7B%7Bshiro.ini%7D%7D"></a> +<h5><a href="#shiro-ini" name="shiro-ini">shiro.ini</a></h5> +<p>So we’ll use an INI file to configure the Shiro <code>SecurityManager</code> for this simple application. First, create a <strong><code>src/main/resources</code></strong> directory starting in the same directory where the <code>pom.xml</code> is. Then create a <code>shiro.ini</code> file in that new directory with the following contents:</p> +<p><strong>src/main/resources/shiro.ini</strong></p> +<pre><code class="ini"># ============================================================================= # Tutorial INI configuration # -# Usernames/passwords are based on the classic Mel Brooks' film <span class="code-quote">"Spaceballs"</span> :) +# Usernames/passwords are based on the classic Mel Brooks' film "Spaceballs" :) # ============================================================================= # ----------------------------------------------------------------------------- @@ -339,126 +306,86 @@ lonestarr = vespa, goodguy, schwartz admin = * schwartz = lightsaber:* goodguy = winnebago:drive:eagle5 -</pre> -</div></div> - -<p>As you see, this configuration basically sets up a small set of static user accounts, good enough for our first application. In later chapters, you will see how we can use more complex User data sources like relational databases, LDAP an ActiveDirectory, and more.</p> - -<h4><a name="Tutorial-ReferencingtheConfiguration"></a>Referencing the Configuration</h4> - -<p>Now that we have an INI file defined, we can create the <tt>SecurityManager</tt> instance in our Tutorial application class. Change the <tt>main</tt> method to reflect the following updates:</p> +</code></pre> +<p>As you see, this configuration basically sets up a small set of static user accounts, good enough for our first application. In later chapters, you will see how we can use more complex User data sources like relational databases, LDAP an ActiveDirectory, and more.</p> +<a name="Tutorial-ReferencingtheConfiguration"></a> +<h4><a href="#referencing-the-configuration" name="referencing-the-configuration">Referencing the Configuration</a></h4> +<p>Now that we have an INI file defined, we can create the <code>SecurityManager</code> instance in our Tutorial application class. Change the <code>main</code> method to reflect the following updates:</p> +<pre><code class="java">public static void main(String[] args) { -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">public</span> <span class="code-keyword">static</span> void main(<span class="code-object">String</span>[] args) { + log.info("My First Apache Shiro Application"); - log.info(<span class="code-quote">"My First Apache Shiro Application"</span>); + //1. + Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini"); - <span class="code-comment">//1. -</span> Factory<<span class="code-object">SecurityManager</span>> factory = <span class="code-keyword">new</span> IniSecurityManagerFactory(<span class="code-quote">"classpath:shiro.ini"</span>); + //2. + SecurityManager securityManager = factory.getInstance(); - <span class="code-comment">//2. -</span> <span class="code-object">SecurityManager</span> securityManager = factory.getInstance(); + //3. + SecurityUtils.setSecurityManager(securityManager); - <span class="code-comment">//3. -</span> SecurityUtils.setSecurityManager(securityManager); - - <span class="code-object">System</span>.exit(0); + System.exit(0); } -</pre> -</div></div> - -<p>And there we go - Shiro is enabled in our sample application after adding only 3 lines of code! How easy was that? </p> - -<p>Feel free to run <tt>mvn compile exec:java</tt> and see that everything still runs successfully (due to Shiro's default logging of debug or lower, you won't see any Shiro log messages - if it starts and runs without error, then you know everything is still ok).</p> - +</code></pre> +<p>And there we go - Shiro is enabled in our sample application after adding only 3 lines of code! How easy was that?</p> +<p>Feel free to run <code>mvn compile exec:java</code> and see that everything still runs successfully (due to Shiro’s default logging of debug or lower, you won’t see any Shiro log messages - if it starts and runs without error, then you know everything is still ok).</p> <p>Here is what the above additions are doing:</p> - -<ol><li>We use Shiro's <tt>IniSecurityManagerFactory</tt> implementation to ingest our <tt>shiro.ini</tt> file which is located at the root of the classpath. This implementation reflects Shiro's support of the <a class="external-link" href="https://en.wikipedia.org/wiki/Factory_method_pattern"; rel="nofollow">Factory Method Design Pattern</a>. The <tt>classpath:</tt> prefix is an resource indicator that tells shiro where to load the ini file from (other prefixes, like <tt>url:</tt> and <tt>file:</tt> are supported as well). -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li>The <tt>factory.getInstance()</tt> method is called, which parses the INI file and returns a <tt>SecurityManager</tt> instance reflecting the configuration. -<br clear="none" class="atl-forced-newline"> -<br clear="none" class="atl-forced-newline"></li><li>In this simple example, we set the <tt>SecurityManager</tt> to be a <em>static</em> (memory) singleton, accessible across the JVM. Note however that this is not desireable if you will ever have more than one Shiro-enabled application in a single JVM. For this simple example, it is ok, but more sophisticated application environments will usually place the <tt>SecurityManager</tt> in application-specific memory (such as in a web app's <tt>ServletContext</tt> or a Spring, Guice or JBoss DI container instance).</li></ol> - - -<h3><a name="Tutorial-UsingShiro"></a>Using Shiro</h3> - +<ol> + <li> + <p>We use Shiro’s <code>IniSecurityManagerFactory</code> implementation to ingest our <code>shiro.ini</code> file which is located at the root of the classpath. This implementation reflects Shiro’s support of the <a href="https://en.wikipedia.org/wiki/Factory_method_pattern";>Factory Method Design Pattern</a>. The <code>classpath:</code> prefix is an resource indicator that tells shiro where to load the ini file from (other prefixes, like <code>url:</code> and <code>file:</code> are supported as well).</p></li> + <li> + <p>The <code>factory.getInstance()</code> method is called, which parses the INI file and returns a <code>SecurityManager</code> instance reflecting the configuration.</p></li> + <li> + <p>In this simple example, we set the <code>SecurityManager</code> to be a <em>static</em> (memory) singleton, accessible across the JVM. Note however that this is not desireable if you will ever have more than one Shiro-enabled application in a single JVM. For this simple example, it is ok, but more sophisticated application environments will usually place the <code>SecurityManager</code> in application-specific memory (such as in a web app’s <code>ServletContext</code> or a Spring, Guice or JBoss DI container instance).</p></li> +</ol> +<a name="Tutorial-UsingShiro"></a> +<h3><a href="#using-shiro" name="using-shiro">Using Shiro</a></h3> <p>Now that our SecurityManager is set-up and ready-to go, now we can start doing the things we really care about - performing security operations.</p> - -<p>When securing our applications, probably the most relevant questions we ask ourselves are “Who is the current user?” or “Is the current user allowed to do X”? It is common to ask these questions as we're writing code or designing user interfaces: applications are usually built based on user stories, and you want functionality represented (and secured) based on a per-user basis. So, the most natural way for us to think about security in our application is based on the current user. Shiro’s API fundamentally represents the notion of 'the current user' with its <tt>Subject</tt> concept. </p> - +<p>When securing our applications, probably the most relevant questions we ask ourselves are âWho is the current user?â or âIs the current user allowed to do Xâ? It is common to ask these questions as we’re writing code or designing user interfaces: applications are usually built based on user stories, and you want functionality represented (and secured) based on a per-user basis. So, the most natural way for us to think about security in our application is based on the current user. Shiroâs API fundamentally represents the notion of ‘the current user’ with its <code>Subject</code> concept.</p> <p>In almost all environments, you can obtain the currently executing user via the following call:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -Subject currentUser = SecurityUtils.getSubject(); -</pre> -</div></div> - -<p>Using <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/SecurityUtils.html">SecurityUtils</a>.<a class="external-link" href="static/current/apidocs/org/apache/shiro/SecurityUtils.html#getSubject()">getSubject()</a></tt>, we can obtain the currently executing <tt><a class="external-link" href="static/current/apidocs/org/apache/shiro/subject/Subject.html">Subject</a></tt>. <em>Subject</em> is a security term that basically means "a security-specific view of the currently executing user". It is not called a 'User' because the word 'User' is usually associated with a human being. In the security world, the term 'Subject' can mean a human being, but also a 3rd party process, cron job, daemon account, or anything similar. It simply means 'the thing that is currently interacting with the software'. For most intents and purposes though, you can think of the <tt>Subject</tt> as Shiro’s ‘User’ concept.</p> - -<p>The <tt>getSubject()</tt> call in a standalone application might return a <tt>Subject</tt> based on user data in an application-specific location, and in a server environment (e.g. web app), it acquires the <tt>Subject</tt> based on user data associated with current thread or incoming request.</p> - -<p>Now that you have a <tt>Subject</tt>, what can you do with it?</p> - +<pre><code class="java">Subject currentUser = SecurityUtils.getSubject(); +</code></pre> +<p>Using <a href="static/current/apidocs/org/apache/shiro/SecurityUtils.html"><code>SecurityUtils</code></a>.<a href="static/current/apidocs/org/apache/shiro/SecurityUtils.html#getSubject--">getSubject()</a>, we can obtain the currently executing <a href="static/current/apidocs/org/apache/shiro/subject/Subject.html"><code>Subject</code></a>. <em>Subject</em> is a security term that basically means “a security-specific view of the currently executing user”. It is not called a ‘User’ because the word ‘User’ is usually associated with a human being. In the security world, the term ‘Subject’ can mean a human being, but also a 3rd party process, cron job, daemon account, or anything similar. It simply means ‘the thing that is currently interacting with the software’. For most intents and purposes though, you can think of the <code>Subject</code> as Shiroâs âUserâ concept.</p> +<p>The <code>getSubject()</code> call in a standalone application might return a <code>Subject</code> based on user data in an application-specific location, and in a server environment (e.g. web app), it acquires the <code>Subject</code> based on user data associated with current thread or incoming request.</p> +<p>Now that you have a <code>Subject</code>, what can you do with it?</p> <p>If you want to make things available to the user during their current session with the application, you can get their session:</p> +<pre><code class="java">Session session = currentUser.getSession(); +session.setAttribute( "someKey", "aValue" ); +</code></pre> +<p>The <code>Session</code> is a Shiro-specific instance that provides most of what you’re used to with regular HttpSessions but with some extra goodies and one <strong>big</strong> difference: it does not require an HTTP environment!</p> +<p>If deploying inside a web application, by default the <code>Session</code> will be <code>HttpSession</code> based. But, in a non-web environment, like this simple tutorial application, Shiro will automatically use its Enterprise Session Management by default. This means you get to use the same API in your applications, in any tier, regardless of deployment environment! This opens a whole new world of applications since any application requiring sessions does not need to be forced to use the <code>HttpSession</code> or EJB Stateful Session Beans. And, any client technology can now share session data.</p> +<p>So now you can acquire a <code>Subject</code> and their <code>Session</code>. What about the <em>really</em> useful stuff like checking if they are allowed to do things, like checking against roles and permissions?</p> +<p>Well, we can only do those checks for a known user. Our <code>Subject</code> instance above represents the current user, but <em>who</em> is the current user? Well, they’re anonymous - that is, until they log in at least once. So, let’s do that:</p> +<pre><code class="java">if ( !currentUser.isAuthenticated() ) { + //collect user principals and credentials in a gui specific manner + //such as username/password html form, X509 certificate, OpenID, etc. + //We'll use the username/password example here since it is the most common. + UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa"); -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -Session session = currentUser.getSession(); -session.setAttribute( <span class="code-quote">"someKey"</span>, <span class="code-quote">"aValue"</span> ); -</pre> -</div></div> - -<p>The <tt>Session</tt> is a Shiro-specific instance that provides most of what you're used to with regular HttpSessions but with some extra goodies and one <b>big</b> difference: it does not require an HTTP environment!</p> - -<p>If deploying inside a web application, by default the <tt>Session</tt> will be <tt>HttpSession</tt> based. But, in a non-web environment, like this simple tutorial application, Shiro will automatically use its Enterprise Session Management by default. This means you get to use the same API in your applications, in any tier, regardless of deployment environment! This opens a whole new world of applications since any application requiring sessions does not need to be forced to use the <tt>HttpSession</tt> or EJB Stateful Session Beans. And, any client technology can now share session data.</p> - -<p>So now you can acquire a <tt>Subject</tt> and their <tt>Session</tt>. What about the <em>really</em> useful stuff like checking if they are allowed to do things, like checking against roles and permissions?</p> - -<p>Well, we can only do those checks for a known user. Our <tt>Subject</tt> instance above represents the current user, but <em>who</em> is the current user? Well, they're anonymous - that is, until they log in at least once. So, let's do that:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">if</span> ( !currentUser.isAuthenticated() ) { - <span class="code-comment">//collect user principals and credentials in a gui specific manner -</span> <span class="code-comment">//such as username/password html form, X509 certificate, OpenID, etc. -</span> <span class="code-comment">//We'll use the username/password example here since it is the most common. -</span> UsernamePasswordToken token = <span class="code-keyword">new</span> UsernamePasswordToken(<span class="code-quote">"lonestarr"</span>, <span class="code-quote">"vespa"</span>); - - <span class="code-comment">//<span class="code-keyword">this</span> is all you have to <span class="code-keyword">do</span> to support 'remember me' (no config - built in!): -</span> token.setRememberMe(<span class="code-keyword">true</span>); + //this is all you have to do to support 'remember me' (no config - built in!): + token.setRememberMe(true); currentUser.login(token); } -</pre> -</div></div> - -<p>That's it! It couldn't be easier.</p> - -<p>But what if their login attempt fails? You can catch all sorts of specific exceptions that tell you exactly what happened and allows you to handle and react accordingly:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">try</span> { +</code></pre> +<p>That’s it! It couldn’t be easier.</p> +<p>But what if their login attempt fails? You can catch all sorts of specific exceptions that tell you exactly what happened and allows you to handle and react accordingly:</p> +<pre><code class="java">try { currentUser.login( token ); - <span class="code-comment">//<span class="code-keyword">if</span> no exception, that's it, we're done! -</span>} <span class="code-keyword">catch</span> ( UnknownAccountException uae ) { - <span class="code-comment">//username wasn't in the system, show them an error message? -</span>} <span class="code-keyword">catch</span> ( IncorrectCredentialsException ice ) { - <span class="code-comment">//password didn't match, <span class="code-keyword">try</span> again? -</span>} <span class="code-keyword">catch</span> ( LockedAccountException lae ) { - <span class="code-comment">//account <span class="code-keyword">for</span> that username is locked - can't login. Show them a message? -</span>} - ... more types exceptions to check <span class="code-keyword">if</span> you want ... -} <span class="code-keyword">catch</span> ( AuthenticationException ae ) { - <span class="code-comment">//unexpected condition - error? -</span>} -</pre> -</div></div> - -<p>There are many different types of exceptions you can check, or throw your own for custom conditions Shiro might not account for. See the <a class="external-link" href="static/current/apidocs/org/apache/shiro/authc/AuthenticationException.html">AuthenticationException JavaDoc</a> for more. </p> - + //if no exception, that's it, we're done! +} catch ( UnknownAccountException uae ) { + //username wasn't in the system, show them an error message? +} catch ( IncorrectCredentialsException ice ) { + //password didn't match, try again? +} catch ( LockedAccountException lae ) { + //account for that username is locked - can't login. Show them a message? +} + ... more types exceptions to check if you want ... +} catch ( AuthenticationException ae ) { + //unexpected condition - error? +} +</code></pre> +<p>There are many different types of exceptions you can check, or throw your own for custom conditions Shiro might not account for. See the <a href="static/current/apidocs/org/apache/shiro/authc/AuthenticationException.html">AuthenticationException JavaDoc</a> for more.</p> <div class="panelMacro"> <table class="tipMacro"> <colgroup span="1"> @@ -478,178 +405,131 @@ session.setAttribute( <span class="code- </tbody> </table> </div> - -<p>Ok, so by now, we have a logged in user. What else can we do?</p> - -<p>Let's say who they are:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-comment">//print their identifying principal (in <span class="code-keyword">this</span> <span class="code-keyword">case</span>, a username): -</span>log.info( <span class="code-quote">"User ["</span> + currentUser.getPrincipal() + <span class="code-quote">"] logged in successfully."</span> ); -</pre> -</div></div> - +<p>Ok, so by now, we have a logged in user. What else can we do?</p> +<p>Let’s say who they are:</p> +<pre><code class="java">//print their identifying principal (in this case, a username): +log.info( "User [" + currentUser.getPrincipal() + "] logged in successfully." ); +</code></pre> <p>We can also test to see if they have specific role or not:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">if</span> ( currentUser.hasRole( <span class="code-quote">"schwartz"</span> ) ) { - log.info(<span class="code-quote">"May the Schwartz be with you!"</span> ); -} <span class="code-keyword">else</span> { - log.info( <span class="code-quote">"Hello, mere mortal."</span> ); +<pre><code class="java">if ( currentUser.hasRole( "schwartz" ) ) { + log.info("May the Schwartz be with you!" ); +} else { + log.info( "Hello, mere mortal." ); } -</pre> -</div></div> - +</code></pre> <p>We can also see if they have a permission to act on a certain type of entity:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">if</span> ( currentUser.isPermitted( <span class="code-quote">"lightsaber:weild"</span> ) ) { - log.info(<span class="code-quote">"You may use a lightsaber ring. Use it wisely."</span>); -} <span class="code-keyword">else</span> { - log.info(<span class="code-quote">"Sorry, lightsaber rings are <span class="code-keyword">for</span> schwartz masters only."</span>); +<pre><code class="java">if ( currentUser.isPermitted( "lightsaber:weild" ) ) { + log.info("You may use a lightsaber ring. Use it wisely."); +} else { + log.info("Sorry, lightsaber rings are for schwartz masters only."); } -</pre> -</div></div> - +</code></pre> <p>Also, we can perform an extremely powerful <em>instance-level</em> permission check - the ability to see if the user has the ability to access a specific instance of a type:</p> - -<p></p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">if</span> ( currentUser.isPermitted( <span class="code-quote">"winnebago:drive:eagle5"</span> ) ) { - log.info(<span class="code-quote">"You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. "</span> + - <span class="code-quote">"Here are the keys - have fun!"</span>); -} <span class="code-keyword">else</span> { - log.info(<span class="code-quote">"Sorry, you aren't allowed to drive the 'eagle5' winnebago!"</span>); +<pre><code class="java">if ( currentUser.isPermitted( "winnebago:drive:eagle5" ) ) { + log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. " + + "Here are the keys - have fun!"); +} else { + log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!"); } -</pre> -</div></div> - +</code></pre> <p>Piece of cake, right?</p> - <p>Finally, when the user is done using the application, they can log out:</p> +<pre><code class="java">currentUser.logout(); //removes all identifying information and invalidates their session too. +</code></pre> +<a name="Tutorial-FinalTutorialclass"></a> +<h4><a href="#final-tutorial-class" name="final-tutorial-class">Final Tutorial class</a></h4> +<p>After adding in the above code examples, here is our final Tutorial class file. Feel free to edit and play with it and change the security checks (and the INI configuration) as you like:</p> +<p><strong>Final src/main/java/Tutorial.java</strong></p> +<pre><code class="java">import org.apache.shiro.SecurityUtils; +import org.apache.shiro.authc.*; +import org.apache.shiro.config.IniSecurityManagerFactory; +import org.apache.shiro.mgt.SecurityManager; +import org.apache.shiro.session.Session; +import org.apache.shiro.subject.Subject; +import org.apache.shiro.util.Factory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class Tutorial { -<p></p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -currentUser.logout(); <span class="code-comment">//removes all identifying information and invalidates their session too.</span> -</pre> -</div></div> - -<h4><a name="Tutorial-FinalTutorialclass"></a>Final Tutorial class</h4> - -<p>After adding in the above code examples, here is our final Tutorial class file. Feel free to edit and play with it and change the security checks (and the INI configuration) as you like:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Final src/main/java/Tutorial.java</b></div><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">import</span> org.apache.shiro.SecurityUtils; -<span class="code-keyword">import</span> org.apache.shiro.authc.*; -<span class="code-keyword">import</span> org.apache.shiro.config.IniSecurityManagerFactory; -<span class="code-keyword">import</span> org.apache.shiro.mgt.<span class="code-object">SecurityManager</span>; -<span class="code-keyword">import</span> org.apache.shiro.session.Session; -<span class="code-keyword">import</span> org.apache.shiro.subject.Subject; -<span class="code-keyword">import</span> org.apache.shiro.util.Factory; -<span class="code-keyword">import</span> org.slf4j.Logger; -<span class="code-keyword">import</span> org.slf4j.LoggerFactory; + private static final transient Logger log = LoggerFactory.getLogger(Tutorial.class); -<span class="code-keyword">public</span> class Tutorial { + public static void main(String[] args) { + log.info("My First Apache Shiro Application"); - <span class="code-keyword">private</span> <span class="code-keyword">static</span> <span class="code-keyword">final</span> <span class="code-keyword">transient</span> Logger log = LoggerFactory.getLogger(Tutorial.class); - - - <span class="code-keyword">public</span> <span class="code-keyword">static</span> void main(<span class="code-object">String</span>[] args) { - log.info(<span class="code-quote">"My First Apache Shiro Application"</span>); - - Factory<<span class="code-object">SecurityManager</span>> factory = <span class="code-keyword">new</span> IniSecurityManagerFactory(<span class="code-quote">"classpath:shiro.ini"</span>); - <span class="code-object">SecurityManager</span> securityManager = factory.getInstance(); + Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini"); + SecurityManager securityManager = factory.getInstance(); SecurityUtils.setSecurityManager(securityManager); + // get the currently executing user: + Subject currentUser = SecurityUtils.getSubject(); - <span class="code-comment">// get the currently executing user: -</span> Subject currentUser = SecurityUtils.getSubject(); - - <span class="code-comment">// Do some stuff with a Session (no need <span class="code-keyword">for</span> a web or EJB container!!!) -</span> Session session = currentUser.getSession(); - session.setAttribute(<span class="code-quote">"someKey"</span>, <span class="code-quote">"aValue"</span>); - <span class="code-object">String</span> value = (<span class="code-object">String</span>) session.getAttribute(<span class="code-quote">"someKey"</span>); - <span class="code-keyword">if</span> (value.equals(<span class="code-quote">"aValue"</span>)) { - log.info(<span class="code-quote">"Retrieved the correct value! ["</span> + value + <span class="code-quote">"]"</span>); + // Do some stuff with a Session (no need for a web or EJB container!!!) + Session session = currentUser.getSession(); + session.setAttribute("someKey", "aValue"); + String value = (String) session.getAttribute("someKey"); + if (value.equals("aValue")) { + log.info("Retrieved the correct value! [" + value + "]"); } - <span class="code-comment">// let's login the current user so we can check against roles and permissions: -</span> <span class="code-keyword">if</span> (!currentUser.isAuthenticated()) { - UsernamePasswordToken token = <span class="code-keyword">new</span> UsernamePasswordToken(<span class="code-quote">"lonestarr"</span>, <span class="code-quote">"vespa"</span>); - token.setRememberMe(<span class="code-keyword">true</span>); - <span class="code-keyword">try</span> { + // let's login the current user so we can check against roles and permissions: + if (!currentUser.isAuthenticated()) { + UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa"); + token.setRememberMe(true); + try { currentUser.login(token); - } <span class="code-keyword">catch</span> (UnknownAccountException uae) { - log.info(<span class="code-quote">"There is no user with username of "</span> + token.getPrincipal()); - } <span class="code-keyword">catch</span> (IncorrectCredentialsException ice) { - log.info(<span class="code-quote">"Password <span class="code-keyword">for</span> account "</span> + token.getPrincipal() + <span class="code-quote">" was incorrect!"</span>); - } <span class="code-keyword">catch</span> (LockedAccountException lae) { - log.info(<span class="code-quote">"The account <span class="code-keyword">for</span> username "</span> + token.getPrincipal() + <span class="code-quote">" is locked. "</span> + - <span class="code-quote">"Please contact your administrator to unlock it."</span>); + } catch (UnknownAccountException uae) { + log.info("There is no user with username of " + token.getPrincipal()); + } catch (IncorrectCredentialsException ice) { + log.info("Password for account " + token.getPrincipal() + " was incorrect!"); + } catch (LockedAccountException lae) { + log.info("The account for username " + token.getPrincipal() + " is locked. " + + "Please contact your administrator to unlock it."); + } + // ... catch more exceptions here (maybe custom ones specific to your application? + catch (AuthenticationException ae) { + //unexpected condition? error? } - <span class="code-comment">// ... <span class="code-keyword">catch</span> more exceptions here (maybe custom ones specific to your application? -</span> <span class="code-keyword">catch</span> (AuthenticationException ae) { - <span class="code-comment">//unexpected condition? error? -</span> } } - <span class="code-comment">//say who they are: -</span> <span class="code-comment">//print their identifying principal (in <span class="code-keyword">this</span> <span class="code-keyword">case</span>, a username): -</span> log.info(<span class="code-quote">"User ["</span> + currentUser.getPrincipal() + <span class="code-quote">"] logged in successfully."</span>); - - <span class="code-comment">//test a role: -</span> <span class="code-keyword">if</span> (currentUser.hasRole(<span class="code-quote">"schwartz"</span>)) { - log.info(<span class="code-quote">"May the Schwartz be with you!"</span>); - } <span class="code-keyword">else</span> { - log.info(<span class="code-quote">"Hello, mere mortal."</span>); + //say who they are: + //print their identifying principal (in this case, a username): + log.info("User [" + currentUser.getPrincipal() + "] logged in successfully."); + + //test a role: + if (currentUser.hasRole("schwartz")) { + log.info("May the Schwartz be with you!"); + } else { + log.info("Hello, mere mortal."); } - <span class="code-comment">//test a typed permission (not instance-level) -</span> <span class="code-keyword">if</span> (currentUser.isPermitted(<span class="code-quote">"lightsaber:weild"</span>)) { - log.info(<span class="code-quote">"You may use a lightsaber ring. Use it wisely."</span>); - } <span class="code-keyword">else</span> { - log.info(<span class="code-quote">"Sorry, lightsaber rings are <span class="code-keyword">for</span> schwartz masters only."</span>); + //test a typed permission (not instance-level) + if (currentUser.isPermitted("lightsaber:weild")) { + log.info("You may use a lightsaber ring. Use it wisely."); + } else { + log.info("Sorry, lightsaber rings are for schwartz masters only."); } - <span class="code-comment">//a (very powerful) Instance Level permission: -</span> <span class="code-keyword">if</span> (currentUser.isPermitted(<span class="code-quote">"winnebago:drive:eagle5"</span>)) { - log.info(<span class="code-quote">"You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'. "</span> + - <span class="code-quote">"Here are the keys - have fun!"</span>); - } <span class="code-keyword">else</span> { - log.info(<span class="code-quote">"Sorry, you aren't allowed to drive the 'eagle5' winnebago!"</span>); + //a (very powerful) Instance Level permission: + if (currentUser.isPermitted("winnebago:drive:eagle5")) { + log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'. " + + "Here are the keys - have fun!"); + } else { + log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!"); } - <span class="code-comment">//all done - log out! -</span> currentUser.logout(); + //all done - log out! + currentUser.logout(); - <span class="code-object">System</span>.exit(0); + System.exit(0); } } -</pre> -</div></div> - -<h3><a name="Tutorial-Summary"></a>Summary</h3> - -<p>Hopefully this introduction tutorial helped you understand how to set-up Shiro in a basic application as well Shiro's primary design concepts, the <tt>Subject</tt> and <tt>SecurityManager</tt>.</p> - -<p>But this was a fairly simple application. You might have asked yourself, "What if I don't want to use INI user accounts and instead want to connect to a more complex user data source?"</p> - -<p>To answer that question requires a little deeper understanding of Shiro's architecture and supporting configuration mechanisms. We'll cover Shiro's <a href="architecture.html" title="Architecture">Architecture</a> next.</p> - +</code></pre> +<a name="Tutorial-Summary"></a> +<h3><a href="#summary" name="summary">Summary</a></h3> +<p>Hopefully this introduction tutorial helped you understand how to set-up Shiro in a basic application as well Shiro’s primary design concepts, the <code>Subject</code> and <code>SecurityManager</code>.</p> +<p>But this was a fairly simple application. You might have asked yourself, “What if I don’t want to use INI user accounts and instead want to connect to a more complex user data source?”</p> +<p>To answer that question requires a little deeper understanding of Shiro’s architecture and supporting configuration mechanisms. We’ll cover Shiro’s <a href="architecture.html" title="Architecture">Architecture</a> next.</p> </div>
Modified: shiro/site/publish/version-2-brainstorming.html URL: http://svn.apache.org/viewvc/shiro/site/publish/version-2-brainstorming.html?rev=1766414&r1=1766413&r2=1766414&view=diff ============================================================================== --- shiro/site/publish/version-2-brainstorming.html (original) +++ shiro/site/publish/version-2-brainstorming.html Mon Oct 24 14:33:52 2016 @@ -78,205 +78,154 @@ <div id="content"> - <div> -<ul><li><a href="#Version2Brainstorming-RenameAuthenticationInfotoAccount">Rename AuthenticationInfo to Account</a></li><li><a href="#Version2Brainstorming-Realmrefactoring">Realm refactoring</a></li><li><a href="#Version2Brainstorming-Splitshirocoreintomodules">Split shiro-core into modules</a></li><li><a href="#Version2Brainstorming-Eventdrivendesign">Event-driven design</a></li><li><a href="#Version2Brainstorming-SubjectPrincipalCollection">Subject PrincipalCollection</a></li><li><a href="#Version2Brainstorming-ComponentNames">Component Names</a></li><li><a href="#Version2Brainstorming-AuthorizationANTLRGrammar">Authorization ANTLR Grammar</a></li><li><a href="#Version2Brainstorming-AuthorizationRequest%2FResponse">AuthorizationRequest/Response</a></li><li><a href="#Version2Brainstorming-ReinforcecustomizationviaOODelegation%28compositionoverinheritance%29">Reinforce customization via OO Delegation (composition over inheritance)</a></li><li><a href="#Version2Brainstorming-MultiSt ageAuthenticationviarequest%2Fresponse">Multi-Stage Authentication via request/response</a></li><li><a href="#Version2Brainstorming-CaptchaSupport">Captcha Support</a></li><li><a href="#Version2Brainstorming-Configurationperfilterinstanceandnopathmatching">Configuration per filter instance and no path matching</a></li><li><a href="#Version2Brainstorming-Webmodulerepackaging.">Web module repackaging.</a></li></ul></div> - -<p>There is currently no timeline for a version 2, but this space represents any brainstorming efforts that the community wishes to address that may be major feature enhancements that can't be backwards compatible. Typically discussions from the dev list resulting in some form of consensus will probably make it into this page. Actionable items will go into Jira, potentially referencing this page for clarity.</p> - -<ul class="alternate" type="square"><li>(I know this isn't a feature but its equally is not more important) Deeper and more accessible documentation and how-tos.</li><li>management system for long lived hashes</li><li>token/ticket system</li><li>more generalized way to handle unauthorized exceptions</li><li>lower level crypto toolkit to facilitate customizations</li><li>unauthorizedUrl per path filter</li></ul> - - -<h3><a name="Version2Brainstorming-RenameAuthenticationInfotoAccount"></a>Rename AuthenticationInfo to Account</h3> - -<p>The existing <tt>AuthenticationInfo</tt> name is less intuitive and is essentially the same thing.</p> - -<h3><a name="Version2Brainstorming-Realmrefactoring"></a>Realm refactoring</h3> - -<p>Most Realms differ little in their implementations - mostly by the protocols they use. Create a 'DefaultRealm' implementation (or something similar) that allows pluggable AccountResolver and AuthorizationResolver interfaces that abstract away interaction with the data stores and the rest of the internal Realm logic (e.g. authc and authz caching, etc) can be shared by most Realm implementation.</p> - -<h3><a name="Version2Brainstorming-Splitshirocoreintomodules"></a>Split shiro-core into modules</h3> - -<p>Maybe shiro-core should be split up into separate modules (e.g. shiro-crypto, shiro-authc, shiro-authz, etc) if possible. This may or may not be possible due to the tight integration of APIs (e.g. Shiro authentication depends on shiro hashing (crypto) etc). A cursory investigation should be made if possible.</p> - -<h3><a name="Version2Brainstorming-Eventdrivendesign"></a>Event-driven design</h3> -<p><b>This can be in 1.3+ as these would be all new packages/classes and do not require signature changes to existing code</b></p> - -<p>Utilize events significantly and more effectively. Base on Akka's event model and <a class="external-link" href="http://code.google.com/p/guava-libraries/wiki/EventBusExplained"; rel="nofollow">Guava's EventBus</a>. This enables ideal loose coupling/high cohesion plugins/integration/customization.</p> - -<p>Package: <tt>org.apache.shiro.event</tt></p> - + <ul> + <li><a href="#Version2Brainstorming-RenameAuthenticationInfotoAccount">Rename AuthenticationInfo to Account</a></li> + <li><a href="#Version2Brainstorming-Realmrefactoring">Realm refactoring</a></li> + <li><a href="#Version2Brainstorming-Splitshirocoreintomodules">Split shiro-core into modules</a></li> + <li><a href="#Version2Brainstorming-Eventdrivendesign">Event-driven design</a></li> + <li><a href="#Version2Brainstorming-SubjectPrincipalCollection">Subject PrincipalCollection</a></li> + <li><a href="#Version2Brainstorming-ComponentNames">Component Names</a></li> + <li><a href="#Version2Brainstorming-AuthorizationANTLRGrammar">Authorization ANTLR Grammar</a></li> + <li><a href="#Version2Brainstorming-AuthorizationRequest%2FResponse">AuthorizationRequest/Response</a></li> + <li><a href="#Version2Brainstorming-ReinforcecustomizationviaOODelegation%28compositionoverinheritance%29">Reinforce customization via OO Delegation (composition over inheritance)</a></li> + <li><a href="#Version2Brainstorming-MultiStageAuthenticationviarequest%2Fresponse">Multi-Stage Authentication via request/response</a></li> + <li><a href="#Version2Brainstorming-CaptchaSupport">Captcha Support</a></li> + <li><a href="#Version2Brainstorming-Configurationperfilterinstanceandnopathmatching">Configuration per filter instance and no path matching</a></li> + <li><a href="#Version2Brainstorming-Webmodulerepackaging.">Web module repackaging.</a></li> +</ul> +<p>There is currently no timeline for a version 2, but this space represents any brainstorming efforts that the community wishes to address that may be major feature enhancements that can’t be backwards compatible. Typically discussions from the dev list resulting in some form of consensus will probably make it into this page. Actionable items will go into Jira, potentially referencing this page for clarity.</p> +<ul> + <li>(I know this isn’t a feature but its equally is not more important) Deeper and more accessible documentation and how-tos.</li> + <li>management system for long lived hashes</li> + <li>token/ticket system</li> + <li>more generalized way to handle unauthorized exceptions</li> + <li>lower level crypto toolkit to facilitate customizations</li> + <li>unauthorizedUrl per path filter</li> +</ul> +<a name="Version2Brainstorming-RenameAuthenticationInfotoAccount"></a> +<h3><a href="#rename-authenticationinfo-to-account" name="rename-authenticationinfo-to-account">Rename AuthenticationInfo to Account</a></h3> +<p>The existing <code>AuthenticationInfo</code> name is less intuitive and is essentially the same thing.</p> +<a name="Version2Brainstorming-Realmrefactoring"></a> +<h3><a href="#realm-refactoring" name="realm-refactoring">Realm refactoring</a></h3> +<p>Most Realms differ little in their implementations - mostly by the protocols they use. Create a ‘DefaultRealm’ implementation (or something similar) that allows pluggable AccountResolver and AuthorizationResolver interfaces that abstract away interaction with the data stores and the rest of the internal Realm logic (e.g. authc and authz caching, etc) can be shared by most Realm implementation.</p> +<a name="Version2Brainstorming-Splitshirocoreintomodules"></a> +<h3>Split shiro-core into modules</h3> +<p>Maybe shiro-core should be split up into separate modules (e.g. shiro-crypto, shiro-authc, shiro-authz, etc) if possible. This may or may not be possible due to the tight integration of APIs (e.g. Shiro authentication depends on shiro hashing (crypto) etc). A cursory investigation should be made if possible.</p> +<a name="Version2Brainstorming-Eventdrivendesign"></a> +<h3>Event-driven design</h3> +<p><strong>This can be in 1.3+ as these would be all new packages/classes and do not require signature changes to existing code</strong></p> +<p>Utilize events significantly and more effectively. Base on Akka’s event model and <a href="http://code.google.com/p/guava-libraries/wiki/EventBusExplained";>Guava’s EventBus</a>. This enables ideal loose coupling/high cohesion plugins/integration/customization.</p> +<p>Package: <code>org.apache.shiro.event</code></p> <p>Potential classes:</p> +<pre><code class="java">public class ShiroEvent extends EventObject { -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">public</span> class ShiroEvent <span class="code-keyword">extends</span> EventObject { - - <span class="code-keyword">private</span> <span class="code-keyword">final</span> <span class="code-object">long</span> timestamp; <span class="code-comment">//millis since Epoch (UTC time zone). -</span> - <span class="code-keyword">public</span> ShiroEvent(<span class="code-object">Object</span> source) { - <span class="code-keyword">super</span>(source); - <span class="code-keyword">this</span>.timestamp = <span class="code-keyword">new</span> Date().getTime(); + private final long timestamp; //millis since Epoch (UTC time zone). + public ShiroEvent(Object source) { + super(source); + this.timestamp = new Date().getTime(); } - <span class="code-keyword">public</span> <span class="code-object">long</span> getTimestamp() { - <span class="code-keyword">return</span> timestamp; + public long getTimestamp() { + return timestamp; } } -</pre> -</div></div> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">public</span> <span class="code-keyword">interface</span> Publisher { +</code></pre> +<pre><code class="java"><br/>public interface Publisher { - void publish(<span class="code-object">Object</span> event); + void publish(Object event); } -</pre> -</div></div> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> - -/** Marker annotation <span class="code-keyword">for</span> a method that wishes to receive a particular event instance. */ -<span class="code-keyword">public</span> @<span class="code-keyword">interface</span> Subscribe { +</code></pre> +<pre><code class="java">/** Marker annotation for a method that wishes to receive a particular event instance. */ +public @interface Subscribe { } -</pre> -</div></div> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> - -/** +</code></pre> +<pre><code class="java">/** * Listener implementations just annotate a method as @Subscribe. * The single method argument determines the type of event received. */ -<span class="code-keyword">public</span> class MyListener { +public class MyListener { @Subscribe - <span class="code-keyword">public</span> void doSomething(SomeEvent event) { + public void doSomething(SomeEvent event) { ... } } +</code></pre> +<pre><code class="java">public interface SubscriberRegistry { -</pre> -</div></div> + void register(Object subscriber); -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">public</span> <span class="code-keyword">interface</span> SubscriberRegistry { - - void register(<span class="code-object">Object</span> subscriber); - - void unregister(<span class="code-object">Object</span> subscriber); + void unregister(Object subscriber); } -</pre> -</div></div> - +</code></pre> <p>An EventBus can be created based on Publisher + SubscriberRegistry:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -<span class="code-keyword">public</span> class SynchronousEventBus <span class="code-keyword">implements</span> Publisher, SubscriberRegistry { +<pre><code class="java">public class SynchronousEventBus implements Publisher, SubscriberRegistry { ... } -</pre> -</div></div> - -<h3><a name="Version2Brainstorming-SubjectPrincipalCollection"></a>Subject PrincipalCollection</h3> - +</code></pre> +<a name="Version2Brainstorming-SubjectPrincipalCollection"></a> +<h3><a href="#subject-principalcollection" name="subject-principalcollection">Subject PrincipalCollection</a></h3> <p>Convert this to be a sub-interface of Map with additional per-Realm utility methods.</p> - -<p>See the <a class="external-link" href="https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/subject/PrincipalMap.java";>PrincipalMap</a> concept for ideas (experimental, not referenced in Shiro 1.x at the moment).</p> - -<p>Maybe rename this to 'attributes'? i.e. <tt>subject.getAttributes()</tt>?</p> - -<h3><a name="Version2Brainstorming-ComponentNames"></a>Component Names</h3> - +<p>See the <a href="https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/subject/PrincipalMap.java";>PrincipalMap</a> concept for ideas (experimental, not referenced in Shiro 1.x at the moment).</p> +<p>Maybe rename this to ‘attributes’? i.e. <code>subject.getAttributes()</code>?</p> +<a name="Version2Brainstorming-ComponentNames"></a> +<h3><a href="#component-names" name="component-names">Component Names</a></h3> <p>Change classes named FooDAO to FooStore instead.</p> - -<h3><a name="Version2Brainstorming-AuthorizationANTLRGrammar"></a>Authorization ANTLR Grammar</h3> - +<a name="Version2Brainstorming-AuthorizationANTLRGrammar"></a> +<h3><a href="#authorization-antlr-grammar" name="authorization-antlr-grammar">Authorization ANTLR Grammar</a></h3> <p>Ideally, we can have a single annotation:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -@Secured(<span class="code-quote">"authz expression here"</span>) -<span class="code-keyword">public</span> void someMethod(){...} -</pre> -</div></div> - -<p>Where the 'authz expression here' is authorization assertion statement backed by an ANTLR lexer/parser, for example:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -@Secured(<span class="code-quote">"(role(admin) || role(developer)) || perm(account:12345:open)"</span>) -</pre> -</div></div> - +<pre><code class="java">@Secured("authz expression here") +public void someMethod(){...} +</code></pre> +<p>Where the ‘authz expression here’ is authorization assertion statement backed by an ANTLR lexer/parser, for example:</p> +<pre><code class="java">@Secured("(role(admin) || role(developer)) || perm(account:12345:open)") +</code></pre> <p>This would translate the expression into the relevant hasRole/isPermitted calls.</p> - -<h3><a name="Version2Brainstorming-AuthorizationRequest%2FResponse"></a>AuthorizationRequest/Response</h3> - -<p>Employing the same grammar as mentioned above, instead of multiple subject.isPermitted/hasRole calls, the same thing could be achieved with an AuthorizationRequest/Response scheme. For example:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -AuthorizationRequest request = <span class="code-comment">//create request w/ expression -</span>AuthorizationResponse response = subject.authorize(authorizationRequest); -<span class="code-keyword">if</span> (response.isAuthorized()) { +<a name="Version2Brainstorming-AuthorizationRequest%2FResponse"></a> +<h3><a href="#authorizationrequest-response" name="authorizationrequest-response">AuthorizationRequest/Response</a></h3> +<p>Employing the same grammar as mentioned above, instead of multiple subject.isPermitted/hasRole calls, the same thing could be achieved with an AuthorizationRequest/Response scheme. For example:</p> +<pre><code class="java">AuthorizationRequest request = //create request w/ expression +AuthorizationResponse response = subject.authorize(authorizationRequest); +if (response.isAuthorized()) { ... -} <span class="code-keyword">else</span> { +} else { ... } -</pre> -</div></div> - -<h3><a name="Version2Brainstorming-ReinforcecustomizationviaOODelegation%28compositionoverinheritance%29"></a>Reinforce customization via OO Delegation (composition over inheritance)</h3> - -<ul class="alternate" type="square"><li>Any of the features provided by PathMatchingFilter would be provided for any configured filter via a proxy mechanism. The proxy would likely support the PathMatchingFilter features, setting request attributes as necessary for the wrapped filter to react to. This eliminates the need to subclass PathMatchingFilter to utilize these features.</li><li>The same principal would be probably be applied for realms. A DefaultRealm could be created that delegates to an AuthenticationInfoAccessor and AuthorizationInfoAccessor (or whatever we want to call them) that performs the same behavior as AuthenticatingRealm#doGetAuthenticationInfo and AuthorizingRealm#doGetAuthorizationInfo. The end result is no more subclassing realms for 95% of use cases, and instead providing accessors.</li></ul> - - -<h3><a name="Version2Brainstorming-MultiStageAuthenticationviarequest%2Fresponse"></a>Multi-Stage Authentication via request/response</h3> - -<p>In applications that need to authenticate via multiple mechanisms (e.g. multi-factor authentication), a Request/Response protocol for login would probably be easier to use to support such workflows. For example:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -LoginRequest request = <span class="code-comment">//create login request -</span>LoginResponse response = subject.login(request); -<span class="code-keyword">if</span> (!response.isComplete()) { +</code></pre> +<a name="Version2Brainstorming-ReinforcecustomizationviaOODelegation%28compositionoverinheritance%29"></a> +<h3>Reinforce customization via OO Delegation (composition over inheritance)</h3> +<ul> + <li>Any of the features provided by PathMatchingFilter would be provided for any configured filter via a proxy mechanism. The proxy would likely support the PathMatchingFilter features, setting request attributes as necessary for the wrapped filter to react to. This eliminates the need to subclass PathMatchingFilter to utilize these features.</li> + <li>The same principal would be probably be applied for realms. A DefaultRealm could be created that delegates to an AuthenticationInfoAccessor and AuthorizationInfoAccessor (or whatever we want to call them) that performs the same behavior as AuthenticatingRealm#doGetAuthenticationInfo and AuthorizingRealm#doGetAuthorizationInfo. The end result is no more subclassing realms for 95% of use cases, and instead providing accessors.</li> +</ul> +<a name="Version2Brainstorming-MultiStageAuthenticationviarequest%2Fresponse"></a> +<h3>Multi-Stage Authentication via request/response</h3> +<p>In applications that need to authenticate via multiple mechanisms (e.g. multi-factor authentication), a Request/Response protocol for login would probably be easier to use to support such workflows. For example:</p> +<pre><code class="java">LoginRequest request = //create login request +LoginResponse response = subject.login(request); +if (!response.isComplete()) { LoginRequest secondRequest = response.nextRequest(); - <span class="code-comment">//populate w/ data <span class="code-keyword">for</span> 2nd phase -</span> response = subject.login(secondRequest); + //populate w/ data for 2nd phase + response = subject.login(secondRequest); } -<span class="code-keyword">if</span> (response.hasException()) { - <span class="code-keyword">throw</span> response.getException(); +if (response.hasException()) { + throw response.getException(); } ... -</pre> -</div></div> - +</code></pre> <p>Additionally probably change the Authenticator signature to be as follows:</p> - -<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> -<pre class="code-java"> -AuthenticationResult authenticate(AuthenticationRequest) <span class="code-keyword">throws</span> AuthenticationException; -</pre> -</div></div> - -<h3><a name="Version2Brainstorming-CaptchaSupport"></a>Captcha Support</h3> - +<pre><code class="java">AuthenticationResult authenticate(AuthenticationRequest) throws AuthenticationException; +</code></pre> +<a name="Version2Brainstorming-CaptchaSupport"></a> +<h3><a href="#captcha-support" name="captcha-support">Captcha Support</a></h3> <p>Captcha support would assist in human being verification (during login, during form submission, etc).</p> - -<h3><a name="Version2Brainstorming-Configurationperfilterinstanceandnopathmatching"></a>Configuration per filter instance and no path matching</h3> -<p><a name="Version2Brainstorming-filterperinstance"></a><br clear="none"> -<a class="external-link" href="https://issues.apache.org/jira/browse/SHIRO-256";>SHIRO-256</a> is opened for this and <a class="external-link" href="http://tynamo.org"; rel="nofollow">Tynamo.org</a> already has an implementation for it. This would both simplify the filter logic and result in better performance.</p> - -<h3><a name="Version2Brainstorming-Webmodulerepackaging."></a>Web module repackaging.</h3> - -<p>The Web module is largely Servlet-specific at the moment. As such, its packaging should reflect this, in the same way that all other support modules are named, e.g. <br clear="none"> -module name: <tt>shiro-servlet</tt><br clear="none"> -package base: <tt>org.apache.shiro.servlet.*</tt></p> +<a name="Version2Brainstorming-Configurationperfilterinstanceandnopathmatching"></a> +<h3><a href="#configuration-per-filter-instance-and-no-path-matching" name="configuration-per-filter-instance-and-no-path-matching">Configuration per filter instance and no path matching</a></h3> +<a name="Version2Brainstorming-filterperinstance"></a> +<p><a href="https://issues.apache.org/jira/browse/SHIRO-256";>SHIRO-256</a> is opened for this and <a href="http://tynamo.org";>Tynamo.org</a> already has an implementation for it. This would both simplify the filter logic and result in better performance.</p> +<a name="Version2Brainstorming-Webmodulerepackaging."></a> +<h3>Web module repackaging.</h3> +<p>The Web module is largely Servlet-specific at the moment. As such, its packaging should reflect this, in the same way that all other support modules are named, e.g.<br/>module name: <code>shiro-servlet</code><br/>package base: <code>org.apache.shiro.servlet.*</code></p> </div>
