SoftwareEngineering

AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)

Returns an account's authorization-specific information for the specified principals, or null if no account could be found

automatically perform access control checks for the corresponding Subject

JdbcRealm

A Realm is a security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations

security-specific DAOs

If for some reason you don't want your Realm implementation to perform authentication duties, you should override the supports(org.apache.shiro.authc.AuthenticationToken) method to always return false

does not require you to implement or extend any User, Group or Role interfaces or classes

Shiro tries to maintain a non-intrusive development philosophy

represents data submitted for any given login attempt

implementations represent already-verified and stored account data

Since Shiro sometimes logs authentication operations, please

as these might be viewable to someone reading your logs

Permissions are provided in two ways: A Collection of Strings, where each String can usually be converted into Permission objects by a Realm's PermissionResolver A Collection of Permission objects

most Realms store both sets of data for a Subject

a Realm implementation to utilize an implementation of the Account interface instead, which is a convenience interface that combines both AuthenticationInfo and AuthorizationInfo

Step 2 securing some content

create a database that will hold the list of the authorized users along with their password

Create a new directory “auth” and add a new JSP under it, let’s call it “BackOffice.jsp“

enable Shiro into our project by adding a ServletFilter into our Web.xml

 <filter-class>05            org.apache.shiro.web.servlet.IniShiroFilter06        </filter-class>

10    <filter-mapping>11         <filter-name>ShiroFilter</filter-name>12         <url-pattern>/*</url-pattern>13    </filter-mapping>

classpath:shiro.ini

shiro-core

shiro-web

create shiro.ini under resource dir

07ds.jdbcUrl=jdbc:derby://localhost:1527/shiro_schema08ds.username = APP09ds.password = APP

15/auth/** = authcBasic16/** = anon

jdbcRealm.authenticationQuery

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm

setup the jdbc realm, this is where Shiro will find the authorized users

map the URLs to be protected, all the url under /auth should be authenticated with basic HTTP authentication

All the other URLs should be accessed without authentication

Add a new directory under src let’s call it production we will create a new shiro configuration file compatible with MySQL

06ds.serverName = localhost07ds.user = ADM08ds.password = secret12309ds.databaseName = shiro_schema

jdbcRealm which use a MySQL driver

added the appropriate dependency to maven pom.xml

mysql-connector-java

environment.type

staging

13                <jdbc.user>APP</jdbc.user>14                <jdbc.passwd>APP</jdbc.passwd>15                <jdbc.url>jdbc:derby://localhost:1527/shiro_schema</jdbc.url>16                <jdbc.driver>org.apache.derby.jdbc.ClientDriver</jdbc.driver>

src/main/resources

derbyclient

production

environment.type

45                <jdbc.user>ADM</jdbc.user>46                <jdbc.passwd>secret123</jdbc.passwd>47                <jdbc.ds>com.mysql.jdbc.jdbc2.optional.MysqlDataSource</jdbc.ds>48                <jdbc.serverName>localhost</jdbc.serverName>49                <jdbc.databaseName>shiro_schema</jdbc.databaseName>

src/production/resources

To build and run for staging

To build for production

-Denvironment.type=prod