An Introduction to Shiro (formerly JSecurity) – A Beginner’s Tutorial Part 4

Introduction

NOTE: Updated in November 2013.

In part 3 of this tutorial, I showed how to use Apache Shiro (formerly called JSecurity and Ki) to add security to a web application based on a user's role. In part 4, I demonstrate how to use several of the custom tags Shiro provides. These custom tags enable you to control what content gets displayed to the user in your JSPs.

One of the problems with part 3's example application is that the view pages include links that aren't appropriate. For example, the home page (/index.jsp) includes links for pages in the secure and admin areas. The secure area's home page (secure/index.jsp) includes links for the admin area even if the user logged in doesn't have the admin role.

To fix these issues we can use the custom tags provided with the Shiro library (see: Package org.apache.shiro.web.tags and the tag library descriptor at http://www.brucephillips.name/jsecurity_examples/ki%20(jsecurity)%20tld.pdf).

Part 4 Example Application

You can download part 4's example application, which is an archived Maven project. This example application builds upon the examples discussed in parts 1-3 of the tutorial (see links at the bottom of this page), so be sure to read those parts first. After you unzip the rolesecuritywithtags.zip file, import the Maven project (named rolesecuritywithtags) into Eclipse.

Be sure to update the path to the securityDB in context.xml before building the .war file or running the Maven goal described below.

You can use the Maven Tomcat plugin (see reference below for how to install Maven if you don't already have it) to run the web application if you're not using Eclipse and Tomcat. Just open a command window and navigate to where you unzipped the rolesecuritywithtags.zip download. Make sure you're in the rolesecuritywithtags directory. Then do the following:

mvn -e clean tomcat7:run-war

Once you see [INFO] Started Servlet Engine in the command window, open your web browser and go to this URL: http://localhost:8080/rolesecuritywithtags/ . You should see the contents of the index.jsp. To stop the Tomcat server type control-c in the command window.

Adding Custom Tags

The only changes to this version of the application occur in the JSPs. Open up the /index.jsp in your IDE and you'll see the Shiro custom tags being used. At the top of the page is the taglib directive:

<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>

If you're not familiar with custom tags, see: Using Custom Tags in the J2EE Tutorial (http://java.sun.com/javaee/5/docs/tutorial/doc/bnaiy.html)

The part 4 example application home page uses three custom tags:

guest – if the current user has not logged in yet, the content between opening and closing guest tag will display. (Note – the content will not display if the user previously set the remember me value to true. I've not discussed the remember me capability of Shiro so consult the references below.)

authenticated – if the user has successfully logged in, the content between the opening and closing authenticated tag will display.

hasRole - this tag takes an attribute of name whose value is the role you want to test for. If the user has logged in and has that role the content between the opening and closing tag will display.

On the secure/index.jsp page I use another Shiro custom tag named principal. This tag will display the String of the user's default principal value. In the example application that will be the username (e.g. bruce@hotmail.com). You can use the type attribute to specify a different principal (see: class PrincipalTag).
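Putting the four tags together, here is an added example of a home page in the style of the part 4 application (written for this article, not copied from the downloadable project). The secure/ and admin/ paths come from the example application; the login.jsp and logout link targets are assumptions. Note that the tags only decide what is rendered: the URL filter chain configured in part 3 is still what actually denies access to the secure and admin areas.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<html>
<body>
<h1>Home</h1>

<%-- guest: rendered only while the Subject is anonymous. A user who
     chose "remember me" on an earlier visit is remembered, not a guest,
     so this block will not appear for them. --%>
<shiro:guest>
  <p>Welcome, guest. <a href="login.jsp">Log in</a> to reach the secure area.</p>
</shiro:guest>

<%-- authenticated: rendered only after a successful login in this session
     (a merely remembered user is not authenticated). --%>
<shiro:authenticated>
  <%-- principal: prints the String form of the default principal,
       which in this application is the username (e.g. bruce@hotmail.com). --%>
  <p>You are logged in as <shiro:principal/>.</p>
  <ul>
    <li><a href="secure/index.jsp">Secure area</a></li>

    <%-- hasRole: the admin link is rendered only for Subjects holding the
         "admin" role. Hiding the link is a usability measure; the /admin/**
         filter from part 3 is what enforces the role check on the request. --%>
    <shiro:hasRole name="admin">
      <li><a href="admin/index.jsp">Admin area</a></li>
    </shiro:hasRole>
  </ul>
  <p><a href="logout">Log out</a></p>
</shiro:authenticated>
</body>
</html>
```

Because the taglib evaluates the current Subject on every render, a user whose role is revoked sees the admin link disappear on their next page load, but only the filter chain stops a direct request to admin/index.jsp.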

Summary

Using custom tags provides a way to control what information is displayed based on the user's state (guest, authenticated, authorized). Shiro provides other tags (see reference below) that you may also find useful.

References:

  1. An Introduction to Shiro (formerly JSecurity) – A Beginner's Tutorial Part 3, http://www.brucephillips.name/blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners--Tutorial-Part-3
  2. Role Security With Tags Example Application, http://www.brucephillips.name/jsecurity_examples/rolesecuritywithtags_mvn.zip
  3. Apache Shiro, http://shiro.apache.org/
  4. Apache Shiro API, http://shiro.apache.org/static/current/apidocs/
  5. Apache Shiro Tags API, http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/tags/package-summary.html
  6. Apache Shiro Mailing Lists, http://shiro.apache.org/mailing-lists.html
  7. Presentation on JSecurity to the Charlotte Java Users Group, http://www.jsecurity.org/files/JSecurity.pdf
  8. Shiro Custom Tags TLD, http://www.brucephillips.name/jsecurity_examples/ki%20(jsecurity)%20tld.pdf
  9. Using Custom Tags, J2EE Tutorial, http://java.sun.com/javaee/5/docs/tutorial/doc/bnaiy.html
  10. Apache Derby, http://db.apache.org/derby/
  11. Apache Tomcat, http://tomcat.apache.org/
  12. Jetty, http://jetty.mortbay.org/jetty5/index.html
  13. Apache Software Foundation, Apache incubator, http://incubator.apache.org/projects/ki.html
  14. Maven: The Definitive Guide, http://www.sonatype.com/books/maven-book/reference/public-book.html
  15. Developing with Eclipse and Maven, http://www.sonatype.com/books/m2eclipse-book/reference/index.html

Comments
In secure/index.jsp had to change jsec:principal to shiro:principal.
# Posted By mark | 7/19/12 6:59 PM
Hi,

I was looking how a new role could be allowed at runtime, but I don't see a way either with annotations or tlds. Is there something I am missing?
# Posted By Priy | 5/23/13 8:28 PM