An Introduction to Shiro (formerly JSecurity) – A Beginner’s Tutorial Part 4


NOTE: Updated in January 2011.

In part 3 of this tutorial, I showed how to use Apache Shiro (formerly called JSecurity and Ki) to add security to a web application based on a user's role. In part 4, I demonstrate how to use several of the custom tags Shiro provides. These custom tags enable you to control what content gets displayed to the user in your JSPs.

One of the problems with part 3's example application is that the view pages include links that aren't appropriate. For example, the home page (/index.jsp) includes links for pages in the secure and admin areas. The secure area's home page (secure/index.jsp) includes links for the admin area even if the user logged in doesn't have the admin role.

To fix these issues we can use the custom tags provided with the Shiro library (see: Package org.apache.shiro.web.tags and the tag library descriptor at /jsecurity_examples/ki%20(jsecurity)%20tld.pdf ).

Part 4 Example Application

You can download part 4's example application, which is an archived Eclipse web project (uses Maven). This example application builds upon the examples discussed in parts 1-3 of the tutorial (see links at the bottom of this page), so be sure to read those parts first. You can import the downloaded Eclipse archived project (named rolesecuritywithtags) into Eclipse and then run it on a Tomcat server.

You can also use the Maven jetty plugin (see reference below for how to install Maven if you've don't already have Maven) to run the web application if you're not using Eclipse and Tomcat. Just open a command window and navigate to where you unzipped the download. Make sure you're in the rolesecuritywithtags directory. Then do the following (in this example I unzipped rolesecuritywithtags to c:\jsecurity_examples):

c:\jsecurity_examples\ rolesecuritywithtags \mvn clean

c:\jsecurity_examples\ rolesecuritywithtags \mvn jetty:run

Once you see [INFO] Started Jetty Server in the command window, open your web browser and go to this URL: http://localhost:8080/ rolesecuritywithtags/ . You should see the contents of the index.jsp. To stop the Jetty server type control-c in the command window.

Adding Custom Tags

The only changes to this version of the application occur in the JSPs. Open up the /index.jsp in your IDE and you'll see the Shiro custom tags being used. At the top of the page is the taglib directive:

<%@ taglib prefix="shiro" uri="" %>

If you're not familiar with custom tags, see: Using Custom Tags in the J2EE Tutorial (

The part 4 example application home page uses three custom tags:

guest – if the current user has not logged in yet, the content between opening and closing guest tag will display. (Note – the content will not display if the user previously set the remember me value to true. I've not discussed the remember me capability of Shiro so consult the references below.)

authenticated – if the user has successfully logged in, the content between the opening and closing authenticated tag will display.

hasRole - this tag takes an attribute of name whose value is the role you want to test for. If the user has logged in and has that role the content between the opening and closing tag will display.

On the secure/index.jsp page I use another Shiro custom tag named principal. This tag will display the String of the user's default principal value. In the example application that will be the username (e.g. You can use the type attribute to specify a different principal (see: class PrincipalTag).


Using custom tags provides a way to control what information is displayed based on the user's state (guest, authenticated, authorized). Shiro provides other tags (see reference below) that you may also find useful.


  1. An Introduction to Shiro (formerly JSecurity) – A Beginner's Tutorial Part 3, /blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners--Tutorial-Part-3
  2. Role Security With Tags Example Application, /jsecurity_examples/
  3. Apache Shiro
  4. Apache Shiro API,
  5. Apache Shiro Tags API,
  6. Apache Shiro Mailing Lists,
  7. Presentation on JSecurity to the Charlotte Java Users Group,
  8. Shiro Custom Tags TLD, /jsecurity_examples/ki%20(jsecurity)%20tld.pdf
  9. Using Custom Tags, J2EE Tutorial,
  10. Apache Derby,
  11. Apache Tomcat,
  12. Jetty,
  13. Apache Software Foundation, Apache incubator,
  14. Maven: The Definitive Guide,
  15. Developing with Eclipse and Maven,

Comments (Comment Moderation is enabled. Your comment will not appear until approved.)
BlogCFC was created by Raymond Camden. This blog is running version Contact Blog Owner