You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 60 Next »

Welcome to Apache Shiro

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

We recommend you start with the [10 Minute Tutorial] which gives you a feel for Shiro and its API. Then feel free to get started using Shiro in your own applications.

If you have any questions, please check out our documentation or contact the user [mailing list].

And if you’re a fan of Shiro and would like to help it grow, we invite you become a contributor to the project. Please check out the [New Contributor Guide].

Feature Overview

Apache Shiro aims to be the most comprehensive and usable Java security framework available. Below are the framework's major features.

Unknown macro: {div}

[Authentication]

Support logins across one or more pluggable data sources (LDAP, JDBC, ActiveDirectory, etc).
[Read More >>]

Unknown macro: {div}

[Authorization]

Perform access control based on roles or fine-grained permissions, also using pluggable data sources.
[Read More >>]

Unknown macro: {div}

[Cryptography]

Secure data with the easiest possible Cryptography APIs available, giving you power and simplicity beyond what Java provides by default.
[Read More >>]

Unknown macro: {div}

[Session Management]

Use sessions in any environment, even outside web or EJB containers. Easily cluster sessions in large scale applications.
[Read More >>]

Unknown macro: {div}

[Web Integration]

Save development time with innovative approaches that easily handle web-specific security out-of-the-box.
[Read More >>]

Error formatting macro: include: java.lang.IllegalArgumentException: No link could be created for 'SHIRO:sharing block'.

Follow Us on Twitter

Download

The latest release is 1.2.1 (Release Notes | Resolved Issues)

apache-shiro-1.2.1.zip


Other download options

Communities using Shiro

Spring Framework Apache Wicket Grails Apache Tapestry Tynamo Apache Click Stripes Framework Apache Camel Sonatype MulesoftApache ServiceMix Katasoft Vaadin ZK

Are you using Shiro?

Then show your support and please consider adding yourself to the Powered By Shiro wiki page. By letting others know that you are using Shiro, you help expand the community and in turn improve Shiro. Win/Win!

News

Apache Shiro 1.2.1 Released
Les Hazlewood posted on Jul 29, 2012

Dear Apache Shiro Community,

The Shiro team is pleased to announce the release of Apache Shiro version 1.2.1. This is the first bug fix point release after 1.2.0.

This release includes 11 bug fixes since the 1.2.0 release and is available for Download now.

All binaries (.jars) are available in Maven Central already. Please note that the Apache mirrors are still updating to reflect the source distribution, but some mirrors may not be updated yet. If a mirror download link does not work, please try another or wait another 12 to 24 hours.

For more information on Shiro 1.2, please read the "What's new in Apache Shiro 1.2?" article or the previous 1.2 release announcement.

Enjoy!

The Apache Shiro Team

What's New in Apache Shiro 1.2?
Les Hazlewood posted on Mar 13, 2012

Here's an article covering some of the main features and enhancements in Apache Shiro 1.2:

http://www.stormpath.com/blog/2012/03/12/whats-new-in-apache-shiro-12.html

Apache Shiro 1.2.0 Released!
Les Hazlewood posted on Jan 24, 2012

Dear Apache Shiro Community,

The Shiro team is pleased to announce the release of Apache Shiro version 1.2.0!

This release includes a number of bug fixes and new features since the 1.1.0 release.  The 1.2.0 release is available from the Download page.

All binaries (.jars) are available in Maven Central already.  Please note that the Apache mirrors are still updating to reflect the source distribution, but some mirrors may not be updated yet.  If a mirror download link does not work, please try another or wait another 12 to 24 hours.

New Features

  • The ability to disable sessions per filter chain or entirely for an application.
  • Servlet Context Listener initialization in web apps (to allow components to utilize Shiro before Filter initialization)
  • A command line program to securely hash passwords (or any url, file or stream input for that matter).
  • New secure password hash formats that adhere to Modular Crypt Format conventions.  These secure password hashes can be computed with the above named command line program and saved in text config (e.g. shiro.ini) directly.  Plaintext passwords should never be stored.  For those familiar with the Apache HTTPD passwd program, this achieves the same benefits.
  • A new LogoutFilter, as many apps don't need to show a view during logout (just logout and redirect to some known location).
  • Shiro filters can be enabled or disabled without removing them from the filter chain - useful in development (e.g. turn ssl requirement off in dev, but keep it on in production).
  • A lot of work has gone into making secure password hash storage and comparison a much simpler task in Shiro, focused around the new concept of a PasswordService.  You can use a PasswordService directly in your application code to hash passwords securely.  You can then configure a PasswordMatcher on your Realm(s) to use the same PasswordService for password comparisons.  See the PasswordService JavaDoc for example .ini configuration:

More complete PasswordService and related config documentation will be added to the Shiro website in the next few days - it was better to release now for the many who are waiting on the release, and follow up with this part of the documentation shortly.

And even more new features!  See the 'Resolved Issues' below for a complete list.

Backwards-incompatible or potential breaking changes

There are only a few small cases where breakage could occur - please view the release notes to ensure you mitigate any potential breaking change - particularly if you are using the SecureRandomNumberGenerator
or Shiro's Block Cipher Services (AES, Blowfish):

https://svn.apache.org/repos/asf/shiro/tags/shiro-root-1.2.0/RELEASE-NOTES

Resolved Issues

Jira resolved issue report:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950&version=12315478

Enjoy!

The Apache Shiro Team

Apache Shiro Login Demo
Les Hazlewood posted on Jun 30, 2011

Matt Raible has posted a really nice blog article and video demonstrating a login use case with Apache Shiro. Check out the Java Web Application Security - Part III: Apache Shiro Login Demo blog post and the video:

Apache Shiro Web Demo
Les Hazlewood posted on May 26, 2011

Matt Raible has posted a really great Web Demo with Apache Shiro, showing how to enable HTTP Basic Authentication and Form-based login, as well as easily enforcing SSL. Check it out:

Thanks to Matt for taking the time to put this together and helping the Shiro community!

Stay current with All Apache Shiro News

  • No labels