Getting Started with Netbeans and Shiro – Part 1

Apache Shiro (formerly known as JSecurity and KI) is a security framework that handles authentication, authorization, enterprise session management and cryptography. With the move from SourceForge to Apache, the GPL license turned into the Apache license. The latest released version is still 0.9 (still under the JSecurity name), but you can build yourself a current snapshot until the next version is released. Shiro is NOT based on JAAS.

Pre-Requirements for this tutorial:

  • Netbeans (any newer version 6.5.1 + already installed)
  • Maven (assuming most people don't use it yet)
  • Shiro code base (via svn)
  • Ubuntu (applies only to the installation of maven)

Installation of Maven under Ubuntu:

  • sudo apt-get install maven2 (will result in a substantial 130MB download)

    (Screenshot: Install maven)

Downloading and building Shiro:

  • Check it out with svn into a local folder of your choice (preferably called shiro) from apache.org with svn co http://svn.apache.org/repos/asf/incubator/shiro/trunk/

    (Screenshot: svn shiro)

  • Build it with mvn install (which downloads even more POM files and runs a build and test process that can take some minutes)

    (Screenshot: Build Shiro with Maven)

Create the most simple Java project

The Shiro package you svn'ed earlier comes with a couple of samples, which really give you a good start, but it is always good to start from scratch with virtually nothing. This simple application follows pretty much the quickstart.java sample from the Shiro team (link).

Create a new Java Application

(Screenshot: Create new application)

Add the Shiro library (from the core folder that we built with Maven) and the log4j and SLF4J libraries (from the samples folder)

(Screenshot: Libraries)

Import the packages

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.PropertiesRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

Create the most basic functionality

public class Quickstart { // wrapping class added so the sample compiles as a stand-alone application

    public static void main(String[] args) {

        // No realm of our own yet: a PropertiesRealm with no resource path falls back to the
        // users and roles bundled with Shiro (see the remarks below)
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setRealm(new PropertiesRealm());
        SecurityUtils.setSecurityManager(securityManager);

        Subject currentUser = SecurityUtils.getSubject();

        if (!currentUser.isAuthenticated()) {

            //UsernamePasswordToken token = new UsernamePasswordToken("jamesbond", "007");
            UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");

            token.setRememberMe(true);
            try {
                currentUser.login(token);
            } catch (UnknownAccountException uae) {
                System.out.println("There is no user with username of " + token.getPrincipal());
            } catch (IncorrectCredentialsException ice) {
                System.out.println("Password for account " + token.getPrincipal() + " was incorrect!");
            } catch (LockedAccountException lae) {
                System.out.println("The account for username " + token.getPrincipal() + " is locked.  " +
                        "Please contact your administrator to unlock it.");
            }
            // ... catch more exceptions here (maybe custom ones specific to your application?)
            catch (AuthenticationException ae) {
                //unexpected condition?  error?
            }
        }
        // note: this line is reached even when the login above failed; getPrincipal() is then null
        System.out.println(" User [" + currentUser.getPrincipal() + "] logged in successfully.");

        //test a role:
        if (currentUser.hasRole("agent")) {
            System.out.println("License to kill.");
        } else {
            System.out.println("Sorry, Martini only.");
        }

        //test a typed permission (not instance-level)
        if (currentUser.isPermitted("gadgets:astonmartin")) {
            System.out.println("Keys for your company car.");
        } else {
            System.out.println("Sorry, subway ticket only.");
        }

        //test a typed permission (not instance-level); granted through the 'schwartz' role's lightsaber:* wildcard
        if (currentUser.isPermitted("lightsaber:weild")) {
            System.out.println("You may use a lightsaber ring.  Use it wisely.");
        } else {
            System.out.println("Sorry, lightsaber rings are for schwartz masters only.");
        }

        //all done - log out!
        currentUser.logout();

        System.exit(0);
    }
}

Remarks:

  • We haven't configured a security realm of our own, so the sample code plays with the default users, passwords and roles that are part of the Shiro package in core/src/main/resources/org/apache/shiro/realm/text/default-shiro-users.properties
    ...
    # ------------------------------
    # Users and their assigned roles
    # ------------------------------
    # user 'root' with password 'secret' and the 'root' role
    user.root = secret,root
    # user 'guest' with the password 'guest' and the 'guest' role
    user.guest = guest,guest
    # user 'presidentskroob' with password '12345' ("That's the same combination on my luggage!!!"), and role 'president'
    user.presidentskroob = 12345,president
    # user 'darkhelmet' with password 'ludicrousspeed' and roles 'darklord' and 'schwartz'
    user.darkhelmet = ludicrousspeed,darklord,schwartz
    # user 'lonestarr' with password 'vespa' and roles 'goodguy' and 'schwartz'
    user.lonestarr = vespa,goodguy,schwartz
    
    # -------------------------------
    # Roles with assigned permissions
    # -------------------------------
    # 'root' role has all permissions, indicated by the wildcard '*'
    role.root = *
    # The 'schwartz' role can do anything (*) with any lightsaber:
    role.schwartz = lightsaber:*
    # The 'goodguy' role is allowed to 'drive' (action) the winnebago (type) with license plate 'eagle5' (instance specific id)
    role.goodguy = winnebago:drive:eagle5
    ...
    
  • Try switching to the James Bond user (the commented-out token), and you will see that you can't log in, because no such user exists in the default file.
  • Take note of the very simple use of the security-related functions, such as
    currentUser.login(token);
    currentUser.hasRole("agent")
    currentUser.isPermitted("gadgets:astonmartin")
    currentUser.logout();
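As an added example (not code from the post or from the Shiro project), here is the same PropertiesRealm setup with two changes a practitioner would want: the login outcome is checked before any success message is printed, and the role and permission checks are chosen against what the default properties file actually grants to lonestarr (goodguy = winnebago:drive:eagle5, schwartz = lightsaber:*), so you can see instance-level and wildcard matching succeed and fail. The class name ShiroDefaultRealmCheck and the helper names are my own; the example assumes, as the post's code does, that new PropertiesRealm() with no resource path picks up the bundled default-shiro-users.properties from the classpath, and that org.apache.shiro.authz.permission.WildcardPermission is available in the build you checked out.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.PropertiesRealm;
import org.apache.shiro.subject.Subject;

/**
 * Added example, not part of the original post: wires the default PropertiesRealm
 * like the post does, but only reports success when the Subject is really
 * authenticated, and exercises permissions the default file actually grants.
 */
public class ShiroDefaultRealmCheck {

    /** Same wiring as the post: assumes the realm falls back to default-shiro-users.properties. */
    static void configure() {
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setRealm(new PropertiesRealm());
        SecurityUtils.setSecurityManager(securityManager);
    }

    /** Attempt a login; true only if the thread's Subject ends up authenticated. */
    static boolean tryLogin(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
        } catch (AuthenticationException ae) {
            // Unknown account, wrong password and locked account are all subclasses of this;
            // report the failure type only, never the submitted password.
            System.out.println("Login failed for '" + username + "': " + ae.getClass().getSimpleName());
            return false;
        }
        return subject.isAuthenticated();
    }

    /** Print one check and its outcome in a fixed-width column. */
    static void report(String label, boolean outcome) {
        System.out.println(String.format("%-45s %s", label, outcome));
    }

    public static void main(String[] args) {
        configure();

        // 1. The commented-out James Bond user is not in the default file, so this prints false
        //    and the failure type (UnknownAccountException) without any misleading success line.
        System.out.println("jamesbond authenticated: " + tryLogin("jamesbond", "007"));

        // 2. lonestarr/vespa exists with roles 'goodguy' and 'schwartz'.
        if (tryLogin("lonestarr", "vespa")) {
            Subject user = SecurityUtils.getSubject();
            System.out.println("User [" + user.getPrincipal() + "] logged in.");

            report("hasRole(agent)", user.hasRole("agent"));                 // false: no such role anywhere
            report("hasRole(schwartz)", user.hasRole("schwartz"));           // true
            report("isPermitted(lightsaber:wield)",
                    user.isPermitted("lightsaber:wield"));                   // true via lightsaber:*
            report("isPermitted(winnebago:drive:eagle5)",
                    user.isPermitted("winnebago:drive:eagle5"));             // true: exact instance match
            report("isPermitted(winnebago:drive:eagle6)",
                    user.isPermitted("winnebago:drive:eagle6"));             // false: different instance
            report("isPermitted(gadgets:astonmartin)",
                    user.isPermitted("gadgets:astonmartin"));                // false: never granted

            user.logout();
            report("isAuthenticated() after logout", user.isAuthenticated()); // false
        }

        // 3. The same matching rules without a Subject: a permission string with fewer
        //    parts implies every more specific one, but not the other way round.
        WildcardPermission drive = new WildcardPermission("winnebago:drive");
        WildcardPermission eagle5 = new WildcardPermission("winnebago:drive:eagle5");
        report("winnebago:drive implies winnebago:drive:eagle5", drive.implies(eagle5)); // true
        report("winnebago:drive:eagle5 implies winnebago:drive", eagle5.implies(drive)); // false
    }
}
```

Run it the same way as the post's Quickstart, with the Shiro core jar plus the log4j and SLF4J jars on the classpath. The important design point is in tryLogin: the post's sample prints "logged in successfully" unconditionally after the try/catch, so a failed login still looks like a success in the output; checking isAuthenticated() before proceeding is what the rest of the program should branch on.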

In part 2 we will add a text-based security realm.


One thought on “Getting Started with Netbeans and Shiro – Part 1”

  1. Hello,

    Nice write-up, looking forward to part 2!

    Just a quick note: text-based configuration is much easier with the latest commits to the repository. Do an SVN update and look at the Quickstart. It uses a .ini file resource path, and in that file you can define [users] and [roles] sections in addition to the normal SecurityManager configuration.

    When you use the .ini this way, an IniRealm will be created for you automatically if you define either the [users] or [roles] sections.

    Cheers,

    Les
