14

I installed Apache Shiro 1.4.0 and was following this official tutorial in order to set it up.

When I tried to initialize SecurityUtils with SecurityManager using this code from tutorial:

Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);

I got a message that IniSecurityManagerFactory is deprecated now in favor of Shiro's Environment.

I can't find any tutorial that shows how to initialize Shiro using Environment, and its documentation doesn't help much:

An Environment instance encapsulates all of the objects that Shiro requires to function. It is essentially a 'meta' object from which all Shiro components can be obtained for an application.

An Environment instance is usually created as a result of parsing a Shiro configuration file. The environment instance can be stored in any place the application deems necessary, and from it, can retrieve any of Shiro's components that might be necessary in implementing security behavior.

For example, the most obvious component accessible via an Environment instance is the application's securityManager.

So, how do I use this new initialization mechanism?

Vasiliy
  • 16,221
  • 11
  • 71
  • 127
  • 2
    FWIW, it seems that 1.4.0 hasn't been released officially yet. At least, the website says that 1.4.0 is still in "early access mode". So it's probably best to stick with 1.3.2, at least until the website is updated. (`IniSecurityManagerFactory` is not deprecated in 1.3.2.) – amoe Sep 19 '17 at 09:16
  • 1
    FWIW, we are in Shiro 1.4.2 as of today, and the documentation is still outdated. – saygley Nov 24 '19 at 14:37
  • FWI still W, the same happens when following the [10 minute tutorial](https://shiro.apache.org/10-minute-tutorial.html) with Shiro 1.7.1. – aderchox Sep 12 '21 at 02:13

1 Answers1

6

As of Shiro 1.5 there is now BasicIniEnvironment. Its Javadoc suggests to create the SecurityManager like this:

Environment env = new BasicIniEnvironment("classpath:shiro.ini");
SecurityManager securityManager = env.getSecurityManager();

You can then continue:

SecurityUtils.setSecurityManager(securityManager);

That being said, I think when using Shiro in a standard web application, I think one shouldn't be doing this on one's own, but instead configure the EnvironmentLoaderListener in the web.xml file:

<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

According to the Javadoc this will use the EnvrionmentLoader and load the configuration from a shiro.ini by looking at the following locations:

  1. /WEB-INF/shiro.ini
  2. classpath:shiro.ini

Thus one can simply put the shiro.ini on the classpath, add Shiro will pick the config up itself.

sebkur
  • 658
  • 2
  • 9
  • 18