Step7

README.md

@@ -1,4 +1,4 @@
 apache-shiro-webapp-tutorial
 ============================
 
-A step-by-step tutorial showing how to secure a web app with Apache Shiro
+A [step-by-step tutorial](http://shiro.apache.org/webapp-tutorial.html) showing how to secure a web app with Apache Shiro.

pom.xml

@@ -26,15 +26,15 @@
     <packaging>war</packaging>
 
     <properties>
-        <shiro.version>1.2.2</shiro.version>
+        <shiro.version>1.3.2</shiro.version>
     </properties>
 
     <build>
         <plugins>
             <plugin>
                 <groupId>org.eclipse.jetty</groupId>
                 <artifactId>jetty-maven-plugin</artifactId>
-                <version>9.1.0.v20131115</version>
+                <version>9.3.11.v20160721</version>
                 <configuration>
                     <webApp>
                         <contextPath>/</contextPath>
@@ -50,18 +50,18 @@
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
-            <version>1.7.5</version>
+            <version>1.7.21</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>jcl-over-slf4j</artifactId>
-            <version>1.7.5</version>
+            <version>1.7.21</version>
             <scope>runtime</scope>
         </dependency>
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
-            <version>1.0.13</version>
+            <version>1.1.7</version>
             <scope>runtime</scope>
         </dependency>
 
@@ -81,12 +81,12 @@
         <dependency>
             <groupId>com.stormpath.shiro</groupId>
             <artifactId>stormpath-shiro-core</artifactId>
-            <version>0.4.0</version>
+            <version>0.7.0</version>
         </dependency>
         <dependency>
             <groupId>com.stormpath.sdk</groupId>
             <artifactId>stormpath-sdk-httpclient</artifactId>
-            <version>0.8.1</version>
+            <version>1.0.4</version>
             <scope>runtime</scope>
         </dependency>
         <dependency>

src/main/webapp/WEB-INF/shiro.ini

@@ -0,0 +1,56 @@
+#
+# Copyright (c) 2013 Les Hazlewood and contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# INI configuration is very powerful and flexible, while still remaining succinct.
+# Please http://shiro.apache.org/configuration.html and
+# http://shiro.apache.org/web.html for more.
+
+[main]
+
+shiro.loginUrl = /login.jsp
+
+# Let's use some in-memory caching to reduce the number of runtime lookups against Stormpath.  A real
+# application might want to use a more robust caching solution (e.g. ehcache or a distributed cache).  When using such
+# caches, be aware of your cache TTL settings: too high a TTL and the cache won't reflect any potential
+# changes in Stormpath fast enough.  Too low and the cache could evict too often, reducing performance.
+cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
+securityManager.cacheManager = $cacheManager
+
+# Configure a Realm to connect to a user datastore.  In this simple tutorial, we'll just point to Stormpath since it
+# takes 5 minutes to set up:
+stormpathClient = com.stormpath.shiro.client.ClientFactory
+stormpathClient.cacheManager = $cacheManager
+
+# (Optional) If you put your apiKey.properties in the non-default location, you set the location here
+#stormpathClient.apiKeyFileLocation = $HOME/.stormpath/apiKey.properties
+
+stormpathRealm = com.stormpath.shiro.realm.ApplicationRealm
+stormpathRealm.client = $stormpathClient
+
+# Find this URL in your Stormpath console for an application you create:
+# Applications -> (choose application name) --> Details --> REST URL
+# (Optional) If you only have one Application
+#stormpathRealm.applicationRestUrl = https://api.stormpath.com/v1/applications/$STORMPATH_APPLICATION_ID
+
+stormpathRealm.groupRoleResolver.modeNames = name
+securityManager.realm = $stormpathRealm
+
+[urls]
+/login.jsp = authc
+/logout = logout
+/account/** = authc
+
+

src/main/webapp/WEB-INF/web.xml

@@ -19,6 +19,24 @@
          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
          version="3.1">
 
+    <listener>
+        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
+    </listener>
+
+    <filter>
+        <filter-name>ShiroFilter</filter-name>
+        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>ShiroFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+        <dispatcher>REQUEST</dispatcher>
+        <dispatcher>FORWARD</dispatcher>
+        <dispatcher>INCLUDE</dispatcher>
+        <dispatcher>ERROR</dispatcher>
+    </filter-mapping>
+
     <welcome-file-list>
         <welcome-file>index.jsp</welcome-file>
     </welcome-file-list>

src/main/webapp/account/index.jsp

@@ -0,0 +1,52 @@
+<%--
+  ~ Copyright (c) 2013 Les Hazlewood and contributors
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  --%>
+<jsp:include page="../include.jsp"/>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Apache Shiro Tutorial Webapp : Login</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <!-- Add some nice styling and functionality.  We'll just use Twitter Bootstrap -->
+    <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap.min.css">
+    <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap-theme.min.css">
+    <style>
+        body{padding: 0 20px;}
+    </style>
+</head>
+<body>
+
+    <h2>For authenticated users only!</h2>
+
+    <p>This page simulates a restricted part of a web application intended for authenticated users only.</p>
+
+    <p>You are currently logged in.</p>
+
+    <p><a href="<c:url value="/home.jsp"/>">Return to the home page.</a></p>
+
+    <p><a href="<c:url value="/logout"/>">Log out.</a></p>
+
+    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
+    <script src="https://code.jquery.com/jquery.js"></script>
+    <script src="//netdna.bootstrapcdn.com/bootstrap/3.0.2/js/bootstrap.min.js"></script>
+    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
+    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
+    <!--[if lt IE 9]>
+    <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
+    <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
+    <![endif]-->
+</body>
+</html>

src/main/webapp/home.jsp

@@ -1,3 +1,5 @@
+<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%--
   ~ Copyright (c) 2013 Les Hazlewood and contributors
   ~
@@ -22,9 +24,61 @@
     <!-- Add some nice styling and functionality.  We'll just use Twitter Bootstrap -->
     <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap.min.css">
     <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap-theme.min.css">
+    <style>
+        body{padding:0 20px;}
+    </style>
 </head>
 <body>
-    <h1>Hello, world!</h1>
+
+    <h1>Apache Shiro Tutorial Webapp</h1>
+
+    <p>Hi <shiro:guest>Guest</shiro:guest><shiro:user>
+        <%
+            //This should never be done in a normal page and should exist in a proper MVC controller of some sort, but for this
+            //tutorial, we'll just pull out Stormpath Account data from Shiro's PrincipalCollection to reference in the
+            //<c:out/> tag next:
+
+            request.setAttribute("account", org.apache.shiro.SecurityUtils.getSubject().getPrincipals().oneByType(java.util.Map.class));
+
+        %>
+        <c:out value="${account.givenName}"/></shiro:user>!
+        ( <shiro:user><a href="<c:url value="/logout"/>">Log out</a></shiro:user>
+        <shiro:guest><a href="<c:url value="/login.jsp"/>">Log in</a></shiro:guest> )
+    </p>
+
+    <p>Welcome to the Apache Shiro Tutorial Webapp.  This page represents the home page of any web application.</p>
+
+    <shiro:authenticated><p>Visit your <a href="<c:url value="/account"/>">account page</a>.</p></shiro:authenticated>
+    <shiro:notAuthenticated><p>If you want to access the authenticated-only <a href="<c:url value="/account"/>">account page</a>,
+        you will need to log-in first.</p></shiro:notAuthenticated>
+
+    <h2>Roles</h2>
+
+    <p>Here are the roles you have and don't have. Log out and log back in under different user
+        accounts to see different roles.</p>
+
+    <h3>Roles you have:</h3>
+
+    <p>
+        <shiro:hasRole name="Captains">Captains<br/></shiro:hasRole>
+        <shiro:hasRole name="Officers">Bad Guys<br/></shiro:hasRole>
+        <shiro:hasRole name="Enlisted">Enlisted<br/></shiro:hasRole>
+    </p>
+
+    <h3>Roles you DON'T have:</h3>
+
+    <p>
+        <shiro:lacksRole name="Captains">Captains<br/></shiro:lacksRole>
+        <shiro:lacksRole name="Officers">Officers<br/></shiro:lacksRole>
+        <shiro:lacksRole name="Enlisted">Enlisted<br/></shiro:lacksRole>
+    </p>
+
+    <h2>Permissions</h2>
+
+    <ul>
+        <li>You may <shiro:lacksPermission name="ship:NCC-1701-D:command"><b>NOT</b> </shiro:lacksPermission> command the <code>NCC-1701-D</code> Starship!</li>
+        <li>You may <shiro:lacksPermission name="user:${account.username}:edit"><b>NOT</b> </shiro:lacksPermission> edit the ${account.username} user!</li>
+    </ul>
 
     <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
     <script src="https://code.jquery.com/jquery.js"></script>

src/main/webapp/login.jsp

@@ -0,0 +1,70 @@
+<%--
+  ~ Copyright (c) 2013 Les Hazlewood and contributors
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  --%>
+<jsp:include page="include.jsp"/>
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Apache Shiro Tutorial Webapp : Login</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <!-- Add some nice styling and functionality.  We'll just use Twitter Bootstrap -->
+    <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap.min.css">
+    <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap-theme.min.css">
+    <style>
+        body{padding-top:20px;}
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="row">
+            <div class="col-md-4 col-md-offset-4">
+                <div class="panel panel-default">
+                    <div class="panel-heading">
+                        <h3 class="panel-title">Please sign in</h3>
+                    </div>
+                    <div class="panel-body">
+                        <form name="loginform" action="" method="POST" accept-charset="UTF-8" role="form">
+                            <fieldset>
+                                <div class="form-group">
+                                    <input class="form-control" placeholder="Username or Email" name="username" type="text">
+                                </div>
+                                <div class="form-group">
+                                    <input class="form-control" placeholder="Password" name="password" type="password" value="">
+                                </div>
+                                <div class="checkbox">
+                                    <label>
+                                        <input name="rememberMe" type="checkbox" value="true"> Remember Me
+                                    </label>
+                                </div>
+                                <input class="btn btn-lg btn-success btn-block" type="submit" value="Login">
+                            </fieldset>
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
+    <script src="https://code.jquery.com/jquery.js"></script>
+    <script src="//netdna.bootstrapcdn.com/bootstrap/3.0.2/js/bootstrap.min.js"></script>
+    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
+    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
+    <!--[if lt IE 9]>
+    <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
+    <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
+    <![endif]-->
+</body>
+</html>