Update: BalusC has done an amazing post about Shiro/JSF. Head over there instead!

I know very little about JSF2, and even less about Apache Shiro, but both have been on the learning list for a while, so this post will document how to get them working together from a beginner's eyes. Be gentle. I've deployed the sample to JBoss OpenShift while I'm experimenting, if you'd like to take it for a spin.

First, you’ll need a basic shiro.ini file which you can dump in your standard /WEB-INF directory. Here’s a scratcher to get you started which will protect our “protected.xhtml” file and redirect the user to the “login.xhtml” file.

[main]
# Define the filter before setting its properties: [main] lines are applied in order,
# so a later "authc = ..." line would replace the instance the loginUrl was set on.
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /login.xhtml
securityManager.rememberMeManager.cookie.name = demoRememberMe

[users]
admin = secret

[roles]
admin = *

[urls]
/index.xhtml = anon
/protected.xhtml = authc

A couple of bits of magic there. The most important one is that you need to be using PassThruAuthenticationFilter when you're working with JSF (which I found out about here). JSF rewrites the names of your html INPUT elements, so you won't be able to use the standard Shiro form filter, which expects form elements named username, password and rememberMe. I've also customised the "rememberMe" cookie name in the above, just because I was keen to explore how you do that!

With our config in place, the next stop is to make the changes in web.xml to ensure that the Shiro filter fires. This is all standard Shiro stuff, no special JSF interplay required:
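The web.xml wiring did not survive in the post as it came through, so here is the standard Shiro 1.2+ form as an added example (this is not the post's own file). It assumes the ini lives at /WEB-INF/shiro.ini, which is the default location EnvironmentLoaderListener looks in, and that the FacesServlet is mapped to *.xhtml so the paths in the [urls] section above are the paths the browser actually requests.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

    <!-- Reads /WEB-INF/shiro.ini (falling back to classpath:shiro.ini) and builds the SecurityManager -->
    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>

    <!-- Applies the [urls] filter chains from shiro.ini in front of every request -->
    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <!-- REQUEST alone would let forwards and error-page dispatches bypass the chains -->
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <!-- *.xhtml mapping: /protected.xhtml in [urls] is then the real request path -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

</web-app>
```

Shiro 1.1 used a single org.apache.shiro.web.servlet.IniShiroFilter in place of the listener plus ShiroFilter pair. Mapping the FacesServlet to *.xhtml also means the raw Facelets sources cannot be fetched around JSF, which they can be with a /faces/* mapping unless you guard them separately.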



With all our web.xml filters in place, the next step is to write up the basic JSF login form. Here’s my minimalist version of login.xhtml:

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html">
<h:head>
    <title>Login Page</title>
</h:head>
<h:body>
    <h:form>
        <h:messages />

        <h2>Login Page</h2>
        <p>You can use "admin" and "secret" to login.</p>
        <h:panelGrid columns="3">

            <h:outputLabel for="username" value="User Name:" />
            <h:inputText id="username" value="#{loginController.username}"
                required="true" label="Username" />
            <h:message for="username" />

            <h:outputLabel for="password" value="Password:" />
            <h:inputSecret id="password" value="#{loginController.password}"
                label="Password" />
            <h:message for="password" />

            <h:outputLabel for="rememberMe" value="Remember Me:" />
            <h:selectBooleanCheckbox id="rememberMe"
                value="#{loginController.rememberMe}" />

            <h:commandButton action="#{loginController.authenticate()}"
                value="Login" />

        </h:panelGrid>
    </h:form>
</h:body>
</html>


Nothing too special there. We have fields for our username, password and rememberMe, just need to wire it up to our loginController, and life will be good. Here’s what it looks like so far:


Next, we’ll need to whip up our loginController JSF backing bean with elements for our username, password, rememberMe, and, of course, logic to do the actual authentication. Here’s my rough one to get you started:

package au.com.bytecode.controller;

import java.util.logging.Logger;
import javax.enterprise.inject.Model;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

/**
 * Simple JSF Controller demonstrating Shiro login/logout process.
 * @author Glen Smith
 */
@Model // CDI: @Named + @RequestScoped, so the pages can refer to #{loginController}
public class LoginController {

    String username;
    String password;
    boolean rememberMe = false;

    private static final Logger log = Logger.getLogger(LoginController.class.getName());

    public String authenticate() {

        // Example using most common scenario of username/password pair:
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        // "Remember Me" built-in:
        token.setRememberMe(rememberMe);

        Subject currentUser = SecurityUtils.getSubject();
        log.info("Submitting login with username of " + username
                + " and password of " + password);
        try {
            // Hands the token to the SecurityManager built from shiro.ini
            currentUser.login(token);
        } catch (AuthenticationException e) {
            // Could catch a subclass of AuthenticationException if you like
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage("Login Failed: " + e.getMessage(), e.getMessage()));
            return "/login";
        }
        return "protected?faces-redirect=true";
    }

    public String logout() {

        Subject currentUser = SecurityUtils.getSubject();
        try {
            // Invalidates the session and clears the rememberMe cookie
            currentUser.logout();
        } catch (Exception e) {
            log.warning("Logout failed: " + e.getMessage());
        }
        return "index";
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public boolean getRememberMe() {
        return rememberMe;
    }

    public void setRememberMe(boolean rememberMe) {
        this.rememberMe = rememberMe;
    }
}

You probably don’t want to really log usernames and passwords to the console :-), but it’s helpful when you’re learning how things are hanging together. The core part of the deal is the authenticate() method. In here, you’re doing a Shiro authenticate using the standard API hooks.
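To see the Shiro calls behind authenticate() and logout() on their own, here is an added stand-alone example (not code from the post): it builds a SecurityManager from an in-memory ini using only shiro-core, so it runs from main() without a servlet container, JSF or shiro-web. The ini text, the ShiroLoginDemo class name and the role assignment on the admin user are constructed for this example; the [main] filters and [urls] from the post's shiro.ini are left out because they need a web application.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

/**
 * Stand-alone exercise of the Shiro API used by LoginController (Shiro 1.x, shiro-core only).
 */
public class ShiroLoginDemo {

    // Constructed ini (not the post's file). The comma-separated list after the
    // password is what grants roles; "admin = secret" alone grants none.
    private static final String INI =
            "[users]\n" +
            "admin = secret, admin\n" +
            "[roles]\n" +
            "admin = *\n";

    /** Build a SecurityManager from INI and install it as the JVM-wide one. */
    public static void bootstrap() {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityManager securityManager = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(securityManager);
    }

    /**
     * Same flow as authenticate() in the post, with two changes worth keeping in a
     * real controller: the password is never written to the log, and the caller
     * sees one generic outcome whether the account was unknown or the password
     * wrong (the exact cause, e.g. UnknownAccountException or
     * IncorrectCredentialsException, is only logged server-side).
     */
    public static boolean login(String username, String password, boolean rememberMe) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe); // no effect here: no cookie manager outside a web app
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            return true;
        } catch (AuthenticationException e) {
            System.out.println("login failed for '" + username + "': " + e.getClass().getSimpleName());
            return false;
        } finally {
            token.clear(); // zeroes the password array held by the token
        }
    }

    public static void main(String[] args) {
        bootstrap();
        System.out.println(login("admin", "wrong", false));   // known account, wrong password
        System.out.println(login("nobody", "secret", false)); // unknown account
        System.out.println(login("admin", "secret", true));   // correct credentials

        Subject currentUser = SecurityUtils.getSubject();
        System.out.println(currentUser.isAuthenticated());
        System.out.println(currentUser.getPrincipal());
        System.out.println(currentUser.hasRole("admin"));

        currentUser.logout(); // what LoginController.logout() does
        System.out.println(currentUser.isAuthenticated());
    }
}
```

Outside a web application SecurityUtils.getSubject() binds the Subject to the current thread, so the same Subject is returned across the three login attempts; a failed attempt leaves it unauthenticated and a later successful one authenticates it in place.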

I’ve also put together a logout() method above too. Helpful when testing your cookies out :-). I call this from the protected.xhtml page via a commandButton to force the logout:

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html">
<h:head>
    <title>Secret Page</title>
</h:head>
<h:body>
    This is a super secret page.
    <h:form>
        <h:commandButton action="#{loginController.logout()}" value="Logout"/>
    </h:form>
</h:body>
</html>

So there you have it! Shiro integration with JSF turns out to be pretty straightforward once you're aware of that PassThruAuthenticationFilter trick! Next on my explore list is to get Shiro DB realm integration happening with JPA2! Should be some interesting CDI challenges there…

Once again, if you’d like to take it for a spin, I’ve deployed it to the JBoss cloud to see what that experience was like (very straightforward so far, topic for another post). Also good to know that Shiro runs fine on cloud services!

Edit: Even better if you use WebUtils to remember the page that was being intercepted when the user was sent to login as discussed here.

Something like this would do the trick….

// Extra imports needed for this version of authenticate():
// import javax.servlet.http.HttpServletRequest;
// import javax.servlet.http.HttpServletResponse;
// import org.apache.shiro.web.util.WebUtils;

log.info("Submitting login with username of " + username
        + " and password of " + password);
try {
    currentUser.login(token);
    FacesContext fc = FacesContext.getCurrentInstance();
    HttpServletRequest request = (HttpServletRequest) fc.getExternalContext().getRequest();
    HttpServletResponse response = (HttpServletResponse) fc.getExternalContext().getResponse();
    // Send the user to the page the authc filter intercepted, or to the fallback if there is none
    String fallbackUrl = "/index.xhtml";
    WebUtils.redirectToSavedRequest(request, response, fallbackUrl);
    // The redirect is already written, so tell JSF not to render a view on top of it
    fc.responseComplete();
    return null;
} catch (Exception e) {
    // Could catch a subclass of AuthenticationException if you like
    FacesContext.getCurrentInstance().addMessage(null,
            new FacesMessage("Login Failed: " + e.getMessage(), e.getMessage()));
    return "/login";
}

Happy JSF/Shiro-ing!