Apache Shiro Features Overview

The easiest to understand Java Security API anywhere. Class and Interface names are intuitive and make sense. Anything is pluggable but good defaults exist for everything.

Support authentication ('logins') across one or more pluggable data sources (LDAPJDBCActiveDirectoryetc).

Perform authorization ('access control') based on roles or fine-grained permissionsalso using pluggable data sources.

First-class caching support for enhanced application performance.

Built-in POJO-based Enterprise Session Management. Use in both web and non-web environments or in any environment where Single Sign On (SSO) or clustered or distributed sessions are desired.

Heterogeneous client session access. You are no longer forced to use only the <tt>httpSession</tt> or Stateful Session Beanswhich often unnecessarily tie applications to specific environments. Flash appletsC# applicationsJava Web Startand Web Applicationsetc. can now all share session state regardless of deployment environment.

Simple Single Sign-On (SSO) support piggybacking the above Enterprise Session Management. If sessions are federated across multiple applicationsthe user’s authentication state can be shared too. Log in once to any application and the others all recognize that log-in.

Secure data with the easiest possible Cryptography APIs availablegiving you power and simplicity beyond what Java provides by default for ciphers and hashes.

An incredibly robust yet low-configuration web framework that can secure any url or resourceautomatically handle logins and logoutsperform Remember Me servicesand more.

Extremely low number of required dependencies. Standalone configuration requires only <tt>slf4j-api.jar</tt> and one of slf4j’s binding .jars. Web configuration additionally requires <tt>commons-beanutils-core.jar</tt>. Feature-based dependencies (Ehcache cachingQuartz-based Session validationSpring dependency injectionetc.) can be added when needed.