Need help with shiro-jwt?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

123 Stars 52 Forks MIT License 24 Commits 4 Opened issues

Services available


Need anything else?

Contributors list

# 369,479
21 commits
# 15,567
1 commit


Shiro-jwt is a library that allows to use apache shiro with JWT (Json Web Tokens).


  • shiro-core: Shiro core module
  • shiro-web: Shiro web module
  • pax-shiro-cdi-web: Shiro CDI integration
  • nimbus-jose-jwt: JWT library

Getting Started:

We are gonna add some modifications to the tutorial: Securing Web Applications with Apache Shiro

Step 1: Enable Shiro

1a: Add a shiro.ini file

This is a traditional shiro.ini file, the important information here is the use of the JWTOrFormAuthenticationFilter. This filter receive a property (loginUrl) that will be the endpoint to do the login with an user and password. All the others endpoints are gonna be validated againts a JWT.

Also, it's important to say that there are two realms defined: - $jWTRealm JWTRealm - $formRealm FormRealm

builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager

securityManager.realms = $jWTRealm, $formRealm
securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
securityManager.cacheManager = $builtInCacheManager

passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService 
formRealm.credentialsMatcher = $passwordMatcher

tokenMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
jWTRealm.credentialsMatcher = $tokenMatcher

filterInternal = com.github.panchitoboy.shiro.jwt.filter.JWTOrFormAuthenticationFilter
filterInternal.loginUrl = /resources/test/login

/resources/** = filterInternal

1b: Enable Shiro in web.xml

The same file of the tutorial works, but it needs the CdiIniWebEnvironment to enable CDI from pax-shiro-cdi-web ```xml <?xml version="1.0" encoding="UTF-8"?>







Step 2: Implementing UserDefault and UserRepository


UserDefault is the class used to transfer information between your User Store and shiro-jwt. There are only two methods to be implemented:

public Object getPrincipal();
public Object getCredentials();


UserRepository is the class that allows the realms to search into your User Store and get the UserDefault object.

There are two key methods to be implemented:

public UserDefault findByUserId(Object userId);
public UserDefault findById(Object id);

findByUserId is used by FormRealm to get the user's information using the field userId in the json request in the login endpoint

findById is used by JWTRealm to get the user's information from the sub field in the JWT.

What's the difference between the two methods?

The difference is the information that you stock in the field sub in the JWT. If you chose to use the same id that you received in findByUserId (exammple: email address) both methods must be the same. But, if you decide to use another information (example: numeric primary key of the user in the database) you have to implement a specific way to search the user.

Step 3: Generate tokens

UserRepository.createToken has a default implementation to generate the tokens. You can adapt it for you convenience.

Step 4: Log in

To log in using the FormRealm you have to make a POST request in the endpoint configured in the shiro.ini file with a JsonObject with these two fields: - userId - password

The recommendation is that the response from this endpoint is the JWT to be used in the others endpoints of the application.

To log in using the JwtRealm, you have to add the JWT in the Authorization's header of your request.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.