Apache Shiro support for Mule


Have you seen Apache Shiro yet? It may not be the sexiest thing on the block, but this little framework is quite nice. It provides a very robust yet easy-to-use security mechanism out of the box. Why yet another security framework? There are two reasons that it appealed to me:

  • It is the only security framework out there that I’ve seen that actually has a nice generic permissions framework. In addition to working with the basic role/permission model, it also includes support for wildcard and object permissions, allowing you to lock down your application at a fine-grained level.
  • It is extremely easy to understand and use. No complex magic, just a few important concepts which are clearly outlined in the documentation.

I took a stab at integrating it with Mule recently and the result is up on GitHub.

Using Shiro with Mule

Using it is pretty simple. First off, you need to declare your basic Shiro security setup:

[GitHub Gist 764025 (embed unavailable)]

There are a couple items that should be explained here:

  • The Shiro realm – Realms in Shiro map to the databases, property files, etc. where your users are stored. Shiro contains out-of-the-box support for JDBC, LDAP, and text files. I’ve created my users in the XML file (very handy for testing) using the TextDefinitionRealm. The userDefinitions property contains a list of users with their password and role. The roleDefinitions property contains a list of roles and the permissions that they imply.
  • The Shiro SecurityManager – this is what instantiates Shiro and holds all the realms with which Shiro can do authentication.
  • The Mule security manager definition – we’re simply telling Mule to use the Shiro SecurityManager here.
  • The Shiro bean post processor – this inits/destroys all the Shiro beans properly.

Next up, you can implement authentication or authorization using security filters:

[GitHub Gist 764027 (embed unavailable)]

The basic-security-filter will perform authentication against your Shiro realm using HTTP Basic authentication. If the authentication fails, you’ll get an HTTP 401 response code. The second interceptor, authorization-filter, will check that the user has the specified permissions (“write” in this case). If the authorization fails, you’ll get an HTTP 405 response code.
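The two decisions these filters enforce, reproduced directly against Shiro's Java API as an added example (not the module's code or the contents of the gists). It assumes the text realm is Shiro's `TextConfigurationRealm`, uses constructed users and roles, and treats 200 as the success code; the class `ShiroDecisionDemo` and the method `decide` are hypothetical names.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.TextConfigurationRealm;
import org.apache.shiro.subject.Subject;

public class ShiroDecisionDemo {

    // Mirrors the two checks in order: authenticate, then test one permission.
    // 401 and 405 are the codes the post reports; 200 for success is an assumption.
    static int decide(SecurityManager sm, String user, String password, String permission) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
        } catch (AuthenticationException e) {
            return 401; // unknown user or wrong password
        }
        try {
            return subject.isPermitted(permission) ? 200 : 405;
        } finally {
            subject.logout(); // drop the session created by login
        }
    }

    public static void main(String[] args) {
        TextConfigurationRealm realm = new TextConfigurationRealm();
        // Constructed accounts, one per line: user = password, role[, role...]
        realm.setUserDefinitions("admin = adminpw, administrator\n"
                + "carol = carolpw, author\n"
                + "dave = davepw, reader");
        // One role per line: role = permission[, permission...]
        // "*" is a wildcard permission that implies every other permission.
        realm.setRoleDefinitions("administrator = *\n"
                + "author = read, write\n"
                + "reader = read");
        realm.init(); // parses the definitions; in Spring the bean post processor calls this

        SecurityManager sm = new DefaultSecurityManager(realm);
        String[][] requests = {
            {"admin", "adminpw"}, {"carol", "carolpw"}, {"dave", "davepw"}, {"dave", "guess"}
        };
        for (String[] r : requests) {
            System.out.println(r[0] + " -> " + decide(sm, r[0], r[1], "write"));
        }
    }
}
```

Plaintext passwords in the realm definition are only suitable for testing, as the post notes for its XML-defined users.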

And now you have easy authentication and authorization in your Mule configuration! Enjoy the module; I'm looking forward to your feedback!

NOTE: During the implementation of this, I made some changes to make authorization much cleaner inside Mule. These changes didn’t make it into the about-to-be-announced 3.1.0 release. As a result, if you’re going to use the Shiro integration, you’ll need to use Mule 3.2.0-SNAPSHOT for the time being. (Scroll to the bottom of the Mule ESB download page for the Mule 3.2.0 SNAPSHOT.)


6 Responses to “Apache Shiro support for Mule”

  1. Hi Dan,

    Great writeup – thanks for sharing. As for the line – is that Shiro’s IniShiroFilter? Or a Mule-specific component?


    Les Hazlewood
    Founder, CTO – Katasoft, Inc.
    (Apache Shiro team member)

  2. Ah – I just saw your follow up on the mailing list – it is not a ServletFilter, so it would be a Mule-specific filter. Thanks for clarifying!


  3. What is the url that provides the shiro namespace?

  4. Hi,
    Is it possible to publish a complete example with source code for people who are getting started with Mule ESB? I would like to use Shiro with Mule in a REST environment.


  5. Is there a flow var/property set with the user role after the Shiro authorization filter? I want to use it further to direct the flow based on the role value.