The upcoming Shiro 1.0 release will have improved Spring application support, especially for Spring web applications.
In Shiro-enabled Spring web apps today, there was often a hybrid configuration - you would usually define an INI-based Shiro Filter in web.xml and configure it via INI mechanisms. But often you would configure the SecurityManager and its dependencies (Realms, etc) in applicationContext.xml. In Shiro 1.0, you will be able to configure all of Shiro in your Spring files and only touch web.xml only when setting up Shiro for the first time. There are many benefits for Spring users when configuring Shiro entirely in Spring instead of in web.xml: 1) Shiro configuration can live along side where you configure the rest of your application - no need to flip back between web.xml and spring files when making configuration changes. 2) Shiro configuration can leverage Spring-specific configuration benefits, such as PropertyPlaceholderConfigurer for properties based configuration at startup, spring-managed lifecycles (init-method, destroy-method), circular dependency checks, and more. 3) Custom javax.servlet.Filters that you could use in Shiro's powerful url-pattern-based filter chain definitions can also be defined in Spring and acquired automatically at startup. The current documentation for all of this is located here: http://cwiki.apache.org/confluence/display/SHIRO/Spring Please feel free to review and offer suggestions/improvements. The mechanisms documented (using Spring's DelegatingFilterProxy and the new ShiroFilterFactoryBean) have been tested and the two spring web sample applications have been updated to use this approach. Early adopters are encouraged to use this newer support before 1.0 is released as there probably won't be any significant changes to this mechanism before then. (SecurityManager configuration might be simplified via a Spring FactoryBean as well, but that won't affect web configuration). Please give it a try and let us know what you think! Best, Les
