Looking at your blueprint.xml file, if looks like your ShiroFilterFactoryBean doesn't ever configure the filterChainDefnitions property. This is what Shiro uses to determine exactly which Shiro filters to run requests through.
Shiro's page on Spring support (http://shiro.apache.org/spring.html) shows an example of what this might look like: <bean id="shiroFilter" class= "org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <!-- override these for application-specific URLs if you like: <property name="loginUrl" value="/login.jsp"/> <property name="successUrl" value="/home.jsp"/> <property name="unauthorizedUrl" value="/unauthorized.jsp"/> --> <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean --> <!-- defined will be automatically acquired and available via its beanName in chain --> <!-- definitions, but you can perform instance overrides or name aliases here if you like: --> <!-- <property name="filters"> <util:map> <entry key="anAlias" value-ref="someFilter"/> </util:map> </property> --> <property name="filterChainDefinitions"> <value> # some example chain definitions: /admin/** = authc, roles[admin] /docs/** = authc, perms[document:read] /** = authc # more URL-to-FilterChain definitions here </value> </property></bean>
