Apache Shiro

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. It provides a clean API for securing applications from the smallest mobile applications to the largest enterprise systems.

1 API · 5 Capabilities · 7 Features · 42.1 / 100 (thin)
Tags: Authentication, Authorization, Cryptography, Java, Security, Apache, Open Source

API Rating

42.1 / 100 (thin)
Scored 2026-05-20 · rubric v0.3
Discoverability: 80.0
Contract Quality: 59.8
Governance: 39.5
Operational Transparency: 36.8
Developer Ergonomics: 8.7
Commercial Clarity: 39.5

APIs

Apache Shiro

Shiro provides a Java API for authentication (login/logout), authorization (access control), cryptography (hashing/encryption), and session management, with support for web appl...

Capabilities

Apache Shiro REST API — Authentication

Apache Shiro REST API — Authentication. 3 operations. Lead operation: Apache Shiro Login. Self-contained Naftiko capability covering one Apache Shiro business surface.

Apache Shiro REST API — Authorization

Apache Shiro REST API — Authorization. 2 operations. Lead operation: Apache Shiro Check Permission. Self-contained Naftiko capability covering one Apache Shiro business surface.

Apache Shiro REST API — Cryptography

Apache Shiro REST API — Cryptography. 1 operation. Lead operation: Apache Shiro Hash Password. Self-contained Naftiko capability covering one Apache Shiro business surface.

Apache Shiro REST API — Sessions

Apache Shiro REST API — Sessions. 2 operations. Lead operation: Apache Shiro Get Session. Self-contained Naftiko capability covering one Apache Shiro business surface.

Apache Shiro REST API — Users

Apache Shiro REST API — Users. 2 operations. Lead operation: Apache Shiro List Users. Self-contained Naftiko capability covering one Apache Shiro business surface.

Features

Authentication

Pluggable authentication with username/password, remember-me, and token support

Authorization

Role-based and permission-based access control with wildcard permissions

Session Management

Native session management independent of HTTP containers

Cryptography

Password hashing with salt, bcrypt, Argon2, and SHA-256

Multiple Realms

JDBC, LDAP, properties file, and custom realm support

Web Integration

Filter-based web application security with URL pattern matching

Annotations

AOP and annotation-based security for method-level authorization

Use Cases

Web Application Security

Secure Java web applications with authentication and URL-based access control

REST API Security

Protect REST APIs with token authentication and permission checks

Microservice Auth

Stateless JWT authentication for microservice architectures

Admin Portal Security

Role-based admin interface with fine-grained permissions

Integrations

Spring Framework

Shiro Spring integration for bean-level security

Jakarta EE

Java EE web filter integration for servlet containers

LDAP/Active Directory

LDAP realm for enterprise user directory authentication

JDBC

Database-backed realm for user and permission storage

Hazelcast

Distributed session management with Hazelcast

Semantic Vocabularies

Apache Shiro Context

12 classes · 26 properties

JSON-LD

API Governance Rules

Apache Shiro API Rules

6 rules · 4 errors, 2 warnings

SPECTRAL

Resources

GitHubOrganization
Documentation
SpectralRules
Vocabulary
JSONLD

Sources

aid: apache-shiro
name: Apache Shiro
description: Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization,
  cryptography, and session management. It provides a clean API for securing applications from the smallest mobile applications
  to the largest enterprise systems.
type: Index
position: Consumer
access: 3rd-Party
image: https://kinlane-productions2.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
- Authentication
- Authorization
- Cryptography
- Java
- Security
- Apache
- Open Source
created: '2026-03-16'
modified: '2026-05-19'
url: https://raw.githubusercontent.com/api-evangelist/apache-shiro/refs/heads/main/apis.yml
specificationVersion: '0.19'
apis:
- aid: apache-shiro:apache-shiro
  name: Apache Shiro
  description: Shiro provides a Java API for authentication (login/logout), authorization (access control), cryptography (hashing/encryption),
    and session management, with support for web applications, REST APIs, and standalone applications.
  humanURL: https://shiro.apache.org/documentation.html
  tags:
  - Authentication
  - Authorization
  - REST
  - Apache
  - Open Source
  properties:
  - type: Documentation
    url: https://shiro.apache.org/documentation.html
  - type: OpenAPI
    url: openapi/apache-shiro-rest-api.yaml
  - type: NaftikoCapability
    url: capabilities/rest-authentication.yaml
  - type: NaftikoCapability
    url: capabilities/rest-authorization.yaml
  - type: NaftikoCapability
    url: capabilities/rest-cryptography.yaml
  - type: NaftikoCapability
    url: capabilities/rest-sessions.yaml
  - type: NaftikoCapability
    url: capabilities/rest-users.yaml
maintainers:
- FN: Kin Lane
  email: [email protected]
common:
- type: GitHubOrganization
  url: https://github.com/apache/shiro
- type: Documentation
  url: https://shiro.apache.org/
- type: SpectralRules
  url: rules/apache-shiro-spectral-rules.yml
- type: Vocabulary
  url: vocabulary/apache-shiro-vocabulary.yaml
- type: JSONLD
  url: json-ld/apache-shiro-context.jsonld
- type: Features
  data:
  - name: Authentication
    description: Pluggable authentication with username/password, remember-me, and token support
  - name: Authorization
    description: Role-based and permission-based access control with wildcard permissions
  - name: Session Management
    description: Native session management independent of HTTP containers
  - name: Cryptography
    description: Password hashing with salt, bcrypt, Argon2, and SHA-256
  - name: Multiple Realms
    description: JDBC, LDAP, properties file, and custom realm support
  - name: Web Integration
    description: Filter-based web application security with URL pattern matching
  - name: Annotations
    description: AOP and annotation-based security for method-level authorization
- type: UseCases
  data:
  - name: Web Application Security
    description: Secure Java web applications with authentication and URL-based access control
  - name: REST API Security
    description: Protect REST APIs with token authentication and permission checks
  - name: Microservice Auth
    description: Stateless JWT authentication for microservice architectures
  - name: Admin Portal Security
    description: Role-based admin interface with fine-grained permissions
- type: Integrations
  data:
  - name: Spring Framework
    description: Shiro Spring integration for bean-level security
  - name: Jakarta EE
    description: Java EE web filter integration for servlet containers
  - name: LDAP/Active Directory
    description: LDAP realm for enterprise user directory authentication
  - name: JDBC
    description: Database-backed realm for user and permission storage
  - name: Hazelcast
    description: Distributed session management with Hazelcast