Build Status Coverage Status Dependency Status

ScalatraShiro is an integration to enable the use of Apache Shiro in Scalatra Application. It is not a replacement for scalatra auth (Scentry) but extends it with a authorization layer ( roles and permissions). Also Shiro provides several implementations for persistence and integrations with SSO systems ( CAS etc.)





libraryDependencies += "com.github.sammyrulez" %% "scalatrashiro" % "1.0.2"


In order to make use of Shiro in our web application we must first define a Shiro servlet filter. Any requests that we want to secure must go through this Shiro filter.



Configure Shiro through an INI file. For complete details refer to Shiro Documentation

This is an example of minimal configuration with two users ( 'testuser' and 'admin' ) and two roles ('user' and 'admin')

[main] = rememberMe
# Create a Session Manager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Session Timeout = 1 hour (3600000 miliseconds)
securityManager.sessionManager.globalSessionTimeout = 3600000

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO

# Login URL:
user.loginUrl = /login

testUser = password, user
admin = admin, admin

user = BasicAccess
admin = *

Every controller you want to perform security checks must extends the Authentication Trait

class MainServlet extends ScalatraServlet with Authentication with ...

override protected val loginUrl: String = "/login"

You might choose to run the authorization checks in a before() filter in your controller, rather than hitting it in each action, to secure every method. As a best practice you should group routes with same access policies in one controller.

###Login and Logout

If you just have a user/password based authentication a UserAuthServlet is provided by ScalatraShiro. Just register it in your bootstrap class and point to the login/logout routes.

If you have complex / custom authentication you can use Apache Shiro authentication api directly

    val currentUser = SecurityUtils.getSubject()

    try {
      val token = // generate a  org.apache.shiro.authc.AuthenticationToken

      } catch {
            case uae: UnknownAccountException => {
            case ice: IncorrectCredentialsException => {
            case lae: LockedAccountException => {
            case ae: AuthenticationException => {

###Access control methods

You can check both roles and permissions

  • requiresAuthentication: current user must be authenticated

  • requiresRole: current user must have the role specified as parameter ( or at least one of the role if a List[String] is passed )

  • requiresAllRoles: current user must have all the roles in a List[String] specified as parameter

  • requiresPermission: current user must have the permission specified as parameter

  • requiresAllPermissions: current user must have all the permissions in a List[String] specified as parameter


Original work on Scalatra / Apache Shiro integration by Ethan Way (blog post source: