Implementing authorization
The preceding section shows you how to implement authentication—making sure that users are prompted for username and password. But in many cases, you want more than just knowing who your users are. This section describes how to implement authorization to limit what various users can do with the application.
Can I see some ID, please?
The simplest type of authorization is to divide the application into a public part that can be accessed by anyone and an authorized part that is only accessible to users with a valid username and password.
To implement this, you simply configure the [urls] section of the shiro.ini file. This section is evaluated in the order it is written, so you can place your publicly accessible pages first and assign the anon filter to these. This filter means that everyone can access those URLs, logged in or not. Below your specifically public pages, place a URL pattern that secures the rest of the application. This could look like this:
[urls]
/faces/welcome...
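The following is an added, complete [urls] section written for this page to show the ordering rule described above; it is not the book's own configuration. The page paths (/faces/welcome.xhtml, /faces/login.xhtml, /resources/**) are assumed names for illustration, while anon, authc and the authc.loginUrl setting are standard Shiro features.

```ini
# Added example (not from the book). Paths are assumed, illustrative names.

[main]
# The authc filter sends unauthenticated requests here instead of
# returning the protected page.
authc.loginUrl = /faces/login.xhtml

[urls]
# Patterns are evaluated top to bottom; the FIRST matching pattern decides
# which filter chain handles the request, so the public entries must come
# before the catch-all below.
/faces/welcome.xhtml = anon
/faces/login.xhtml   = anon
/resources/**        = anon

# Everything not matched above requires an authenticated session.
/** = authc
```

The order matters in both directions: if "/** = authc" were placed at the top, it would match every request first and the anon lines would never be reached, so even the login page would demand a login. Conversely, a public pattern that is broader than intended (for example "/faces/**" = anon) silently exposes every page under that prefix, so each anon entry should be as specific as possible and the catch-all should always be the last line of the section.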