I am happy to announce the 0.8.0-RC1 release of our Stormpath-Shiro integration.
This release builds on top of the recent Apache Shiro 1.4.0-RC2 release.

The 1.4.0 Apache Shiro release adds a handful of great features:

Of course that’s not all, in the Stormpath integration we have:

I’ll cover most of these new features in upcoming blog posts, but for today let’s jump into string interpolation.

String Interpolation

This is one of those things that you know either by this term or another (substitution, filtering, etc.). Basically, it comes down to evaluating a string containing one or more placeholders.
For example, in the Java world, the most common placeholder looks something like this: ${keyName}. Many Java tools and libraries use this format: Apache Maven, Gradle, Spring, Groovy, etc.

Enabling string interpolation in Apache Shiro is as simple as including a Maven dependency (or the equivalent in Gradle):

This step is not needed for the stormpath-shiro-servlet-plugin, as this dependency is included by default.

Out of the box, system properties, environment variables, and Java constants are available for use.

Using the following shiro.ini example, we can replace the environment-specific values with placeholders.

Using the system properties dbDriver, dbHost, and dbName, we end up with a shiro.ini that looks like:

You can even set a default value, since we are just using the Apache Commons Configuration library.
Taking this example one step further, we can also define a default value for dbDriver:

Personally, I prefer system properties over environment variables (as they are not inherited by forked processes), but those would work too:

Java constants are handled slightly differently: they need to be prefixed with const, so for java.nio.charset.StandardCharsets.UTF_8, you end up with ${const:java.nio.charset.StandardCharsets.UTF_8}.

Easy enough. Now you can safely commit your shiro.ini file to source control and not worry about protecting your secrets or dealing with differences between environments.

A couple of final points:

  • Do not confuse the ${key} notation with Shiro’s $variable.
    They work on the same concept, but the first example is a string, and the latter is an object defined in a shiro.ini; in the above example, $ds is a JDBC DataSource.
  • We recommend against storing passwords in System Properties.
  • If you are using the stormpath-shiro-servlet-plugin you can also use any of the stormpath.* properties, for an example, see the default config.
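
Before committing a shiro.ini, it is worth checking that every secret-bearing key really is a ${key} placeholder and not a literal or a mistyped $variable. The following check is an added example, not part of the original post or of Shiro or Stormpath; the key-name pattern, the sample file, and the class and property names in it are assumptions made for illustration.

```python
import re

# Key-name fragments treated as secret-bearing (assumption; tune per project).
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|apikey", re.IGNORECASE)
PLACEHOLDER = re.compile(r"\$\{[^{}]+\}")        # ${key} or ${const:pkg.Class.FIELD}
OBJECT_REF = re.compile(r"\$[A-Za-z_][\w.]*")    # Shiro's $variable object reference


def audit_shiro_ini(text):
    """Return (line_no, key, reason) for each secret-bearing key that is not
    supplied purely through a ${...} placeholder."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue                              # blank, comment, or [section]
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not SENSITIVE_KEY.search(key):
            continue
        if PLACEHOLDER.fullmatch(value):
            continue                              # value is injected at startup
        if OBJECT_REF.fullmatch(value):
            reason = "$variable is an object reference, not a ${key} placeholder"
        elif PLACEHOLDER.search(value):
            reason = "literal text mixed with a placeholder"
        else:
            reason = "literal value committed in the file"
        findings.append((line_no, key, reason))
    return findings


# Constructed sample; class and property names are illustrative only.
SAMPLE_INI = """\
[main]
ds = com.example.ExampleDataSource
ds.serverName = ${dbHost}
ds.databaseName = ${dbName}
ds.user = app
ds.password = hunter2
ds.trustStorePassword = $trustStorePassword
ds.apiToken = ${apiToken}
jdbcRealm.dataSource = $ds
"""

if __name__ == "__main__":
    for line_no, key, reason in audit_shiro_ini(SAMPLE_INI):
        print(f"shiro.ini:{line_no}: {key}: {reason}")
```

Run as a pre-commit or CI step, a non-empty result should fail the build; the legitimate object reference `jdbcRealm.dataSource = $ds` is not flagged because its key is not secret-bearing.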