shiro.ini

[user]
# This is needed

[main]
# GitHub OAuth2
oauth2Config = org.pac4j.oauth.config.OAuth20Configuration
oauth2Config.scope = user
oauth2Config.key = enter_your_github_oauth_client_id
oauth2Config.secret = enter_your_github_oauth_client_secret

githubClient = org.pac4j.oauth.client.GitHubClient
githubClient.configuration = $oauth2Config

# Common

## Core
# `clients` var name cannot be changed, else will get the following in logs/zeppelin-xxx.log
# org.apache.shiro.config.UnresolveableReferenceException: The object with id [xxx] has not yet been defined and therefore cannot be referenced.  Please ensure objects are defined in the order in which they should be created and made available for future reference.
clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://localhost:8080/api/shiro/callback
clients.clients = $githubClient

# `config` var name also cannot be changed
config = org.pac4j.core.config.Config
config.clients = $clients

## Filters to protect urls
securityFilter = io.buji.pac4j.filter.SecurityFilter
securityFilter.config = $config

logoutFilter = io.buji.pac4j.filter.LogoutFilter
logoutFilter.config = $config

callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.defaultUrl = /
callbackFilter.config = $config

## Realm
realm = io.buji.pac4j.realm.Pac4jRealm
securityManager.realms = $realm

## Cache
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager

## Cookie
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true

## Session Manager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdCookie = $cookie

## Security Manager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
securityManager.cacheManager = $cacheManager

## Shiro
shiro.loginUrl = /api/login

[roles]
admin = *
user = *

[urls]
# For some reason, URLs that are not under /api/**
# are not authenticated / intercepted by Shiro.
# Therefore we need to park all login API calls under /api/shiro/*

/api/shiro/callback = callbackFilter
/api/shiro/callback* = callbackFilter
/api/shiro/logout = logoutFilter
/api/shiro/callback/** = callbackFilter
/api/shiro/logout/** = logoutFilter

/api/version = anon

# Allow all authenticated users to restart interpreters on a notebook page.
# Comment out the following line if you would like to authorize only admin users to restart interpreters.
/api/interpreter/setting/restart/** = securityFilter
/api/interpreter/** = securityFilter, roles[admin]
/api/configurations/** = securityFilter, roles[admin]
/api/credential/** = securityFilter, roles[admin]
/** = securityFilter