Information Security 24 min read

Designing Microservice Permission Control with Shiro and Redis Session Sharing

This article explains how to design microservice permission control using Apache Shiro, sharing session data via Redis, outlines failed approaches, presents a workable solution with custom cache and session managers, and provides complete code examples for realms, configuration, and login flow.


The author introduces the need for fine‑grained permission control in a microservice project and compares two popular frameworks, Shiro and Spring Security, ultimately choosing Shiro for its lightweight nature.

Two naive integration ideas are examined and discarded: (1) placing Shiro and the API gateway in the same service, which creates a circular dependency between authentication and user data, and (2) sharing a single Shiro configuration module across all services, which fails because the user service cannot locate the required Shiro providers.

The final design separates the user service from the Shiro module, creates a dedicated Shiro instance for the user service, and shares session information through Redis. The project structure includes common modules (common-core, common-cache, common-auth) and individual services such as gateway-service, user-api, user-provider-service, user-consumer-service, video-api, and video-consumer.

Key implementation details:

Custom Redis client (JedisClient) with connection pooling, get/set methods, and session cleanup.

Custom cache implementation (MyCache) that serializes Shiro SimpleSession objects to byte arrays before storing them in Redis.

Custom CacheManager (MyCacheManager) registered via META-INF/spring.factories for automatic Spring Boot configuration.

Shiro realm (UserRealm) that fetches roles and permissions from the user service and performs authentication.

Spring configuration (ShiroConfig) defines beans for ShiroFilterFactoryBean, DefaultWebSecurityManager, a custom DefaultWebSessionManager with a shared cookie, and the necessary advisors to enable the @RequiresRoles and @RequiresPermissions annotations.
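The cache and cache-manager items above are the piece that actually puts sessions into Redis. The following is an added illustration, not the article's MyCache/MyCacheManager code: a Shiro Cache and CacheManager written against the Shiro 1.x org.apache.shiro.cache interfaces and the Jedis client. The class names, the "shiro:<cacheName>:" key prefix and the server-side TTL are assumptions made here; the article's own classes may differ.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheException;
import org.apache.shiro.cache.CacheManager;
import redis.clients.jedis.Jedis;
import redis.clients.jedis.JedisPool;

/** Illustrative CacheManager (stand-in for the article's MyCacheManager): one Redis-backed cache per name. */
public class RedisCacheManager implements CacheManager {
    private final JedisPool pool;
    private final int ttlSeconds;

    public RedisCacheManager(JedisPool pool, int ttlSeconds) {
        this.pool = pool;
        this.ttlSeconds = ttlSeconds;
    }

    @Override
    public <K, V> Cache<K, V> getCache(String name) throws CacheException {
        return new RedisShiroCache<>(pool, name, ttlSeconds);
    }
}

/** Shiro Cache whose values (e.g. SimpleSession) are Java-serialized into Redis under a namespaced key. */
class RedisShiroCache<K, V> implements Cache<K, V> {
    private final JedisPool pool;
    private final String prefix;   // "shiro:<cacheName>:" keeps different Shiro caches from colliding
    private final int ttlSeconds;  // Redis-side expiry so abandoned sessions do not accumulate; 0 = none

    RedisShiroCache(JedisPool pool, String name, int ttlSeconds) {
        this.pool = pool;
        this.prefix = "shiro:" + name + ":";
        this.ttlSeconds = ttlSeconds;
    }

    private byte[] key(Object k) { return (prefix + k).getBytes(StandardCharsets.UTF_8); }

    private static byte[] serialize(Object value) {
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
            oos.flush();
            return bos.toByteArray();
        } catch (IOException e) { throw new CacheException(e); }
    }

    // Only bytes this application wrote are read back. Redis must therefore not be writable by
    // untrusted parties: Java deserialization of attacker-controlled bytes is a code-execution risk.
    @SuppressWarnings("unchecked")
    private static <T> T deserialize(byte[] bytes) {
        if (bytes == null) return null;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (T) ois.readObject();
        } catch (IOException | ClassNotFoundException e) { throw new CacheException(e); }
    }

    @Override
    public V get(K k) throws CacheException {
        try (Jedis j = pool.getResource()) { return deserialize(j.get(key(k))); }
    }

    @Override
    public V put(K k, V v) throws CacheException {
        try (Jedis j = pool.getResource()) {
            V previous = deserialize(j.get(key(k)));
            byte[] bytes = serialize(v);
            if (ttlSeconds > 0) j.setex(key(k), ttlSeconds, bytes); else j.set(key(k), bytes);
            return previous; // Shiro touches the session on every access, so the TTL is refreshed with it
        }
    }

    @Override
    public V remove(K k) throws CacheException {
        try (Jedis j = pool.getResource()) {
            V previous = deserialize(j.get(key(k)));
            j.del(key(k));
            return previous;
        }
    }

    @Override
    public void clear() throws CacheException {
        try (Jedis j = pool.getResource()) {
            Set<String> ks = j.keys(prefix + "*");
            if (!ks.isEmpty()) j.del(ks.toArray(new String[0])); // DEL with zero keys is a Redis error
        }
    }

    @Override
    public int size() { return keys().size(); }

    // KEYS is O(N) and blocks the Redis server; acceptable for a demo, use SCAN or an index set in production.
    @Override
    @SuppressWarnings("unchecked")
    public Set<K> keys() {
        try (Jedis j = pool.getResource()) {
            Set<K> out = new HashSet<>();
            for (String full : j.keys(prefix + "*")) out.add((K) full.substring(prefix.length()));
            return out;
        }
    }

    @Override
    public Collection<V> values() {
        try (Jedis j = pool.getResource()) {
            List<V> out = new ArrayList<>();
            for (String full : j.keys(prefix + "*")) {
                V v = deserialize(j.get(full.getBytes(StandardCharsets.UTF_8)));
                if (v != null) out.add(v);
            }
            return out;
        }
    }
}
```

Shiro's EnterpriseCacheSessionDAO asks its CacheManager for a cache named by its activeSessionsCacheName and stores every SimpleSession there, so registering this manager on the session DAO (and on the security manager, so realm authorization results are cached too) is what moves session state off the individual service's heap and into Redis where every service can read it.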

The login endpoint creates a UsernamePasswordToken and invokes Subject.login(). After successful authentication, the session ID is stored in a cookie, allowing other microservices (e.g., video-consumer) to retrieve the same session from Redis and enforce role-based access control.
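The realm, the shared-cookie session manager and the login flow described above, as an added example that is not the article's UserRealm/ShiroConfig code. It uses the public Shiro 1.x web APIs; the UserClient interface standing in for the call to user-provider-service, the cookie name SHARED_SESSION_ID, the SHA-256 credentials matcher and the 30-minute timeout are assumptions made here, and the CacheManager passed in is whatever Redis-backed manager the service registers.

```java
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/** Hypothetical client for user-provider-service; the article's actual lookup code is not reproduced here. */
interface UserClient {
    final class UserRecord {
        final String username, passwordHash, salt;
        UserRecord(String username, String passwordHash, String salt) {
            this.username = username; this.passwordHash = passwordHash; this.salt = salt;
        }
    }
    UserRecord findByUsername(String username);   // null when the account does not exist
    Set<String> rolesOf(String username);
    Set<String> permissionsOf(String username);
}

/** Realm that verifies salted password hashes and loads roles/permissions from the user service. */
public class UserRealm extends AuthorizingRealm {
    private final UserClient users;

    public UserRealm(UserClient users) {
        this.users = users;
        // Shiro hashes the submitted password with the stored salt and compares; plaintext is never stored.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(1024);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(users.rolesOf(username));                   // consulted by @RequiresRoles
        info.setStringPermissions(users.permissionsOf(username)); // consulted by @RequiresPermissions
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        UserClient.UserRecord u = users.findByUsername(username);
        if (u == null) return null; // Shiro converts a null result into UnknownAccountException
        return new SimpleAuthenticationInfo(u.username, u.passwordHash, ByteSource.Util.bytes(u.salt), getName());
    }
}

/** Wiring each service repeats with the same cookie so all of them resolve the same Redis-held session. */
class SharedSessionWiring {
    static final String COOKIE_NAME = "SHARED_SESSION_ID"; // assumed; the article does not state its cookie name

    static DefaultWebSessionManager sessionManager(CacheManager redisCacheManager) {
        SimpleCookie cookie = new SimpleCookie(COOKIE_NAME);
        cookie.setHttpOnly(true); // not readable by page scripts
        cookie.setSecure(true);   // only sent over TLS
        cookie.setPath("/");      // one cookie for the gateway and every service behind it

        EnterpriseCacheSessionDAO dao = new EnterpriseCacheSessionDAO();
        dao.setCacheManager(redisCacheManager); // sessions are persisted through the Redis-backed Shiro cache

        DefaultWebSessionManager sm = new DefaultWebSessionManager();
        sm.setSessionDAO(dao);
        sm.setSessionIdCookie(cookie);
        sm.setSessionIdCookieEnabled(true);
        sm.setSessionIdUrlRewritingEnabled(false); // never expose the session id in URLs
        sm.setGlobalSessionTimeout(30L * 60 * 1000);
        return sm;
    }

    static DefaultWebSecurityManager securityManager(UserRealm realm, DefaultWebSessionManager sm, CacheManager cm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(realm);
        manager.setSessionManager(sm);
        manager.setCacheManager(cm);
        return manager;
    }

    /** Login flow: on success Shiro creates the session and sets the shared cookie on the response. */
    static Subject login(String username, char[] password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token); // throws AuthenticationException on bad credentials or unknown account
            return subject;
        } finally {
            token.clear(); // zero the password array once Shiro has consumed it
        }
    }
}
```

In a Spring Boot service these three factory methods become the @Bean methods of a ShiroConfig class; the point of sharing is that every service constructs its session manager with the same cookie name and path and the same CacheManager, so a session created by the user service's login endpoint is found by id in Redis when video-consumer evaluates an @RequiresRoles check.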

Testing demonstrates that unauthenticated requests are redirected to Shiro’s login page, authenticated users can access protected endpoints, and role checks work across services when the user has the required role. The shared session mechanism enables seamless permission enforcement in a distributed architecture.

Overall, the article provides a complete, production‑ready guide for implementing centralized authentication and authorization in a Java microservice ecosystem using Shiro, Redis, and Spring Boot.

Tags: Java, Microservices, Redis, Spring Boot, authorization, shiro
Written by Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
