shiro-user mailing list archives

From Lenny Primak <>
Subject Re: Change Shiro configuration at runtime
Date Thu, 28 Jan 2016 21:46:10 GMT
I think you need to poke around some more in this stuff to get a better understanding of the
shiro.ini is not the appropriate place to keep actual user data, and Shiro isn’t designed
to do this in production.

> On Jan 28, 2016, at 3:39 PM, midiman <> wrote:
> I would certainly agree the ini file method isn't the most secure place to
> store roles (note I don't use it for authentication, only
> authorization).
> But the storage medium is surely independent from Shiro's
> reading/[re]loading of that medium. After all, a database can be hacked just
> as easily as an ini file.
> So are you saying that if I used a datastore instead of an ini file Shiro
> will automatically update itself when the datastore roles/permissions change
> within that datastore??
> With regards Realms (as opposed to config), I have noticed that the docs say
> a default Realm (in my case an IniRealm) is created if none is explicitly
> specified. But I have found that when I query the SecurityManager, there are
> no realms returned from getRealms() (returns null). Maybe the 'default' one
> is hidden (name is meant to be 'iniRealm' according to the docs for Shiro
> 1.2).
> I tried creating an explicit IniRealm in the ini file [main] section, but it
> failed. Maybe org.apache.shiro.realm.text.IniRealm is stopped from being
> loaded for some reason.
> Thanks
