I would certainly agree the ini file method isn't the most secure place to store roles (note I don't use it for authentication, only authorization). But the storage medium is surely independent from Shiro's reading/[re]loading of that medium. After all, a database can be hacked just as easily as an ini file. So are you saying that if I used a datastore instead of an ini file Shiro will automatically update itself when the datastore roles/permissions change within that datastore?
With regard to Realms (as opposed to config), I have noticed that the docs say a default Realm (in my case an IniRealm) is created if none is explicitly specified. But I have found that when I query the SecurityManager, there are no realms returned from getRealms() (returns null). Maybe the 'default' one is hidden (name is meant to be 'iniRealm' according to the docs for Shiro 1.2). I tried creating an explicit IniRealm in the ini file [main] section, but it failed. Maybe org.apache.shiro.realm.text.IniRealm is stopped from being loaded for some reason.

Thanks

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Change-Shiro-configuration-at-runtime-tp7580921p7580926.html
Sent from the Shiro User mailing list archive at Nabble.com.
