I think you need to poke around some more in this stuff to get a better understanding of the design. shiro.ini is not the appropriate place to keep actual user data, and Shiro isn’t designed to do this in production.
> On Jan 28, 2016, at 3:39 PM, midiman <[email protected]> wrote:
>
> I would certainly agree the ini file method isn't the most secure place to
> store roles (note I don't use it for authentication, only
> authorization).
> But the storage medium is surely independent from Shiro's
> reading/[re]loading of that medium. After all, a database can be hacked just
> as easily as an ini file.
> So are you saying that if I used a datastore instead of an ini file Shiro
> will automatically update itself when the datastore roles/permissions change
> within that datastore??
>
> With regards to Realms (as opposed to config), I have noticed that the docs say
> a default Realm (in my case an IniRealm) is created if none is explicitly
> specified. But I have found that when I query the SecurityManager, there are
> no realms returned from getRealms() (returns null). Maybe the 'default' one
> is hidden (name is meant to be 'iniRealm' according to the docs for Shiro
> 1.2).
> I tried creating an explicit IniRealm in the ini file [main] section, but it
> failed. Maybe org.apache.shiro.realm.text.IniRealm is stopped from being
> loaded for some reason.
>
> Thanks
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Change-Shiro-configuration-at-runtime-tp7580921p7580926.html
> Sent from the Shiro User mailing list archive at Nabble.com.
