From Shiro documentation: http://shiro.apache.org/configuration.html#Configuration-%5Cusers%5C

The [users] section allows you to define a static set of user accounts. This is mostly useful in environments with a very small number of user accounts or where user accounts don't need to be created dynamically at runtime. Here's an example:

As you can see, the documentation clearly states that specifying users / roles in shiro.ini is not meant to be used in a dynamic environment, which is what you have. On the other hand Jdbc/Custom realm or Stormpath is precisely for that account. The portion of the documentation you are reading is for “quick start” only.

> On Jan 28, 2016, at 4:06 PM, midiman <[email protected]> wrote:
>
> Hi,
> Many thanks for the clarification to use JDBC/StormPath etc. I suppose there
> must be some implementation reason for having ini being treated differently.
> From a security perspective, there's no real difference between a back-end
> jdbc connector and an ini file. Without some strong encryption, they're both
> as insecure as each other.
> Thanks for your help!
> Peter
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Change-Shiro-configuration-at-runtime-tp7580921p7580931.html
> Sent from the Shiro User mailing list archive at Nabble.com.
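
The two approaches contrasted in this thread, side by side in one shiro.ini. This is an added example, not part of the original messages or the Shiro documentation. The JNDI name, the user name and the password placeholder are assumptions; the three queries are JdbcRealm's defaults written out.

```ini
# --- Static accounts: the quick-start [users] form (left commented out) ---
# These entries are read when shiro.ini is loaded, so a new account is not
# visible to the application until the configuration is loaded again.
# [users]
# alice = <password-placeholder>, admin
# [roles]
# admin = *

# --- Accounts kept in a database and read through JdbcRealm ---
[main]
# assumption: the container exposes a DataSource under this JNDI name
dataSource = org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName = java:comp/env/jdbc/appUsers

# Compare the submitted password with a stored hash created by Shiro's
# PasswordService, instead of storing and comparing plaintext.
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.credentialsMatcher = $passwordMatcher

# JdbcRealm's default queries, shown explicitly. They run at login and at
# authorization time, so rows added to these tables are picked up without
# touching shiro.ini (subject to any authorization cache you configure).
jdbcRealm.authenticationQuery = select password from users where username = ?
jdbcRealm.userRolesQuery = select role_name from user_roles where username = ?
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.permissionsQuery = select permission from roles_permissions where role_name = ?

# Use only the JDBC realm; no [users] section is needed with it.
securityManager.realms = $jdbcRealm
```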
