Another solution is to completely ignore ini.file for access tokens and read tokens and IPs from another data source (our case database).
we have the same issue: we must give acces to users if they have token and are in allowed IP range. We did this by implementing custom shiro authenticating filter with corresponding realm StringToken code Token filter Token realm (please note that this is spring-boot-hibernate implementation Regards Armando -- Sent from: http://shiro-user.582556.n2.nabble.com/
