Apache Shiro: How would you manage Users?

Quirino Gervacio · Apr 26, 2013 · Viewed 7.3k times

I want to use Shiro on my next web project but I do not know a good (if not the best) strategy to manage users ([users] in shiro.ini).

  1. Is it best to create a Shiro user for every registered member?
  2. Or create a single Shiro user, then for every member just store it to some database and access it via that Shiro user?

If you would go for #1, how would you manage/automate it? Most of the projects I worked on opted for #2.

Thanks

Answer

sody · Apr 27, 2013
  1. Configuring users in shiro.ini is not a good option for a production environment. It can be used only if you have a small number of user accounts and you don't need to create or change accounts at runtime. It is mostly used for testing.
  2. It is better for almost all projects to use some storage to keep all user accounts. It can be a database or some external authentication engine, like LDAP, CAS or even OAuth.
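
The two options from the answer, side by side in shiro.ini, as an added example that is not part of the original answer: the static `[users]` form (commented out) and a database-backed `JdbcRealm`. The table and column names, the JDBC URL, the credentials and the use of Commons DBCP2 as the connection pool are assumptions for illustration.

```ini
# --- Test-only form: accounts are fixed in the file ---------------------
# Every change needs an edit and a restart, and the password sits in the
# file in plain text unless a hashing credentials matcher is configured.
# [users]
# alice = constructed-test-password, admin
# [roles]
# admin = *

# --- Production form: accounts live in a database -----------------------
[main]
# Connection pool (assumed: Apache Commons DBCP2 is on the classpath).
dataSource = org.apache.commons.dbcp2.BasicDataSource
dataSource.driverClassName = org.postgresql.Driver
dataSource.url = jdbc:postgresql://db.example.internal:5432/appdb
# Assumed account: read-only on the auth tables, not the schema owner.
dataSource.username = shiro_ro
dataSource.password = REPLACE_WITH_DEPLOYMENT_SECRET

# Compares the submitted password with the stored hash, so the password
# column must hold output of Shiro's PasswordService (written by the
# registration code), never the plain-text password.
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.credentialsMatcher = $passwordMatcher
# Role-to-permission lookup is off by default in JdbcRealm.
jdbcRealm.permissionsLookupEnabled = true
# Assumed schema (these match JdbcRealm's default queries). The queries
# are parameterized, so the username is never concatenated into the SQL.
jdbcRealm.authenticationQuery = SELECT password FROM users WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_name FROM user_roles WHERE username = ?
jdbcRealm.permissionsQuery = SELECT permission FROM roles_permissions WHERE role_name = ?

securityManager.realms = $jdbcRealm
```

With this in place, registering a member is an `INSERT` into the `users` table with the hashed password, and no `[users]` section is needed.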