Apache Shiro: How would you manage Users?

I want to use Shiro in my next web project, but I don't know a good (if not the best) user-management strategy ([users] in shiro.ini).

  • Is it better to create a Shiro user for each registered member?
  • Or create only one Shiro user, so that each member is simply stored in some database and gets access through this one Shiro user?

If you go with #1, how would you manage or automate it? Most of the projects I have worked on chose #2.

Thanks

+6
5 answers
  • Configuring users in shiro.ini is not a good option for a production environment. It can only be used if you have a small number of user accounts and you do not need to create or modify accounts at runtime. It is mainly used for testing.
  • For almost all projects, it is better to use some storage for all user accounts. It can be a database or some external authentication mechanism, for example LDAP, CAS or even OAuth.
+10

You can simply use Stormpath as your user/group store. Go to the Shiro integration and boom, an instant user/group data store for your applications with a full management interface and Java SDK.

It even helps automate things like forgot-password and email. It is free for many uses. As an example, see the Shiro sample application using Stormpath.

+3

Shiro provides several ways to configure users. Take a look at the possible Realm configurations here.

If none of them meets your needs, you can even write a custom Realm for your application, which can, for example, retrieve user information from a NoSQL database, retrieve it from a SAML response, or use OAuth2. It is definitely not recommended to put any user data in shiro.ini in production. To give an idea of what user realms might look like, here is an example where I created SAML2-based authc and authz: shiro-saml2.

0

Please do not use only one user for all. Avoid this option. It is much better to use one Shiro user for each user.

In a broad sense, you can have an RDBMS Realm, which allows you to use a simple database like MySQL to store your users/accounts/permissions. :)

Clone this project (it's not mine) and get started in 1 minute! :) shiro/mysql GIT example. Enjoy this :)

0

Shiro lets you implement your own realm as per your requirements.

Create a simple realm where you can manage members, logins, permissions, and roles. You can use JDBC, Hibernate, or any other authentication method to manage them.

Set this realm in your ini or by any other method that you use in your project.

Now Shiro will automatically call the methods of your realm class to look up credentials, permissions, and roles.

In my case I use Hibernate. I used my Hibernate code to manage users in my DB.

import java.util.logging.Logger;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * @author Ankit
 */
public class PortalHibernateRealm extends AuthorizingRealm {

    private static final Logger LOGGER = Logger.getLogger(PortalHibernateRealm.class.getName());

    public PortalHibernateRealm() {
        super();
        /*
         * Set the credentials matcher on object creation
         */
        setCredentialsMatcher(new CredentialsMatcher() {
            @Override
            public boolean doCredentialsMatch(AuthenticationToken arg0, AuthenticationInfo arg1) {
                UsernamePasswordToken token = (UsernamePasswordToken) arg0;
                String username = token.getUsername();
                String password = new String(token.getPassword());
                /* Check the submitted credentials against the stored ones (arg1.getCredentials())
                 * and return true only if they are valid; this placeholder rejects every login */
                return false;
            }
        });
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        Long userId = (Long) principalCollection.getPrimaryPrincipal();
        // Using this principal, load the user's roles and permissions and add them to the info
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        /*
         * Using this token, load the account from the database, e.g.
         *   User user = UserUtil.findByEmail(token.getUsername());
         * and build the SimpleAuthenticationInfo from the stored primary principal
         * (the user id), the stored password and this realm's name
         */
        Long primaryPrincipal = null;   // user.getId()
        String storedPassword = null;   // user.getPassword()
        if (primaryPrincipal == null) {
            throw new UnknownAccountException("No account found for " + token.getUsername());
        }
        return new SimpleAuthenticationInfo(primaryPrincipal, storedPassword, getName());
    }
}
0
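A complete version of the realm sketched in this answer, added here as an example (it is not the answerer's code and assumes Shiro 1.x): an in-memory map stands in for the users table, registration stores a random salt and an iterated SHA-256 hash rather than the password, and Shiro's own HashedCredentialsMatcher does the comparison that the hand-written matcher above leaves unimplemented. The class, account and role names are constructed.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;

public class HashedAccountRealm extends AuthorizingRealm {
    private static final int ITERATIONS = 100_000;
    private static class Account { String hash; ByteSource salt; String role; }
    // Constructed in-memory stand-in for the users table; a real realm queries it via Hibernate or JDBC
    private final Map<String, Account> accounts = new HashMap<>();
    public HashedAccountRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher); // Shiro re-hashes the submitted password with the stored salt and compares
    }
    // Registration: persist a random per-user salt and an iterated hash, never the password itself
    public void register(String username, String password, String role) {
        Account a = new Account(); a.role = role;
        a.salt = new SecureRandomNumberGenerator().nextBytes();
        a.hash = new Sha256Hash(password, a.salt, ITERATIONS).toHex();
        accounts.put(username, a);
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
        String username = ((UsernamePasswordToken) t).getUsername();
        Account a = accounts.get(username);
        if (a == null) throw new UnknownAccountException("no account: " + username);
        return new SimpleAuthenticationInfo(username, a.hash, a.salt, getName()); // matcher compares hashes
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Account a = accounts.get((String) principals.getPrimaryPrincipal());
        return new SimpleAuthorizationInfo(a == null ? Collections.<String>emptySet() : Collections.singleton(a.role));
    }
    public static void main(String[] args) {
        HashedAccountRealm realm = new HashedAccountRealm();
        realm.register("alice", "correct horse battery staple", "member"); // constructed account
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("alice has role member: " + subject.hasRole("member"));
    }
}
```

A wrong password makes the matcher reject the login with an IncorrectCredentialsException, and an unknown username raises UnknownAccountException before any hashing is done.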

Source: https://habr.com/ru/post/943718/
