Apache Shiro: How would you manage Users?

Question

I want to use Shiro on my next web project but I do not know a good (if not the best) strategy to manage users ([users] in shiro.ini).

Is it best to create Shiro user for every registered member?
Or create a single Shiro user then for every member just store it to some database and acces it via that Shiro user?

If you would go for #1, how would you manage/automate it? Most of the projects I worked on opted for #2.

Thanks

score 10 · Answer 1 · answered Apr 27 '13 at 08:49

Configuring users in shiro.ini is not a good option for production environment. It can be used only if you have a small number of user accounts and you don't need to create or change accounts at runtime. It is mostly used for testing.
It is better for almost all projects to use some storage to keep all user accounts. It can be database or some external authentication engine, like ldap, cas or even oauth.

score 3 · Answer 2 · answered May 01 '13 at 22:31

You can just use Stormpath as your user/group store. Drop in the Shiro integration and boom - instant user/group data store for Shiro-enabled applications with a full management UI and Java SDK.

It even helps automate things like 'forgot password' emails and account email verification. It's free for many usages too. You can see the Shiro sample app using Stormpath as an example.

score 0 · Answer 3 · answered Mar 21 '14 at 23:51

Shiro provides multiple ways to configure users. Take a look at the possible Realm configurations here.

If none of these satisfy your needs, you could even write a custom Realm for your application, that can, say, pull user info from a NoSQL database, or get info from a SAML response, or use OAuth2. It's definitely not advisable to create any user details in shiro.ini in production. To give a notion of what custom realms might look like, here's an example where I created a SAML2 based user authc and authz: shiro-saml2.

score 0 · Answer 4 · answered Jun 11 '14 at 03:02

PLease do not use only one user for everyone. Avoid this option. Much better to use one user(account) per user.

In shiro, you can have the RDMS Realm that allows you to use a simple database like mysql in order to store your user /account / permissions. :)

Clone this project, (that is not mine), and get started in 1 minute! :) shiro/mysql GIT example Enjoy it :)

score 0 · Answer 5 · answered Jun 26 '14 at 07:23

Shiro provide implementing your own realm as per your requirement.

Create a simple realm in which you can manage details, login, permissions and roles. You can use jdbc, Hibernate, or any other authentication manner to manage them.

Configure this realm to your ini or whatever way you using in your project.

Now Shiro will automatically invoke methods of your realm class to look for credential, permissions, roles.

For ex I have a shiro hibernate realm I used my hibernate code to manage users in my db.

import java.util.Collection;
import java.util.Date;
import java.util.HashSet;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * @author Ankit
 * 
 */
public class PortalHibernateRealm extends AuthorizingRealm {

    private static final Logger LOGGER = new Logger(
            PortalHibernateRealm.class.toString());

    /**
     * 
     */
    public PortalHibernateRealm() {
        super();
        /*
         * Set credential matcher on object creation
         */
        setCredentialsMatcher(new CredentialsMatcher() {

            @Override
            public boolean doCredentialsMatch(AuthenticationToken arg0,
                    AuthenticationInfo arg1) {
                UsernamePasswordToken token = (UsernamePasswordToken) arg0;
                String username = token.getUsername();
                String password = new String(token.getPassword());
                /*
                    Check for credential and return true if found valid else false
                */
                return false;
            }
        });
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principalCollection) {
        Collection<String> permissionSet;
        SimpleAuthorizationInfo info = null;
        Long userId = (Long) principalCollection.getPrimaryPrincipal();

        //Using thi principle create  SimpleAuthorizationInfo and provide permissions and roles 
            info = new SimpleAuthorizationInfo();

        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;

        /*using this token create a SimpleAuthenticationInfo like 
        User user = UserUtil.findByEmail(token.getUsername());
        */
        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
                primaryPrin, Password, screenName);

        return authenticationInfo;
    }

}

Apache Shiro: How would you manage Users?

5 Answers5