Currently I've a swing app and I wan't to implement Apache Shiro in order to Authenticate and delegate permissions to certain roles. I've already managed myself to read the users from the Shiro.ini file that I've created for tests, it looks something like this
admin = 123456, Administrator
Administrator = *:*:*
Realm interface is a
security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations.
You can implement it to interact with any source for finding users and their permissions. If you want to interact with an SQL-based database, you can do that. If you want to interact with a text file, you can do that. If you want to interact with a web service, you can do that, too.
There are two useful (almost necessary) extensions of
Realm which are
AuthorizingRealm. They provide an interface for authentication and authorization services, respectively.
AuthenticatingRealm. You should extend
AuthorizingRealm to implement your own authenticating and authorizing logic.
Take an example: You have a database with a table
username | password | role
permission_id | permission_name
and a table
username | permission_id
In other words, an
Account can have one role, but multiple permissions. With JDBC you can very easily query such a database and retrieve usernames, passwords, roles, and permissions. Your implementation of
AuthorizingRealm would do just that and construct objects expected by Shiro's API.
Read this document on Shiro's authentication sequence to understand where the
AuthenticatingRealm comes in.
As for the
INI file, depending on how you implement your
Realm, you would need to declare it as
myRealm = com.company.security.shiro.YourDatabaseRealm
possibly settings some properties
myRealm.databaseName = account_database
Shiro provides its own
JdbcRealm class which extends
AuthorizingRealm. This class makes some assumptions on the structure of your database, but you can customize it.