 

Apache Shiro: How would you manage Users?

Tags:

shiro

I want to use Shiro on my next web project but I do not know a good (if not the best) strategy to manage users ([users] in shiro.ini).

  1. Is it best to create Shiro user for every registered member?
  2. Or create a single Shiro user, then for every member just store it in some database and access it via that Shiro user?

If you would go for #1, how would you manage/automate it? Most of the projects I worked on opted for #2.

Thanks

Quirino Gervacio asked Apr 26 '13 15:04



2 Answers

  1. Configuring users in shiro.ini is not a good option for a production environment. It can be used only if you have a small number of user accounts and you don't need to create or change accounts at runtime. It is mostly used for testing.
  2. It is better for almost all projects to use some storage to keep all user accounts. It can be a database or some external authentication engine, like LDAP, CAS or even OAuth.
sody answered Nov 11 '22 13:11
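
The contrast drawn in the answer above, as an added configuration sketch (not part of the original answers or of any project's own config): a static `[users]` section beside a `JdbcRealm` that reads accounts from a database at runtime. The JNDI resource name, the table and column names, and the sample account are assumptions for illustration.

```ini
# ---- Fragment A: static accounts in shiro.ini (testing only) ----
# Every account change means editing and redeploying this file,
# and the passwords sit in the file itself.
[users]
# format: username = password, role1, role2, ...
# constructed sample account
alice = changeit, admin

[roles]
admin = *

# ---- Fragment B: accounts kept in a database (one realm for all members) ----
[main]
# Look up the container-managed DataSource through JNDI so that no
# database credentials are stored in shiro.ini.
# Assumption: the container exposes a pool under jdbc/appdb.
dataSource = org.apache.shiro.jndi.JndiObjectFactory
dataSource.requiredType = javax.sql.DataSource
dataSource.resourceName = java:comp/env/jdbc/appdb

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
# Off by default; enable it if permissions are stored per role.
jdbcRealm.permissionsLookupEnabled = true

# Assumed schema: users(username, password), user_roles(username, role_name),
# roles_permissions(role_name, permission). Adjust to the real tables.
jdbcRealm.authenticationQuery = SELECT password FROM users WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_name FROM user_roles WHERE username = ?
jdbcRealm.permissionsQuery = SELECT permission FROM roles_permissions WHERE role_name = ?

# Compare the submitted password against a stored salted hash instead of
# plaintext. The stored value must have been produced by Shiro's
# PasswordService (encryptPassword) when the member registered.
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
jdbcRealm.credentialsMatcher = $passwordMatcher

# Use only the database-backed realm; registered members are rows in the
# users table, not entries in this file.
securityManager.realms = $jdbcRealm
```

With Fragment B, registering a member is an INSERT into the user table by the application, and Shiro picks the account up on the next login without any change to shiro.ini.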



You can just use Stormpath as your user/group store. Drop in the Shiro integration and boom - instant user/group data store for Shiro-enabled applications with a full management UI and Java SDK.

It even helps automate things like 'forgot password' emails and account email verification. It's free for many usages too. You can see the Shiro sample app using Stormpath as an example.

Les Hazlewood answered Nov 11 '22 13:11
