In my Shiro-in-OSGi-configured-by-code solutions I ended up using the deprecated WebIniSecurityManagerFactory, with some tricks to find the shiro.ini file in the OSGi classpath: https://github.com/steinarb/authservice/blob/master/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/AuthserviceShiroFilter.java#L73 https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/java/no/priv/bang/ukelonn/web/security/UkelonnShiroFilter.java#L69 https://github.com/steinarb/handlereg/blob/master/handlereg.web.security/src/main/java/no/priv/bang/handlereg/web/security/HandleregShiroFilter.java#L65 https://github.com/steinarb/authservice-sampleclient/blob/master/src/main/java/no/priv/bang/authservice/sampleclient/AuthserviceSampleClientShiroFilter.java#L73
The only thing the shiro.ini is used for is path to user/role/permission mapping inside the webapps. Configuration outside of path access, is a combination of configuration by code in the activate methods of DS components, and OSGi service injections into the same DS components (Realm and SessionDAO are injected). However, the class I use to start the configuration in the activate metods, WebIniSecurityManagerFactory, is deprecated. What should I use instead? Thanks! - Steinar