Configure an External LDAP User Store with WSO2 Identity Server - openldap

My Current configuration is
#
<UserManager>
<Realm>
<Configuration>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>XXXXXX</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in thsi role sees the registry root -->
<!-- <ReadOnly>false</ReadOnly> -->
<MaxUserNameListLength>500</MaxUserNameListLength>
<Property name="url">jdbc:h2:repository/database/WSO2CARBON_DB</Property>
<Property name="userName">wso2carbon</Property>
<Property name="password">wso2carbon</Property>
<Property name="driverName">org.h2.Driver</Property>
<Property name="maxActive">50</Property>
<Property name="maxWait">60000</Property>
<Property name="minIdle">5</Property>
</Configuration>
<UserStoreManager
class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
<Property name="ConnectionURL">ldap://localhost:389</Property>
<Property name="ConnectionName">cn=admin,dc=ysd,dc=com</Property>
<Property name="ConnectionPassword">admin32</Property>
<Property name="UserSearchBase">ou=People,dc=ysd,dc=com</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=People,dc=ysd,dc=com</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
</AuthorizationManager>
</Realm>
</UserManager>`
#
Iam geeting following error while starting server.
*ERROR {org.wso2.carbon.user.core.common.DefaultRealm} - Cannot create org.wso2.carbon.user.core.ldap.LDAPUserStoreManager . Error is : null
java.lang.reflect.InvocationTargetException*
..............
............
............
Caused by: org.wso2.carbon.user.core.UserStoreException: LDAPUserStoreManager is unable to operate in Read-Write mode. This is invalid configuration. It can only operate in ReadOnly mode
at org.wso2.carbon.user.core.ldap.LDAPUserStoreManager.(LDAPUserStoreManager.java:97)
... 25 more

What is your exact requirement ? Do you want the Identity Server to do Read-Write operation on the external LDAP or do you want to do only the Read operations ?
You get this exception because you are trying to use the read only ldap user store for both read-write operations. Set the parameter <ReadOnly>false</ReadOnly>to true, then this error would go away.
But if your requirement is to use IS for both read write operations use the ApacheDSUserStoreManager. You can use the LDAPUserStoreManager for that.

Related

Unable to login with users in Active Directory in wso2 api manager

I've configured the wso2 api manager with external LDAP i.e. Microsoft Active Directory. Connectivity is set up and I'm able to see all the users in WSO2 apim user store which are present in AD. I have 4 following users in AD
Users : WSo2 Admin, WSO2 User1, WSO2 User2
But I'm able to login with just one user which I'm assigning the admin role in configuration file like below snippet.
<AdminUser>
<UserName>Wso2 Admin</UserName>
<Password>abcdef#01</Password>
</AdminUser>
Now I'll be only able to login with WSo2 Admin only, same happens for other users if I assign admin role in config file I'll be able to login.
But i want to login with every user which are present in AD i.e. WSo2 Admin, WSO2 User1, WSO2 User2
Here is my configuration file:
<?xml version="1.0" encoding="UTF-8"?>
<UserManager>
<Realm>
<Configuration>
<AddAdmin>false</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>Wso2 Admin</UserName>
<Password>abcdef#01</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://test.xxxx.com:389</Property>
<Property name="ConnectionName">CN=Wso2 Admin,OU=wso2test,DC=test,DC=xxxx,DC=com</Property>
<Property name="ConnectionPassword">abcdef#01</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">OU=wso2test,DC=test,DC=xxxx,DC=com</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
<Property name="UserNameListFilter">(objectClass=user)</Property>
<Property name="DisplayNameAttribute"/>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="GroupSearchBase">OU=wso2test,DC=test,DC=xxxx,DC=com</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="IsBulkImportSupported">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MembershipAttributeRange">1500</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
To the administrative console only admins (members of the admin group) are allowed to log in.
If you want any user to log in, you may try to find role Internal/everyone and add a permission Login to the role.
However the users by default will be able only to change their password (even that's not true until you use ldaps connection instead of ldap)

wso2 am 2.0 ApiKeyValidator Authentication Errors

We've recently upgraded our fully functional WSO2 AM 1.10 to 2.0. The installation process gave no errors and seems to be complete. We can use the Publisher just fine. However, when we go to the Store, and go to a tab that lists all of the user's Applications, it fails, and the page is empty. The log shows:
WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'MyUser[-1234]' at [2017-01-10 09:47:09,380-0500]
WARN - AuthenticationHandler Illegal access attempt at [2017-01-10 09:47:09,0380] from IP address IP-ADDRESS while trying to authenticate access to service APIKeyMgtSubscriberService
ERROR - AMDefaultKeyManagerImpl Can not retrieve OAuth application for the given consumer key : BigLongStringOfStuff org.apache.axis2.AxisFault: Access Denied. Authentication failed - Invalid credentials provided.
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:445)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1683)
at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:234)
at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2389)
at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2353)
at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4649)
at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:3136)
at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getApplications(APIStoreHostObject.java:3225)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
We are using a Read Only LDAP store, the configuration is here:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>False</AddAdmin>
<AdminRole>AdminGroup</AdminRole>
<AdminUser>
<UserName>MyUser</UserName>
<Password>MyPW</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ReadOnly">true</Property>
<Property name="Disabled">false</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="ConnectionURL">ldap://MyServer:389</Property>
<Property name="ConnectionName">CN=MyUser,OU=1,OU=2,DC=a,DC=b,DC=c</Property>
<Property name="ConnectionPassword">MyPW</Property>
<Property name="UserSearchBase">DC=a,DC=b,DC=c</Property>
<Property name="UserNameListFilter">(objectClass=user)(|(memberOf=CN=MyGroup-Subscriber,OU=1,OU=2,DC=a,DC=b,DC=c)(sAMAccountName=MyUser))</Property>
<Property name="UserNameSearchFilter">(|(&(objectClass=person)(sAMAccountName=?)(memberOf=CN=MyGroup-Subscriber,OU=1,OU=2,DC=a,DC=b,DC=c))(sAMAccountName=MyUser))</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="DisplayNameAttribute">displayName</Property>
<Property name="ReadGroups">true</Property>
<Property name="GroupSearchBase">OU=Groups,OU=1,OU=2,DC=a,DC=b,DC=c</Property>
<Property name="GroupNameListFilter">(&(objectClass=group)(cn=MyGroup*))</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=MyGroup?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="MultipleAttributeSeparator">,</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
In the Api-Manager.xml configuration for the ApiKeyValidator Key We have:
<APIKeyValidator>
<!-- Server URL of the API key manager -->
<ServerURL>https://MyURL:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
<!-- Admin username for API key manager.
<Username>MyUser</Username>
<!-- Admin password for API key manager. -->
<Password>MyPW</Password>
<KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
<ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
<EnableThriftServer>true</EnableThriftServer>
<ThriftServerHost>localhost</ThriftServerHost>
<KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
This error did not occur in 1.10 with the same config file entries. Is there any idea as to why this happens?
So I figured out why this occurred - This will happen if the incorrect provider is listed in the user-mgt.xml file. If you see my file above, I am trying to use ReadOnly LDAP, but I have the RDBMS provider listed instead.
Changed this line and boom, everythign is functional again.

WSO2 API Manager fails when using external ldap

I am setting up wso2 API manager to use an external LDAP so it connects to my company's user base for logins but I am getting the following error which I can't find the reason:
2016-09-09 10:44:32,436 [-] [Start Level Event Dispatcher] ERROR Activator Cannot start User Manager Core bundle
java.lang.NullPointerException
at org.wso2.carbon.user.core.config.RealmConfigXMLProcessor.buildRealmConfiguration(RealmConfigXMLProcessor.java:367)
at org.wso2.carbon.user.core.config.RealmConfigXMLProcessor.buildRealmConfiguration(RealmConfigXMLProcessor.java:281)
at org.wso2.carbon.user.core.common.DefaultRealmService.buildBootStrapRealmConfig(DefaultRealmService.java:136)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:84)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:113)
at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:68)
at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
at java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:390)
at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1176)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
Here is my user-mgt.xml:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>false</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>procergs-felipe-schnack</UserName>
<!-- Password>admin</Password -->
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ReadOnly">true</Property>
<Property name="ConnectionURL">ldap://ldap1.procergs.reders:389</Property>
<Property name="ConnectionName">uid=wso2,ou=U4S,ou=PROCERGS,o=estado,c=br</Property>
<Property name="ConnectionPassword">xxxx</Property>
<Property name="UserSearchBase">ou=procergs,o=Estado,c=BR</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="UserNameSearchFilter">uid=?</Property>
<Property name="UserNameListFilter">(objectClass=posixAccount)</Property>
<Property name="DisplayNameAttribute">displayname</Property>
<Property name="ReadGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="BackLinksEnabled">false</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">true</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
</UserStoreManager>
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">false</Property>
</AuthorizationManager>
</Realm>
</UserManager>
What I am missing? I tried to lookup the source code in wso2 SVN repo but I am still lost.
Thanks!
Actually you need to point to a existing user in your LDAP to be the super user of the system. The super user is a special user in the system which has all the permissions to manage the system. Hence this configuration is required. You can use Ciper tool to encrypt your password and store it. You can refer this.

Hibernate Postgres Batch Processing

I am running postgres sql 9.2.1 and for the application I am building I am using Hibernate 4.2.8. I have enabled all the necessary stuffs concerning the batch processing in the hibernate config file. Also in my pojo I am using the GenerationType.SEQUENCE for my ids since I am using POstgres sequence features.
However whenever I am doing bacth update it only executes one request and return this :
o.h.e.j.batch.internal.BatchingBatch - Executing batch size: 1
This is portion of my hibernate config file:
<property name="hibernate.connection.driver_class">org.postgresql.Driver</property>
<property name="hibernate.connection.password">xxx</property>
<property name="hibernate.connection.url">jdbc:postgresql:testdb</property>
<property name="hibernate.connection.username">xxx</property>
<property name="hibernate.dialect">org.hibernate.dialect.PostgreSQL82Dialect</property>
<property name="hibernate.show_sql">true</property>
<property name="hibernate.current_session_context_class">thread</property>
<property name="hibernate.connection.autocommit">false</property>
<property name="hibernate.transaction.auto_close_session">false</property>
<property name="hibernate.transaction.flush_before_completion">false</property>
<property name="hibernate.default_entity_mode">pojo</property>
<property name="hibernate.jdbc.batch_size">40</property>
<property name="hibernate.cache.use_second_level_cache">false</property>
<property name="hibernate.order_updates">true</property>
<property name="hibernate.jdbc.batch_versioned_data">true</property>
<property name="hibernate.cache.use_query_cache">false</property>
<property name="hibernate.order_inserts">true</property>
Please assist me. I have done many searches so far but I have not come accross any that works for me.

Spring MVC and Shiro Configuration using ini files

I'm trying to set up an environment with Spring MVC and Apache Shiro. I'm following articles mentioned in shiro.apache.org.
I'm using Spring's DelegatingFilterProxy as Shiro Filter in web.xml.
The current filtering is done using :
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/login"/>
<property name="successUrl" value="/dashboard"/>
<property name="unauthorizedUrl" value="/unauthorized"/>
<property name="filterChainDefinitions">
<value>
/** = authc, user, admin
/admin/** = authc, admin
/login = anon
</value>
</property>
</bean>
Question is, how do I use shiro.ini file defining security settings?
You don't need to use shiro.ini. All of the rest of your configuration can (and should, since you're using ShiroFilterFactoryBean) be done in Spring.
For example, adding a securityManager and ehCache based cache manager to your shiroFilter:
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
<property name="sessionMode" value="native"/>
<property name="sessionManager" ref="sessionManager"/>
<property name="cacheManager" ref="cacheManager"/>
</bean>
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManager" ref="ehCacheManager"/>
</bean>
<bean id="ehCacheManager"
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
<bean id="sessionDAO"
class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"/>
<bean id="sessionManager"
class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="sessionDAO" ref="sessionDAO"/>
</bean>
<bean id="myRealm" class="com.foo.MyRealm"/>
You can check shiro documentation here http://shiro.apache.org/reference.html, it contains everything, in spring, as Les said, usually define different beans instead of using the shiro.ini file, but also you can use this file for authentication, use IniRealm like:
<bean id="myRealm" class="org.apache.shiro.realm.text.IniRealm">
<property name="resourcePath" value="classpath:/shiro.ini" />
</bean>
more detail refers to here

Resources