Posted to dev@shiro.apache.org by "Steven Scott (JIRA)" <ji...@apache.org> on 2013/02/05 20:40:11 UTC

[jira] [Commented] (SHIRO-348) Allow ModularRealmAuthorizer to ignore ShiroExceptions thrown by realms when authz is checked.

    [ https://issues.apache.org/jira/browse/SHIRO-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13571653#comment-13571653 ] 

Steven Scott commented on SHIRO-348:
------------------------------------

I ran into this today. Two realms are configured, the first is LDAP. During authentication LDAP throws an exception, and the subject is authenticated against the second. Its principals is size 1, with the name of the second realm. During an authorization check, all realms are asked (not sure if it should only be asking the subject's principals or not), LDAP throws an exception, and the second realm's isPermitted is never called.

> Allow ModularRealmAuthorizer to ignore ShiroExceptions thrown by realms when authz is checked.
> ----------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-348
>                 URL: https://issues.apache.org/jira/browse/SHIRO-348
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Authorization (access control) 
>            Reporter: Brian Demers
>
> This is useful, when you have multiple realms configured and one of those realms throws exceptions.  In this case you may not want to stop ALL authz checks because one realm failed.
> <snippet from [here|http://shiro-developer.582600.n2.nabble.com/ExceptionCatchingModularRealmAuthorizer-td6263689.html]>
> From Les:
> {quote}
> Refactoring the ModularRealmAuthorizer to use the Strategy design
> pattern (like the ModularRealmAuthenticator) is probably the best
> approach.  This allows pluggable strategies to be used so you don't
> need to subclass.
> {quote}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
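
The failure mode reported above, handled in a subclass: an added example, not Shiro's code and not the code on the branch linked in this thread. The class name FaultTolerantRealmAuthorizer is hypothetical, and SLF4J is assumed to be on the classpath. A realm that throws is treated as "no grant" and logged, so an outage can only ever deny access, never allow it.

```java
import org.apache.shiro.ShiroException;
import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical subclass; the name is an assumption, not a Shiro class. */
public class FaultTolerantRealmAuthorizer extends ModularRealmAuthorizer {

    private static final Logger log =
            LoggerFactory.getLogger(FaultTolerantRealmAuthorizer.class);

    @Override
    public boolean isPermitted(PrincipalCollection principals, String permission) {
        assertRealmsConfigured();
        for (Realm realm : getRealms()) {
            if (!(realm instanceof Authorizer)) {
                continue; // realm cannot answer authorization questions
            }
            try {
                if (((Authorizer) realm).isPermitted(principals, permission)) {
                    return true; // any single realm may grant
                }
            } catch (ShiroException e) {
                // Fail closed for this realm only: an unreachable LDAP server
                // contributes no grant, and the remaining realms are still asked.
                // Exceptions that are not ShiroExceptions still propagate.
                log.warn("Realm [{}] failed while checking permission [{}]; "
                        + "treating it as no grant", realm.getName(), permission, e);
            }
        }
        return false; // no realm granted, so deny
    }
}
```

Only the String-permission check is wrapped here; the Permission-object and role checks would need the same treatment. Keep the warning log wired to alerting, since a silently skipped realm otherwise looks identical to a legitimate denial.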

Re: [jira] [Commented] (SHIRO-348) Allow ModularRealmAuthorizer to ignore ShiroExceptions thrown by realms when authz is checked.

Posted by Brian Demers <br...@gmail.com>.
Anyone have any thoughts on dusting this off?

https://github.com/apache/shiro/compare/trunk...exceptionCatchingModularRealmAuthorizer
