Posted to users@tapestry.apache.org by Kalle Korhonen <ka...@gmail.com> on 2014/12/21 21:14:37 UTC

Re: Tynamo Tapestry-Security - Multiple Realms - How to Change Authentication Strategy

On Sun, Dec 21, 2014 at 8:55 AM, Charles Karow <ch...@karow.com> wrote:

> I'm using Tynamo Tapestry-Security 0.6.0 with Tapestry 5.4, and finding it
> a very useful tool!!
> I am implementing two realms for two different classes of users that are
> stored in different tables in the database; both will use username/password
> authentication, and thus the same authentication token type. They are
> mutually exclusive - any given user will be found in one realm and not
> found in the other, so I will always have one realm that fails to
> authenticate.
> I see that in Tynamo the default authentication strategy has been replaced
> with a custom FirstExceptionStrategy, which improves the exception
> handling, but will only work if there is only one Realm per Token type.
> (See http://jira.codehaus.org/browse/TYNAMO-154) While I appreciate and
> value the ability to get the original exceptions, right now it seems more
> important to me to be able to have the two realms.
> So it seems to me that I should change the authentication strategy to one
> of Shiro's (e.g. "First Successful" or "At Least One Successful"), or
> eventually create my own custom strategy that would give me the best of
> both worlds, by passing on the correct exceptions, while allowing multiple
> realms using the same token type.
>

If you know the type of the user at login time (for example, your users
have different entry points or they pick a specific domain), it'd be far
easier to create separate tokens for each realm. The type of the token
tells the realm whether it should participate in the authentication of that
token, so if you use the same token for both realms, it'll always try and
fail one.


> I have tried to change the authentication strategy in my AppModule with
> the following code in addRealms():
>
>         SecurityManager sm = SecurityUtils.getSecurityManager();
>         DefaultWebSecurityManager wsm = (DefaultWebSecurityManager)sm;  // <<---- Class cast fails
>         ModularRealmAuthenticator mra = (ModularRealmAuthenticator) wsm.getAuthenticator();
>         mra.setAuthenticationStrategy(new FirstSuccessfulStrategy());
>
> It fails because the returned SecurityManager is actually the IOC
> ServiceProxy and not the SecurityManager object. I tried similar code in
> the Realm's constructor, with a similar failure.
>

Yeah, I've never liked that part of Shiro's native api myself (that in
multiple places you are required to downcast to specific types to reveal
more functionality). However, I've tried to publish enough of the security
api as services, so you don't have to navigate through Shiro's object tree
(native Shiro doesn't have such luxuries as an IoC container). In this case
as well, ModularRealmAuthenticator is a service, so you can just obtain it
directly and set a different authentication strategy. See the source for
SecurityModule to find out what exactly is published as a service (
https://github.com/tynamo/tapestry-security/blob/master/src/main/java/org/tynamo/security/services/SecurityModule.java
).

Kalle
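
Added example, not part of the thread and not Tynamo's or the poster's code: a sketch of the separate-token-per-realm approach suggested in the reply above, using plain Shiro classes outside Tapestry. StaffToken, CustomerToken, realmFor and the accounts are hypothetical, and SimpleAccountRealm stands in for the two database-backed realms.

```java
import java.util.Arrays;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;

public class PerRealmTokens {
    // Hypothetical token types: same username/password payload, distinct class per user table.
    static class StaffToken extends UsernamePasswordToken {
        StaffToken(String user, String password) { super(user, password); }
    }
    static class CustomerToken extends UsernamePasswordToken {
        CustomerToken(String user, String password) { super(user, password); }
    }

    // In-memory stand-in for a database realm. Restricting the token class makes
    // supports() return false for every other token type, so the realm is skipped.
    static SimpleAccountRealm realmFor(String name, Class<? extends AuthenticationToken> tokenType) {
        SimpleAccountRealm realm = new SimpleAccountRealm(name);
        realm.setAuthenticationTokenClass(tokenType);
        return realm;
    }

    public static void main(String[] args) {
        SimpleAccountRealm staff = realmFor("staff", StaffToken.class);
        SimpleAccountRealm customers = realmFor("customers", CustomerToken.class);
        staff.addAccount("alice", "constructed-pw-1");      // constructed sample accounts
        customers.addAccount("bob", "constructed-pw-2");

        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setRealms(Arrays.<Realm>asList(staff, customers));

        System.out.println("customers realm accepts StaffToken: "
                + customers.supports(new StaffToken("alice", "constructed-pw-1")));

        AuthenticationInfo info = authenticator.authenticate(new StaffToken("alice", "constructed-pw-1"));
        System.out.println("alice authenticated by: " + info.getPrincipals().getRealmNames());

        try {
            // bob exists only in the customers realm, which never sees a StaffToken.
            authenticator.authenticate(new StaffToken("bob", "constructed-pw-2"));
        } catch (AuthenticationException e) {
            System.out.println("bob rejected as staff: " + e.getClass().getSimpleName());
        }
    }
}
```

With one realm per token type, only one realm is consulted for any login, which is the condition the thread gives for FirstExceptionStrategy to work.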

Re: Tynamo Tapestry-Security - Multiple Realms - How to Change Authentication Strategy

Posted by Charles Karow <ch...@karow.com>.
Thanks Kalle -- you've made it easy for me!!!

I added this to my AppModule and it works perfectly:

     @Startup
     public static void specifyAuthenticationStrategy(
             @InjectService("ModularRealmAuthenticator") ModularRealmAuthenticator mra)
         {
         mra.setAuthenticationStrategy(new FirstSuccessfulStrategy());
         }

I will give some thought to creating separate token types in the future, 
but for now all the logins come through one login page.

Thank you very much for your help!!!
Charles



