Posted to user@shiro.apache.org by Christian Schneider <ch...@die-schneider.net> on 2013/07/10 08:56:59 UTC

How to just do authorization with Shiro

Hi All,

I am trying to integrate Shiro into an Apache CXF project. The
Authentication is already done by CXF. I am using a SAML token to
authenticate at the service. Inside the token there already is the subject
name and the role names. CXF establishes a CXF specific
LoginSecurityContext that contains these details.

Now I want to use a CXF interceptor to read this LoginSecurityContext and
establish an authenticated Shiro subject that also contains subject name
and roles.

I intend to use the Shiro Context then to do normal Shiro authorization
using annotations.

Currently I only know how to log into Shiro using a UserPasswordToken. So I
give Shiro my identity and my credentials and Shiro does the authentication
and fetches the roles. How can I change this to work with an already
authenticated subject and given roles?

Christian

RE: How to just do authorization with Shiro

Posted by Michael Chandler <Mi...@onassignment.com>.
I was worried that I might be overcomplicating things.  Thanks Kalle.



Re: How to just do authorization with Shiro

Posted by Kalle Korhonen <ka...@gmail.com>.
For an authorizing-only realm, you can simply return null in
doGetAuthenticationInfo() to indicate the realm shouldn't participate in
the authentication process.

Kalle



RE: How to just do authorization with Shiro

Posted by Michael Chandler <Mi...@onassignment.com>.
Christian,

If Authentication is already handled outside of Shiro, it seems like you could handle Authorization only by implementing your own Realm.  Here's a rough example of what I'm thinking... The authentication method is implemented to do very little other than appear to be successful, while you do your authorization work as planned.  Hopefully I'm not oversimplifying the problem here...

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class YourRealm extends AuthorizingRealm {

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken token) throws AuthenticationException {

        // Retrieve your user object by leveraging info from your token
        User user = someMethodThatGetsUserFromToken(token);

        // Make sure the credentials matcher is always successful since you handle this elsewhere
        setCredentialsMatcher(new CredentialsMatcher() {

            @Override
            public boolean doCredentialsMatch(AuthenticationToken token,
                                              AuthenticationInfo info) {
                return true;
            }
        });

        return new SimpleAuthenticationInfo(user, token, "YourRealm");
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // YOUR AUTHORIZATION IMPLEMENTATION GOES HERE!
        // (must return an AuthorizationInfo; fill a SimpleAuthorizationInfo with the roles)
        return new SimpleAuthorizationInfo();
    }
}

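The two halves the thread arrives at (an authorization-only realm along the lines of Michael's sketch and Kalle's null return, plus the interceptor-side step Christian asked about, namely building an already-authenticated Subject without calling login()) put together as an added example for this page. It is not code from the thread, from CXF or from the Shiro project; it targets the Shiro 1.x API. The names ExternalPrincipal, ExternalAuthRealm, ShiroSubjectBinder and AuthorizeOnlyDemo, and the sample identity "alice" with role "reader", are assumptions of mine; the CXF interceptor and LoginSecurityContext are stood in for by a constructed principal.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/** Hypothetical principal: the name and roles CXF already pulled out of the validated SAML token. */
final class ExternalPrincipal {
    final String name;
    final Set<String> roles;

    ExternalPrincipal(String name, Set<String> roles) {
        this.name = name;
        this.roles = roles;
    }
}

/** Authorization-only realm (hypothetical name): answers role questions, never authenticates. */
class ExternalAuthRealm extends AuthorizingRealm {
    static final String NAME = "externalAuthRealm";

    ExternalAuthRealm() {
        setName(NAME);
    }

    /** Tell the authenticator this realm handles no token type, so it is never consulted. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    /** Kalle's variant: should the realm be asked anyway, null means "not participating". */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        return null;
    }

    /** Roles come straight from the externally established principal, not from a user store. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        ExternalPrincipal p = (ExternalPrincipal) principals.getPrimaryPrincipal();
        return new SimpleAuthorizationInfo(new HashSet<String>(p.roles));
    }
}

/** The work a CXF inbound interceptor would do per request (hypothetical helper, not CXF API). */
final class ShiroSubjectBinder {
    /** Build an already-authenticated Subject without login() and bind it to the current thread. */
    static Subject bind(SecurityManager securityManager, ExternalPrincipal principal) {
        PrincipalCollection principals =
                new SimplePrincipalCollection(principal, ExternalAuthRealm.NAME);
        Subject subject = new Subject.Builder(securityManager)
                .principals(principals)
                .authenticated(true)   // trusts CXF's SAML validation; call only after it succeeded
                .buildSubject();
        ThreadContext.bind(subject);   // SecurityUtils.getSubject() now returns it on this thread
        return subject;
    }

    /** Run in the interceptor's finally block so a pooled thread never keeps a stale identity. */
    static void unbind() {
        ThreadContext.unbindSubject();
    }
}

public class AuthorizeOnlyDemo {
    public static void main(String[] args) {
        SecurityManager securityManager = new DefaultSecurityManager(new ExternalAuthRealm());
        SecurityUtils.setSecurityManager(securityManager);

        // Constructed sample: what CXF's LoginSecurityContext would report for one request.
        ExternalPrincipal fromCxf =
                new ExternalPrincipal("alice", new HashSet<String>(Arrays.asList("reader")));

        ShiroSubjectBinder.bind(securityManager, fromCxf);
        try {
            Subject subject = SecurityUtils.getSubject();
            System.out.println("authenticated: " + subject.isAuthenticated()); // true, no login()
            System.out.println("has reader: " + subject.hasRole("reader"));     // true
            // Same check @RequiresRoles("admin") performs; throws because alice lacks the role.
            subject.checkRole("admin");
        } catch (AuthorizationException e) {
            System.out.println("denied: " + e.getMessage());
        } finally {
            ShiroSubjectBinder.unbind();
        }
    }
}
```

Two design points. Returning false from supports() (in addition to Kalle's null) means no code path can ever feed this realm an AuthenticationToken, which is what removes the risk in a realm whose CredentialsMatcher always returns true: such a realm would accept any token if a login() call ever reached it. Second, the trust boundary sits entirely in the interceptor: authenticated(true) is only defensible after CXF has validated the SAML signature and conditions, and unbind() in a finally block keeps one request's identity from leaking into the next on a reused thread. Subject.execute(Callable) is the alternative that binds and unbinds for you.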