Posted to user@shiro.apache.org by juminoz <ju...@hotmail.com> on 2011/06/09 04:05:00 UTC

Chicken & Egg Issue on Security

How would you go around this problem?

Use case:
1) Application uses Shiro framework to do authentication by connecting
through a data source using a custom realm.
2) That data source is also using Shiro framework to do authentication.

Since you can't access the data source to authenticate, you can't actually
authenticate to use the data source.

Any creative ideas?

Thanks,
Jack

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Chicken-Egg-Issue-on-Security-tp6456259p6456259.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Chicken & Egg Issue on Security

Posted by juminoz <ju...@hotmail.com>.
The problem I have is that we are trying to use Shiro for everything, whether
it's an application user or an end user. Both types of users are stored in the data
layer, which is also protected by Shiro. Think of LDAP with Shiro for
security even though LDAP is the data source.

I will probably have to create a token of some kind to introduce an exception
in the authentication routine, but still through Shiro, possibly through a
special realm that loads the initial core user into the cache and automatically
expires the token. The session then never expires and is kept in the cache.

Do you see any issue with this approach? I'm trying to keep security the
same for every layer if possible. Potentially, I may even go with a Realm that
utilizes OS-level security info.

Thanks,
Jack

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Chicken-Egg-Issue-on-Security-tp6456259p6471704.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Chicken & Egg Issue on Security

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jack,

I'll just chime in here and add to what everyone has already said:

I use two accounts for this:  one account represents an application
(not an end user) - call it account A.  That account is used to
communicate with the service (service B) - A authenticates with B for
all service communication.  One of those service calls is a 'user
login service': app A bundles up user C's principals/credentials as
the service payload and calls into B.  Service B authenticates user C
as a normal user authentication process.

HTH!

Les

Re: Chicken & Egg Issue on Security

Posted by Blaise Gervais <ge...@gmail.com>.
I have the same problem with a "UserService" which is used to authenticate the
user and manage user accounts. The service is a local implementation which
consumes a REST web service protected with Shiro.

   1. When I want to use the service to authenticate the user, I use it as
   "system", which is a special account.
   2. When the user has been authenticated, I create a new instance of this
   service which uses the user account.


On Thu, Jun 9, 2011 at 4:07 AM, David Woods <dw...@gmail.com> wrote:

> Wouldn't the access to the data source be using the authentication
> details of your *application*, rather than those of the *user*?

-- 
Gervais Blaise
<ge...@gmail.com>

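The two-account pattern Les describes (application account A authenticates to service B; a "user login service" on B then authenticates end user C as a normal login) and the "system account first, user account second" sequence in Blaise's post, written out as an added Java example. This is not code from the original thread, from Shiro itself, or from either poster's project. Service B is modelled in memory (a SimpleAccountRealm behind its own DefaultSecurityManager) instead of over REST, and the class, account and role names (UserService, ServiceBackedRealm, app-a, jack, the "application" role) are assumptions made for the illustration. It needs shiro-core (1.x) on the classpath.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ChickenEggExample {

    /** Service B (assumed name): owns the user store and is itself protected by Shiro.
     *  In-memory stand-in for the REST service discussed in the thread. */
    static final class UserService {
        private final DefaultSecurityManager serviceSm;

        UserService() {
            SimpleAccountRealm realm = new SimpleAccountRealm("service-b");
            realm.addAccount("app-a", "app-secret", "application"); // account A: an application, not a person
            realm.addAccount("jack", "jack-pw", "user");            // end user C (constructed sample account)
            serviceSm = new DefaultSecurityManager(realm);
        }

        /** Every call into B is made by an application account; end-user accounts are refused here,
         *  so a leaked end-user password cannot be used to act as the application. */
        private Subject authenticateCaller(String appAccount, String appSecret) {
            Subject caller = new Subject.Builder(serviceSm).buildSubject();
            caller.login(new UsernamePasswordToken(appAccount, appSecret)); // throws AuthenticationException on failure
            if (!caller.hasRole("application")) {
                caller.logout();
                throw new AuthenticationException("not an application account: " + appAccount);
            }
            return caller;
        }

        /** The 'user login service': A proves it is A, then B authenticates user C as an ordinary login. */
        boolean loginUser(String appAccount, String appSecret, String username, char[] password) {
            Subject caller = authenticateCaller(appAccount, appSecret);
            try {
                Subject user = new Subject.Builder(serviceSm).buildSubject();
                user.login(new UsernamePasswordToken(username, password));
                user.logout();
                return true;
            } catch (AuthenticationException bad) {
                return false; // wrong user credentials: B rejects, A only learns "no"
            } finally {
                caller.logout();
            }
        }
    }

    /** Application A's realm: reaches the data source with A's own credentials, never the user's. */
    static final class ServiceBackedRealm extends AuthenticatingRealm {
        private final UserService service;
        private final String appAccount;
        private final String appSecret;

        ServiceBackedRealm(UserService service, String appAccount, String appSecret) {
            this.service = service;
            this.appAccount = appAccount;
            this.appSecret = appSecret;
            // B has already verified the password; there is nothing left to compare locally.
            setCredentialsMatcher(new AllowAllCredentialsMatcher());
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            UsernamePasswordToken upt = (UsernamePasswordToken) token;
            if (!service.loginUser(appAccount, appSecret, upt.getUsername(), upt.getPassword())) {
                throw new AuthenticationException("service B rejected user " + upt.getUsername());
            }
            // Do not retain the user's password in the AuthenticationInfo; the matcher above ignores it.
            return new SimpleAuthenticationInfo(upt.getUsername(), null, getName());
        }
    }

    public static void main(String[] args) {
        UserService serviceB = new UserService();
        DefaultSecurityManager appSm =
                new DefaultSecurityManager(new ServiceBackedRealm(serviceB, "app-a", "app-secret"));

        Subject jack = new Subject.Builder(appSm).buildSubject();
        jack.login(new UsernamePasswordToken("jack", "jack-pw"));
        System.out.println("end user authenticated via A -> B: " + jack.getPrincipal());
        jack.logout();

        try { // an end-user account must not be accepted as the calling application
            serviceB.loginUser("jack", "jack-pw", "jack", "jack-pw".toCharArray());
        } catch (AuthenticationException expected) {
            System.out.println("refused: " + expected.getMessage());
        }
    }
}
```

The point of the two separate Subjects on the service side is that the application's authentication and the end user's authentication never share a principal: A can only ask B "is this user who they claim to be", and B answers with its own realm, so neither side needs a bootstrap exception in its authentication routine.
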
Re: Chicken & Egg Issue on Security

Posted by David Woods <dw...@gmail.com>.
Wouldn't the access to the data source be using the authentication
details of your *application*, rather than those of the *user*?
