Posted to user@shiro.apache.org by Ryan McKinley <ry...@gmail.com> on 2009/03/30 16:14:44 UTC

Authorization without Authentication?

Hello-

I'm starting to grok how Ki is structured and who is responsible for  
what.  As mentioned, I am building an app where I want any user to be  
able to do anything until security is enabled, then I want to check  
some configured Realm for authentication etc.

The key thing I realized is that I need to limit access based on  
"hasPermission" rather than "isInRole" -- this way an Authorizer could  
just return 'new AllPermission()'

I have a SecurityManager configured with a ModularRealmAuthorizer to  
grant all permissions:

     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
     realms.add( new FullAccessRealm() );
     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
     sm.setAuthorizer( authz );

This seems to work fine *after* the user has authenticated, but I want  
this to work *before* they authenticate.

Any pointers?  Does Authorization only get called when Authentication  
succeeds?

Do I have to automatically authenticate with an 'anonymous' user  
account and then use that for Authorization?  If so, how do I  
automatically authenticate (so the user *never* sees a login box)?

thanks again
ryan

Re: Authorization without Authentication?

Posted by Les Hazlewood <lh...@apache.org>.
Ah, I see now.  The best way to do this would be to use a RealmFactory.  The
RealmFactory would generate a Realm based on some configuration.

So, in the localhost-only app, the RealmFactory would return a Realm that
returns 'true' for every security check.  In the single-account mode, you
return a normal realm; it's just that doGetAuthenticationInfo would return that
root user's principals and the 'AllPermission' (assuming the password was
correct, of course).  The 3rd scenario is normal usage.

This way, all of your security checks remain in place (as they should), and
the results of those checks only change based on which realm is used.

Are you using Spring?  If so, this can very easily be achieved by a
FactoryBean implementation.  If not, you can do something like this:

// Instantiate your specific realm factory - perhaps it reads a .properties
// file or system property to tell it what Realm to return.
RealmFactory factory = ...;

// In your case the collection would probably only have a single Realm,
// based on the environment.
Collection<Realm> realms = factory.getRealms();

// Non-web environment:
SecurityManager securityManager = new DefaultSecurityManager();
// or a web environment:  securityManager = new DefaultWebSecurityManager();
securityManager.setRealms(realms);

You can also declare your RealmFactory implementation in a ki.ini file
(jsecurity.ini for 0.9.0), and it will be used to perform essentially what
the above code is doing.

Lemme know if this is enough to get you going, or if you'd like more
suggestions.

Cheers,

Les


On Mon, Mar 30, 2009 at 4:34 PM, Ryan McKinley <ry...@gmail.com> wrote:

> the use case is that i have an application that is packaged in various
> ways.
>
> In one case it is a localhost only app with *no* accounts  -- not even the
> concept of accounts (if you can get to the machine you can do anything)
> In another it has a single "root" account.
> In another it has configurable accounts.
>
> The goal is to write UI code targeted for the most complex cases, but
> transparently work even in the absence of accounts.
>
> - - - - - - -
>
> How do people use Ki security to manage authorization for anonymous users?
>  How would I allow access to some features for users that come from one IP
> address and block them for another?  In some cases, don't even want to have
> a log-in option.  I'm wondering if there is an automatic way to give each
> HTTP session/request a default subject (or something like that).
>
> The other option I see is to add a layer in between my app and Ki that
> checks what mode it is in before resolving authorization.  Perhaps this
> makes more sense.
>
> ryan
>
>
>
> On Mar 30, 2009, at 4:04 PM, Les Hazlewood wrote:
>
> Ryan, I'm curious:  why would you want such a policy?
>
> If you do this, then _any_ anonymous user could do really crazy things,
> like change configuration, create/delete users, or anything else that could
> be considered potentially 'dangerous' allowed by the application.  This is
> very odd from a security perspective.
>
> Instead, what is more common, is that you create at least a default 'root'
> account that has one role and that role has the AllPermission assigned to
> it.  (or a WildcardPermission equal to "*").  If you're testing features
> enabled/disabled, it's easiest just to log in as 'root' rather than expose
> your entire application...
>
> On Mon, Mar 30, 2009 at 2:42 PM, Ryan McKinley <ry...@gmail.com> wrote:
>
>> Ahhh -- that makes sense.
>>
>> ... slowly figuring how the pieces fit together..
>>
>> thanks
>> ryan
>>
>>
>> On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:
>>
>> Hey Ryan,
>> How are you trying to check authorization of a user?  Are you using the
>> Subject interface or accessing the SecurityManager?
>>
>> If you use the Subject interface, it will not say you are authorized until
>> after you've authenticated - since the Subject isn't associated with any
>> principals until authentication takes place.
>>
>> However you should be able to perform authorization for a user without
>> them being authenticated by accessing the SecurityManager directly.  Simply
>> call SecurityManager.isPermitted(PrincipalCollection, permissions),
>> SecurityManager.hasRole(PrincipalCollection, role), etc.
>>
>> Jeremy
>>
>>
>> On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
>>
>> Hello-
>> I'm starting to grok how Ki is structured and who is responsible for
>> what.  As mentioned, I am building an app where I want any user to be able
>> to do anything until security is enabled, then I want to check some
>> configured Realm for authentication etc.
>>
>> The key thing I realized is that I need to limit access based on
>> "hasPermission" rather than "isInRole" -- this way an Authorizer could just
>> return 'new AllPermission()'
>>
>> I have a SecurityManager configured with a ModularRealmAuthorizer to grant
>> all permissions:
>>
>>     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
>>     realms.add( new FullAccessRealm() );
>>     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
>>     sm.setAuthorizer( authz );
>>
>> This seems to work fine *after* the user has authenticated, but I want
>> this to work *before* they authenticate.
>>
>> Any pointers?  Does Authorization only get called when
>> Authentication succeeds?
>>
>> Do I have to automatically authenticate with an 'anonymous' user account
>> and then use that for Authorization?  If so, how do I automatically
>> authenticate (so the user *never* sees a login box)?
>>
>> thanks again
>> ryan
>>
>>
>>
>>
>
>

Re: Authorization without Authentication?

Posted by Ryan McKinley <ry...@gmail.com>.
The use case is that I have an application that is packaged in various  
ways.

In one case it is a localhost only app with *no* accounts  -- not even  
the concept of accounts (if you can get to the machine you can do  
anything)
In another it has a single "root" account.
In another it has configurable accounts.

The goal is to write UI code targeted for the most complex cases, but  
transparently work even in the absence of accounts.

- - - - - - -

How do people use Ki security to manage authorization for anonymous  
users?  How would I allow access to some features for users that come  
from one IP address and block them for another?  In some cases, don't  
even want to have a log-in option.  I'm wondering if there is an  
automatic way to give each HTTP session/request a default subject (or  
something like that).

The other option I see is to add a layer in between my app and Ki that  
checks what mode it is in before resolving authorization.  Perhaps  
this makes more sense.

ryan



On Mar 30, 2009, at 4:04 PM, Les Hazlewood wrote:

> Ryan, I'm curious:  why would you want such a policy?
>
> If you do this, then _any_ anonymous user could do really crazy  
> things, like change configuration, create/delete users, or anything  
> else that could be considered potentially 'dangerous' allowed by the  
> application.  This is very odd from a security perspective.
>
> Instead, what is more common, is that you create at least a default  
> 'root' account that has one role and that role has the AllPermission  
> assigned to it.  (or a WildcardPermission equal to "*").  If you're  
> testing features enabled/disabled, it's easiest just to log in as  
> 'root' rather than expose your entire application...
>
> On Mon, Mar 30, 2009 at 2:42 PM, Ryan McKinley <ry...@gmail.com>  
> wrote:
> Ahhh -- that makes sense.
>
> ... slowly figuring how the pieces fit together..
>
> thanks
> ryan
>
>
> On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:
>
>> Hey Ryan,
>>
>> How are you trying to check authorization of a user?  Are you using  
>> the Subject interface or accessing the SecurityManager?
>>
>> If you use the Subject interface, it will not say you are  
>> authorized until after you've authenticated - since the Subject  
>> isn't associated with any principals until authentication takes  
>> place.
>>
>> However you should be able to perform authorization for a user  
>> without them being authenticated by accessing the SecurityManager  
>> directly.  Simply call  
>> SecurityManager.isPermitted(PrincipalCollection, permissions),  
>> SecurityManager.hasRole(PrincipalCollection, role), etc.
>>
>> Jeremy
>>
>>
>> On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
>>
>>> Hello-
>>>
>>> I'm starting to grok how Ki is structured and who is responsible  
>>> for what.  As mentioned, I am building an app where I want any  
>>> user to be able to do anything until security is enabled, then I  
>>> want to check some configured Realm for authentication etc.
>>>
>>> The key thing I realized is that I need to limit access based on  
>>> "hasPermission" rather than "isInRole" -- this way an Authorizer  
>>> could just return 'new AllPermission()'
>>>
>>> I have a SecurityManager configured with a ModularRealmAuthorizer  
>>> to grant all permissions:
>>>
>>>     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
>>>     realms.add( new FullAccessRealm() );
>>>     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
>>>     sm.setAuthorizer( authz );
>>>
>>> This seems to work fine *after* the user has authenticated, but I  
>>> want this to work *before* they authenticate.
>>>
>>> Any pointers?  Does Authorization only get called when  
>>> Authentication succeeds?
>>>
>>> Do I have to automatically authenticate with an 'anonymous' user  
>>> account and then use that for Authorization?  If so, how do I  
>>> automatically authenticate (so the user *never* sees a login box)?
>>>
>>> thanks again
>>> ryan
>>
>
>


Re: Authorization without Authentication?

Posted by Les Hazlewood <lh...@apache.org>.
Ryan, I'm curious:  why would you want such a policy?

If you do this, then _any_ anonymous user could do really crazy things, like
change configuration, create/delete users, or anything else that could be
considered potentially 'dangerous' allowed by the application.  This is very
odd from a security perspective.

Instead, what is more common, is that you create at least a default 'root'
account that has one role and that role has the AllPermission assigned to
it.  (or a WildcardPermission equal to "*").  If you're testing features
enabled/disabled, it's easiest just to log in as 'root' rather than expose
your entire application...

On Mon, Mar 30, 2009 at 2:42 PM, Ryan McKinley <ry...@gmail.com> wrote:

> Ahhh -- that makes sense.
>
> ... slowly figuring how the pieces fit together..
>
> thanks
> ryan
>
>
> On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:
>
> Hey Ryan,
> How are you trying to check authorization of a user?  Are you using the
> Subject interface or accessing the SecurityManager?
>
> If you use the Subject interface, it will not say you are authorized until
> after you've authenticated - since the Subject isn't associated with any
> principals until authentication takes place.
>
> However you should be able to perform authorization for a user without them
> being authenticated by accessing the SecurityManager directly.  Simply call
> SecurityManager.isPermitted(PrincipalCollection, permissions),
> SecurityManager.hasRole(PrincipalCollection, role), etc.
>
> Jeremy
>
>
> On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
>
> Hello-
> I'm starting to grok how Ki is structured and who is responsible for what.
>  As mentioned, I am building an app where I want any user to be able to do
> anything until security is enabled, then I want to check some configured
> Realm for authentication etc.
>
> The key thing I realized is that I need to limit access based on
> "hasPermission" rather than "isInRole" -- this way an Authorizer could just
> return 'new AllPermission()'
>
> I have a SecurityManager configured with a ModularRealmAuthorizer to grant
> all permissions:
>
>     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
>     realms.add( new FullAccessRealm() );
>     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
>     sm.setAuthorizer( authz );
>
> This seems to work fine *after* the user has authenticated, but I want this
> to work *before* they authenticate.
>
> Any pointers?  Does Authorization only get called when
> Authentication succeeds?
>
> Do I have to automatically authenticate with an 'anonymous' user account
> and then use that for Authorization?  If so, how do I automatically
> authenticate (so the user *never* sees a login box)?
>
> thanks again
> ryan
>
>
>
>

Re: Authorization without Authentication?

Posted by Jeremy Haile <jh...@fastmail.fm>.
The Subject interface is basically a proxy to the SecurityManager that  
knows "who it is".  So it knows what principals are associated with  
the Subject and provides convenience methods that when called actually  
delegate to the SecurityManager behind the scenes.

Feel free to ask more questions if I can help clear anything up!


On Mar 30, 2009, at 2:42 PM, Ryan McKinley wrote:

> Ahhh -- that makes sense.
>
> ... slowly figuring how the pieces fit together..
>
> thanks
> ryan
>
>
> On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:
>
>> Hey Ryan,
>>
>> How are you trying to check authorization of a user?  Are you using  
>> the Subject interface or accessing the SecurityManager?
>>
>> If you use the Subject interface, it will not say you are  
>> authorized until after you've authenticated - since the Subject  
>> isn't associated with any principals until authentication takes  
>> place.
>>
>> However you should be able to perform authorization for a user  
>> without them being authenticated by accessing the SecurityManager  
>> directly.  Simply call  
>> SecurityManager.isPermitted(PrincipalCollection, permissions),  
>> SecurityManager.hasRole(PrincipalCollection, role), etc.
>>
>> Jeremy
>>
>>
>> On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
>>
>>> Hello-
>>>
>>> I'm starting to grok how Ki is structured and who is responsible  
>>> for what.  As mentioned, I am building an app where I want any  
>>> user to be able to do anything until security is enabled, then I  
>>> want to check some configured Realm for authentication etc.
>>>
>>> The key thing I realized is that I need to limit access based on  
>>> "hasPermission" rather than "isInRole" -- this way an Authorizer  
>>> could just return 'new AllPermission()'
>>>
>>> I have a SecurityManager configured with a ModularRealmAuthorizer  
>>> to grant all permissions:
>>>
>>>     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
>>>     realms.add( new FullAccessRealm() );
>>>     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
>>>     sm.setAuthorizer( authz );
>>>
>>> This seems to work fine *after* the user has authenticated, but I  
>>> want this to work *before* they authenticate.
>>>
>>> Any pointers?  Does Authorization only get called when  
>>> Authentication succeeds?
>>>
>>> Do I have to automatically authenticate with an 'anonymous' user  
>>> account and then use that for Authorization?  If so, how do I  
>>> automatically authenticate (so the user *never* sees a login box)?
>>>
>>> thanks again
>>> ryan
>>
>


Re: Authorization without Authentication?

Posted by Ryan McKinley <ry...@gmail.com>.
Ahhh -- that makes sense.

... slowly figuring how the pieces fit together..

thanks
ryan


On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:

> Hey Ryan,
>
> How are you trying to check authorization of a user?  Are you using  
> the Subject interface or accessing the SecurityManager?
>
> If you use the Subject interface, it will not say you are authorized  
> until after you've authenticated - since the Subject isn't  
> associated with any principals until authentication takes place.
>
> However you should be able to perform authorization for a user  
> without them being authenticated by accessing the SecurityManager  
> directly.  Simply call  
> SecurityManager.isPermitted(PrincipalCollection, permissions),  
> SecurityManager.hasRole(PrincipalCollection, role), etc.
>
> Jeremy
>
>
> On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
>
>> Hello-
>>
>> I'm starting to grok how Ki is structured and who is responsible  
>> for what.  As mentioned, I am building an app where I want any user  
>> to be able to do anything until security is enabled, then I want to  
>> check some configured Realm for authentication etc.
>>
>> The key thing I realized is that I need to limit access based on  
>> "hasPermission" rather than "isInRole" -- this way an Authorizer  
>> could just return 'new AllPermission()'
>>
>> I have a SecurityManager configured with a ModularRealmAuthorizer  
>> to grant all permissions:
>>
>>     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
>>     realms.add( new FullAccessRealm() );
>>     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
>>     sm.setAuthorizer( authz );
>>
>> This seems to work fine *after* the user has authenticated, but I  
>> want this to work *before* they authenticate.
>>
>> Any pointers?  Does Authorization only get called when  
>> Authentication succeeds?
>>
>> Do I have to automatically authenticate with an 'anonymous' user  
>> account and then use that for Authorization?  If so, how do I  
>> automatically authenticate (so the user *never* sees a login box)?
>>
>> thanks again
>> ryan
>


Re: Authorization without Authentication?

Posted by Jeremy Haile <jh...@fastmail.fm>.
Hey Ryan,

How are you trying to check authorization of a user?  Are you using  
the Subject interface or accessing the SecurityManager?

If you use the Subject interface, it will not say you are authorized  
until after you've authenticated - since the Subject isn't associated  
with any principals until authentication takes place.

However you should be able to perform authorization for a user without  
them being authenticated by accessing the SecurityManager directly.   
Simply call SecurityManager.isPermitted(PrincipalCollection,  
permissions), SecurityManager.hasRole(PrincipalCollection, role), etc.

Jeremy


On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:

> Hello-
>
> I'm starting to grok how Ki is structured and who is responsible  
> for what.  As mentioned, I am building an app where I want any user  
> to be able to do anything until security is enabled, then I want to  
> check some configured Realm for authentication etc.
>
> The key thing I realized is that I need to limit access based on  
> "hasPermission" rather than "isInRole" -- this way an Authorizer  
> could just return 'new AllPermission()'
>
> I have a SecurityManager configured with a ModularRealmAuthorizer to  
> grant all permissions:
>
>     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
>     realms.add( new FullAccessRealm() );
>     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
>     sm.setAuthorizer( authz );
>
> This seems to work fine *after* the user has authenticated, but I  
> want this to work *before* they authenticate.
>
> Any pointers?  Does Authorization only get called when  
> Authentication succeeds?
>
> Do I have to automatically authenticate with an 'anonymous' user  
> account and then use that for Authorization?  If so, how do I  
> automatically authenticate (so the user *never* sees a login box)?
>
> thanks again
> ryan
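Added example, not code from anyone in this thread: it puts Les's RealmFactory suggestion (a factory that hands back an allow-everything realm in the localhost-only packaging and an ordinary account realm otherwise) and Jeremy's point about calling SecurityManager.isPermitted(PrincipalCollection, ...) directly before any login into one class. It assumes Apache Shiro 1.x (Ki's later name), so the package names, IniRealm, the "open"/"accounts" mode strings, the "anonymous" principal and the placeholder root password are my assumptions, not anything stated in the thread.

```java
// Added example, not from the thread. Assumes Apache Shiro 1.x (Ki's later name).
import java.util.Collection;
import java.util.Collections;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.AllPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.RealmFactory;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class ModeSelectingRealmFactory implements RealmFactory {
    /** Localhost-only packaging: no accounts exist, every permission check passes. */
    static final class OpenRealm extends AuthorizingRealm {
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addObjectPermission(new AllPermission()); // implies any permission asked for
            return info;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return null; // nothing to log in as in this mode
        }
    }

    private final String mode; // "open" or "accounts"; assumed to come from app config

    ModeSelectingRealmFactory(String mode) { this.mode = mode; }

    @Override
    public Collection<Realm> getRealms() {
        if ("open".equals(mode)) {
            return Collections.<Realm>singletonList(new OpenRealm());
        }
        // Single-root-account packaging: an ordinary realm whose 'admin' role holds "*".
        Ini ini = new Ini();
        ini.load("[users]\nroot = CHANGE-ME, admin\n[roles]\nadmin = *\n"); // placeholder password
        return Collections.<Realm>singletonList(new IniRealm(ini));
    }

    /** Before login a Subject has no principals, so ask the SecurityManager directly
     *  with an explicit PrincipalCollection; the check itself is identical in every mode. */
    static boolean anonymousIsPermitted(DefaultSecurityManager sm, String permission) {
        PrincipalCollection anonymous = new SimplePrincipalCollection("anonymous", "app");
        return sm.isPermitted(anonymous, permission);
    }

    public static void main(String[] args) {
        for (String mode : new String[] {"open", "accounts"}) {
            DefaultSecurityManager sm = new DefaultSecurityManager();
            sm.setRealms(new ModeSelectingRealmFactory(mode).getRealms());
            System.out.println(mode + " mode, anonymous config:write -> "
                    + anonymousIsPermitted(sm, "config:write")); // only the realm differs per mode
        }
    }
}
```

The same permission string is checked in both modes; only the realm the factory returns decides whether an anonymous PrincipalCollection passes, which is the property Les describes (all checks stay in place, the realm changes).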