Posted to user@shiro.apache.org by Debug82 <na...@hotmail.com> on 2018/04/29 10:54:12 UTC

Using Shiro to authenticate users from multiple ADs

Hello,

Here is my configuration:
I may have to manage authentication and authorization of multiple
applications. Each application may have its own AD, or several directories.

My question is: What would be the best way to handle this scenario?

Regards



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Using Shiro to authenticate users from multiple ADs

Posted by Debug82 <na...@hotmail.com>.
Got it,

Thanks a lot for your help

Regards



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Using Shiro to authenticate users from multiple ADs

Posted by Brian Demers <br...@gmail.com>.
Take a look at an existing Realm for a more concrete example; basically, you
just extend `AuthenticatingRealm` and implement the
`doGetAuthenticationInfo()` method.

Your custom logic would likely query your db and check to see if
authentication should happen from a DB realm or an LDAP realm. You might
have some logic like:

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
  // decide, e.g. from your DB record for token.getPrincipal(), which realm owns this user
  boolean authViaDB = ...;
  if (authViaDB) {
    return dbRealm.getAuthenticationInfo(token);
  } else {
    return adRealm.getAuthenticationInfo(token);
  }
}

I'm guessing the AD Realm portion will not be as simple, as you have the
connection information contained in your database (you would need to figure
out how you wanted to manage these connections: connection pool, configure
a new AD realm for each auth attempt, etc.).


On Mon, Apr 30, 2018 at 11:30 AM, Debug82 <na...@hotmail.com> wrote:

> Hi Brian,
>
> Thanks a lot for your prompt reply.
> It helps a lot.
>
> Just one question for the first option. How can I create a custom realm
> that
> delegates the authentication process to a JDBC or AD realm?
>
> Thanks again
>
> Regards
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>

Re: Using Shiro to authenticate users from multiple ADs

Posted by Debug82 <na...@hotmail.com>.
Hi Brian,

Thanks a lot for your prompt reply.
It helps a lot.

Just one question for the first option. How can I create a custom realm that
delegates the authentication process to a JDBC or AD realm?

Thanks again

Regards



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Using Shiro to authenticate users from multiple ADs

Posted by Brian Demers <br...@gmail.com>.
Got it!

You have a few options, but the most straightforward might be to lump all
of this logic into a single Realm (that realm could delegate to a JDBC
realm or AD realm).
This new realm would perform a query to see where the user needed to
authenticate from (local DB or AD), then add the permissions to the user (or
delegate that to another DB realm).

CustomRealm
  └ DB Realm or AD Realm (authenticate)
  └ DB Realm (authorize)

Or... getting slightly more involved, but moving the logic: you could
create a Shiro `Authenticator` which contains the logic to check if you
need to authenticate via your DB or AD, and a Shiro `Authorizer` that just
delegates to a DB realm to add the permissions to your Subject.

See DefaultSecurityManager's `setAuthorizer()` and `setAuthenticator()`.

Does that help?


On Mon, Apr 30, 2018 at 10:40 AM, Debug82 <na...@hotmail.com> wrote:

> Hello Brian,
>
> First, thank you for your reply.
>
> To be more specific, here are some details:
> I am implementing a REST API (security app) that manages authentication and
> authorization of multiple applications (mainly web applications) with a
> local database to persist managed applications, users, groups, roles and
> permissions (roles and permissions are associated with a particular
> application)
>
> - User and Group entities have an "isDirectory" field that tells us if the
> user/group is created in our security app or is imported from a directory.
> When the user/group should be imported from a directory, there are other
> fields that are required in the record (like the url, etc.) to be able to
> connect to this AD instance.
>
> - For authentication purposes, one application may have to talk to multiple
> AD instances (not federated) (when a user/group has isDirectory=true). The user
> can as well be created in my [local] security app database.
>
> - If a user is in an AD, some of its information will be loaded to the local
> database (like username and first name).
>
> - All authorization information (permissions) is created in my local
> security app database. That means that the authorization can only be
> performed against my local database.
>
> Please let me know if it is clear.
>
> Regards
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>
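
A fuller version of the single-realm approach Brian sketches in both of his replies (one realm that routes authentication to the local DB or to the user's own AD, and takes all permissions from the local DB), added here as an example; it is not Brian's code and not part of Shiro. It extends Shiro's `AuthorizingRealm` (the `AuthenticatingRealm` subclass that also covers authorization); the `LocalStore` interface is a hypothetical stand-in for the poster's security-app database, and the per-url cache of `ActiveDirectoryRealm` instances is one answer to the connection-management question raised above.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.*;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.subject.PrincipalCollection;

// One realm that routes authentication to the local DB or to the user's own AD, and authorizes locally.
public class RoutingRealm extends AuthorizingRealm {
    // Hypothetical view of the poster's local security-app DB (not a Shiro type).
    public interface LocalStore {
        Boolean isDirectory(String username);        // null when the user has no local record
        String directoryUrl(String username);        // the AD url stored on a directory user's record
        Set<String> permissionsFor(String username); // permissions live only in the local DB
    }

    private final LocalStore store;
    private final Realm localRealm;                   // e.g. a JdbcRealm over the same DB
    private final Map<String, ActiveDirectoryRealm> adRealms = new ConcurrentHashMap<>();

    public RoutingRealm(LocalStore store, Realm localRealm) {
        this.store = store; this.localRealm = localRealm;
        // The delegate already verified the password; without this, the outer realm's default
        // SimpleCredentialsMatcher would re-compare it with the delegate's stored (hashed) credentials and fail.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        Boolean viaDirectory = store.isDirectory(username);
        if (viaDirectory == null) throw new UnknownAccountException("no local record for " + username);
        Realm target = viaDirectory ? adRealmFor(store.directoryUrl(username)) : localRealm;
        return target.getAuthenticationInfo(token);   // the delegate throws on a bad password
    }

    // One ActiveDirectoryRealm per directory url, built on first use and reused, not per login attempt.
    private ActiveDirectoryRealm adRealmFor(String url) {
        return adRealms.computeIfAbsent(url, u -> {
            ActiveDirectoryRealm ad = new ActiveDirectoryRealm();
            ad.setUrl(u);
            ad.init();                                // creates the LDAP context factory
            return ad;
        });
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(store.permissionsFor((String) principals.getPrimaryPrincipal()));
        return info;
    }
}
```

Register only `RoutingRealm` with the `SecurityManager`; the delegate realms are owned by it and never see the `SecurityManager` directly.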

Re: Using Shiro to authenticate users from multiple ADs

Posted by Debug82 <na...@hotmail.com>.
Hello Brian,

First, thank you for your reply.

To be more specific, here are some details:
I am implementing a REST API (security app) that manages authentication and
authorization of multiple applications (mainly web applications) with a
local database to persist managed applications, users, groups, roles and
permissions (roles and permissions are associated with a particular
application)

- User and Group entities have an "isDirectory" field that tells us if the
user/group is created in our security app or is imported from a directory.
When the user/group should be imported from a directory, there are other
fields that are required in the record (like the url, etc.) to be able to
connect to this AD instance.

- For authentication purposes, one application may have to talk to multiple
AD instances (not federated) (when a user/group has isDirectory=true). The user
can as well be created in my [local] security app database.

- If a user is in an AD, some of its information will be loaded to the local
database (like username and first name).

- All authorization information (permissions) is created in my local
security app database. That means that the authorization can only be
performed against my local database.

Please let me know if it is clear.

Regards



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Using Shiro to authenticate users from multiple ADs

Posted by Brian Demers <br...@gmail.com>.
I'm not 100% sure what you are asking.  It sounds like each application is
configured with a different AD, so that would imply each application is
different, meaning we can talk about them separately.

Does each application need to talk to multiple AD instances or are they
already federated somehow?

On Sun, Apr 29, 2018 at 6:54 AM, Debug82 <na...@hotmail.com> wrote:

> Hello,
>
> Here is my configuration:
> I may have to manage authentication and authorization of multiple
> applications. Each application may have its own AD, or several
> directories.
>
> My question is: What would be the best way to handle this scenario?
>
> Regards
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>