Posted to user@shiro.apache.org by Sebastian_K <kw...@gmx.net> on 2008/09/24 00:06:38 UTC

Multiple Realms, one for Authentikation, one for Authorization

Hi,

is it possible to use one Realm for authentication (e.g. PropertiesRealm
only with password information) and then after login another Realm for
authorization (e.g. JdbcRealm with no password information but with
user-role-permission information)?

I tried this, but that's definitely wrong:

DefaultSecurityManager securityManager = new DefaultSecurityManager();
securityManager.setRealm(propertiesRealm);

UsernamePasswordToken token = new UsernamePasswordToken("sebastian", "secret");
token.setRememberMe(true);
Subject user = securityManager.login(token);
/*...*/ user.isAuthenticated();
securityManager.setRealm(jdbcRealm);
user = SecurityUtils.getSubject();
/*...*/ user.hasRole("clerk");

I get a NoSuchElementException:
Exception in thread "main" java.util.NoSuchElementException
	at java.util.Collections$EmptySet$1.next(Collections.java:2912)
	at java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
	at org.jsecurity.realm.jdbc.JdbcRealm.doGetAuthorizationInfo(JdbcRealm.java:265)
	at org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:279)
	at org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
	at org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
	at org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
	at org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
	at JDBCSample.main(JDBCSample.java:54)

Can somebody help me please.

Sebastian

-- 
View this message in context: http://n2.nabble.com/Multiple-Realms%2C-one-for-Authentikation%2C-one-for-Authorization-tp1113845p1113845.html
Sent from the JSecurity User mailing list archive at Nabble.com.


Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Brian Demers <br...@gmail.com>.
There are two basic ways to assign permissions to a subject: through a
realm directly, or the RolePermissionResolver (which basically just maps a
role assigned from a realm to a list of permissions).

This is useful when mapping between user groups and application permissions
(such as "myapp:somefunction:write").

On Fri, Jan 29, 2016 at 1:24 PM, jonathan.labin <jo...@gmail.com>
wrote:

> Ok.  But it appears to me that in the context of a multi-realm situation, a
> role that is granted by one realm cannot be used by the second realm to
> impart permissions to the user.  Each realm considers only the roles that
> it
> applies to the user when determining permissions?
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580942.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by "jonathan.labin" <jo...@gmail.com>.
Ok.  But it appears to me that in the context of a multi-realm situation, a
role that is granted by one realm cannot be used by the second realm to
impart permissions to the user.  Each realm considers only the roles that it
applies to the user when determining permissions?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580942.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Brian Demers <br...@gmail.com>.
Sorry, I responded too quickly.   Just to clear this up...  A realm can
assign roles and/or permissions to a subject (user).  So you could end up
with roles/permissions from multiple realms (if that is what you are
looking for).

Your application could resolve roles to permissions by using a
RolePermissionResolver

http://shiro.apache.org/authorization.html#Authorization-Configuringaglobal%7B%7BRolePermissionResolver%7D%7D



On Fri, Jan 29, 2016 at 11:44 AM, Brian Demers <br...@gmail.com>
wrote:

> Yes, that was one of the initial reasons I started using Shiro.
>
> On Fri, Jan 29, 2016 at 11:13 AM, jonathan.labin <jonathan.labin@gmail.com
> > wrote:
>
>> Can permissions be defined in one realm while the role that gives those
>> permissions is given a different realm?
>>
>>
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580934.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>
>

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Brian Demers <br...@gmail.com>.
Yes, that was one of the initial reasons I started using Shiro.

On Fri, Jan 29, 2016 at 11:13 AM, jonathan.labin <jo...@gmail.com>
wrote:

> Can permissions be defined in one realm while the role that gives those
> permissions is given a different realm?
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580934.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by "jonathan.labin" <jo...@gmail.com>.
Can permissions be defined in one realm while the role that gives those
permissions is given a different realm?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580934.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Brian Demers <br...@gmail.com>.
Yes, for your subclass, just configure the ini file [or for testing you
could just call SecurityManager.setRealms()]
http://shiro.apache.org/authentication.html#Authentication-RealmAuthenticationOrder

On Wed, Jan 27, 2016 at 5:09 PM, jonathan.labin <jo...@gmail.com>
wrote:

> Is this still the recommended approach for a separate authorization realm?
>
> For testing purposes, how would I get Shiro to load my subclassed version
> of
> the iniRealm?
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580919.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by "jonathan.labin" <jo...@gmail.com>.
Is this still the recommended approach for a separate authorization realm?

For testing purposes, how would I get Shiro to load my subclassed version of
the iniRealm?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580919.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Les Hazlewood <le...@hazlewood.com>.
Hi Sebastian,

Yes, this is possible and usually recommended.

A Realm is essentially a security-specific DAO.  Since DAOs usually
use a single datasource API (JDBC or Hibernate or File I/O, etc), it
is common to have one Realm per datasource.

So, using your example, you can use the PropertiesRealm out of the box
for logins.  Then you can configure a JdbcRealm.  But since you don't
want the JdbcRealm to perform authentication duties (just
authorization), you can subclass it and override the
'supports(AuthenticationToken token)' method to always return false:

import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.realm.jdbc.JdbcRealm;

public class MyJdbcRealm extends JdbcRealm {
    ...
    // Opt out of authentication entirely: the authenticator only hands a
    // login token to realms whose supports() returns true.
    public boolean supports( AuthenticationToken token ) {
        return false;
    }
    ...
}

This way the JdbcRealm will never attempt to process a login attempt.

Here's how you would set it up for testing or in a _standalone_
environment without a configuration container such as JEE, IoC or web
environments.  These environments almost always use the
JSecurityFilter in web.xml instead:

IniConfiguration config = new IniConfiguration();
//the following call will automatically use jsecurity.ini at the root of the classpath:
config.init();

//This is for Standalone (single-VM) applications that don't use a
//configuration container (Spring, JBoss, etc)
//See its JavaDoc for our feelings on this.
SecurityUtils.setSecurityManager(config.getSecurityManager());

/* ** The code below here would be used in all environments - testing,
standalone, JEE, web container, etc: ** */
Subject currentUser = SecurityUtils.getSubject();

//login:
currentUser.login( new UsernamePasswordToken( username, password, rememberMe ) );

...
currentUser.logout();

Note that with this code, you configure your realms inside of
jsecurity.ini which resides at the root of the classpath.  If you
don't want it at the root of the classpath, you can put it somewhere
else and then specify that path to the IniConfiguration object before
calling init().

I hope that helps!

Regards,

Les

On Tue, Sep 23, 2008 at 6:06 PM, Sebastian_K <kw...@gmx.net> wrote:
>
> Hi,
>
> is it possible to use one Realm for authentication (e.g. PropertiesRealm
> only with password information) and then after login another Realm for
> authorization (e.g. JdbcRealm with no password information but with
> user-role-permission information)?
>
> I tried this, but that's definitely wrong:
>
> DefaultSecurityManager securityManager = new DefaultSecurityManager();
> securityManager.setRealm(propertiesRealm);
>
> UsernamePasswordToken token = new UsernamePasswordToken("sebastian",
> "secret" );
> token.setRememberMe(true);
> Subject user = securityManager.login(token);
> /*...*/ user.isAuthenticated();
> securityManager.setRealm(jdbcRealm);
> user = SecurityUtils.getSubject();
> /*...*/ user.hasRole("clerk");
>
> I get a NoSuchElementException
> Exception in thread "main" java.util.NoSuchElementException
>        at java.util.Collections$EmptySet$1.next(Collections.java:2912)
>        at
> java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
>        at
> org.jsecurity.realm.jdbc.JdbcRealm.doGetAuthorizationInfo(JdbcRealm.java:265)
>        at
> org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:279)
>        at org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
>        at
> org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
>        at
> org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
>        at
> org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
>        at JDBCSample.main(JDBCSample.java:54)
>
> Can somebody help me please.
>
> Sebastian
>
> --
> View this message in context: http://n2.nabble.com/Multiple-Realms%2C-one-for-Authentikation%2C-one-for-Authorization-tp1113845p1113845.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>
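
The two-realm arrangement Les describes above (an authentication realm next to an authorization-only realm whose supports() returns false, installed with setRealms() as Brian suggests for testing) together with the RolePermissionResolver from Brian's post, as one added example that is not code from the thread or from the Shiro project. It uses the current Apache Shiro API (org.apache.shiro.*) rather than the JSecurity 0.9 API of Les's reply. SimpleAccountRealm stands in for the PropertiesRealm; the in-memory RoleLookupRealm and StaticRolePermissionResolver stand in for the JdbcRealm and its tables; the class names and the account, role and permission data are constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class SplitRealmExample {

    /** Authorization-only realm (hypothetical); stands in for the thread's JdbcRealm. */
    static class RoleLookupRealm extends AuthorizingRealm {
        // Constructed sample data standing in for a user -> roles table.
        private final Map<String, Set<String>> rolesByUser;

        RoleLookupRealm(Map<String, Set<String>> rolesByUser) {
            this.rolesByUser = rolesByUser;
            setName("roleLookupRealm");
        }

        // Never take part in login: the authentication realm alone owns passwords.
        @Override
        public boolean supports(AuthenticationToken token) {
            return false;
        }

        // Unreachable while supports() is false, but AuthorizingRealm declares it abstract.
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            throw new UnsupportedOperationException(getName() + " does not authenticate");
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // The principal was issued by the other realm, so read the primary principal
            // rather than principals.fromRealm(getName()), which would be empty here.
            String username = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.setRoles(rolesByUser.getOrDefault(username, Collections.<String>emptySet()));
            return info;
        }
    }

    /** Maps a role name to application permissions (hypothetical resolver). */
    static class StaticRolePermissionResolver implements RolePermissionResolver {
        private final Map<String, Collection<Permission>> permsByRole;

        StaticRolePermissionResolver(Map<String, Collection<Permission>> permsByRole) {
            this.permsByRole = permsByRole;
        }

        @Override
        public Collection<Permission> resolvePermissionsInRole(String roleString) {
            return permsByRole.getOrDefault(roleString, Collections.<Permission>emptySet());
        }
    }

    static DefaultSecurityManager buildSecurityManager() {
        // Authentication-only realm: knows passwords, assigns no roles (constructed account).
        SimpleAccountRealm authcRealm = new SimpleAccountRealm("accountRealm");
        authcRealm.addAccount("sebastian", "secret");

        Map<String, Set<String>> rolesByUser = new HashMap<>();
        rolesByUser.put("sebastian", new HashSet<>(Arrays.asList("clerk")));
        RoleLookupRealm authzRealm = new RoleLookupRealm(rolesByUser);

        // Role -> permission mapping attached to the realm that assigns the role.
        Map<String, Collection<Permission>> permsByRole = new HashMap<>();
        permsByRole.put("clerk", Arrays.<Permission>asList(
                new WildcardPermission("myapp:somefunction:write")));
        authzRealm.setRolePermissionResolver(new StaticRolePermissionResolver(permsByRole));

        // Realm order matters for authentication only; every realm is consulted for authorization.
        return new DefaultSecurityManager(Arrays.<Realm>asList(authcRealm, authzRealm));
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("sebastian", "secret"));
        System.out.println("authenticated: " + currentUser.isAuthenticated());
        System.out.println("has role clerk: " + currentUser.hasRole("clerk"));
        System.out.println("may write: " + currentUser.isPermitted("myapp:somefunction:write"));
        System.out.println("may delete: " + currentUser.isPermitted("myapp:somefunction:delete"));
        currentUser.logout();
    }
}
```

Two points the wiring illustrates. First, the stack trace in Sebastian's post ends in JdbcRealm.doGetAuthorizationInfo calling next() on an empty set, which is what a realm sees when it searches the PrincipalCollection only for principals it issued itself; an authorization-only realm has to accept the principal the authentication realm produced, which is why the example reads getPrimaryPrincipal(). Second, an AuthorizingRealm runs its RolePermissionResolver over the roles in the AuthorizationInfo it returned, so the resolver is attached to the realm that assigns the roles, matching the per-realm behaviour jonathan asks about later in the thread.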

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Sebastian_K <kw...@gmx.net>.

Animesh Jain wrote:
> 
> 
> You could create your own realm implementation to do this (extend
> AuthorizingRealm).
> 
> and implement doGetAuthenticationInfo to read values from your property
> file
> 
> and implement doGetAuthorizationInfo to read values from your database
> 
> 

Thanks, I look into that.
-- 
View this message in context: http://n2.nabble.com/Multiple-Realms%2C-one-for-Authentikation%2C-one-for-Authorization-tp1113845p1114674.html
Sent from the JSecurity User mailing list archive at Nabble.com.


Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Animesh Jain <an...@itasveer.com>.
Hi Sebastian

You could create your own realm implementation to do this (extend
AuthorizingRealm).

and implement doGetAuthenticationInfo to read values from your property file

and implement doGetAuthorizationInfo to read values from your database

Kind regards
Animesh


On Wed, Sep 24, 2008 at 3:36 AM, Sebastian_K <kw...@gmx.net> wrote:

>
> Hi,
>
> is it possible to use one Realm for authentication (e.g. PropertiesRealm
> only with password information) and then after login another Realm for
> authorization (e.g. JdbcRealm with no password information but with
> user-role-permission information)?
>
> I tried this, but that's definitely wrong:
>
> DefaultSecurityManager securityManager = new DefaultSecurityManager();
> securityManager.setRealm(propertiesRealm);
>
> UsernamePasswordToken token = new UsernamePasswordToken("sebastian",
> "secret" );
> token.setRememberMe(true);
> Subject user = securityManager.login(token);
> /*...*/ user.isAuthenticated();
> securityManager.setRealm(jdbcRealm);
> user = SecurityUtils.getSubject();
> /*...*/ user.hasRole("clerk");
>
> I get a NoSuchElementException
> Exception in thread "main" java.util.NoSuchElementException
>        at java.util.Collections$EmptySet$1.next(Collections.java:2912)
>        at
> java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
>        at
>
> org.jsecurity.realm.jdbc.JdbcRealm.doGetAuthorizationInfo(JdbcRealm.java:265)
>        at
>
> org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:279)
>        at
> org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
>        at
>
> org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
>        at
>
> org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
>        at
> org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
>        at JDBCSample.main(JDBCSample.java:54)
>
> Can somebody help me please.
>
> Sebastian
>
> --
> View this message in context:
> http://n2.nabble.com/Multiple-Realms%2C-one-for-Authentikation%2C-one-for-Authorization-tp1113845p1113845.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>