Posted to user@shiro.apache.org by Paul Holding <pa...@pholding.co.uk> on 2013/05/29 14:05:25 UTC

Verify if username exists within a realm without authenticating the user

Does Shiro provide any functionality out of the box to verify that a username
exists within a realm (without authenticating the user), or is this
something that I would need to check independently of Shiro?

The reason for the question is I'm looking to use Shiro's RunAs feature by
using the following code in a backing bean, however I've found that Shiro
does not check whether the username specified exists before running as the
new identity. 

Subject currentUser = SecurityUtils.getSubject();
PrincipalCollection newIdentity = new SimplePrincipalCollection(username,
realmname);
currentUser.runAs(newIdentity);

Also, is there a better way of building the PrincipalCollection for the user
whose identity we want to assume, so that the realm(s) specified in
shiro.ini are used rather than being hard coded?




Re: Verify if username exists within a realm without authenticating the user

Posted by Les Hazlewood <lh...@apache.org>.
Hi Paul,

> Does Shiro provide any functionality out of the box to verify that a username
> exists within a realm (without authenticating the user), or is this
> something that I would need to check independently of Shiro?

If your Realm subclasses AuthenticatingRealm, you can call
doGetAuthenticationInfo if you like.  This method (for most realms)
does not perform any credentials comparison - it only does the account
lookup from the underlying data store (Realm implementations are free
to do authentication-specific behavior in this method though, so it
really depends on the Realm implementation if it does a pure lookup
only or if other authc logic executes.  Most Shiro default realms only
do account lookups and nothing else, but check your realm
implementation to be sure).

However, this API exists primarily for Shiro's needs.  While you could
use it for your own purposes, I usually recommend that such
functionality for your own needs be in a separate component (e.g.
UserStore? UserManager?, etc).  Then your realm implementation and
your own code can point to the same component, decoupling you from
Shiro's API for your specific needs.

> The reason for the question is I'm looking to use Shiro's RunAs feature by
> using the following code in a backing bean, however I've found that Shiro
> does not check whether the username specified exists before running as the
> new identity.
>
> Subject currentUser = SecurityUtils.getSubject();
> PrincipalCollection newIdentity = new SimplePrincipalCollection(username,
> realmname);
> currentUser.runAs(newIdentity);
>
> Also, is there a better way of building the PrincipalCollection for the user
> whose identity we want to assume, so that the realm(s) specified in
> shiro.ini are used rather than being hard coded?

If a realm extends CachingRealm (all of Shiro's default Realm
implementations do), you can call realm.getName() and then use that.
Nameable Realms configured in shiro.ini will automatically be named
(realm.setName called) based on the object ID used in shiro.ini.

If you construct the PrincipalCollection inside a realm however, you
can simply call:

new SimplePrincipalCollection(username, getName());

HTH,
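
One way to combine the advice in this thread, as an added example that is not part of the original messages and is not Shiro's own code: the RunAs target is checked against an application-owned lookup before Subject.runAs is called, and the realm name comes from realm.getName(). UserStore, RunAsService and the "user:runas" permission string are hypothetical names, and the caller permission check is an assumption about how the application authorizes this feature.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical application-owned account lookup; the realm can use it too. */
interface UserStore {
    boolean exists(String username);
}

/** Hypothetical helper that validates a RunAs target before assuming it. */
public class RunAsService {
    // Assumed permission string; use whatever your authorization model defines.
    private static final String RUN_AS_PERMISSION = "user:runas";

    private final UserStore userStore;
    private final Realm realm; // the realm instance configured in shiro.ini

    public RunAsService(UserStore userStore, Realm realm) {
        this.userStore = userStore;
        this.realm = realm;
    }

    public void runAs(String username) {
        Subject currentUser = SecurityUtils.getSubject();
        // Authorize the caller first; throws AuthorizationException if not permitted.
        currentUser.checkPermission(RUN_AS_PERMISSION);
        // Subject.runAs does not look the account up, so reject unknown names here.
        if (username == null || !userStore.exists(username)) {
            throw new IllegalArgumentException("Unknown RunAs target");
        }
        // realm.getName() replaces the hard-coded realm name.
        PrincipalCollection newIdentity =
                new SimplePrincipalCollection(username, realm.getName());
        currentUser.runAs(newIdentity);
    }

    public void stop() {
        Subject currentUser = SecurityUtils.getSubject();
        if (currentUser.isRunAs()) {
            currentUser.releaseRunAs(); // returns to the original identity
        }
    }
}
```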