Posted to user@shiro.apache.org by Manuel Sopena Ballesteros <ma...@garvan.org.au> on 2019/12/05 04:31:10 UTC

url access against Active Directory group

Dear Apache Shiro community,

I am trying to set up Apache Shiro to restrict access to specific URLs based on Active Directory:

activeDirectoryRealm.groupRolesMap = "CN=my group,OU=Groups,OU=my folder,DC=ad,DC=mydomain,DC=com":"admin"

[roles]
role1 = *
role2 = *
role3 = *
admin = *

[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/** = authc

Questions:
For some reason this is not working and users who are members of "my group" cannot access the /api/interpreter/** websites.
Also, do I need to escape white spaces?

Thank you
NOTICE
Please consider the environment before printing this email. This message and any attachments are intended for the addressee named and may contain legally privileged/confidential/copyright information. If you are not the intended recipient, you should not read, use, disclose, copy or distribute this communication. If you have received this message in error please notify us at once by return email and then delete both messages. We accept no liability for the distribution of viruses or similar in electronic communications. This notice should not be removed.

Re: url access against Active Directory group

Posted by Brian Demers <br...@gmail.com>.
It's been a while since I've used AD, and it's possible you need to escape
the white space, but my first suggestion would be to double-check the
roles/groups that are returned for the user.
You could either dump them out from your application or set a breakpoint in
`org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm.getRoleNamesForGroups()`

I'm guessing you also _don't_ need the `[roles]` block (though that depends
on how your realms are configured)

Please keep us posted!

On Wed, Dec 4, 2019 at 11:31 PM Manuel Sopena Ballesteros <
manuel.sb@garvan.org.au> wrote:

> Dear Apache Shiro community,
>
>
>
> I am trying to set up Apache Shiro to restrict access to specific URLs
> based on Active Directory:
>
>
>
> activeDirectoryRealm.groupRolesMap = "CN=my group,OU=Groups,OU=my
> folder,DC=ad,DC=mydomain,DC=com":"admin"
>
>
>
> [roles]
>
> role1 = *
>
> role2 = *
>
> role3 = *
>
> admin = *
>
>
>
> [urls]
>
> /api/version = anon
>
> /api/interpreter/** = authc, roles[admin]
>
> /** = authc
>
>
>
> Questions:
>
> For some reason this is not working and users who are members of “my group”
> cannot access the /api/interpreter/** websites.
>
> Also, do I need to escape white spaces?
>
>
>
> Thank you
>
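
One way to dump the groups and roles as suggested in the reply above, written as an added example (not code from this thread or from the Shiro project). It assumes the realm in use is Shiro's own `ActiveDirectoryRealm` and that SLF4J is on the classpath; the package and class name `com.example.shiro.LoggingActiveDirectoryRealm` are hypothetical.

```java
package com.example.shiro; // hypothetical package, adjust to your application

import java.util.Collection;
import java.util.Map;

import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Diagnostic realm: logs the groupRolesMap keys as they were parsed from the
 * configuration, the group names handed to the role lookup, and the roles that
 * come back. All real work is delegated to the stock ActiveDirectoryRealm.
 */
public class LoggingActiveDirectoryRealm extends ActiveDirectoryRealm {

    private static final Logger log =
            LoggerFactory.getLogger(LoggingActiveDirectoryRealm.class);

    @Override
    public void setGroupRolesMap(Map<String, String> groupRolesMap) {
        // Brackets make stray quotes and leading/trailing whitespace visible.
        for (Map.Entry<String, String> e : groupRolesMap.entrySet()) {
            log.info("Configured mapping: group [{}] -> roles [{}]",
                    e.getKey(), e.getValue());
        }
        super.setGroupRolesMap(groupRolesMap);
    }

    @Override
    protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames) {
        for (String group : groupNames) {
            log.info("Group returned for user: [{}]", group);
        }
        Collection<String> roles = super.getRoleNamesForGroups(groupNames);
        if (roles.isEmpty()) {
            // Compare the two sets of bracketed strings logged above.
            log.warn("None of the {} group(s) above matched a groupRolesMap key",
                    groupNames.size());
        } else {
            log.info("Roles resolved for user: {}", roles);
        }
        return roles;
    }
}
```

To use it, point the `activeDirectoryRealm` definition in the INI at this class instead of the stock realm and compare the logged group strings with the logged map keys.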