Posted to user@shiro.apache.org by Nishant Jain <ni...@gmail.com> on 2009/04/30 16:13:10 UTC

Using Ki just for Authorization?

Hi,
I have to implement role-based authorization in a web-based application. Can
I use only authorization from JSecurity?
I don't need authentication, as it is already provided by the company's
common login page. Is there a way I can create a SecurityManager with just
the role-based permissions, e.g. if the role is "user" then there are some sets
of permissions, and if the role is "admin" then there is a different set of
permissions?


-- 
View this message in context: http://n2.nabble.com/Using-Ki-just-for-Authorization--tp2747338p2747338.html
Sent from the JSecurity User mailing list archive at Nabble.com.


Re: Using Ki just for Authorization?

Posted by Nishant Jain <ni...@gmail.com>.
Hi,
Thanks for the reply.

I am trying to implement the example from Bruce Phillips' blog
(http://www.brucephillips.name/blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners--Tutorial-Part-4)
which does both authentication and authorization. In the code I am trying to
override the supports(AuthenticationToken) method to always return false,
which means it should allow everyone to enter through the login page; instead,
it is not allowing even a valid user to enter the website.
The code at that login page is doing the following:
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    Subject subject = SecurityUtils.getSubject();
    subject.login(token);
    if (subject.hasRole("admin")) {
        // do something
    } else {
        // do something
    }

It is failing at the subject.login(token) part throwing the following
exception - org.jsecurity.authc.pam.UnsupportedTokenException: Realm
[name.brucephillips.rolesecurity.dao.RoleSecurityJdbcRealm@1cacaa7] does not
support authentication token [org.jsecurity.authc.UsernamePasswordToken -
sue@hotmail.com, rememberMe=false].

What is the way to avoid doing authentication at this part? I want to
find that person's role in the subject and then authorize him based on the
role.

Thanks!!
Nishant


Les Hazlewood-2 wrote:
> 
> Hi Nishant,
> 
> Yep, you can do this easily.  Apache Ki's Realm implementations support
> both Authentication and Authorization.
> 
> Just configure one realm where the Realm.supports(AuthenticationToken)
> method always returns false.  Then that realm will never be consulted for
> Authentication, leaving it to only perform Authorization.
> 
> Cheers,
> 
> Les



Re: Using Ki just for Authorization?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Nishant,

Yep, you can do this easily.  Apache Ki's Realm implementations support
both Authentication and Authorization.

Just configure one realm where the Realm.supports(AuthenticationToken)
method always returns false.  Then that realm will never be consulted for
Authentication, leaving it to only perform Authorization.

Cheers,

Les

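
An added example, not code from this thread or from the project: a realm that only authorizes, written against the Apache Shiro 1.x API (the project's later name; the org.apache.shiro package names, the AuthzOnlyDemo and AuthzOnlyRealm class names and the sample users are assumptions). Instead of calling subject.login(token), which no realm here will accept, it builds the Subject from the identity the external login page has already verified and then checks roles.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class AuthzOnlyDemo {
    // Constructed sample data (user -> roles); a real realm would query the role store.
    static final Map<String, Set<String>> ROLES = Map.of(
            "sue@example.com", Set.of("admin"),
            "bob@example.com", Set.of("user"));

    static class AuthzOnlyRealm extends AuthorizingRealm {
        @Override
        public boolean supports(AuthenticationToken token) {
            return false; // this realm is never consulted for authentication
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return null; // not reached, because supports() rejects every token
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRoles(ROLES.getOrDefault(user, Set.of())); // unknown user gets no roles
            return info;
        }
    }

    public static void main(String[] args) {
        AuthzOnlyRealm realm = new AuthzOnlyRealm();
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        // Assumption: externalUser is supplied by the trusted login layer, never by a request parameter.
        String externalUser = "sue@example.com";
        Subject subject = new Subject.Builder(sm)
                .principals(new SimplePrincipalCollection(externalUser, realm.getName()))
                .authenticated(true) // authentication already happened outside this application
                .buildSubject();
        System.out.println("admin: " + subject.hasRole("admin"));
        System.out.println("user:  " + subject.hasRole("user"));
    }
}
```

Running it requires shiro-core and a logging binding on the classpath.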