Posted to user@shiro.apache.org by "jim.piersol@gmail.com" <ji...@gmail.com> on 2018/12/06 20:01:06 UTC

Multiple Realms for Authentication & Authorization

I have multiple Realms configured.  For this argument, let's say I have two
different LDAP Realms set up.  When I attempt login (webapp...) I hit the
queryForAuthenticationInfo(...) method of both Realms. Even when using the
FirstSuccessfulStrategy...  So let's say one of the two Realms passes
Authentication for the user and the 2nd one fails to Authenticate.

1.) Even if the 1st one succeeds, I still see the 2nd Realm being
attempted... 

2.) Then when checking for Authorization, the queryForAuthorizationInfo(...)
method gets called for BOTH Realms, even though only one succeeded during
Authentication.

Is there a proper way to control Authorization to only being called on the
Realm that passed Authentication?

This sounds simple from my point of view, but may sound like nonsense to
others.
Thanks.



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Multiple Realms for Authentication & Authorization

Posted by Brian Demers <bd...@apache.org>.
I cannot find an example offhand, but I've had to work around this before.
Your best bet is to create your own AuthenticationStrategy (possibly
extend ModularRealmAuthenticator and change/wrap the
`doMultiRealmAuthentication` method).

On Fri, Dec 7, 2018 at 10:03 AM jim.piersol@gmail.com <ji...@gmail.com>
wrote:

> Sadly, it doesn't appear to do what it sounds like it should.  I have the
> FirstSuccessfulStrategy in place.  When my first Realm is checked,
> authentication is successful, but my second Realm is still checked anyway.
> It happens to fail, but I am still Authenticated into my App.  So it is
> good
> that I get logged in ok, but odd that it keeps checking both Realms, even
> though the first one succeeds.
>
> The 2nd part, and the real issue I have, is that when checking for
> Authorization (after getting logged in ok), we check BOTH Realms instead of
> ONLY the Realm that I was able to log in successfully on.  I would like it
> to SKIP any Realm that did not Authenticate the User successfully.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>

Re: Multiple Realms for Authentication & Authorization

Posted by "jim.piersol@gmail.com" <ji...@gmail.com>.
Sadly, it doesn't appear to do what it sounds like it should.  I have the
FirstSuccessfulStrategy in place.  When my first Realm is checked,
authentication is successful, but my second Realm is still checked anyway.
It happens to fail, but I am still Authenticated into my App.  So it is good
that I get logged in ok, but odd that it keeps checking both Realms, even
though the first one succeeds.

The 2nd part, and the real issue I have, is that when checking for
Authorization (after getting logged in ok), we check BOTH Realms instead of
ONLY the Realm that I was able to log in successfully on.  I would like it
to SKIP any Realm that did not Authenticate the User successfully.




Re: Multiple Realms for Authentication & Authorization

Posted by scSynergy <ro...@scsynergy.de>.
This should be covered by the
https://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authc/pam/AuthenticationStrategy.html

https://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authc/pam/FirstSuccessfulStrategy.html
should behave the way you need

example shiro.ini:
firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $firstStrategy




Re: Multiple Realms for Authentication & Authorization

Posted by Brian Demers <br...@gmail.com>.
From the PrincipalCollection object, you can get the list of realms the
Subject was authenticated from: `getRealmNames()`, and/or use
`fromRealm(realmName)` to narrow the collection down to a single realm,
from there you can narrow the permission checks to a single realm. (this
way you never worry about the cache details)

If you want to change the authorizer it should work the same way,
`securityManager.authorizer = your impl`

Does that help?


On Tue, Dec 11, 2018 at 1:01 PM jim.piersol@gmail.com <ji...@gmail.com>
wrote:

> So for the first issue of checking all the Realms, even after a successful
> Auth takes place...I just extended the ModularRealmAuthenticator to simply
> stop checking other Realms once it gets a valid Auth.
>
> I would like to only check Authorization on the Realm that was
> Authenticated
> though.  I am not sure how to do it without digging into the Realm cache to
> determine if the given Subject was authenticated with a given Realm.  Seems
> like there should be an easier way, especially in the case where caching is
> turned off.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>
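The two workarounds discussed in this thread, stopping the realm loop once a realm has authenticated the token (Brian's first reply and Jim's extended ModularRealmAuthenticator) and restricting authorization to the realms named in the Subject's PrincipalCollection (Brian's getRealmNames() suggestion), written out as an added example. This is not code from the original posts or from Shiro itself. The package name, the class names and the shiro.ini bean names in the comment are assumptions; the Shiro types and methods used (ModularRealmAuthenticator.doMultiRealmAuthentication, the AuthenticationStrategy callbacks, ModularRealmAuthorizer, PrincipalCollection.getRealmNames(), Realm.getName()) are the Shiro 1.x API the thread is about.

```java
package example.shiro; // assumed package name, not part of Shiro

import java.util.Collection;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;

/*
 * Wiring in shiro.ini (bean names are assumptions):
 *
 *   firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
 *   authenticator = example.shiro.RealmScoping$ShortCircuitAuthenticator
 *   authenticator.authenticationStrategy = $firstStrategy
 *   securityManager.authenticator = $authenticator
 *   authorizer = example.shiro.RealmScoping$AuthenticatedRealmsOnlyAuthorizer
 *   securityManager.authorizer = $authorizer
 */
public class RealmScoping {

    /** Stops calling realms as soon as the aggregate info carries principals. */
    public static class ShortCircuitAuthenticator extends ModularRealmAuthenticator {

        private static boolean hasPrincipals(AuthenticationInfo info) {
            return info != null && info.getPrincipals() != null && !info.getPrincipals().isEmpty();
        }

        @Override
        protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms,
                                                                AuthenticationToken token) {
            AuthenticationStrategy strategy = getAuthenticationStrategy();
            AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
            for (Realm realm : realms) {
                if (hasPrincipals(aggregate)) {
                    break; // an earlier realm already authenticated the token: skip the rest
                }
                aggregate = strategy.beforeAttempt(realm, token, aggregate);
                if (!realm.supports(token)) {
                    continue;
                }
                AuthenticationInfo info = null;
                Throwable failure = null;
                try {
                    info = realm.getAuthenticationInfo(token);
                } catch (Throwable t) {
                    failure = t; // the strategy decides whether a single-realm failure is fatal
                }
                aggregate = strategy.afterAttempt(realm, token, info, aggregate, failure);
            }
            return strategy.afterAllAttempts(token, aggregate);
        }
    }

    /** Only consults realms that contributed principals to the Subject. */
    public static class AuthenticatedRealmsOnlyAuthorizer extends ModularRealmAuthorizer {

        private static boolean authenticatedBy(Realm realm, PrincipalCollection principals) {
            if (!(realm instanceof Authorizer) || principals == null) {
                return false;
            }
            Set<String> names = principals.getRealmNames(); // null for an empty collection
            return names != null && names.contains(realm.getName());
        }

        @Override
        public boolean isPermitted(PrincipalCollection principals, String permission) {
            assertRealmsConfigured();
            for (Realm realm : getRealms()) {
                if (authenticatedBy(realm, principals)
                        && ((Authorizer) realm).isPermitted(principals, permission)) {
                    return true;
                }
            }
            return false;
        }

        @Override
        public boolean isPermitted(PrincipalCollection principals, Permission permission) {
            assertRealmsConfigured();
            for (Realm realm : getRealms()) {
                if (authenticatedBy(realm, principals)
                        && ((Authorizer) realm).isPermitted(principals, permission)) {
                    return true;
                }
            }
            return false;
        }

        @Override
        public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
            assertRealmsConfigured();
            for (Realm realm : getRealms()) {
                if (authenticatedBy(realm, principals)
                        && ((Authorizer) realm).hasRole(principals, roleIdentifier)) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

Two checks are worth making before relying on this. First, the short-circuit only makes sense with FirstSuccessfulStrategy semantics; with a merging strategy such as AtLeastOneSuccessfulStrategy, breaking out of the loop would silently drop principals from later realms. Second, log `SecurityUtils.getSubject().getPrincipals().getRealmNames()` after a login and confirm it contains exactly one realm name and that this name matches the realm's shiro.ini key, because the authorizer above filters on `Realm.getName()`. The vararg and `check*` overloads of ModularRealmAuthorizer delegate to the three single-element methods overridden here in the Shiro 1.x sources I know; verify that against the version in use rather than assuming it.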

Re: Multiple Realms for Authentication & Authorization

Posted by "jim.piersol@gmail.com" <ji...@gmail.com>.
So for the first issue of checking all the Realms, even after a successful
Auth takes place...I just extended the ModularRealmAuthenticator to simply
stop checking other Realms once it gets a valid Auth.

I would like to only check Authorization on the Realm that was Authenticated
though.  I am not sure how to do it without digging into the Realm cache to
determine if the given Subject was authenticated with a given Realm.  Seems
like there should be an easier way, especially in the case where caching is
turned off.




Re: Multiple Realms for Authentication & Authorization

Posted by scSynergy <ro...@scsynergy.de>.
I believe it to be OK if you include the fix in the 1.4 version even if it
breaks some existing applications. After all, the 1.4 release is a major
upgrade - so changes in behavior are to be expected.




Re: Multiple Realms for Authentication & Authorization

Posted by Brian Demers <br...@gmail.com>.
Agreed, I do think additional realms should NOT be checked after the
first successful auth.
I do worry a little that changing this behavior could break things
(thinking of use with a ModularRealmAuthorizer)
https://xkcd.com/1172/

Thoughts & ideas?



On Mon, Dec 10, 2018 at 3:42 AM scSynergy <ro...@scsynergy.de>
wrote:

> @Brian: Is this behavior of FirstSuccessfulStrategy by design or is it a
> bug?
> To me it seems wrong that authorization is checked against a realm which
> was
> not authenticated against - after all, that second authentication might
> fail, if it were to be tried.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>

Re: Multiple Realms for Authentication & Authorization

Posted by scSynergy <ro...@scsynergy.de>.
@Brian: Is this behavior of FirstSuccessfulStrategy by design or is it a bug?
To me it seems wrong that authorization is checked against a realm which was
not authenticated against - after all, that second authentication might
fail, if it were to be tried.


