Posted to user@shiro.apache.org by Ali Shahbour <sh...@gmail.com> on 2013/03/01 15:49:58 UTC
Shiro Permission with Active Directory
Hello
I am trying to integrate Shiro with Active Directory.
Everything is working perfectly, except that I can't check the authenticated
user for permission; it is always saying no permission. Below is my
configuration with dynamic web:
[main]
# specify login page
authc.loginUrl = /login.zul
activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.systemUsername = XXXXXXXX\administrator
activeDirectoryRealm.systemPassword = XXXXXXXXX
activeDirectoryRealm.searchBase = cn=Users,dc=XXXXXXXXXXX,dc=co
activeDirectoryRealm.url = ldap://XXX.XXX.155.167:389
activeDirectoryRealm.groupRolesMap = "CN=Monitor,OU=CDRMonitor,DC=XXXXXXXXXXXXX,DC=co":"cdrmonitor"
#securityManager.realms = $activeDirectoryRealm
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager
# redirect after successful login
authc.successUrl = /index.zul
roles.unauthorizedUrl = /unauthorized.zul
[urls]
/login.zul = anon
/View/** = authc,roles[cdrmonitor]
[roles]
cdrmonitor = search:*
As for the code
UsernamePasswordToken token = new UsernamePasswordToken("XXXXXXXX@XXXXXXXXXX.co", "XXXXXX");
try {
    Subject subject = SecurityUtils.getSubject();
    subject.login(token);
    token.clear();
    subject.hasRole("cdrmonitor"); // this is completed as successful
    // it is always failing with no permission while it got the role cdrmonitor
    subject.checkPermission("search");
} catch (UnknownAccountException ex) {
    // username provided was not found
    ex.printStackTrace();
} catch (IncorrectCredentialsException ex) {
    // password provided did not match password found in database
    // for the username provided
    ex.printStackTrace();
} catch (AuthenticationException ex) {
    ex.printStackTrace();
} catch (Exception ex) {
    ex.printStackTrace();
}
Any idea why that is?
Best Regards
Shahbour
Re: Shiro Permission with Active Directory
Posted by Ali Shahbour <sh...@gmail.com>.
Hello
Thanks for your clarification. Is there any example that can help me to
start with?
Best Regards
Ali Shahbour
From: Kashyap Paidimarri <ka...@gmail.com>
Reply-To: <us...@shiro.apache.org>
Date: Friday, March 1, 2013 4:56 PM
To: <us...@shiro.apache.org>
Subject: Re: Shiro Permission with Active Directory
> The active directory realm does not use the role->permission mapping from the
> Ini file. You'll have to extend the active directory realm and override the
> 'buildAuthorizationInfo' method. In this method you'll have to write custom
> code to resolve roles to permissions.
>
>
> --
> “The difference between ramen and varelse is not in the creature judged, but
> in the creature judging. When we declare an alien species to be ramen, it does
> not mean that they have passed a threshold of moral maturity. It means that we
> have. Demosthenes, Letter to the Framlings”
Re: Shiro Permission with Active Directory
Posted by Kashyap Paidimarri <ka...@gmail.com>.
The active directory realm does not use the role->permission mapping from
the Ini file. You'll have to extend the active directory realm and override
the 'buildAuthorizationInfo' method. In this method you'll have to write
custom code to resolve roles to permissions.
--
“The difference between ramen and varelse is not in the creature judged,
but in the creature judging. When we declare an alien species to be ramen,
it does not mean that *they* have passed a threshold of moral maturity. It
means that *we* have.
—Demosthenes, *Letter to the Framlings*”
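
The subclass described in the reply above, as an added example (not code from this thread or from the Shiro project). The class name PermissionMappingActiveDirectoryRealm and the ROLE_PERMISSIONS map are hypothetical; the one mapping entry mirrors the "cdrmonitor = search:*" line from the posted [roles] section and is assumed to be maintained in code.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;

// Hypothetical class name; this subclass is not part of Shiro.
public class PermissionMappingActiveDirectoryRealm extends ActiveDirectoryRealm {

    // Role name -> permission strings. Assumed to be maintained in code here;
    // the single entry mirrors "cdrmonitor = search:*" from the posted [roles] section.
    private static final Map<String, String[]> ROLE_PERMISSIONS;
    static {
        Map<String, String[]> m = new HashMap<String, String[]>();
        m.put("cdrmonitor", new String[] {"search:*"});
        ROLE_PERMISSIONS = Collections.unmodifiableMap(m);
    }

    // ActiveDirectoryRealm calls this with the roles it derived from the user's
    // AD groups via groupRolesMap; the stock version returns the roles only.
    @Override
    protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);
        if (roleNames == null) {
            return info;
        }
        for (String role : roleNames) {
            String[] permissions = ROLE_PERMISSIONS.get(role);
            if (permissions == null) {
                continue; // unmapped role: grants no permissions (deny by default)
            }
            for (String permission : permissions) {
                info.addStringPermission(permission);
            }
        }
        return info;
    }
}
```

To use it, point the "activeDirectoryRealm =" line in the ini at this class's fully qualified name; the other activeDirectoryRealm.* properties stay as posted.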