Posted to user@shiro.apache.org by Jonathan MERCIER <jo...@microbiome.studio> on 2023/01/17 16:45:39 UTC
How to manage role-based access using Keycloak
Dear community,
We plan to use Keycloak as the IAM service for all our applications, and one
of the tools we use (Apache Jena) manages authorization with Apache Shiro.
So I would like to know if one of the below is possible:
1. register Apache Shiro, embedded into Jena, into Keycloak, in order to
forward authorization through a JWT containing encrypted roles
2. detach Jena/Shiro, in order to get one server for Apache Shiro (as the
IAM service instead of Keycloak) and another server for Jena,
and all our internal applications would use Apache Shiro to validate a
user's identity/authorization
To me, I would prefer the first one as it implies less development.
Thanks for your help and your insight
Best regards
Re: How to manage role-based access using Keycloak
Posted by Brian Demers <br...@gmail.com>.
You may want to ask on one of the Jena lists. But from a quick read of the
docs, it looks like you could provide a custom implementation of a Realm
similar to the example I provided.
I haven't used Jena, and I don't know how these systems are used, so I
don't want to suggest something if they have a better solution.
If you ask on another list, please keep us posted with what you have found!
-Brian
On Wed, Jan 18, 2023 at 4:28 AM Jonathan MERCIER
<jo...@microbiome.studio> wrote:
> Thanks a lot Brian for your insight,
>
> > Can you describe your use case a bit more? I'm not 100% sure what you mean
> > by "Shiro embedded into Jena into Keycloak"
>
> Yes, to my understanding Shiro is shipped with Jena and can be configured
> through a config file, as described here:
> -> https://jena.apache.org/documentation/fuseki2/fuseki-security.html
> It says to take a look at Shiro for sophisticated setups.
> And as you well said, I would like to use the bearer token provided by
> Keycloak.
>
> > If you just need to validate a JWT passed as a bearer token (i.e. an
> > `Authorization` header with the `Bearer` prefix), you can do that.
> > Here is an example I created for Okta (you would have to replace the JWT
> > parsing logic to fit your own use case)
> >
> > https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/core/src/main/java/com/okta/shiro/realm/OktaResourceServerRealm.java
> >
> > https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/examples/jaxrs/src/main/resources/shiro.ini
>
> So in this case I have to modify the Fuseki source code in order to be
> configurable through the config file, isn't it?
>
> Thanks a lot
> I wish you a good day
>
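Brian's suggestion above is a custom Realm that verifies the bearer JWT itself. The following is an added example of such a Realm written for Keycloak; it is not code from the thread, from Shiro, from Jena or from the linked Okta plugin. It assumes a Keycloak issuer URL and client id of your own (set from shiro.ini via the `issuer` and `audience` properties; the values in the comments are placeholders), Shiro 1.5 or later (for `org.apache.shiro.authc.BearerToken`), and the Nimbus JOSE+JWT library for signature and claim checks. Keycloak access tokens are signed (JWS with RS256 by default), not encrypted, so the realm verifies the signature against the keys Keycloak publishes at `<issuer>/protocol/openid-connect/certs` and then reads the roles from `realm_access.roles` and `resource_access.<client>.roles`. Note that Keycloak only sets `aud` to your client id when an audience mapper is configured for that client, so the audience check below needs that mapper in place.

```java
package example.shiro.keycloak;

import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/** Hypothetical Shiro realm that authenticates Keycloak bearer tokens and maps their roles (added example). */
public class KeycloakBearerRealm extends AuthorizingRealm {

    private String issuer;    // assumed value, e.g. https://sso.example.org/realms/research (set in shiro.ini)
    private String audience;  // assumed value: the Keycloak client id the token must be issued for
    private DefaultJWTProcessor<SecurityContext> processor;

    public void setIssuer(String issuer) { this.issuer = issuer; }
    public void setAudience(String audience) { this.audience = audience; }

    @Override
    protected void onInit() {
        super.onInit();
        try {
            // Keycloak publishes its signing keys (JWKS) under the issuer URL; keys are fetched and cached.
            JWKSource<SecurityContext> keys =
                    new RemoteJWKSet<>(new URL(issuer + "/protocol/openid-connect/certs"));
            processor = new DefaultJWTProcessor<>();
            // Pin the algorithm: only RS256 signatures by a key from the JWKS are accepted,
            // so tokens with "alg":"none" or an HMAC "alg" are rejected before any claim is read.
            processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
            // Require the exact issuer and audience plus the sub/exp claims; exp is checked against the clock.
            processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                    audience,
                    new JWTClaimsSet.Builder().issuer(issuer).build(),
                    new HashSet<>(Arrays.asList("sub", "exp"))));
        } catch (MalformedURLException e) {
            throw new IllegalStateException("bad Keycloak issuer URL: " + issuer, e);
        }
    }

    /** Only handle tokens produced by Shiro's Bearer filter; other token types go to other realms. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof BearerToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String jwt = ((BearerToken) token).getToken();
        JWTClaimsSet claims;
        try {
            claims = processor.process(jwt, null);   // signature, issuer, audience, expiry all verified here
        } catch (Exception e) {
            throw new AuthenticationException("rejected bearer token", e);
        }
        // The verified claim set becomes the principal; the raw token doubles as the credential
        // so Shiro's default SimpleCredentialsMatcher compares equal strings.
        return new SimpleAuthenticationInfo(claims, jwt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        JWTClaimsSet claims = (JWTClaimsSet) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(extractRoles(claims, audience));
        return info;
    }

    /** Collect Keycloak realm roles (realm_access.roles) and client roles (resource_access.<client>.roles). */
    @SuppressWarnings("unchecked")
    static Set<String> extractRoles(JWTClaimsSet claims, String clientId) {
        Set<String> roles = new HashSet<>();
        try {
            addRoles(roles, claims.getJSONObjectClaim("realm_access"));
            Map<String, Object> resourceAccess = claims.getJSONObjectClaim("resource_access");
            if (resourceAccess != null && resourceAccess.get(clientId) instanceof Map) {
                addRoles(roles, (Map<String, Object>) resourceAccess.get(clientId));
            }
        } catch (ParseException e) {
            // Malformed role claim: grant no roles rather than guessing.
        }
        return roles;
    }

    private static void addRoles(Set<String> into, Map<String, Object> access) {
        if (access != null && access.get("roles") instanceof Collection) {
            for (Object r : (Collection<?>) access.get("roles")) into.add(String.valueOf(r));
        }
    }
}
```

The roles end up as ordinary Shiro role names, so existing `roles[...]` rules in shiro.ini keep working unchanged; the realm never consults a local user list, which is the point of delegating identity to Keycloak. If the Fuseki instance sits behind a proxy, make sure the `Authorization` header is actually forwarded, otherwise every request arrives as anonymous.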
Re: How to manage role-based access using Keycloak
Posted by Jonathan MERCIER <jo...@microbiome.studio>.
Thanks a lot Brian for your insight,
> Can you describe your use case a bit more? I'm not 100% sure what you
> mean by "Shiro embedded into Jena into Keycloak"
Yes, to my understanding Shiro is shipped with Jena and can be
configured through a config file, as described here:
-> <https://jena.apache.org/documentation/fuseki2/fuseki-security.html>
It says to take a look at Shiro for sophisticated setups.
And as you well said, I would like to use the bearer token provided by
Keycloak.
> If you just need to validate a JWT passed as a bearer token (i.e. an
> `Authorization` header with the `Bearer` prefix), you can do that.
> Here is an example I created for Okta (you would have to replace the
> JWT parsing logic to fit your own use case)
> <https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/core/src/main/java/com/okta/shiro/realm/OktaResourceServerRealm.java>
> <https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/examples/jaxrs/src/main/resources/shiro.ini>
So in this case I have to modify the Fuseki source code in order to be
configurable through the config file, isn't it?
Thanks a lot
I wish you a good day
Re: How to manage role-based access using Keycloak
Posted by Brian Demers <br...@gmail.com>.
Can you describe your use case a bit more? I'm not 100% sure what you mean
by "Shiro embedded into Jena into Keycloak"
If you just need to validate a JWT passed as a bearer token (i.e. an
`Authorization` header with the `Bearer` prefix), you can do that.
Here is an example I created for Okta (you would have to replace the JWT
parsing logic to fit your own use case)
https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/core/src/main/java/com/okta/shiro/realm/OktaResourceServerRealm.java
https://github.com/oktadev/okta-shiro-plugin/blob/1f22f79d2fdb36551e98fc7afd946c43e018c777/examples/jaxrs/src/main/resources/shiro.ini
On Tue, Jan 17, 2023 at 11:46 AM Jonathan MERCIER
<jo...@microbiome.studio> wrote:
> Dear community,
>
> We plan to use Keycloak as the IAM service for all our applications, and one
> of the tools we use (Apache Jena) manages authorization with Apache Shiro.
> So I would like to know if one of the below is possible:
> 1. register Apache Shiro, embedded into Jena, into Keycloak, in order to
> forward authorization through a JWT containing encrypted roles
> 2. detach Jena/Shiro, in order to get one server for Apache Shiro (as the
> IAM service instead of Keycloak) and another server for Jena,
> and all our internal applications would use Apache Shiro to validate a
> user's identity/authorization
>
> To me, I would prefer the first one as it implies less development.
>
> Thanks for your help and your insight
>
> Best regards
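Brian's reply above points at a shiro.ini that wires a bearer-token realm into the filter chain; the Fuseki security page Jonathan links uses the same ini format. The fragment below is an added example of what that wiring could look like for Fuseki, not a file from the thread, from the Okta plugin or from the Jena project. It assumes a hypothetical realm class `example.shiro.keycloak.KeycloakBearerRealm` with `issuer` and `audience` properties (and that its jar and dependencies are on Fuseki's classpath), a placeholder Keycloak realm URL and client id, the `authcBearer` filter that ships with Shiro 1.5+, and the role names `fuseki-admin` and `fuseki-reader` defined in Keycloak. `localhostFilter` is the filter Fuseki's own shipped shiro.ini declares.

```ini
[main]
# Fuseki's built-in filter that restricts a path to requests from localhost
localhostFilter = org.apache.jena.fuseki.authz.LocalhostFilter

# Hypothetical realm: verifies the Keycloak-signed JWT and exposes its roles to Shiro
keycloakRealm = example.shiro.keycloak.KeycloakBearerRealm
keycloakRealm.issuer = https://sso.example.org/realms/research
keycloakRealm.audience = fuseki
securityManager.realms = $keycloakRealm

[urls]
# Liveness/status stay open so monitoring does not need a token
/$/ping   = anon
/$/status = anon
# Admin operations: valid token AND the admin role (authcBearer turns the
# "Authorization: Bearer <jwt>" header into a BearerToken for the realm)
/$/**     = authcBearer, roles[fuseki-admin]
# Dataset access: valid token AND the reader role
/**       = authcBearer, roles[fuseki-reader]
```

Filters in a chain are evaluated in order, so `authcBearer` rejects requests without a verifiable token (HTTP 401) before `roles[...]` is consulted; a token that verifies but lacks the role yields 403. Since the `[users]` and `[roles]` sections are gone, there is no local password to leak or brute-force, and revoking access is done in Keycloak by removing the role or the user.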