You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@shiro.apache.org by Thilo-Alexander Ginkel <th...@ginkel.com> on 2012/06/06 12:47:24 UTC

Forcing second realm authentication even though existing session is already authenticated via other realm

Hi there,

in my web application I have two authentication realms: One for the
regular web interface (called SsoRealm) and another one for the REST
API (called RestRealm) using an API token. The principals
authenticated by both realms have disjunct permissions (and
AuthenticationTokens). If there is no pre-existing session and an API
call arrives via the REST interface everything is fine and the
authentication (and authorization) happens via the RestRealm. However,
if there is an existing session previously authenticated via the
SsoRealm no authentication attempt via the RestRealm happens and the
consecutive authorization check (using Subject.isPermitted) fails as
the subject is from the wrong realm.

The corresponding authentication filters are registered as:
  addFilterChain("/api/x/*/y", REST_AUTH, NO_SESSION_CREATION);
  addFilterChain("/**", SSO_AUTH);

Is there anything I can do to force a re-authentication with the
"correct" realm?

Would a custom AuthenticationStrategy help (i.e., does the
AuthenticationStrategy contract allow the implementation of a strategy
"if RestRealm is involved, the RestRealm authentication needs to be
successful")? AFAICS
ModularRealmAuthenticator.doMultiRealmAuthentication is not called
again if there is an existing authenticated session...

Thanks,
Thilo