Posted to user@shiro.apache.org by Bradley Beddoes <br...@gmail.com> on 2009/11/17 21:19:03 UTC

LOA and permission assignment

Hi Gang,
As part of some broader SAML 2.x integration work I am doing with
Shiro (and specifically Nimble) I need to determine a method for
assigning permissions to sessions based on a level of assurance
attribute sent down from the user's IDP via a SAML 2 assertion. In fact
just generically I need to assign roles/permissions for the currently
active session only so when the session dies so does the relationship.

Obviously I am going to need to look at the Nimble implementation for
isPermitted/hasRole etc and do something to suit this case base but I
figured perhaps someone else was doing something in this space as a
starting point.

cheers
Bradley

Re: LOA and permission assignment

Posted by Les Hazlewood <lh...@apache.org>.
I personally haven't done any work on this, but I'd love to hear/see
some solutions.

One idea is that the easiest thing to do is to check the session in
the Realm method implementations in addition to the underlying data
source.  Or, instead of doing both checks in a single Realm, you could
instead have an additional SessionRealm configured that does not do
any authentication - just the authorization operations.  The latter is
more 'clean' I think from a 'pluggability' perspective, but also is
slightly more complex.

Bradley, please feel free to brainstorm and/or post your findings on
the list - I'd love to hear your progress!  I personally feel that
Shiro should support SAML as it is being adopted more and more by
companies - anything you might find along the way would be helpful!

Best,

Les

On Tue, Nov 17, 2009 at 3:19 PM, Bradley Beddoes
<br...@gmail.com> wrote:
> Hi Gang,
> As part of some broader SAML 2.x integration work I am doing with
> Shiro (and specifically Nimble) I need to determine a method for
> assigning permissions to sessions based on a level of assurance
> attribute sent down from the user's IDP via a SAML 2 assertion. In fact
> just generically I need to assign roles/permissions for the currently
> active session only so when the session dies so does the relationship.
>
> Obviously I am going to need to look at the Nimble implementation for
> isPermitted/hasRole etc and do something to suit this case base but I
> figured perhaps someone else was doing something in this space as a
> starting point.
>
> cheers
> Bradley
>
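The second option Les describes above, an additional authorization-only realm that reads the session, as an added example that is not part of this thread and not Shiro's or Nimble's own code. It assumes the application's SAML handling stores the validated level of assurance in the session under the constructed key "saml.loa" (via recordAssuranceLevel, a hypothetical helper), and the LOA-to-permission mapping PERMISSIONS_BY_LOA is a constructed example; the class name SessionLoaRealm and package name are likewise assumptions. Because the grant is derived from session state rather than a data source, it expires with the session, which is the behaviour the original question asks for.

```java
package example.shiro; // hypothetical package name

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Authorization-only realm: grants roles/permissions derived from a
 * level-of-assurance (LOA) value held in the current session, so the grant
 * disappears when the session does. It never authenticates anyone.
 */
public class SessionLoaRealm extends AuthorizingRealm {

    /** Session attribute key the SAML code writes after validating the assertion (assumed name). */
    public static final String LOA_ATTRIBUTE = "saml.loa";

    /** Constructed mapping: permissions unlocked at a given LOA level (lower levels are included). */
    private static final Map<Integer, Set<String>> PERMISSIONS_BY_LOA = new HashMap<Integer, Set<String>>();
    static {
        PERMISSIONS_BY_LOA.put(1, setOf("profile:read"));
        PERMISSIONS_BY_LOA.put(2, setOf("profile:edit"));
        PERMISSIONS_BY_LOA.put(3, setOf("account:transfer"));
    }

    public SessionLoaRealm() {
        // Session contents can change during a subject's lifetime, so do not
        // cache AuthorizationInfo per principal; recompute on every check.
        setAuthorizationCachingEnabled(false);
    }

    /** Decline every token so the authenticator skips this realm during login. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        throw new UnsupportedOperationException("SessionLoaRealm does not authenticate");
    }

    /**
     * Assumes the authorization check runs on the thread bound to the subject being
     * checked (the normal Subject.isPermitted/hasRole path), so the current session
     * is the one that belongs to the supplied principals.
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Integer loa = currentLoa();
        if (loa == null) {
            return info; // no assurance level in this session: nothing extra granted
        }
        info.addRole("loa" + loa);
        for (Map.Entry<Integer, Set<String>> entry : PERMISSIONS_BY_LOA.entrySet()) {
            if (entry.getKey() <= loa) {
                info.addStringPermissions(entry.getValue());
            }
        }
        return info;
    }

    /** Reads the LOA from the current subject's session without creating one. */
    static Integer currentLoa() {
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession(false);
        if (session == null) {
            return null;
        }
        Object value = session.getAttribute(LOA_ATTRIBUTE);
        // Anything but the expected type is treated as "no assurance" rather than guessed at.
        return (value instanceof Integer) ? (Integer) value : null;
    }

    /** Hypothetical hook for the SAML response handler, to be called only after the
     *  assertion's signature and conditions have been verified. */
    public static void recordAssuranceLevel(Session session, int loa) {
        session.setAttribute(LOA_ATTRIBUTE, Integer.valueOf(loa));
    }

    private static Set<String> setOf(String... permissions) {
        return new HashSet<String>(Arrays.asList(permissions));
    }
}
```

Wiring it in shiro.ini means listing it alongside the existing data-backed realm, for instance `sessionLoaRealm = example.shiro.SessionLoaRealm` in the `[main]` section and `securityManager.realms = $primaryRealm, $sessionLoaRealm`; Shiro's default authorizer asks every realm, so a permission granted by either one satisfies the check. Two points to keep in mind when adopting this shape: the session attribute is the whole basis of the grant, so only the code that has already validated the assertion should write it, and disabling authorization caching on this realm is what keeps a changed or cleared LOA from being honoured after the fact (the caching setter is assumed to be available in the Shiro version in use).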