Posted to dev@shiro.apache.org by "opticyclic (JIRA)" <ji...@apache.org> on 2016/09/24 05:26:20 UTC

[jira] [Commented] (SHIRO-586) Can't Search For Groups In Active Directory Without A System User

    [ https://issues.apache.org/jira/browse/SHIRO-586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15518449#comment-15518449 ] 

opticyclic commented on SHIRO-586:
----------------------------------

In order to do this with custom code you need to do something like the following pseudo-code
{code}
public class CustomActiveDirectoryRealm extends ActiveDirectoryRealm {

  /**
   * Done during the log in process
   */
  @Override
  protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
    SimpleAuthenticationInfo authenticationInfo = (SimpleAuthenticationInfo)super.queryForAuthenticationInfo(token, ldapContextFactory);
    getRoleNames;
    createCustomPrincipal;
    addRoleNamesToCustomPrincipal;
    addPrincipalToAuthInfo;

    return authenticationInfo;
  }

  /**
   * Done during checks for hasRole
   */
  @Override
  protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {
    getAvailablePrincipal(principals);
    getRoleNamesFromCustomPrincipal;

    return buildAuthorizationInfo(roleNames);
  }
}
{code}

However, the key method to get the role names from Active Directory is private:
{code}
org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
    private Set<String> getRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {
{code}

Right now, the only option seems to be to copy the code into the subclass :(

If this method was protected it would make sub-classing easier.

Obviously, it would be better if this didn't have to be custom code at all and the main ActiveDirectoryRealm could bind without a system user; but for now, changing from private to protected is a very small change to make this workable.

> Can't Search For Groups In Active Directory Without A System User
> -----------------------------------------------------------------
>
>                 Key: SHIRO-586
>                 URL: https://issues.apache.org/jira/browse/SHIRO-586
>             Project: Shiro
>          Issue Type: Bug
>            Reporter: opticyclic
>            Priority: Blocker
>
> From http://stackoverflow.com/questions/39518150/how-do-i-search-for-ad-groups-in-shiro-without-a-system-user
> I can authenticate with the ActiveDirectoryRealm but I can't search for groups without having a systemUser.
> Most often, clients of my application don't have the system user/password and the admins don't like giving it out so they can't configure it properly.
> Spring Security and GUI clients let you use the username and password that were used to log in to search for the groups.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
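A concrete version of the pattern sketched in the comment, added here as an example and not code from the comment or from Shiro itself: the realm binds with the logging-in user's own credentials, resolves that user's memberOf groups on the same bound context, stores the resulting role names in a custom principal, and answers hasRole checks from that principal, so no system user needs to be configured. The class and method names (UserBoundActiveDirectoryRealm, AdUser, memberOfRoles) are assumptions; memberOfRoles re-implements the private getRoleNamesForUser on top of the realm's protected searchBase, principalSuffix and getRoleNamesForGroups.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.*;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical realm (not Shiro's own): no systemUsername/systemPassword required.
public class UserBoundActiveDirectoryRealm extends ActiveDirectoryRealm {
  // Custom principal carrying the role names resolved at login time.
  public static final class AdUser {
    public final String username; public final Set<String> roles;
    AdUser(String username, Set<String> roles) { this.username = username; this.roles = roles; }
  }

  @Override
  protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory factory) throws NamingException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    String username = upToken.getUsername();
    // The bind with the user's own credentials is the password check; the same context then serves the group search.
    LdapContext ctx = factory.getLdapContext(username, String.valueOf(upToken.getPassword()));
    try {
      Set<String> roles = memberOfRoles(username, ctx);
      return new SimpleAuthenticationInfo(new AdUser(username, roles), upToken.getPassword(), getName());
    } finally {
      LdapUtils.closeContext(ctx);
    }
  }

  @Override
  protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory factory) {
    // No getSystemLdapContext() call: the roles were resolved while the user's own bind was open.
    AdUser user = (AdUser) getAvailablePrincipal(principals);
    return buildAuthorizationInfo(user.roles);
  }

  // Re-implements the private getRoleNamesForUser: read memberOf and map groups to roles via groupRolesMap.
  private Set<String> memberOfRoles(String username, LdapContext ctx) throws NamingException {
    String upn = principalSuffix != null ? username + principalSuffix : username;
    SearchControls sc = new SearchControls();
    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
    sc.setReturningAttributes(new String[] {"memberOf"});
    Set<String> roles = new LinkedHashSet<String>();
    // Parameterised filter: JNDI escapes {0}, so the supplied username cannot alter the filter.
    NamingEnumeration<SearchResult> results = ctx.search(searchBase, "(&(objectClass=user)(userPrincipalName={0}))", new Object[] {upn}, sc);
    while (results.hasMore()) {
      Attribute memberOf = results.next().getAttributes().get("memberOf");
      if (memberOf != null) roles.addAll(getRoleNamesForGroups(LdapUtils.getAllAttributeValues(memberOf)));
    }
    return roles;
  }
}
```

Because the roles are captured at login, a group change in AD only takes effect at the user's next login; that is the trade-off for not holding a service account's password in the application.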