Posted to user@shiro.apache.org by 0xsven <0x...@gmail.com> on 2010/09/23 13:48:10 UTC

How to add a role to the subject

Hello,

I am a total newbie to Shiro and I am wondering how to add a role
dynamically during the lifecycle?

Something like: currentUser.addRole("Admin");


The main problem I have: my LDAP only provides credentials, but no roles, so
I want to save roles and the related usernames in a database next to my data
:-)

Thank you for help/ideas

-- 
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-add-a-role-to-the-subject-tp5562700p5562700.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: How to add a role to the subject

Posted by armandoxxx <ar...@dropchop.com>.
Hey,

to tell you the truth, I haven't dug into it that much to know when exactly
that happens, because I didn't have to. And I think you don't have to either.
From my understanding, realms are called when the framework needs to authenticate
a principal, and realms should load the "user stuff".
So if you're using an instance of AuthenticatingRealm then only authentication
info must be set by your realm, but if you use an instance of AuthorizingRealm,
then authorization info must be set.


This is to help you understand what each class does (but I think you
already read it):
http://incubator.apache.org/shiro/architecture.html

Kind regards

Armando






Re: How to add a role to the subject

Posted by Les Hazlewood <lh...@apache.org>.
Hi Sven,

It works like this:

Subject.login(authenticationToken) calls the SecurityManager.  The SM
then delegates to the Authenticator.  The Authenticator is almost
always an instance of ModularRealmAuthenticator.  This authenticator
coordinates with the Realm instances you have configured and will call
any Realm that supports the incoming AuthenticationToken (see the
Realm#supports javadoc).  If your realm supports the inbound token, it
will call Realm#getAuthenticationInfo.  If you have more than one
Realm configured, the ModularRealmAuthenticator knows how to aggregate
the return values.

A nearly identical process occurs during authorization
(Subject#isPermitted, Subject#hasRole, etc.).  If you subclass
AuthorizingRealm, you return valid information in the
AuthorizingRealm#doGetAuthorizationInfo method.

Shiro supports dynamic changes to your security model at runtime.  But
it caches Authorization information for better performance.  So, if
you change that data, you have to invalidate the cache for that
particular user that has changed.  To do that, call the
'clearCachedAuthorizationInfo' method any time you change a user's
roles/permissions.  The very next authorization check that occurs for
that user will acquire the new authorization info and cache the new
data for efficient re-use later.

A good approach would be to have your realm listen for some type of
user application event and then call the clearCachedAuthorizationInfo
method based on the user identity associated with the event.

HTH,

Les


On Thu, Sep 23, 2010 at 6:24 AM, 0xsven <0x...@gmail.com> wrote:
>
> Thank you for that.
>
> I have another question about the realm in general. When registering a realm
> in the ini section, when does it get used? Any time a user is
> authenticated? I have some problems with understanding the whole
> thing... :-/
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-add-a-role-to-the-subject-tp5562700p5563015.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
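Les's "change the store, then clearCachedAuthorizationInfo" pattern, written out as an added example (not code from this thread) for the poster's set-up, where another realm (LDAP) checks credentials and this realm only supplies roles. DbRolesRealm, rolesByUser and grantRole are my names; the map stands in for the roles table, and it is assumed that the authenticating realm stores the username string as the primary principal (Shiro 1.x AuthorizingRealm API).

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/** Authorization-only realm: roles come from the application's store, credentials from another realm. */
public class DbRolesRealm extends AuthorizingRealm {
    // Assumed stand-in for the roles table: username -> role names.
    private final Map<String, Set<String>> rolesByUser = new ConcurrentHashMap<>();

    // Never take part in authentication; the LDAP realm does that.
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null; // unreachable because supports() returns false
    }

    // Key the authorization cache by username (assumed to be the primary principal set
    // by the authenticating realm) instead of the whole PrincipalCollection, so an entry
    // can be evicted by name alone, whichever realm authenticated the user.
    @Override
    protected Object getAuthorizationCacheKey(PrincipalCollection principals) {
        return principals.getPrimaryPrincipal();
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        Set<String> roles = rolesByUser.getOrDefault(username, Collections.<String>emptySet());
        return new SimpleAuthorizationInfo(new HashSet<String>(roles));
    }

    /** The "currentUser.addRole(...)" from the question: update the store, then evict the cache. */
    public void grantRole(String username, String role) {
        rolesByUser.computeIfAbsent(username, k -> ConcurrentHashMap.<String>newKeySet()).add(role);
        // Without this eviction the stale role set stays cached until the entry expires or the user logs out.
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(username, getName()));
    }
}
```

The next Subject#hasRole call for that user misses the cache, runs doGetAuthorizationInfo again and caches the new role set; if no CacheManager is configured the eviction is a no-op and every check reads the store directly.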

Re: How to add a role to the subject

Posted by 0xsven <0x...@gmail.com>.
Thank you for that. 

I have another question about the realm in general. When registering a realm
in the ini section, when does it get used? Any time a user is
authenticated? I have some problems with understanding the whole
thing... :-/

Re: How to add a role to the subject

Posted by armandoxxx <ar...@dropchop.com>.
My classes... the important thing is this code

in the doGetAuthorizationInfo method:

	//THIS IS THE MAIN CODE YOU NEED TO DO !!!!
	SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
	info.setRoles(roles); //fill in roles (Set of String)
	info.setObjectPermissions(permissions); //add permissions ... custom objects (MUST IMPLEMENT SHIRO'S PERMISSION INTERFACE)


bye 

Armando

Re: How to add a role to the subject

Posted by 0xsven <0x...@gmail.com>.
User and Role, are those objects written by yourself or part of the Shiro
framework?

Re: How to add a role to the subject

Posted by armandoxxx <ar...@dropchop.com>.
Hey ... 

What I did was to create my custom realm that loads user roles from a data
source. It's not dynamic and the user must first log out for new roles to become
accepted.


import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class MyRealm extends AuthorizingRealm {

	/**
	code for this realm was removed, cause it's not needed
	(User, Role, UserManager, InvalidDataException and ResourceException are
	application classes, not part of Shiro; the two fields below are the ones
	the methods use)
	**/
	private static final Logger log = LoggerFactory.getLogger(MyRealm.class);
	private UserManager userManager; // data access object for the user database

	/**
	WHEN USER LOGS IN !!!
	**/
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token) {
		UsernamePasswordToken upToken = (UsernamePasswordToken) token;

		User user = null;
		try {
			this.userManager.beginTransaction();
			user = this.userManager.loadUserByLoginName(upToken.getUsername());
			this.userManager.commitTransaction();
		} catch (InvalidDataException idEx) {
			// note: the transaction is not rolled back here; the UserManager API is not shown
			throw new AuthenticationException(idEx);
		} catch (ResourceException rEx) {
			throw new AuthenticationException(rEx);
		}

		if (user == null) {
			throw new AuthenticationException("Login name [" + upToken.getUsername() + "] not found!");
		}
		log.info("Found user with username [{}]", upToken.getUsername());

		// the User object becomes the principal; the stored password is the credential
		// that Shiro's CredentialsMatcher compares against the submitted one
		return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
	}


	/**
	this function loads user authorization data from the "userManager" data source
	(database).
	User and Role are custom POJOs (beans) and are loaded from the database.
	WildcardPermission implements Shiro's Permission interface, so my permissions
	in the database get accepted by Shiro security.
	**/
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection principals) {
		Set<String>      roles          = new HashSet<String>();
		Set<Permission>  permissions    = new HashSet<Permission>();
		// the User principals were put into the collection by doGetAuthenticationInfo above
		Collection<User> principalsList = principals.byType(User.class);

		if (principalsList.isEmpty()) {
			throw new AuthorizationException("Empty principals list!");
		}
		//LOADING STUFF FOR PRINCIPAL
		for (User userPrincipal : principalsList) {
			try {
				this.userManager.beginTransaction();

				// reload the user from the database instead of trusting the detached principal object
				User user = this.userManager.loadById(userPrincipal.getId());

				Set<Role> userRoles = user.getRoles();
				for (Role r : userRoles) {
					roles.add(r.getName());
					Set<WildcardPermission> userPermissions = r.getPermissions();
					for (WildcardPermission permission : userPermissions) {
						if (!permissions.contains(permission)) {
							permissions.add(permission);
						}
					}
				}
				this.userManager.commitTransaction();
			} catch (InvalidDataException idEx) { //userManager exceptions
				throw new AuthorizationException(idEx);
			} catch (ResourceException rEx) {
				throw new AuthorizationException(rEx);
			}
		}
		//THIS IS THE MAIN CODE YOU NEED TO DO !!!!
		SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
		info.setRoles(roles); //fill in roles (already passed to the constructor; redundant but harmless)
		info.setObjectPermissions(permissions); //add permissions (MUST IMPLEMENT SHIRO PERMISSION INTERFACE)

		return info;
	}

}



I hope I could help ! 

Kind regards

Armando 