Posted to user@shiro.apache.org by seme <di...@gmail.com> on 2011/12/15 13:26:30 UTC

Shiro and LDAP authorization

New to shiro, I want to set up ldap authorization. I was able to
authenticate via ldap.
In shiro, where can I store my user authorization info and how can I
retrieve it?

Any help or sample code will be appreciated.

Thanks


--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7096956.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro and LDAP authorization

Posted by seme <di...@gmail.com>.
Hi Les,

I wanted CAS to do authentication, and Shiro for authorization, you answered
my question before I even asked.

Thanks a lot.


--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7100446.html

Re: Shiro and LDAP authorization

Posted by gchristman <gc...@cardaddy.com>.
I answered my own question and wanted to post this in case someone else
needed help or for possible improvement on my solution. 

Login.class method

    Object onSubmit() {
        try {
            //Remote Authentication
            RemoteLoginClient client = new RemoteLoginClient();
            RemoteSubject authenticate =
                    client.authenticate(formatUsername(username), password);

            //tapestry security authentication: the password was already verified
            //remotely, so the token carries only the username and roles
            Subject currentUser = SecurityUtils.getSubject();
            CustomAuthenticationToken token = new CustomAuthenticationToken(
                    authenticate.getUsername(), authenticate.getRoles());

            currentUser.login(token);
        } catch (AuthenticationException e) {
            //catch errors
        }
        return null;
    }


//Custom token used to hold username and roles which are set from remote
//authentication service.
public class CustomAuthenticationToken implements AuthenticationToken {

    private String username;
    private List<String> roles;

    public CustomAuthenticationToken(String username, List<String> roles) {
        this.username = username;
        this.roles = roles;
    }

    //Required by the AuthenticationToken interface. No credentials are carried:
    //the remote service already checked the password.
    public Object getPrincipal() {
        return username;
    }

    public Object getCredentials() {
        return null;
    }

getters/setters
}

//Custom Realm used to handle local authentication and authorization.
public class CustomRealm extends AuthorizingRealm {

    //Hibernate Session
    private final Session session;
    public static final String EMPTY_PASSWORD = "";

    public CustomRealm(Session session) {
        this.session = session;
        //Credentials were verified remotely, so no local password check is done;
        //only CustomAuthenticationToken is accepted by this realm.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        setAuthenticationTokenClass(CustomAuthenticationToken.class);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        CustomAuthenticationToken customToken = (CustomAuthenticationToken) token;
        String email = customToken.getUsername();
        List<String> roles = customToken.getRoles();

        //Prefix match: any email starting with the username matches, and
        //uniqueResult() throws if more than one row does.
        User user = (User) session.createCriteria(User.class)
                .add(Restrictions.like("email", email + "%"))
                .uniqueResult();

        if (user == null) {
            throw new UnknownAccountException("User doesn't exist in local database");
        }

        return new SimpleAuthenticationInfo(new CustomPrincipal(user, roles),
                EMPTY_PASSWORD, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Set<String> roleNames = new LinkedHashSet<String>();

        CustomPrincipal primaryPrincipal =
                (CustomPrincipal) principals.getPrimaryPrincipal();

        //Roles come from the principal built at login, not from a second lookup
        for (String role : primaryPrincipal.getRoles()) {
            roleNames.add(role);
        }

        return new SimpleAuthorizationInfo(roleNames);
    }
}

//Custom principal used to hold user object and roles
public class CustomPrincipal {

    private User user;
    private List<String> roles;

    public CustomPrincipal() {
    }

    public CustomPrincipal(User user, List<String> roles) {
        this.user = user;
        this.roles = roles;
    }

getters/setters
}

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7523553.html

Re: Shiro and LDAP authorization

Posted by gchristman <gc...@cardaddy.com>.
Hi Les, is there any chance you could provide an example of how to construct
and cache an AuthorizationInfo object during authentication? I'd like to
share a piece of my code, perhaps you could help me out.

Page Class,

I get user roles from authenticate as authenticate.getRoles(); I need to
pass them into shiro. 

            //Remote authentication
            RemoteLoginClient client = new RemoteLoginClient();
            RemoteSubject authenticate = client.authenticate(username, password);

            //tapestry security authentication
            Subject currentUser = SecurityUtils.getSubject();
            System.out.println(currentUser);
            CustomAuthenticationToken token =
                    new CustomAuthenticationToken(authenticate.getUsername());

            System.out.println("roles" + currentUser.hasRoles(authenticate.getRoles()));
            currentUser.login(token);


This is my realm,

public class CustomRealm extends AuthorizingRealm {

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        CustomAuthenticationToken upToken = (CustomAuthenticationToken) token;
        String email = upToken.getUsername();

        ApplicationUser applicationUser = (ApplicationUser)
                session.createCriteria(ApplicationUser.class)
                .add(Restrictions.like("email", email + "%"))
                .uniqueResult();

        if (applicationUser == null) {
            throw new UnknownAccountException("User doesn't exist in EPRS database");
        }

        return buildAuthenticationInfo(applicationUser.getId());
    }


    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

        return new SimpleAuthorizationInfo(roleNames);
    }

Thanks Les.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7520967.html

Re: Shiro and LDAP authorization

Posted by Les Hazlewood <lh...@apache.org>.
On Dec 16, 2011, at 8:03 AM, seme wrote:

> Here is my scenario, user gets authenticated via cas and has authorization
> info in attributes from CAS ldap.
> I want to take those attributes and build permissions for authorization, I
> am trying to extend AuthorizingRealm, but I can't find a way to pass those
> attributes.
> Also, I am using shiro for authorization only, when does
> doGetAuthorizationInfo get called?

It is called the very first time that an authorization operation occurs (e.g. a permission or role check).  If caching is enabled/configured, the AuthorizationInfo will be cached at that time to avoid further continuous 'hits' on the back-end data store.

For Realms that look up both authentication and authorization information, you could preemptively construct and cache an AuthorizationInfo object during authentication so there is only one perceived 'hit' during login.  You would do this by calling the getAuthorizationInfo(PrincipalCollection principals) method from within your doGetAuthenticationInfo method.

HTH!

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
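A worked version of what Les describes above, and of what gchristman asked for earlier in the thread: a realm that receives the attributes CAS released for an already-authenticated user, builds the principal from them, and calls getAuthorizationInfo(principals) from inside doGetAuthenticationInfo so the AuthorizationInfo is cached at login. This is an added example, not code from the thread or from the Shiro project; the token and principal class names (CasAttributesToken, CasPrincipal), the group-to-permission table and the "memberOf" sample values are all constructed for the example. The Shiro classes and methods used (AuthorizingRealm, SimplePrincipalCollection, MemoryConstrainedCacheManager, AllowAllCredentialsMatcher, DefaultSecurityManager) are real Shiro 1.x APIs.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

// Hypothetical token handed to Shiro after CAS has validated the user. It carries
// the username and the LDAP attributes CAS released; there is no password to verify.
final class CasAttributesToken implements AuthenticationToken {
    final String username;
    final Map<String, List<String>> attributes;
    CasAttributesToken(String username, Map<String, List<String>> attributes) {
        this.username = username; this.attributes = attributes;
    }
    public Object getPrincipal() { return username; }
    public Object getCredentials() { return null; }
}

// Principal stored in the Subject. equals/hashCode use the username only, because
// AuthorizingRealm keys its cache by the PrincipalCollection: a principal without
// a stable equality would never produce a cache hit.
final class CasPrincipal {
    final String username;
    final Set<String> groups;
    CasPrincipal(String username, Set<String> groups) { this.username = username; this.groups = groups; }
    @Override public boolean equals(Object o) {
        return o instanceof CasPrincipal && ((CasPrincipal) o).username.equals(username);
    }
    @Override public int hashCode() { return username.hashCode(); }
}

public class CasAttributesRealm extends AuthorizingRealm {
    // Constructed group -> permission table; a real deployment loads this from its own store.
    static final Map<String, List<String>> GROUP_PERMISSIONS = new HashMap<>();
    static {
        GROUP_PERMISSIONS.put("app-admins", Arrays.asList("report:*", "user:*"));
        GROUP_PERMISSIONS.put("app-users", Arrays.asList("report:read"));
    }
    int authorizationLookups = 0; // counts back-end lookups so the caching effect is visible

    public CasAttributesRealm() {
        setAuthenticationTokenClass(CasAttributesToken.class);
        setCredentialsMatcher(new AllowAllCredentialsMatcher()); // CAS already checked the password
        setCacheManager(new MemoryConstrainedCacheManager());
        setAuthorizationCachingEnabled(true); // the default, stated explicitly
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        CasAttributesToken cas = (CasAttributesToken) token;
        List<String> memberOf = cas.attributes.get("memberOf");
        if (memberOf == null || memberOf.isEmpty()) {
            throw new UnknownAccountException("no group membership released for " + cas.username);
        }
        Set<String> groups = new LinkedHashSet<>();
        for (String dn : memberOf) groups.add(cnOf(dn));
        PrincipalCollection principals =
                new SimplePrincipalCollection(new CasPrincipal(cas.username, groups), getName());
        // Pre-warm the authorization cache now, so login is the only back-end hit.
        getAuthorizationInfo(principals);
        return new SimpleAuthenticationInfo(principals, null);
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        authorizationLookups++;
        CasPrincipal p = (CasPrincipal) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String group : p.groups) {
            info.addRole(group);
            List<String> perms = GROUP_PERMISSIONS.get(group);
            if (perms != null) info.addStringPermissions(perms);
        }
        return info;
    }

    // "cn=app-admins,ou=groups,dc=example,dc=com" -> "app-admins"
    static String cnOf(String dn) {
        String first = dn.split(",", 2)[0];
        return first.regionMatches(true, 0, "cn=", 0, 3) ? first.substring(3) : first;
    }

    public static void main(String[] args) {
        CasAttributesRealm realm = new CasAttributesRealm();
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        // Constructed sample of the attributes CAS might release for one user.
        Map<String, List<String>> attrs = new HashMap<>();
        attrs.put("memberOf", Arrays.asList("cn=app-admins,ou=groups,dc=example,dc=com",
                                            "cn=app-users,ou=groups,dc=example,dc=com"));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new CasAttributesToken("alice", attrs));
        System.out.println("hasRole(app-admins): " + subject.hasRole("app-admins"));          // true
        System.out.println("isPermitted(report:delete): " + subject.isPermitted("report:delete")); // true
        System.out.println("isPermitted(system:stop): " + subject.isPermitted("system:stop"));   // false
        System.out.println("doGetAuthorizationInfo calls: " + realm.authorizationLookups);      // 1
    }
}
```

Two points the example makes concrete: the realm never trusts the token's attributes for a user it cannot place in a group (it throws UnknownAccountException rather than granting an empty but valid login), and the role and permission checks after login never call doGetAuthorizationInfo again because the entry written during authentication is found under the same principal key.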

Re: Shiro and LDAP authorization

Posted by seme <di...@gmail.com>.
Here is my scenario, user gets authenticated via cas and has authorization
info in attributes from CAS ldap.
I want to take those attributes and build permissions for authorization, I
am trying to extend AuthorizingRealm, but I can't find a way to pass those
attributes.
Also, I am using shiro for authorization only, when does
doGetAuthorizationInfo get called?

Thanks

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7101087.html

Re: Shiro and LDAP authorization

Posted by Les Hazlewood <lh...@apache.org>.
Hi Seme,

You can use whatever datasource you like to store authorization
information.  In Shiro, this is often represented as two Realms
configured for your application - One Realm for talking to LDAP just
for authentication purposes and another Realm for talking to your
datastore of choice just for authorization purposes.

Once you've tested your Realm used for Authorization needs, you can
just add it to the configured Realms.  For example, in shiro.ini:

securityManager.realms = ldapAuthenticationRealm, mydatasourceAuthorizationRealm

HTH!

Cheers,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Thu, Dec 15, 2011 at 4:26 AM, seme <di...@gmail.com> wrote:
> New to shiro, I want to set up ldap authorization. I was able to
> authenticate via ldap.
> In shiro, where can I store my user authorization info and how can I
> retrieve it?
>
> Any help or sample code will be appreciated.
>
> Thanks
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7096956.html
> Sent from the Shiro User mailing list archive at Nabble.com.
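A fuller shiro.ini for the two-realm split Les describes above, added here as an example rather than taken from the thread or from the Shiro documentation. The LDAP realm class and its properties (JndiLdapRealm, userDnTemplate, contextFactory.url) and MemoryConstrainedCacheManager are real Shiro 1.x classes; the DN template, the LDAP URL and the com.example authorization realm are placeholders.

```ini
[main]
# Realm 1: authentication only, against the LDAP directory.
# Placeholders: adjust the DN template and URL for your directory.
ldapAuthenticationRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapAuthenticationRealm.userDnTemplate = uid={0},ou=users,dc=example,dc=com
ldapAuthenticationRealm.contextFactory.url = ldaps://ldap.example.com:636

# Realm 2: authorization only. A hypothetical AuthorizingRealm that reads
# roles/permissions for the authenticated principal from your own datasource.
# Its supports(token) should return false: ModularRealmAuthenticator then never
# asks it to authenticate, so it cannot accept a login the LDAP realm rejected
# (the default AtLeastOneSuccessfulStrategy would treat that as a success).
mydatasourceAuthorizationRealm = com.example.MyDatasourceAuthorizationRealm

# Cache AuthorizationInfo so role/permission checks do not hit the datasource
# on every request.
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Both realms are consulted for authorization; only the LDAP realm answers
# authentication. Object references in shiro.ini use the $name form.
securityManager.realms = $ldapAuthenticationRealm, $mydatasourceAuthorizationRealm
```

With this layout the principal the authorization realm receives is the username the LDAP realm placed in the PrincipalCollection, so the datasource lookup in its doGetAuthorizationInfo should key on that value and return an empty SimpleAuthorizationInfo, not null, for users it does not know.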

Re: Shiro and LDAP authorization

Posted by Manoj Khangaonkar <kh...@gmail.com>.
You can store the authorization info anywhere you want, RDBMS, LDAP,
key-value stores etc etc

See the sample realm implementations.

On Thu, Dec 15, 2011 at 4:26 AM, seme <di...@gmail.com> wrote:
> New to shiro, I want to set up ldap authorization. I was able to
> authenticate via ldap.
> In shiro, where can I store my user authorization info and how can I
> retrieve it?
>
> Any help or sample code will be appreciated.
>
> Thanks
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7096956.html
> Sent from the Shiro User mailing list archive at Nabble.com.



-- 
http://khangaonkar.blogspot.com/