Posted to user@shiro.apache.org by gbrits <gb...@gmail.com> on 2013/10/02 16:41:49 UTC

Does an overarching concept of an Actor (or similar) exist that combines multiple Subjects?

I'm trying to get a good mental model of Shiro. I'm a 1 day old newbie so
please bear with me :)

What I would like to have is a concept of Person / Actor that gives a
unified view of an Actor's permissions over all possible Applications and
Realms. What I'm trying to find out is whether such a concept exists within
Shiro or whether I would have to model it outside Shiro myself.

According to my mental model, which may be skewed, this means that I want to
have a Person / Actor concept linked to a bunch of Subjects, where each
Subject actually represents the same Person / Actor but through a different
means of authentication.

Let me try to explain.

For instance, say I have Application A, Application B, Application C. 

A Subject ( I hope I use this concept correctly) may authenticate to
Application A by the following means: 
- login/password (some local custom datasource local to Application B) 
- social login through Facebook, Twitter, Github

Similarly for Application B: 
- login/password as checked by a custom datasource shared between
Application B and C.
- social login through Twitter

Lastly, Application C: 
- login/password as checked by a custom datasource shared between
Application B and C.

AFAIK the following are all different Subjects although they may in fact be
the same natural Person (or computer Actor):
1.  subject that logs in to App A using Facebook
2.  subject that logs in to App A using login/pass
3.  subject that logs in to App B using login/pass
4.  subject that logs in to App C using login/pass (same login/pass as 3.)

What I want is a way to link these Subjects together, i.e. to be able to say
they're in fact the same Person/Actor.

Does such an overarching concept of Person/Actor exist in Shiro? How do you
handle this?

Thanks, 
Geert-Jan






Re: Does an overarching concept of an Actor (or similar) exist that combines multiple Subjects?

Posted by versatec <ro...@versatec.de>.
From the documentation
http://shiro.apache.org/authentication.html#Authentication-Step1%3ACollecttheSubject%27sprincipalsandcredentials
:

Shiro has 3 concrete AuthenticationStrategy implementations
(AuthenticationStrategy class: Description):

- AtLeastOneSuccessfulStrategy: If one (or more) Realms authenticate
  successfully, the overall attempt is considered successful. If none
  authenticate successfully, the attempt fails.
- FirstSuccessfulStrategy: Only the information returned from the first
  successfully authenticated Realm will be used. All further Realms will be
  ignored. If none authenticate successfully, the attempt fails.
- AllSuccessfulStrategy: All configured Realms must authenticate successfully
  for the overall attempt to be considered successful. If any one does not
  authenticate successfully, the attempt fails.

I have not verified whether this applies to authorization, too, but what I
fancy is that a subject is by default authenticated to every configured
realm and for every realm where this succeeds, that realm's specific role and
permissions are added to the subject's list of roles and permissions.

example:
realm1 subject authenticates -> role1 and permissions1 from this realm are
added to subject
realm2 subject does not authenticate, role2 and permissions2 are NOT added
to subject
realm3 subject authenticates -> role3 and permissions3 from this realm are
added to subject

So, in Shiro you have subjects that are linked to roles and permissions
authenticated and authorized through individual realms, instead of a person /
actor linked to multiple subjects.

*If I am writing nonsense here, please people, correct me!*



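The three-realm scenario from the reply above, as an added example that is not code from either poster or from the Shiro project. It assumes Shiro 1.x on the classpath; the account name "gj", the password, and the choice to model "does not authenticate" in realm2 as an absent account are constructed for illustration.

```java
import java.util.Arrays;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class MultiRealmDemo {

    // Constructed in-memory realm. A null password means the realm has no
    // account for "gj", so that realm cannot authenticate the token.
    static SimpleAccountRealm realm(String name, String password, String role) {
        SimpleAccountRealm r = new SimpleAccountRealm(name);
        if (password != null) {
            r.addAccount("gj", password, role);
        }
        return r;
    }

    public static void main(String[] args) {
        ModularRealmAuthenticator authc = new ModularRealmAuthenticator();
        authc.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());

        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authc); // set before the realms so they are passed on to it
        sm.setRealms(Arrays.<Realm>asList(
                realm("realm1", "s3cret", "role1"),
                realm("realm2", null, "role2"),
                realm("realm3", "s3cret", "role3")));

        // Build the Subject directly from the SecurityManager (no SecurityUtils).
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken("gj", "s3cret"));

        // One Subject, one PrincipalCollection, grouped by contributing realm.
        System.out.println("realms: " + subject.getPrincipals().getRealmNames());
        System.out.println("from realm3: " + subject.getPrincipals().fromRealm("realm3"));

        // Role checks are answered by the configured realms for this Subject.
        for (String role : new String[] {"role1", "role2", "role3"}) {
            System.out.println(role + " -> " + subject.hasRole(role));
        }
    }
}
```

Swapping in `AllSuccessfulStrategy` makes the same login throw an `AuthenticationException`, because realm2 has no matching account.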