Posted to user@shiro.apache.org by Rob Young <bo...@gmail.com> on 2013/09/27 19:46:37 UTC

Adding principal information to a web request

Hi there,

I've been evaluating using Shiro for authorization for a web
application I've been working on.  We have authentication done via
shibboleth, routing traffic through apache to our web application
server (glassfish at the moment).  With this setup, authentication is
done via shibboleth and the user ID (and other info) is passed to
glassfish via server request attributes.  We are then using a separate
service (likely grouper or possibly something custom) to manage user
roles/groups/permissions.  I have half of the puzzle done, in that
I've written a custom authentication realm that will be used to talk
to grouper.  The other thing I would like to do is to intercept each
request and attach to the SecurityUtils.getSubject() any principal
information shibboleth has passed along, so then in backing beans I
can do tests against this user and/or specify conditional rendering of
page elements based on whether the current subject/principal has
authorization to see the info.

Currently my shiro.ini is very sparse:

[main]
# Objects and their properties are defined here,
# Such as the securityManager, Realms and anything
# else needed to build the SecurityManager
grouperRealm = my.org.TestRealm

[users]
# The 'users' section is for simple deployments
# when you only need a small number of statically-defined
# set of User accounts.

[roles]
# The 'roles' section is for simple deployments
# when you only need a small number of statically-defined
# roles.

[urls]
# The 'urls' section is used for url-based security
# in web applications.  We'll discuss this section in the
# Web documentation

And I have a JSF page with a backing bean that calls this code on each load:
org.apache.shiro.mgt.SecurityManager sm = SecurityUtils.getSecurityManager();
System.out.println(sm);
final Subject subject = SecurityUtils.getSubject();
System.out.println(subject);


I would like to have the subject here have principal information set
if it's available from shibboleth - is this the correct way to access
the security manager from a backing bean/JSF?


I figure I need to extend some kind of filter to add the shibboleth
info, any push in the right direction would be great.


Cheers!

Re: Adding principal information to a web request

Posted by versatec <ro...@versatec.de>.
I am not familiar with shibboleth, but I wrote a shiro filter to do SPNEGO
SSO authentication to active directory by extending AccessControlFilter and
then implementing the 
@Override protected boolean preHandle(ServletRequest request,
ServletResponse response) throws Exception 
method. Within this method I return 'false' when I directly manipulate the
http response and do not want shiro to proceed through the other filters. I
return 'true' when I want shiro to follow through with its entire stack. 

@Override protected boolean isAccessAllowed(ServletRequest request,
ServletResponse response, Object o) throws Exception 
always returns true because my filter only does automatic authentication
through SPNEGO and leaves the path-matching etc. to authc filter.

So in effect I have chained two filters together: My filter goes first and
tries to do an automatic authentication through SPNEGO. If SPNEGO succeeds
the subject's principal is retrieved from kerberos token and bound to shiro
stack:
// context is the established GSSContext from the SPNEGO handshake
String principal = context.getSrcName().toString().toLowerCase();
PrincipalCollection principals = new SimplePrincipalCollection(principal,
getRealmName());
WebSubject.Builder builder = new WebSubject.Builder(request, response);
builder.principals(principals).authenticated(true);
WebSubject webSubject = builder.buildWebSubject();
// from here on SecurityUtils.getSubject() returns this subject for the request
ThreadContext.bind(webSubject);


After my filter comes authc filter which blocks access based on whether the
subject is authenticated or not, path-matching etc.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Adding-principal-information-to-a-web-request-tp7579196p7579218.html
Sent from the Shiro User mailing list archive at Nabble.com.
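Putting the question and the SPNEGO reply together, below is an added example of the same pattern applied to Shibboleth. It is not code from either message or from Shiro or Shibboleth; the class name ShibbolethPrincipalFilter, the package my.org.web, the filter name shibAuth, the attribute names eppn, displayName and mail, and the realm name grouperRealm are all assumptions and must be changed to match the actual deployment. The filter reads the identifier the Shibboleth SP placed in a request attribute, builds a WebSubject carrying it as the primary principal (plus any extra SP attributes as a second, map-shaped principal), binds it for the rest of the request, and leaves every access decision to the filters that follow it in the chain.

```java
package my.org.web; // assumed package

import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.subject.WebSubject;

/**
 * Binds the identity that the Shibboleth SP (mod_shib in Apache, forwarded
 * over AJP) has put into request attributes to a Shiro WebSubject, so that
 * SecurityUtils.getSubject() in backing beans carries the user's principal.
 * Authorization decisions stay with the realm and with the authc/roles/perms
 * filters that follow this one in the chain.
 *
 * Wiring in shiro.ini (filter name and attribute names are assumptions):
 *
 *   [main]
 *   grouperRealm = my.org.TestRealm
 *   shibAuth = my.org.web.ShibbolethPrincipalFilter
 *   shibAuth.userAttribute = eppn
 *   shibAuth.realmName = grouperRealm
 *
 *   [urls]
 *   /** = shibAuth, authc
 */
public class ShibbolethPrincipalFilter extends AccessControlFilter {

    // Attribute the SP exports as the user identifier (eppn is an assumption;
    // use whatever your attribute-map.xml defines).
    private String userAttribute = "eppn";
    // Further SP attributes to carry along as a second principal (assumed names).
    private String[] extraAttributes = {"displayName", "mail"};
    // Must match the realm name used in [main].
    private String realmName = "grouperRealm";

    public void setUserAttribute(String name) { this.userAttribute = name; }
    public void setExtraAttributes(String[] names) { this.extraAttributes = names; }
    public void setRealmName(String name) { this.realmName = name; }

    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        // Read request *attributes*, which only the server-side SP can set.
        // Reading request headers instead would let any client spoof a user id
        // unless Apache strips those headers from incoming requests.
        String userId = attribute(request, userAttribute);
        if (userId == null) {
            // Nothing from Shibboleth: leave the subject anonymous; authc decides.
            return true;
        }

        Subject current = SecurityUtils.getSubject();
        if (current.isAuthenticated() && userId.equals(current.getPrincipal())) {
            return true; // already bound (e.g. restored from the Shiro session)
        }

        SimplePrincipalCollection principals = new SimplePrincipalCollection(userId, realmName);
        Map<String, String> extra = new HashMap<>();
        for (String name : extraAttributes) {
            String value = attribute(request, name);
            if (value != null) {
                extra.put(name, value);
            }
        }
        if (!extra.isEmpty()) {
            principals.add(extra, realmName); // secondary principal: SP attribute map
        }

        WebSubject.Builder builder = new WebSubject.Builder(request, response);
        builder.principals(principals).authenticated(true);
        WebSubject webSubject = builder.buildWebSubject();
        ThreadContext.bind(webSubject); // SecurityUtils.getSubject() now returns it
        return true;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        return true; // access control is the job of the filters that follow
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
        return false; // never reached, because isAccessAllowed always returns true
    }

    // Null for a missing or blank attribute, the trimmed string otherwise.
    private static String attribute(ServletRequest request, String name) {
        Object raw = request.getAttribute(name);
        if (raw == null) {
            return null;
        }
        String value = raw.toString().trim();
        return value.isEmpty() ? null : value;
    }
}
```

Two points worth checking in a real deployment. First, the filter deliberately reads request attributes, not HTTP headers: attributes are set inside the server by the SP module, whereas a header such as a user id is client-controlled unless Apache is configured to drop it on the way in, so a header-based variant would let an unauthenticated client choose its own principal. Second, DefaultSecurityManager persists the built subject's principals into the Shiro session by default, so the identity survives across requests within that session even if a later request reaches the application without the Shibboleth attributes; if the Shibboleth session and the Shiro session are expected to end together, the logout path must invalidate both.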