You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@shiro.apache.org by "jonathan.labin" <jo...@gmail.com> on 2016/01/27 23:09:29 UTC

Re: Multiple Realms, one for Authentikation, one for Authorization

Is this still the recommended approach for a separate authorization realm?

For testing purposes, how would I get Shiro to load my subclassed version of
the the iniRealm?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580919.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Brian Demers <br...@gmail.com>.

There are two basic ways to assign permissions to a subject: through a
realm directly, or the RolePermissionResolver (which basically just maps a
role assigned from a realm to a list of permissions)

This is useful when mapping between user groups and application permissions
(such as "myapp:somefunction:write").

On Fri, Jan 29, 2016 at 1:24 PM, jonathan.labin <jo...@gmail.com>
wrote:

> Ok.  But it appears to me that in the context of a multi-realm situation, a
> role that is granted by one realm cannot be used by the second realm to
> impart permissions to the user.  Each realm considers only the roles that
> it
> applies to the user when determining permissions?
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580942.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by "jonathan.labin" <jo...@gmail.com>.

Ok.  But it appears to me that in the context of a multi-realm situation, a
role that is granted by one realm cannot be used by the second realm to
impart permissions to the user.  Each realm considers only the roles that it
applies to the user when determining permissions?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580942.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Brian Demers <br...@gmail.com>.

Sorry, I responded to quickly.   Just to clear this up...  A realm can
assign roles and/or permissions to a subject (user).  So you could end up
with roles/permissions from multiple realms (if that is what you are
looking for)

Your application could resolve roles to permissions by using a
RolePermissionResolver

http://shiro.apache.org/authorization.html#Authorization-Configuringaglobal%7B%7BRolePermissionResolver%7D%7D



On Fri, Jan 29, 2016 at 11:44 AM, Brian Demers <br...@gmail.com>
wrote:

> Yes, that was one of the initial reasons I started using Shiro.
>
> On Fri, Jan 29, 2016 at 11:13 AM, jonathan.labin <jonathan.labin@gmail.com
> > wrote:
>
>> Can permissions be defined in one realm while the role that gives those
>> permissions is given a different realm?
>>
>>
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580934.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>
>

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Brian Demers <br...@gmail.com>.

Yes, that was one of the initial reasons I started using Shiro.

On Fri, Jan 29, 2016 at 11:13 AM, jonathan.labin <jo...@gmail.com>
wrote:

> Can permissions be defined in one realm while the role that gives those
> permissions is given a different realm?
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580934.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by "jonathan.labin" <jo...@gmail.com>.

Can permissions be defined in one realm while the role that gives those
permissions is given a different realm?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580934.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Multiple Realms, one for Authentikation, one for Authorization

Posted by Brian Demers <br...@gmail.com>.

Yes, for your subclass, just configure the ini file [or for testing you
could just call SecurityManager.setRealms()]
http://shiro.apache.org/authentication.html#Authentication-RealmAuthenticationOrder

On Wed, Jan 27, 2016 at 5:09 PM, jonathan.labin <jo...@gmail.com>
wrote:

> Is this still the recommended approach for a separate authorization realm?
>
> For testing purposes, how would I get Shiro to load my subclassed version
> of
> the the iniRealm?
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Multiple-Realms-one-for-Authentikation-one-for-Authorization-tp1113845p7580919.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>