Posted to user@shiro.apache.org by "Daniel M." <da...@yahoo.com> on 2016/05/04 21:29:22 UTC
SAML 1.x almost there!
After trying to use Apache Shiro (I am able to login and authenticate) with
casRealm.validationProtocol = SAML
enabled I was able to login to the app. However I did not have permissions or role options.
What does this mean? I could not use:
...
if ( currentUser.hasRole( "schwartz" ) ) {
...
Just to see what Shiro was using I dumped the principal attributes by using:
...
import java.util.List;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
...
    public void verify() {
        try {
            Subject subject = SecurityUtils.getSubject();
            if (subject.isAuthenticated()) {
                // every principal the realm stored for this subject (the CAS user id and the attribute map)
                List<Object> principals = subject.getPrincipals().asList();
                for (Object principal : principals) {
                    logger.debug(principal.toString());
                }
                logger.info("Authenticated user: {}", subject.getPrincipal().toString());
            }
...
and got
...
Info: DEBUG [http-listener-1(1)] (StartShiro.java:35) - {samlAuthenticationStatementAuthMethod=urn:oasis:names:tc:SAML:1.0:am:password, authenticationMethod=LdapAuthenticationHandler, displayName=Test User, roles=[cn=user administrator,cn=roles,cn=accounts,dc=mydomain,dc=com, cn=change a user password,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=user administrators,cn=privileges,cn=pbac,dc=mydomain,dc=com, cn=modify groups,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=developers,cn=groups,cn=accounts,dc=mydomain,dc=com, ..., cn=cas_admin,cn=roles,cn=accounts,dc=mydomain,dc=com, ..., cn=modify users,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=add groups,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=remove groups,cn=permissions,cn=pbac,dc=mydomain,dc=com], successfulAuthenticationHandlers=LdapAuthenticationHandler, email=testuser@mydomain.com}
INFO [http-listener-1(1)] (StartShiro.java:38) - Authenticated user: testuser
...
So I switched to using pac4j-cas (bujiio/buji-pac4j: multi protocols (OAuth, OpenID Connect, CAS, SAML, HTTP, GAE) security extension for Shiro):
...
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.pac4j.core.profile.CommonProfile;
...
        try {
            Subject subject = SecurityUtils.getSubject();
            if (subject.isAuthenticated()) {
                // buji-pac4j stores the pac4j profile as the second principal
                CommonProfile commonProfile = (CommonProfile) subject.getPrincipals().asList().get(1);
                for (String role : commonProfile.getRoles()) {
                    logger.debug(role);
                }
                // works! (the "{}" placeholder was missing here, which is why the log line below shows no name)
                logger.info("Main principal: {}", commonProfile.getDisplayName());
                // email works!
                logger.info("Authenticated user email: {}", commonProfile.getEmail());
            }
...
Info: INFO [http-listener-1(1)] (StartShiro.java:38) - Main principal:
Info: INFO [http-listener-1(1)] (StartShiro.java:40) - Authenticated user email: testuser@mydomain.com
I obviously need roles and permissions. I can feel that I am pretty close but not close enough. I configured the CAS server and control the properties returned by the SAML service on the CAS server with:
...
<bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid" c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <entry key="displayName" value="displayName" />
            <entry key="mail" value="email" />
            <entry key="memberOf" value="roles" />
        </map>
    </property>
</bean>
...
Still, at this point I feel there is a mapping problem between the SAML document and the Shiro client. Not sure where to proceed from here.
Here are the particulars:
CAS server: 4.2.1
Shiro core: 1.2.4
Shiro web: 1.2.4
pac4j-core: 1.8.8
pac4j-cas: 1.8.8
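Added example (editor's addition; not code from Daniel's post, nor from Shiro, CAS or buji-pac4j): the debug dump above shows that CAS does release the group memberships, but as full LDAP DNs inside a single multi-valued "roles" attribute, and nothing on the Shiro side turns those DNs into Shiro roles or permissions. The realm below does that mapping itself. It is authorization-only (supports() returns false) so it can sit next to the authenticating CasRealm or pac4j realm, and it reads the attribute from either layout the post shows: the attribute Map that shiro-cas stores as the second principal, or the CommonProfile that buji-pac4j stores. The class name, the roleAttributeName property, the shiro.ini wiring in the comment and the "roles/groups -> role, permissions -> permission" convention are assumptions for this example. One caveat worth checking before relying on a built-in attribute-to-role setting instead: a DN contains commas, so any mapper that tokenises the attribute value on bare "," will fragment "cn=developers,cn=groups,dc=mydomain,dc=com" into four meaningless roles; this example splits list items on comma-plus-whitespace and parses each DN's RDNs explicitly.

```java
package com.example;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.pac4j.core.profile.CommonProfile;

/**
 * Authorization-only realm mapping the LDAP DNs CAS releases in the "roles"
 * attribute onto Shiro roles and permissions. Hypothetical class for this
 * example; wire it next to the authenticating realm in shiro.ini:
 *
 *   dnRealm = com.example.DnAttributeRealm
 *   dnRealm.roleAttributeName = roles
 *   securityManager.realms = $casRealm, $dnRealm
 */
public class DnAttributeRealm extends AuthorizingRealm {

    /** Attribute CAS fills from memberOf (the post's principalAttributeMap names it "roles"). */
    private String roleAttributeName = "roles";

    public void setRoleAttributeName(String roleAttributeName) {
        this.roleAttributeName = roleAttributeName;
    }

    /** Never authenticate here; the CasRealm or pac4j realm does that. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        return null;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String dn : dnValues(rawAttribute(principals))) {
            // Assumption (matches the post's dump): no whitespace after the commas
            // inside a DN, so a plain split yields the RDNs in order.
            String[] rdns = dn.split(",");
            if (rdns.length < 2) {
                continue;
            }
            String name = cnValue(rdns[0]);       // cn=developers -> developers
            String container = cnValue(rdns[1]);  // cn=groups     -> groups
            if (name == null || container == null) {
                continue;
            }
            if (container.equalsIgnoreCase("roles") || container.equalsIgnoreCase("groups")) {
                info.addRole(name);                 // subject.hasRole("developers")
            } else if (container.equalsIgnoreCase("permissions")) {
                info.addStringPermission(name);     // subject.isPermitted("modify users")
            }
            // Other containers (e.g. cn=privileges) are deliberately ignored.
        }
        return info;
    }

    /** Finds the attribute in either principal layout seen in the post. */
    private Object rawAttribute(PrincipalCollection principals) {
        Map<?, ?> attributes = principals.oneByType(Map.class);            // shiro-cas: [userId, attributeMap]
        if (attributes != null) {
            return attributes.get(roleAttributeName);
        }
        CommonProfile profile = principals.oneByType(CommonProfile.class);  // buji-pac4j: [id, profile]
        if (profile != null) {
            return profile.getAttribute(roleAttributeName);
        }
        return null;
    }

    /** Normalises a multi-valued attribute: a Collection, or its "[a, b]" String rendering. */
    static List<String> dnValues(Object raw) {
        List<String> values = new ArrayList<String>();
        if (raw instanceof Collection) {
            for (Object o : (Collection<?>) raw) {
                values.add(String.valueOf(o).trim());
            }
        } else if (raw instanceof String) {
            String s = ((String) raw).trim();
            if (s.startsWith("[") && s.endsWith("]")) {
                s = s.substring(1, s.length() - 1);
            }
            // Split on comma + whitespace: that separates list items but never RDNs here.
            for (String part : s.split(",\\s+")) {
                if (!part.trim().isEmpty()) {
                    values.add(part.trim());
                }
            }
        }
        return values;
    }

    /** Returns the value of a "cn=..." RDN, or null for any other attribute type. */
    private static String cnValue(String rdn) {
        int eq = rdn.indexOf('=');
        if (eq < 0 || !rdn.substring(0, eq).trim().equalsIgnoreCase("cn")) {
            return null;
        }
        return rdn.substring(eq + 1).trim();
    }
}
```

With the attribute values from the dump, this yields roles such as "user administrator", "developers" and "cas_admin" and permissions such as "modify users" and "add groups", so the hasRole() check from the beginning of the post starts returning true. Keep the mapping conservative: only containers you have decided are authorization-relevant should become roles, and the DN parsing should reject anything that is not a well-formed cn= RDN rather than guessing.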