Posted to user@shiro.apache.org by Marcus Bond <ma...@marcusbond.me.uk> on 2012/06/22 14:00:38 UTC

Delegating credentials matching

Hi, I wondered if anyone has done anything where there has been a need to
pass credentials to a service for authentication?

 

I have a situation where a user gives username and password but there is no
way for me to retrieve the stored credentials to match - what should happen
is that the credentials are sent to a remote service which will in turn say
they are good or otherwise. Is there a "Shiro way" of doing this?

 

Marcus.


RE: Delegating credentials matching

Posted by Marcus Bond <ma...@marcusbond.me.uk>.
Thanks Les,

 

I had previously implemented a quick kludge that effectively did the same
thing, my credentials matcher didn't actually do the matching but instead
attempted to perform HTTP basic authentication against a web server.. it
worked but wasn't pretty code.. I think a refactor using this approach is in
order.

 

Cheers guys,

Marcus.

 

From: Les Hazlewood [mailto:lhazlewood@apache.org] 
Sent: 26 June 2012 21:42
To: user@shiro.apache.org
Subject: Re: Delegating credentials matching

 

Yep, Jared's recommendation is a good one.

 

For added color: the 'AllowAllCredentialsMatcher' is a non-null matcher that
effectively bypasses any credential comparison logic inside Shiro.  You
would only want to enable this matcher if your back-end data store used by
the Realm asserts credentials match directly during an authentication
attempt.

 

Cheers,

 

--

Les Hazlewood

CTO, Stormpath | http://stormpath.com <http://www.stormpath.com/>  |
888.391.5282

twitter: @lhazlewood | http://twitter.com/lhazlewood

blog: http://leshazlewood.com <http://leshazlewood.com/> 

stormpath blog: http://www.stormpath.com/blog
<http://www.stormpath.com/blog/index> 

 

On Sat, Jun 23, 2012 at 1:02 PM, Marcus Bond <ma...@marcusbond.me.uk>
wrote:

Thanks Jared, I will look into that, sounds just the ticket.
Marcus.


-----Original Message-----
From: Jared Bunting [mailto:jared.bunting@peachjean.com]
Sent: 22 June 2012 14:31
To: user@shiro.apache.org
Subject: Re: Delegating credentials matching

One example of this is the JndiLdapRealm.  In doGetAuthenticationInfo, it
passes the credentials to the directory, and if the authentication fails, it
throws an AuthenticationException.  Meanwhile, it sets its
CredentialsMatcher to "AllowAllCredentialsMatcher".

Hope that helps,
Jared

On Fri 22 Jun 2012 07:00:38 AM CDT, Marcus Bond wrote:
> Hi, I wondered if anyone has done anything where there has been a need
> to pass credentials to a service for authentication?
>
>
>
> I have a situation where a user gives username and password but there
> is no way for me to retrieve the stored credentials to match - what
> should happen is that the credentials are sent to a remote service
> which will in turn say they are good or otherwise. Is there a "Shiro
> way" of doing this?
>
>
>
> Marcus.
>




 


Re: Delegating credentials matching

Posted by Les Hazlewood <lh...@apache.org>.
Yep, Jared's recommendation is a good one.

For added color: the 'AllowAllCredentialsMatcher' is a non-null matcher
that effectively bypasses any credential comparison logic inside Shiro.
 You would only want to enable this matcher if your back-end data store
used by the Realm asserts credentials match directly during an
authentication attempt.

Cheers,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com <http://www.stormpath.com/> |
888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog:
http://www.stormpath.com/blog<http://www.stormpath.com/blog/index>

On Sat, Jun 23, 2012 at 1:02 PM, Marcus Bond <ma...@marcusbond.me.uk> wrote:

> Thanks Jared, I will look into that, sounds just the ticket.
> Marcus.
>
> -----Original Message-----
> From: Jared Bunting [mailto:jared.bunting@peachjean.com]
> Sent: 22 June 2012 14:31
> To: user@shiro.apache.org
> Subject: Re: Delegating credentials matching
>
> One example of this is the JndiLdapRealm.  In doGetAuthenticationInfo, it
> passes the credentials to the directory, and if the authentication fails,
> it throws an AuthenticationException.  Meanwhile, it sets its
> CredentialsMatcher to "AllowAllCredentialsMatcher".
>
> Hope that helps,
> Jared
>
> On Fri 22 Jun 2012 07:00:38 AM CDT, Marcus Bond wrote:
> > Hi, I wondered if anyone has done anything where there has been a need
> > to pass credentials to a service for authentication?
> >
> >
> >
> > I have a situation where a user gives username and password but there
> > is no way for me to retrieve the stored credentials to match – what
> > should happen is that the credentials are sent to a remote service
> > which will in turn say they are good or otherwise. Is there a “Shiro
> > way” of doing this?
> >
> >
> >
> > Marcus.
> >
>
>
>
>

RE: Delegating credentials matching

Posted by Marcus Bond <ma...@marcusbond.me.uk>.
Thanks Jared, I will look into that, sounds just the ticket.
Marcus.

-----Original Message-----
From: Jared Bunting [mailto:jared.bunting@peachjean.com] 
Sent: 22 June 2012 14:31
To: user@shiro.apache.org
Subject: Re: Delegating credentials matching

One example of this is the JndiLdapRealm.  In doGetAuthenticationInfo, it passes the credentials to the directory, and if the authentication fails, it throws an AuthenticationException.  Meanwhile, it sets its CredentialsMatcher to "AllowAllCredentialsMatcher".

Hope that helps,
Jared

On Fri 22 Jun 2012 07:00:38 AM CDT, Marcus Bond wrote:
> Hi, I wondered if anyone has done anything where there has been a need 
> to pass credentials to a service for authentication?
>
>
>
> I have a situation where a user gives username and password but there 
> is no way for me to retrieve the stored credentials to match – what 
> should happen is that the credentials are sent to a remote service 
> which will in turn say they are good or otherwise. Is there a “Shiro 
> way” of doing this?
>
>
>
> Marcus.
>




Re: Delegating credentials matching

Posted by Jared Bunting <ja...@peachjean.com>.
One example of this is the JndiLdapRealm.  In doGetAuthenticationInfo, 
it passes the credentials to the directory, and if the authentication 
fails, it throws an AuthenticationException.  Meanwhile, it sets its 
CredentialsMatcher to "AllowAllCredentialsMatcher".

Hope that helps,
Jared

On Fri 22 Jun 2012 07:00:38 AM CDT, Marcus Bond wrote:
> Hi, I wondered if anyone has done anything where there has been a need
> to pass credentials to a service for authentication?
>
>
>
> I have a situation where a user gives username and password but there
> is no way for me to retrieve the stored credentials to match – what
> should happen is that the credentials are sent to a remote service
> which will in turn say they are good or otherwise. Is there a “Shiro
> way” of doing this?
>
>
>
> Marcus.
>
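
An added example, not part of the thread and not Shiro's own code: a realm that follows the pattern described above, handing the submitted username and password to a remote service inside doGetAuthenticationInfo and pairing that with AllowAllCredentialsMatcher. RemoteServiceRealm and the RemoteAuthenticator interface are hypothetical names; the Shiro classes are real and need shiro-core on the classpath.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;

public class RemoteServiceRealm extends AuthenticatingRealm {

    /** Hypothetical client for the remote service; not a Shiro type. */
    public interface RemoteAuthenticator {
        boolean verify(String username, char[] password) throws java.io.IOException;
    }

    private final RemoteAuthenticator remote;

    public RemoteServiceRealm(RemoteAuthenticator remote) {
        this.remote = remote;
        setAuthenticationTokenClass(UsernamePasswordToken.class);
        // The remote service has already judged the password by the time Shiro
        // consults the matcher, so the matcher must not compare anything.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        // With an allow-all matcher, a cached AuthenticationInfo would be
        // accepted for any password, so keep authentication caching off.
        setAuthenticationCachingEnabled(false);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        char[] password = upToken.getPassword();
        // Reject empty input locally; some back ends treat it as anonymous access.
        if (username == null || password == null || password.length == 0) {
            throw new IncorrectCredentialsException("Missing username or password");
        }
        boolean accepted;
        try {
            accepted = remote.verify(username, password);
        } catch (java.io.IOException e) {
            // Fail closed: an unreachable service must never look like success.
            throw new AuthenticationException("Remote authentication service unavailable", e);
        }
        if (!accepted) {
            throw new IncorrectCredentialsException("Remote service rejected the credentials");
        }
        // Returning normally is the success signal; every failure path above throws.
        return new SimpleAuthenticationInfo(username, password, getName());
    }
}
```

Because the matcher accepts everything, the only thing standing between a caller and a successful login is this method throwing, so any new code path added to it has to end in an exception unless the remote service explicitly accepted the credentials.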