...
Shiro can use multi-realm authentication and authorization - for example, authentication and authorization against a shiro.ini account and one or more LDAP accounts, or against one or more LDAP accounts only.
...
This article describes multi-realm authentication in detail - example configurations showing multi-realm authentication and authorization have already been presented in the Authentication and Authorization - Configuration and LDAP Configuration articles.
A Simple Multi-Realm Example
Consider the case of a user account that is registered for both the Shiro ini realm and an LDAP realm. Such a configuration is shown in the listing below. A publicly accessible LDAP server (here, the server from forumsys.com) is used in this example so that the configuration can be implemented by 'cut and paste' with a minimum of modification.
...
- If the authorization occurs through the ini realm then the user account will only be assigned the roles specified for the ini realm. The LDAP realm(s) will be ignored.
- If the authorization occurs through an LDAP realm then, regardless of whether or not the same password is used in each realm:
- The user account will be assigned the role(s) specified for the account in the (first) authorizing realm.
- The user account will also be assigned the role(s) specified for the account in the ini realm.
- This behavior ensures that a login is possible in the event of problems with the LDAP realm(s).
- The order in which the realms are specified in the securityManager.realms parameter is not significant here.
- The roleAssignmentFromIni=false setting (default true) can be used to modify the behavior of the First Successful strategy so that roles from the ini realm are not assigned. See the Suppressing assignment of the ini Realm section below.
When the SOS Authenticator is used with the At Least One Successful strategy:
...
Strategy | Authenticator | ... | ... | ... |
---|---|---|---|---|
First Successful | shiro | |||
First Successful | SOS | |||
At Least One Successful | shiro/SOS | |||
All Successful | shiro/SOS | |||
Suppressing assignment of the ini Realm
When the First Successful strategy is used and an ini realm and one or more LDAP realms have accounts with the same user name but different passwords, the roles of the ini realm are assigned by default when the login succeeds against one of the LDAP realms. This behavior can be suppressed by setting the roleAssignmentFromIni parameter to false for the LDAP realms in the environment. This is shown in the code example below:
```ini
[users]
newton = $shiro1$SHA-512$500000$wsJJJJ7cbBpoVi0C...JJ5U5pter6Q==,administrator
[main]
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
scientists : it_operator, \
mathematicians: all
publicLdapRealm.roleAssignmentFromIni = false
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
securityManager.realms = $publicLdapRealm, $iniRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
```
With the above configuration:
- When the user name newton is used together with the password for the ini realm then the account will be assigned the administrator role.
- When the user name newton is used together with the password for the LDAP realm then the account will be assigned the it_operator role.
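The First Successful rules listed earlier and the newton example in this section, modelled as an added Python script that is not Shiro or SOS code: IniRealm, LdapRealm, first_successful and parse_group_roles_map are hypothetical names, the passwords and the group membership are constructed stand-ins for the ini [users] section and for the LDAP bind and userSearchFilter lookup, and only the role assignment logic the article describes is reproduced.

```python
import hmac
from dataclasses import dataclass

def parse_group_roles_map(value):
    """Parse 'scientists : it_operator, mathematicians: all' into {ldap_group: role}."""
    mapping = {}
    for entry in value.split(","):
        if ":" in entry:
            group, role = entry.split(":", 1)
            mapping[group.strip()] = role.strip()
    return mapping

@dataclass
class IniRealm:
    users: dict  # user -> (password, roles), as in the ini [users] section
    def authenticate(self, user, password):
        entry = self.users.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        return set(entry[1])

@dataclass
class LdapRealm:
    passwords: dict        # user -> password: constructed stand-in for the LDAP bind
    groups: dict           # user -> LDAP groups: stand-in for the userSearchFilter lookup
    group_roles_map: dict  # parsed groupRolesMap
    role_assignment_from_ini: bool = True  # the roleAssignmentFromIni parameter
    def authenticate(self, user, password):
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None
        return {self.group_roles_map[g] for g in self.groups.get(user, ()) if g in self.group_roles_map}

def first_successful(realms, user, password):
    """Realms are tried in order; the first accepting the credentials authorizes. An ini
    authorization ignores LDAP; an LDAP one also gets the ini roles unless suppressed."""
    ini_realms = [r for r in realms if isinstance(r, IniRealm)]
    for realm in realms:
        roles = realm.authenticate(user, password)
        if roles is None:
            continue
        if isinstance(realm, LdapRealm) and realm.role_assignment_from_ini:
            for ini in ini_realms:
                roles |= set(ini.users.get(user, ("", ()))[1])
        return type(realm).__name__, roles
    return None, set()

# Constructed sample data mirroring the newton example (passwords are made up).
INI = IniRealm(users={"newton": ("ini-secret", {"administrator"})})
LDAP = LdapRealm({"newton": "ldap-secret"}, {"newton": {"scientists"}},
                 parse_group_roles_map("scientists : it_operator, mathematicians: all"), False)
```

Calling first_successful([LDAP, INI], "newton", password) with the ini password yields only administrator, with the LDAP password only it_operator; rebuilding LDAP with the default roleAssignmentFromIni yields both roles.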