
...

By default, Shiro authentication uses the authcStrategy = org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy strategy. This strategy causes a login to be attempted for all the realms listed in the securityManager.realms parameter or, if this is not set, in all the realms listed in the shiro.ini configuration file. However, note the behavior described below if one of the configured realms is the iniRealm.

The authcStrategy is configured as follows:

Configuration of Alternative LDAP Configuration Strategies:

```ini
authcStrategy = org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```

Authentication and Authorization with the FirstSuccessfulStrategy configured

The FirstSuccessfulStrategy strategy is incorrectly implemented in Shiro: a login will be attempted for all the realms, even after a successful login has been noted. In addition, login attempts carried out after a successful login has been noted will be logged at the [error] level. See issue JOC-437 for more information.

...

When an LDAP realm user account is authenticated and there is an iniRealm with the same user name but this ini realm is not listed in the securityManager.realms parameter, then by default, role(s) configured for the ini realm account will be merged together with those of the LDAP realm account. Note that this will occur regardless of whether or not the same password is used for both realm accounts.
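The role merging described above can be reproduced with plain Shiro, independent of JOC. The following is an added example, not code from this page or from the JobScheduler project; it assumes shiro-core on the classpath and uses two in-memory SimpleAccountRealm instances as stand-ins for the LDAP realm and the ini realm, with the same user name but different passwords in each.

```java
import java.util.Arrays;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class RealmRoleMergeDemo {
    public static void main(String[] args) {
        // Stand-in for the LDAP realm (assumption: in-memory realm instead of a directory):
        // user "alice", password "ldap-pw", role "user".
        SimpleAccountRealm ldapStandIn = new SimpleAccountRealm("ldapRealm");
        ldapStandIn.addAccount("alice", "ldap-pw", "user");

        // Stand-in for the iniRealm: same user name, a different password, role "admin".
        SimpleAccountRealm iniStandIn = new SimpleAccountRealm("iniRealm");
        iniStandIn.addAccount("alice", "ini-pw", "admin");

        // Same strategy as the shiro.ini setting above, configured programmatically.
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());

        // Authenticator must be set before the realms so that they are applied to it.
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setAuthenticator(authenticator);
        securityManager.setRealms(Arrays.asList(ldapStandIn, iniStandIn));
        SecurityUtils.setSecurityManager(securityManager);

        // Only the LDAP stand-in accepts this password; the ini stand-in rejects it.
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "ldap-pw"));

        // Authorization is answered by every configured realm (ModularRealmAuthorizer),
        // so the ini account's "admin" role is granted although its password was never presented.
        System.out.println("has role user:  " + subject.hasRole("user"));
        System.out.println("has role admin: " + subject.hasRole("admin"));
        subject.logout();
    }
}
```

Running it with both realms registered shows the ini account's role being granted to a subject that only proved the LDAP password, which is the merge behavior the paragraph warns about.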

...

Note that this parameter has to be defined for each realm individually.

Behavior for Accounts with Differing Passwords

The following points apply for a multi-realm environment, where one of the realms is the ini realm and when the user accounts have a common name but different passwords:

...