...

Code Block
languagexml
# Use the SOS authenticator instead of Shiro's default authenticator
authenticator = com.sos.auth.shiro.SOSAuthenticator
securityManager.authenticator = $authenticator
# Note: assign the realms to the authenticator, not to securityManager.realms
authenticator.realms = $iniRealm, $ldapRealm

The SOS authenticator can be used with all three behavior strategies, but it only modifies the behavior of the First Successful strategy,

...

Code Block
titleMulti Group Realms
collapsetrue
[main]
# Realm names carry a group prefix separated by '#': A#Ldap1 and A#Ldap2 form group A,
# B#Ldap1 and B#Ldap2 form group B. The group strategies below check Realms group-wise.
A#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
A#Ldap1.userDnTemplate = uid={0},dc=example,dc=com
A#Ldap1.searchBase = dc=example,dc=com
# ldap:// (clear text) is used here only because this is a public test server; in
# production use ldaps://, otherwise user credentials travel to the directory unencrypted.
A#Ldap1.contextFactory.url = ldap://ldap.forumsys.com:389
 
A#Ldap1.groupNameAttribute = ou
A#Ldap1.userNameAttribute = uid
 
A#Ldap1.rolePermissionResolver = $rolePermissionResolver
A#Ldap1.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
# mapping of LDAP groups to roles
A#Ldap1.groupRolesMap = \
  scientists : r1, \
  mathematicians: r2
A#Ldap1.roleAssignmentFromIni = false
 
A#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

B#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

B#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
 
# Group-wise strategy. The authentication matrices in the following chapters assume that
# groups and the Realms within a group are evaluated in the order given by securityManager.realms
# (first group = A, first Realm of a group = Ldap1).
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
securityManager.realms = $A#Ldap1,$A#Ldap2,$B#Ldap1,$B#Ldap2
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

...


The following chapters give examples of the behavior with the different strategies.

SOSFirstSuccessfulGroupStrategy

Code Block
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

...

  • All Realms with the same group are checked group-wise.
  • In every group at least one Realm must authenticate the user; otherwise authentication fails as a whole.
  • The roles from the first successfully authenticating Realm of each group are added to the roles the user is assigned.
Authentication Matrix

x = the Realm authenticates the user, blank = the Realm rejects the user; the result column lists the Realms whose roles the user is assigned, or fail if authentication fails as a whole.

A#Ldap1 | A#Ldap2 | B#Ldap1 | B#Ldap2 | Result (Realms whose roles are assigned, or fail)
   x    |    x    |    x    |    x    | A#Ldap1, B#Ldap1
   x    |         |    x    |    x    | A#Ldap1, B#Ldap1
   x    |    x    |         |    x    | A#Ldap1, B#Ldap2
   x    |    x    |    x    |         | A#Ldap1, B#Ldap1
        |    x    |    x    |    x    | A#Ldap2, B#Ldap1
   x    |    x    |         |         | fail
   x    |         |    x    |         | A#Ldap1, B#Ldap1
   x    |         |         |    x    | A#Ldap1, B#Ldap2
        |    x    |    x    |         | A#Ldap2, B#Ldap1
        |    x    |         |    x    | A#Ldap2, B#Ldap2
        |         |    x    |    x    | fail
   x    |         |         |         | fail
        |    x    |         |         | fail
        |         |    x    |         | fail
        |         |         |    x    | fail
        |         |         |         | fail


SOSAllSuccessfulGroupStrategy

Code Block
authcStrategy = org.apache.shiro.authc.pam.SOSAllSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

 

Explanation
  • All Realms with the same group are checked group-wise.
  • In at least one group all Realms must authenticate the user.
  • The roles from all Realms of every group in which all Realms authenticate the user are merged into the roles the user is assigned.
Authentication Matrix

A#Ldap1 | A#Ldap2 | B#Ldap1 | B#Ldap2 | Result (Realms whose roles are assigned, or fail)
   x    |    x    |    x    |    x    | A#Ldap1, A#Ldap2, B#Ldap1, B#Ldap2
   x    |         |    x    |    x    | B#Ldap1, B#Ldap2
   x    |    x    |         |    x    | A#Ldap1, A#Ldap2
   x    |    x    |    x    |         | A#Ldap1, A#Ldap2
        |    x    |    x    |    x    | B#Ldap1, B#Ldap2
   x    |    x    |         |         | A#Ldap1, A#Ldap2
   x    |         |    x    |         | fail
   x    |         |         |    x    | fail
        |    x    |    x    |         | fail
        |    x    |         |    x    | fail
        |         |    x    |    x    | B#Ldap1, B#Ldap2
   x    |         |         |         | fail
        |    x    |         |         | fail
        |         |    x    |         | fail
        |         |         |    x    | fail
        |         |         |         | fail



SOSAllSuccessfulFirstGroupStrategy

Code Block
authcStrategy = org.apache.shiro.authc.pam.SOSAllSuccessfulFirstGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

 

Explanation

...

  • All Realms with the same group are checked group-wise.
  • In at least one group all Realms must authenticate the user.
  • The roles from the Realms of the first group in which all Realms authenticate the user are merged with other roles the user may be assigned; later groups do not contribute roles even if all their Realms authenticate the user.
Authentication Matrix

A#Ldap1 | A#Ldap2 | B#Ldap1 | B#Ldap2 | Result (Realms whose roles are assigned, or fail)
   x    |    x    |    x    |    x    | A#Ldap1, A#Ldap2
   x    |         |    x    |    x    | B#Ldap1, B#Ldap2
   x    |    x    |         |    x    | A#Ldap1, A#Ldap2
   x    |    x    |    x    |         | A#Ldap1, A#Ldap2
        |    x    |    x    |    x    | B#Ldap1, B#Ldap2
   x    |    x    |         |         | A#Ldap1, A#Ldap2
   x    |         |    x    |         | fail
   x    |         |         |    x    | fail
        |    x    |    x    |         | fail
        |    x    |         |    x    | fail
        |         |    x    |    x    | B#Ldap1, B#Ldap2
   x    |         |         |         | fail
        |    x    |         |         | fail
        |         |    x    |         | fail
        |         |         |    x    | fail
        |         |         |         | fail


SOSAtLeastOneSuccessfulGroupStrategy

Code Block
authcStrategy = org.apache.shiro.authc.pam.SOSAtLeastOneSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

...

  • All Realms with the same group are checked group-wise.
  • In every group at least one Realm must authenticate the user.
  • The roles from all Realms that authenticate the user are merged with other roles the user may be assigned.
Authentication Matrix

A#Ldap1 | A#Ldap2 | B#Ldap1 | B#Ldap2 | Result (Realms whose roles are assigned, or fail)
   x    |    x    |    x    |    x    | A#Ldap1, A#Ldap2, B#Ldap1, B#Ldap2
   x    |         |    x    |    x    | A#Ldap1, B#Ldap1, B#Ldap2
   x    |    x    |         |    x    | A#Ldap1, A#Ldap2, B#Ldap2
   x    |    x    |    x    |         | A#Ldap1, A#Ldap2, B#Ldap1
        |    x    |    x    |    x    | A#Ldap2, B#Ldap1, B#Ldap2
   x    |    x    |         |         | fail
   x    |         |    x    |         | A#Ldap1, B#Ldap1
   x    |         |         |    x    | A#Ldap1, B#Ldap2
        |    x    |    x    |         | A#Ldap2, B#Ldap1
        |    x    |         |    x    | A#Ldap2, B#Ldap2
        |         |    x    |    x    | fail
   x    |         |         |         | fail
        |    x    |         |         | fail
        |         |    x    |         | fail
        |         |         |    x    | fail
        |         |         |         | fail

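The group-wise rules of the four strategies described in the chapters above, as an added Python model of the decision logic; this is not the SOS or Shiro implementation, only a stand-alone example that reproduces the documented behavior. It assumes that the group of a Realm is the part of its name before '#', that a Realm name without '#' forms a group of its own, and that groups and the Realms within a group are evaluated in the order of securityManager.realms; each Realm's authentication attempt is represented as True (the Realm authenticates the user) or False (it rejects the user). The Realm names are the four from the Multi Group Realms configuration. authentication_matrix() regenerates the 16-row matrix of a chapter from these rules, so the rules can be checked against the tables.

```python
"""Model of the four SOS group-wise authentication strategies (added example)."""
from itertools import product

# Realm order as configured in securityManager.realms
REALMS = ["A#Ldap1", "A#Ldap2", "B#Ldap1", "B#Ldap2"]


def group_of(realm):
    """Assumption: the group is the text before '#'; a name without '#' is its own group."""
    return realm.split("#", 1)[0]


def by_group(realms):
    """Group Realms in configured order, keeping each group's Realm order (dict is insertion-ordered)."""
    groups = {}
    for realm in realms:
        groups.setdefault(group_of(realm), []).append(realm)
    return groups


def first_successful_group(realms, outcome):
    """Every group needs one success; roles come from the first successful Realm per group."""
    contributing = []
    for members in by_group(realms).values():
        successful = [r for r in members if outcome[r]]
        if not successful:
            return None  # one group without success fails the login as a whole
        contributing.append(successful[0])
    return contributing


def all_successful_group(realms, outcome):
    """Roles from every group whose Realms all succeeded; at least one such group is required."""
    contributing = []
    for members in by_group(realms).values():
        if all(outcome[r] for r in members):
            contributing.extend(members)
    return contributing or None


def all_successful_first_group(realms, outcome):
    """Roles only from the first group whose Realms all succeeded; later groups are ignored."""
    for members in by_group(realms).values():
        if all(outcome[r] for r in members):
            return list(members)
    return None


def at_least_one_successful_group(realms, outcome):
    """Every group needs one success; roles come from all successful Realms."""
    contributing = []
    for members in by_group(realms).values():
        successful = [r for r in members if outcome[r]]
        if not successful:
            return None
        contributing.extend(successful)
    return contributing


STRATEGIES = {
    "SOSFirstSuccessfulGroupStrategy": first_successful_group,
    "SOSAllSuccessfulGroupStrategy": all_successful_group,
    "SOSAllSuccessfulFirstGroupStrategy": all_successful_first_group,
    "SOSAtLeastOneSuccessfulGroupStrategy": at_least_one_successful_group,
}


def authentication_matrix(strategy_name, realms=REALMS):
    """All 2^n Realm outcomes -> (outcome tuple, role assignment text or 'fail'), like the page's matrices."""
    strategy = STRATEGIES[strategy_name]
    rows = []
    for bits in product([True, False], repeat=len(realms)):
        outcome = dict(zip(realms, bits))
        result = strategy(realms, outcome)
        rows.append((bits, "fail" if result is None else ", ".join(result)))
    return rows


if __name__ == "__main__":
    for name in STRATEGIES:
        print(name)
        for bits, result in authentication_matrix(name):
            print("  " + " ".join("x" if b else "-" for b in bits) + "  " + result)
```

Running the file prints the four matrices in the row order used on this page (x = authenticated, - = rejected). Replacing REALMS with a different configured order shows how "first group" and "first Realm" follow the order of securityManager.realms.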
...