Versions Compared

Comment: 'roleAssignmentFromIni' added

...

  • org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy (default strategy)
    • If one (or more) Realms authenticate successfully, the overall attempt is considered successful.
    • If none authenticate successfully, the attempt fails.
  • org.apache.shiro.authc.pam.FirstSuccessfulStrategy
    • Only the information returned from the first successfully authenticated Realm will be used. All further Realms will be ignored.
    • If none authenticate successfully, the attempt fails.
  • org.apache.shiro.authc.pam.AllSuccessfulStrategy
    • All Realms listed in the securityManager.realms parameter must authenticate successfully for the overall attempt to be considered successful. If any one does not authenticate successfully, the attempt fails.

...

Note that the authorization can come
because

  • a) the password is incorrect or
  • b) another realm was listed before the ini realm and could allow the authentication
  • The ldap.roleAssignmentFromIni=false setting (default true) can be used to modify the behavior of the First Successful strategy so that roles from the ini realm are not assigned.

B) When using the At Least One Successful strategy:

  • ...

C) When using the All Successful strategy:

  • ...

Important

The following points apply for a multi-realm environment and where one of the realms is the ini realm:

A) When the SOS Authenticator is used with the First Successful strategy:

  • If the authorization occurs through the ini realm then the user account will only be assigned the roles specified for the ini realm.
  • If the authorization occurs through an LDAP realm then, regardless of whether or not the same password is used in each realm:
    • The user account will be assigned the role(s) specified for the account in the authorizing realm.
    • The user account will also be assigned the role(s) specified for the account in the ini realm (from our point of view this is an error in Shiro).
    • The order in which the realms are specified in the securityManager.realms parameter will not be significant here.
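As an added illustration (not Shiro's code, not the SOS Authenticator's code and not part of the original page), the following Python models the three pam strategies listed above and the role assignment described for the First Successful strategy; the realm names, the account "alice", its passwords and its roles are constructed, and the ini realm's roles are added on top of the authorizing realm's roles exactly as this section states.

```python
from dataclasses import dataclass, field


@dataclass
class Realm:
    """One configured realm: user -> (password, roles). Constructed stand-in, not Shiro's Realm."""
    name: str
    accounts: dict = field(default_factory=dict)

    def authenticates(self, user, password):
        entry = self.accounts.get(user)
        return entry is not None and entry[0] == password

    def roles(self, user):
        entry = self.accounts.get(user)
        return set(entry[1]) if entry else set()


def authenticate(realms, user, password, strategy):
    """Names of the realms whose AuthenticationInfo is kept, or None if the overall
    attempt fails, following the three org.apache.shiro.authc.pam strategies."""
    ok = [r.name for r in realms if r.authenticates(user, password)]
    if strategy == "FirstSuccessful":
        return ok[:1] or None        # first success only, later realms ignored
    if strategy == "AtLeastOneSuccessful":
        return ok or None            # every successful realm contributes
    if strategy == "AllSuccessful":
        return ok if len(ok) == len(realms) else None
    raise ValueError(f"unknown strategy {strategy!r}")


def effective_roles(realms, user, authenticated, role_assignment_from_ini=True):
    """Roles as this page describes them: those from the realm(s) whose info was kept,
    plus the ini realm's roles unless ldap.roleAssignmentFromIni=false is set."""
    by_name = {r.name: r for r in realms}
    roles = set()
    for name in authenticated or []:
        roles |= by_name[name].roles(user)
    if role_assignment_from_ini and INI_REALM in by_name:
        roles |= by_name[INI_REALM].roles(user)
    return roles


# Constructed sample: "alice" exists in both realms with different passwords.
INI_REALM = "iniRealm"
REALMS = [                         # order as in securityManager.realms
    Realm("ldapRealm", {"alice": ("ldap-pw", {"administrator"})}),
    Realm(INI_REALM, {"alice": ("ini-pw", {"all"})}),
]

if __name__ == "__main__":
    kept = authenticate(REALMS, "alice", "ldap-pw", "FirstSuccessful")
    print(kept, effective_roles(REALMS, "alice", kept))
    print(effective_roles(REALMS, "alice", kept, role_assignment_from_ini=False))
```

Swapping the realm order in REALMS changes nothing about the roles, which matches the note above that the order in securityManager.realms is not significant for role assignment.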