
...

Consider the case of a user account that is registered for both a shiro and an LDAP realm. Such a configuration is shown in the listing below.

  • One "newton" account is configured in the [users] section of the shiro.ini file for the iniRealm and assigned the administrator role.
  • A second "newton" account that accesses a publicly open LDAP server is configured in the [main] section of the shiro.ini file and assigned the it_operator role.

...

  • Both accounts have the same password.
  • If the securityManager.realms parameter is specified:
    • The authorization information provided by the user logging in is checked against each realm's account in the order in which the realms are listed in the securityManager.realms parameter (explicit ordering).
  • If the securityManager.realms parameter is not specified:
    • The authorization information provided by the user logging in is checked against each realm's account in the order in which the realms are listed in the [main] section of the shiro.ini file (implicit ordering).
Configuration for ini and LDAP Realms (shiro.ini):
[users]
newton = $shiro1$SHA-512$500000$wsJJJJ7cbBpoVi0C...JJ5U5pter6Q==,administrator

[main]
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
 
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
 
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all
 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
 
securityManager.realms = $iniRealm, $publicLdapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

...

  • org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy (default strategy)
    • If one (or more) Realms authenticate successfully, the overall attempt is considered successful. If none authenticate successfully, the attempt fails.
    • Roles from all authenticated realms are merged.
  • org.apache.shiro.authc.pam.FirstSuccessfulStrategy
    • Only the information returned from the first successfully authenticated Realm will be used. All further Realms will be ignored. If none authenticate successfully, the attempt fails.
    • Roles from the first authenticated realm are used.
  • org.apache.shiro.authc.pam.AllSuccessfulStrategy
    • All Realms listed in the securityManager.realms parameter must authenticate successfully for the overall attempt to be considered successful. If any one does not authenticate successfully, the attempt fails.
    • Roles from all realms are merged.

Note: roles from the iniRealm for authenticated users are always merged into the list of roles, regardless of the strategy specified (this seems to be an error in Shiro).

See issue JOC-437 for more information.
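The following is an added example, not code from Shiro or from the JobScheduler project: a small Python model of how the three strategies and the realm ordering combine the two "newton" accounts from the listing above into one effective role set. The realm contents, the password "s3cret" and the ini_roles_always_merged switch (which reproduces the behaviour noted above for JOC-437) are constructed assumptions, and the point it makes visible is that a shared password in a public LDAP directory can widen the roles a login ends up with.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Realm:
    name: str
    accounts: dict  # username -> (password, frozenset(roles)); constructed sample data


# Constructed stand-ins for the two "newton" accounts in the shiro.ini listing
# (same password in both realms, as the text assumes).
INI_REALM = Realm("iniRealm", {"newton": ("s3cret", frozenset({"administrator"}))})
LDAP_REALM = Realm("publicLdapRealm", {"newton": ("s3cret", frozenset({"it_operator"}))})


def _login(realm, username, password):
    """Return the realm's role set on success, None on failure."""
    entry = realm.accounts.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]


def authenticate(realms, username, password, strategy, ini_roles_always_merged=False):
    """Model of Shiro's pam strategies over realms tried in the given order.

    strategy: 'AtLeastOneSuccessful' | 'FirstSuccessful' | 'AllSuccessful'.
    ini_roles_always_merged models the behaviour noted in the text (JOC-437):
    iniRealm roles are added whenever iniRealm authenticates, whatever the strategy.
    Returns the effective role set, or None when the overall attempt fails.
    """
    roles, first_success = set(), None
    for realm in realms:
        granted = _login(realm, username, password)
        if granted is None:
            if strategy == "AllSuccessful":
                return None  # one failing realm fails the whole attempt
            continue
        if first_success is None:
            first_success = realm.name
        if strategy != "FirstSuccessful" or first_success == realm.name:
            roles |= granted  # FirstSuccessful ignores every later realm
        if ini_roles_always_merged and realm.name == "iniRealm":
            roles |= granted
    return frozenset(roles) if first_success is not None else None


if __name__ == "__main__":
    for strat in ("AtLeastOneSuccessful", "FirstSuccessful", "AllSuccessful"):
        print(strat, sorted(authenticate([INI_REALM, LDAP_REALM], "newton", "s3cret", strat)))
```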

...