...
Consider the case of a user account that is registered both in the iniRealm (the [users] section of shiro.ini) and in an LDAP realm. Such a configuration is shown in the listing below:
- One "newton" account is configured in the [users] section of the shiro.ini file for the iniRealm and is assigned the administrator role.
- A second "newton" account that accesses a publicly open LDAP server is configured in the [main] section of the shiro.ini file and is assigned the it_operator role.
...
- Both accounts have the same password.
- If the securityManager.realms parameter is specified, the credentials provided by the user logging in are checked against each realm in the order in which the realms are listed in the securityManager.realms parameter (explicit ordering).
- If the securityManager.realms parameter is not specified, the credentials are checked against each realm in the order in which the realms are declared in the [main] section of the shiro.ini file (implicit ordering).
```ini
[users]
newton = $shiro1$SHA-512$500000$wsJJJJ7cbBpoVi0C...JJ5U5pter6Q==,administrator

[main]
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm

securityManager.realms = $iniRealm, $publicLdapRealm

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
```
...
- org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy (default strategy): if one or more realms authenticate successfully, the overall attempt is considered successful; if none authenticate successfully, the attempt fails. Roles from all authenticated realms are merged.
- org.apache.shiro.authc.pam.FirstSuccessfulStrategy: only the information returned from the first successfully authenticated realm is used; all further realms are ignored. If none authenticate successfully, the attempt fails. Roles from the first authenticated realm are used.
- org.apache.shiro.authc.pam.AllSuccessfulStrategy: all realms listed in the securityManager.realms parameter must authenticate successfully for the overall attempt to be considered successful; if any one of them does not authenticate successfully, the attempt fails. Roles from all realms are merged.
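The strategy is selected in the [main] section of shiro.ini by instantiating the strategy class as an object and assigning it to the authenticator of the securityManager. The following fragment is an added example and not part of the listing above; the object name authcStrategy is an arbitrary choice and can be anything that does not collide with another object in [main].

```ini
[main]
# Realms are tried in this order (explicit ordering); see the listing above.
securityManager.realms = $iniRealm, $publicLdapRealm

# If nothing is configured, Shiro uses AtLeastOneSuccessfulStrategy.
# To require every listed realm to accept the credentials, switch to
# AllSuccessfulStrategy (or FirstSuccessfulStrategy to stop at the first match):
authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```

Check after changing the strategy that the realm which is supposed to reject the login actually does so; with AllSuccessfulStrategy a user who exists only in one of the realms can no longer log in at all.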
Note: roles from the iniRealm for authenticated users are always merged into the list of roles, regardless of the strategy specified. (This seems to be an error in Shiro.) The authentication strategy only governs the login itself; role checks are carried out by Shiro's ModularRealmAuthorizer, which asks every configured realm whether the subject has a role, so a realm that recognises the user name contributes its roles even when it is not the realm that authenticated the login.
See issue JOC-437 for more information.
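The interaction between the three strategies and the role lookup can be reproduced without an LDAP server. The program below is an added example and is neither part of this documentation nor of the Shiro project: it replaces the iniRealm and publicLdapRealm of the listing by two in-memory SimpleAccountRealm instances (an assumption made for the example), both holding a constructed account "newton" with the constructed password "secret", and logs the user in once per strategy, first with both accounts sharing the password and then with the LDAP stand-in holding a different one. It requires only shiro-core on the classpath.

```java
// Added example, not code from the JOC documentation or from Apache Shiro.
// Assumptions: shiro-core on the classpath; the two realms of the page are replaced
// by SimpleAccountRealm stand-ins; account name and passwords are constructed.
import java.util.Arrays;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class RealmStrategyDemo {

    /** Stand-in for the iniRealm of the listing: "newton" with the administrator role. */
    static Realm iniLikeRealm() {
        SimpleAccountRealm r = new SimpleAccountRealm("iniRealm");
        r.addAccount("newton", "secret", "administrator");
        return r;
    }

    /** Stand-in for publicLdapRealm: the same user name, role it_operator, given password. */
    static Realm ldapLikeRealm(String password) {
        SimpleAccountRealm r = new SimpleAccountRealm("publicLdapRealm");
        r.addAccount("newton", password, "it_operator");
        return r;
    }

    /** Logs "newton" in under the given strategy and reports the outcome and effective roles. */
    static String attempt(AuthenticationStrategy strategy, String ldapPassword) {
        // Realm order corresponds to securityManager.realms = $iniRealm, $publicLdapRealm
        DefaultSecurityManager sm = new DefaultSecurityManager(
                Arrays.<Realm>asList(iniLikeRealm(), ldapLikeRealm(ldapPassword)));
        ((ModularRealmAuthenticator) sm.getAuthenticator()).setAuthenticationStrategy(strategy);

        // Build the subject directly against this security manager rather than via
        // SecurityUtils, so every attempt gets a fresh subject and the chosen strategy.
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken("newton", "secret"));
            // hasRole() goes through ModularRealmAuthorizer, which consults every realm,
            // not only the realm(s) whose AuthenticationInfo was kept by the strategy.
            return "login ok, administrator=" + subject.hasRole("administrator")
                    + ", it_operator=" + subject.hasRole("it_operator");
        } catch (AuthenticationException e) {
            return "login failed: " + e.getClass().getSimpleName();
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        AuthenticationStrategy[] strategies = {
                new AtLeastOneSuccessfulStrategy(),
                new FirstSuccessfulStrategy(),
                new AllSuccessfulStrategy()
        };
        for (AuthenticationStrategy s : strategies) {
            String name = s.getClass().getSimpleName();
            // Case 1: both accounts share the password, as in the listing on this page.
            System.out.println(name + ", same password:      " + attempt(s, "secret"));
            // Case 2: only the iniRealm accepts the token.
            System.out.println(name + ", different password: " + attempt(s, "other"));
        }
    }
}
```

With identical passwords all three strategies accept the login. With a different password in the LDAP stand-in, AllSuccessfulStrategy rejects the login while the other two accept it on the strength of the iniRealm alone. In every accepted case both roles are reported, because the role lookup is independent of the authentication strategy and each stand-in realm recognises the user name "newton"; this is the mechanism behind the note above, and it means a shared user name across realms is effectively a union of privileges unless the realms are given distinct principal names or the authorizer is customised.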
...