...

Shiro can use multi-realm authentication and authorization - for example, authentication and authorization against a shiro.ini account and an LDAP account, or against one or more LDAP accounts.

Scope

This article describes multi-realm authentication in detail - example configurations showing multi-realm authentication and authorization have already been presented in the Authentication and Authorization - Configuration and LDAP Configuration articles.

Behavior for Accounts with a Common User Name and Password

Consider the case of a user account that is registered for both the Shiro ini realm and an LDAP realm. An example configuration is shown in the listing below. A publicly accessible LDAP server (hosted by forumsys.com) is used in this configuration so that it can be implemented by 'cut and paste' with a minimum of modification. The LDAP server has an account with the name 'newton' and the password 'password', and this account belongs to the group 'scientists'. In the configuration below, members of the 'scientists' LDAP group are assigned the (Shiro) 'it_operator' role. The ini realm 'newton' account has been given the same password as the LDAP realm account.

Configuration for ini and LDAP Realms:
[users]
newton = $shiro1$SHA-512$500000$wsJJJJ7cbBpoVi0C...JJ5U5pter6Q==,administrator

[main]
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
 
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
 
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all
 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
 
securityManager.realms = $publicLdapRealm, $iniRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

In this example:

...

  • Both accounts have the same password.
  • If the securityManager.realms parameter is specified:
    • The authorization information provided by the user logging in is checked against each realm account in the order in which the realms are specified in the securityManager.realms parameter (explicit ordering). In the example, this would be first the publicLdapRealm and then the iniRealm.
  • If the securityManager.realms parameter had not been specified:
    • The authorization information provided by the user logging in would have been checked against each realm account in the order in which the realms were listed in the [main] section of the shiro.ini file (implicit ordering). In the example, this would be first the iniRealm and then the publicLdapRealm.

...

Note that roles from the iniRealm for authenticated LDAP realm user accounts of the same name are always merged into the list of roles, regardless of whether or not the same password is used for both realm accounts. This happens for all authentication strategies (this seems to be an error in Shiro).

The LDAP realm parameter roleAssignmentFromIni (default setting is true) can be set to false to stop this happening. In the example listed above this parameter would be configured for the publicLdapRealm as:

  • publicLdapRealm.roleAssignmentFromIni = false
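The realm-ordering rule and the role-merge behaviour described above, modelled as an added Python example (not SOS or Shiro code): it parses a constructed shiro.ini carrying the page's realm definitions, derives the explicit or implicit realm order, and computes the roles an LDAP user ends up with, with and without roleAssignmentFromIni = false. The ini text, the placeholder hash and the "class name ends in Realm" heuristic for spotting realm objects in [main] are assumptions.

```python
# Constructed shiro.ini mirroring the page's example; the hash is a placeholder, not a credential.
SHIRO_INI = """
[users]
newton = $shiro1$SHA-512$500000$PLACEHOLDER==,administrator
[main]
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.groupRolesMap = \\
  scientists : it_operator, \\
  mathematicians: all
securityManager.realms = $publicLdapRealm, $iniRealm
"""

def parse_shiro_ini(text):
    # {section: [(key, value), ...]} with order preserved; a trailing backslash continues the line.
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line and line[0] not in "#;":
            key, _, value = line.partition("=")
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def realm_order(sections):
    # Explicit order from securityManager.realms; otherwise the iniRealm built from [users]/[roles]
    # comes first, followed by the realm objects in [main] order (implicit ordering).
    main = sections.get("main", [])
    for key, value in main:
        if key == "securityManager.realms":
            return [ref.strip().lstrip("$") for ref in value.split(",")]
    order = ["iniRealm"] if "users" in sections or "roles" in sections else []
    # Assumption: a [main] object whose class name ends in "Realm" is a realm definition.
    return order + [k for k, v in main if "." not in k and v.endswith("Realm")]

def effective_roles(sections, user, ldap_groups, ldap_realm="publicLdapRealm"):
    # Roles an LDAP user ends up with: groupRolesMap roles, plus the [users] roles of a
    # same-named ini account unless <realm>.roleAssignmentFromIni = false (the merge noted above).
    main = dict(sections.get("main", []))
    pairs = (e.partition(":") for e in main.get(f"{ldap_realm}.groupRolesMap", "").split(","))
    group_roles = {g.strip(): r.strip() for g, _, r in pairs}
    roles = {group_roles[g] for g in ldap_groups if g in group_roles}
    if main.get(f"{ldap_realm}.roleAssignmentFromIni", "true").strip().lower() != "false":
        for name, value in sections.get("users", []):
            if name == user:
                roles.update(r.strip() for r in value.split(",")[1:])
    return sorted(roles)
```

Removing the securityManager.realms line from the sample flips the order to iniRealm first, and appending publicLdapRealm.roleAssignmentFromIni = false drops the merged 'administrator' role for 'newton'.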

Multi-Realm Authentication and Authorization up to Release 1.12.3

...