...
Shiro can use multi-realm authentication and authorization - for example, authentication and authorization against a shiro.ini account and an LDAP account, or against one or more LDAP accounts.
Scope
This article describes multi-realm authentication in detail - example configurations showing multi-realm authentication and authorization have already been presented in the Authentication and Authorization - Configuration and LDAP Configuration articles.
Behavior for Accounts with a Common User Name and Password
Consider the case of a user account that is registered for both the Shiro ini realm and an LDAP realm. An example configuration is shown in the listing below. A publicly accessible LDAP server (hosted by forumsys.com) is used in this configuration so that it can be implemented by 'cut and paste' with a minimum of modification. The LDAP server has an account with the name 'newton' and the password 'password'; this account belongs to the group 'scientists'. In the configuration below, members of the 'scientists' LDAP group are assigned the (Shiro) 'it_operator' role. The ini realm 'newton' account has been given the same password as the LDAP realm account.
```ini
[users]
newton = $shiro1$SHA-512$500000$wsJJJJ7cbBpoVi0C...JJ5U5pter6Q==,administrator

[main]
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
securityManager.realms = $publicLdapRealm, $iniRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
```
In this example:
...
- Both accounts have the same password.
- If the securityManager.realms parameter is specified:
  - The credentials provided by the user logging in will be checked against each realm account in the order in which the realms are specified in the securityManager.realms parameter (explicit ordering). In the example, this would be first the publicLdapRealm and then the iniRealm.
- If the securityManager.realms parameter had not been specified:
  - The credentials provided by the user logging in would have been checked against each realm account in the order in which the realms were listed in the [main] section of the shiro.ini file (implicit ordering). In the example, this would be first the iniRealm and then the publicLdapRealm.
...
Note that roles from the iniRealm for authenticated LDAP realm user accounts of the same name are always merged into the list of roles, regardless of whether or not the same password is used for both realm accounts. This happens for all strategies. (This seems to be an error in Shiro.)
The LDAP realm roleAssignmentFromIni parameter (default setting: true) can be used to stop this happening. In the example listed above this parameter would then be configured for the publicLdapRealm as:
publicLdapRealm.roleAssignmentFromIni = false
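The realm ordering and the role merge described above, as an added Python example that is not part of this article or of the SOS code base: it parses a constructed shiro.ini fragment (hash elided), derives the realm order Shiro will consult, and reports the role set a user authenticated by the LDAP realm ends up with. The SHIRO_INI text and the assumption that a realm defined in [main] is recognised by a class name ending in Realm are the example's own.

```python
# Added example (not SOS project code); the realm-detection heuristic is an assumption.
SHIRO_INI = """
[users]
newton = $shiro1$SHA-512$500000$...==,administrator
[main]
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.groupRolesMap = \\
  scientists : it_operator, \\
  mathematicians: all
securityManager.realms = $publicLdapRealm, $iniRealm
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]} in file order, joining '\\' continuations."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                     # continuation: glue the next line on
            pending = line[:-1] + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def realm_order(ini):
    """Explicit order from securityManager.realms; otherwise iniRealm, then the realms
    defined in [main] (assumption: an object whose class name ends in 'Realm')."""
    main = dict(ini.get("main", []))
    if "securityManager.realms" in main:
        return [r.strip().lstrip("$") for r in main["securityManager.realms"].split(",")]
    return ["iniRealm"] + [k for k, v in ini.get("main", []) if "." not in k and v.endswith("Realm")]

def effective_roles(ini, user, realm, ldap_groups):
    """Roles for `user` authenticated by the LDAP `realm`, given its LDAP group names."""
    main = dict(ini.get("main", []))
    roles = set()
    for entry in main.get(realm + ".groupRolesMap", "").split(","):
        group, _, role = entry.partition(":")
        if group.strip() in ldap_groups:
            roles.add(role.strip())
    # Shiro also merges the roles of a same-named [users] account unless roleAssignmentFromIni = false
    if main.get(realm + ".roleAssignmentFromIni", "true").lower() != "false":
        ini_user = dict(ini.get("users", [])).get(user, "")
        roles.update(r.strip() for r in ini_user.split(",")[1:])   # password, role1, role2...
    return roles
```

Running effective_roles for 'newton' with the LDAP group 'scientists' yields both it_operator (from the LDAP group mapping) and administrator (merged from [users]); appending publicLdapRealm.roleAssignmentFromIni = false to the [main] section drops the merged role.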
Multi-Realm Authentication and Authorization up to Release 1.12.3
...