Comment: Minor changes to text

...

By default, Shiro authentication uses the authcStrategy = org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy strategy. With this strategy a login is attempted against all the realms listed in the securityManager.realms parameter or, if this parameter is not set, against all the realms defined in the shiro.ini configuration file.

Note that roles from the iniRealm for an authenticated LDAP realm user account of the same name are always merged into the list of roles, regardless of whether or not the same password is used for both realm accounts.

The roleAssignmentFromIni = false LDAP realm parameter (default setting is true) can be used to stop this from happening. In the example listed above this parameter would then be configured for the publicLdapRealm as:

  • publicLdapRealm.roleAssignmentFromIni = false

Multi-Realm Authentication and Authorization up to Release 1.12.3

Authentication and Authorization with the FirstSuccessfulStrategy configured

Note that the FirstSuccessfulStrategy strategy is incorrectly implemented in Shiro: a login will be attempted against all the realms, even after a successful login has been noted. In addition, login attempts carried out after a successful login has been noted will be logged at the [error] level. See issue JOC-437 for more information.

...

A new (SOS) authenticator is included from Release 1.12.4 onwards

...

The default Shiro authenticator can be replaced by the authenticator written by SOS. This authenticator stops the authentication process once a successful login has taken place when the First Successful strategy has been configured. The SOS authenticator is configured in shiro.ini using the following lines:

    authenticator = com.sos.auth.shiro.SOSAuthenticator
    securityManager.authenticator = $authenticator

The SOS authenticator can be used with all three authentication strategies, but it only modifies the behavior of the First Successful strategy: when FirstSuccessfulStrategy is specified and a successful login has taken place, it stops attempting to authenticate against the remaining realms.
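The following is an added example, not the source of the SOS authenticator (which the page does not show), of a custom Shiro ModularRealmAuthenticator with the behavior the page attributes to the SOS authenticator: when the configured strategy is FirstSuccessfulStrategy, the realm loop ends after the first realm that returns an authenticated principal, so the remaining realms are never queried and produce no error-level log lines. For AtLeastOneSuccessfulStrategy and AllSuccessfulStrategy the loop is the same as Shiro's own. The class name and package are assumptions.

```java
package example.shiro; // hypothetical package

import java.util.Collection;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.util.CollectionUtils;

/**
 * Multi-realm authenticator that honours the intent of FirstSuccessfulStrategy:
 * stop consulting realms as soon as one of them has authenticated the token.
 * Hypothetical class, written for this example.
 */
public class StopAtFirstSuccessAuthenticator extends ModularRealmAuthenticator {

    @Override
    protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms,
                                                            AuthenticationToken token) {
        AuthenticationStrategy strategy = getAuthenticationStrategy();
        // Only the First Successful strategy is short-circuited; the other two
        // strategies need the result of every realm to decide.
        boolean stopAtFirstSuccess = strategy instanceof FirstSuccessfulStrategy;

        AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);

        for (Realm realm : realms) {
            aggregate = strategy.beforeAttempt(realm, token, aggregate);
            if (!realm.supports(token)) {
                continue;
            }

            AuthenticationInfo info = null;
            Throwable failure = null;
            try {
                info = realm.getAuthenticationInfo(token);
            } catch (Throwable t) {
                // Same contract as Shiro's loop: the strategy, not the loop,
                // decides whether a realm failure is fatal for the login.
                failure = t;
            }
            aggregate = strategy.afterAttempt(realm, token, info, aggregate, failure);

            boolean authenticated = info != null && !CollectionUtils.isEmpty(info.getPrincipals());
            if (stopAtFirstSuccess && authenticated) {
                // First realm that accepted the credentials wins; do not touch
                // the remaining realms (no further attempts, no error logging).
                break;
            }
        }

        return strategy.afterAllAttempts(token, aggregate);
    }
}
```

Wired into shiro.ini in place of com.sos.auth.shiro.SOSAuthenticator (authenticator = example.shiro.StopAtFirstSuccessAuthenticator, securityManager.authenticator = $authenticator), together with securityManager.authenticator.authenticationStrategy set to an org.apache.shiro.authc.pam.FirstSuccessfulStrategy instance, this gives the "stop after the first successful realm" behavior. The order of securityManager.realms then matters: the first realm that accepts the credentials decides the authenticated principal.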

Passive Authentication and Authorization

When an LDAP realm user account is authenticated and there is an iniRealm account with the same user name, but this ini realm is not listed in the securityManager.realms parameter, then by default the role(s) configured for the ini realm account will be merged with those of the LDAP realm account. Note that this occurs regardless of whether or not the same password is used for both realm accounts.

The roleAssignmentFromIni = false LDAP realm parameter (default setting is true) can be used to suppress this behavior. In the example listed above this parameter would then be configured for the publicLdapRealm as:

  • publicLdapRealm.roleAssignmentFromIni = false

Note that this parameter has to be defined for each realm individually.

Note: roles from the iniRealm for authenticated users are always merged into the list of roles regardless of the strategy specified (this seems to be an error in Shiro).
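A complete shiro.ini fragment for the two multi-realm situations described above (the default strategy with an explicit securityManager.realms list, and the passive ini realm whose roles are merged into LDAP logins), as an added example that is not from the page or from the JOC Cockpit documentation; the realm name, the LDAP realm class, the LDAP connection details and the sample account are assumptions:

```ini
# Added example, not the page's own configuration. Realm name, LDAP realm
# class, LDAP URL/DN template and the [users] account are assumptions.
[main]
# Shiro's default; spelled out so the strategy in use is visible in the file.
authcStrategy = org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

# LDAP realm (class name assumed, JOC Cockpit ships its own LDAP realm).
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.contextFactory.url = ldap://ldap.example.com:389
publicLdapRealm.userDnTemplate = uid={0},ou=people,dc=example,dc=com

# Weak default (shown commented out): roles of an iniRealm account with the
# same user name are merged into every successful LDAP login of that name,
# even though the ini realm is not in securityManager.realms and its
# password is never checked.
#publicLdapRealm.roleAssignmentFromIni = true

# Corrected setting, which has to be repeated for every LDAP realm:
publicLdapRealm.roleAssignmentFromIni = false

# Only the realms listed here are consulted for login; the ini realm is
# deliberately omitted, so the [users] account below can not log in itself.
securityManager.realms = $publicLdapRealm

[users]
# Constructed sample account: name = password, role(s). Without
# roleAssignmentFromIni = false an LDAP user named "jocadmin" would
# silently inherit the role "all" from this entry.
jocadmin = changeit, all

[roles]
all = *
```

With securityManager.realms naming only publicLdapRealm, the ini account is passive: it can not authenticate, yet with the default roleAssignmentFromIni = true it still hands its roles to any LDAP user of the same name. Review the [users] section with that in mind, since an entry left behind from an initial installation can widen the permissions of an LDAP account without anyone changing the LDAP directory.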

Behavior for Accounts with Differing Passwords

The following points apply for a multi-realm environment where one of the realms is the ini realm (iniRealm) and the user accounts have a common name but different passwords:

...

  • If the authorization occurs through the ini realm then the user account will only be assigned the roles specified for the ini realm. The LDAP realm(s) will be ignored.
  • If the authorization occurs through an LDAP realm then, regardless of whether or not the same password is used in each realm:
    • The user account will be assigned the role(s) specified for the account in the (first) authorizing realm.
    • The user account will also be assigned the role(s) specified for the account in the ini realm.
      • This behavior ensures that a login is possible in the event of problems with the LDAP realm(s).
    • The order in which the realms are specified in the securityManager.realms parameter is not significant here.
    • The ldap.roleAssignmentFromIni=false setting (default true) can be used to modify the behavior of the First Successful strategy so that roles from the ini realm are not assigned.

When the SOS Authenticator is used with the At Least One Successful strategy: