
  • When the user name newton is used together with the password for the ini realm then the account will be assigned the administrator role.
  • When the user name newton is used together with the password for the LDAP realm then the account will be assigned the it_operator role.

Realm Group/Role Mappings

Starting from Release 1.12.4

Logical selection of realm group strategies can also be implemented. These strategies determine, for example, that an account will only be authenticated for one realm when it can also be authenticated for a second.

Configuration

This feature is activated by inserting the following line of code in the [main] section of the Shiro ini file:

  • securityManager.authenticator.authenticationStrategy = $authcStrategy

In addition, one of the following four logical strategies has to be selected:

  • SOSFirstSuccessfulGroupStrategy
  • SOSAllSuccessfulGroupStrategy
  • SOSAllSuccessfulFirstGroupStrategy
  • SOSAtLeastOneSuccessfulGroupStrategy

The strategy to be followed is specified by adding, for example, the following to the [main] section of the Shiro ini file:

  • authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulGroupStrategy

Finally all realms are named following the syntax:

  • group#name

Example

The following example uses two groups, each with two realms. An account with a common user name and password is configured for all realms.

A#ldap1
roles = a1

A#ldap2
roles = a2

B#ldap1
roles = b1

B#ldap2
roles = b2

Example Behavior with Different Strategies

SOSFirstSuccessfulGroupStrategy

All realms with the same group will be checked group-wise.
In every group there must be one realm that can be authenticated.
The roles from the first realm per group will be merged to the roles the user has.

Example:

  • If A#ldap1, A#ldap2 and B#ldap2 can authenticate, then the user will have the roles a1 and b2.

SOSAllSuccessfulGroupStrategy

All realms with the same group will be checked group-wise.
In at least one group all realms must be authenticated.
The roles from realms in groups where all realms can be authenticated will be merged to the roles the user has.

Example:

  • If A#ldap1, A#ldap2 and B#ldap1, B#ldap2 can authenticate, then the user will have the roles a1, a2, b1, b2.

SOSAllSuccessfulFirstGroupStrategy

All realms with the same group will be checked group-wise.
In at least one group all realms must be authenticated.
The roles from realms in the first group where all realms can be authenticated will be merged to the roles the user has.

Example:

  • If A#ldap1 and B#ldap1, B#ldap2 can authenticate, then the user will have the roles b1, b2 (group A is not complete, so its roles are not assigned).

SOSAtLeastOneSuccessfulGroupStrategy

All realms with the same group will be checked group-wise.
In all groups at least one realm must be authenticated.
The roles from all realms that can be authenticated will be merged to the roles the user has.

Example:

  • If A#ldap1, B#ldap1, B#ldap2 can authenticate, then the user will have the roles a1, b1, b2.
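To make the four group rules above checkable, here is an added Python model of their semantics (example code, not the com.sos.auth.shiro implementation). It assumes the realm table from the example section, that realms are grouped by the text before the `#`, that "first" means ini declaration order, and that the set of realms which accepted the credentials is already known; it returns the merged roles, or `None` when the strategy rejects the login.

```python
from collections import OrderedDict

# Constructed realm table mirroring the page's example: realm name -> roles.
REALMS = OrderedDict([
    ("A#ldap1", {"a1"}),
    ("A#ldap2", {"a2"}),
    ("B#ldap1", {"b1"}),
    ("B#ldap2", {"b2"}),
])

def group_of(realm):
    """Group is the part of the realm name before '#', e.g. 'A' for 'A#ldap1'."""
    return realm.split("#", 1)[0]

def by_group(realms):
    """Group realm names, preserving declaration order of groups and members."""
    groups = OrderedDict()
    for name in realms:
        groups.setdefault(group_of(name), []).append(name)
    return groups

def authorize(strategy, successful, realms=REALMS):
    """Apply a group strategy. `successful` lists realms that accepted the
    credentials. Returns the sorted merged roles, or None if login is refused."""
    ok = set(successful)
    groups = by_group(realms)
    roles = set()
    if strategy == "SOSFirstSuccessfulGroupStrategy":
        # Every group needs a hit; only the first hit per group contributes roles.
        for members in groups.values():
            first = next((r for r in members if r in ok), None)
            if first is None:
                return None
            roles |= realms[first]
    elif strategy == "SOSAllSuccessfulGroupStrategy":
        # At least one fully authenticated group; all such groups contribute.
        full = [m for m in groups.values() if all(r in ok for r in m)]
        if not full:
            return None
        roles = set().union(*(realms[r] for m in full for r in m))
    elif strategy == "SOSAllSuccessfulFirstGroupStrategy":
        # Only the first fully authenticated group contributes.
        full = [m for m in groups.values() if all(r in ok for r in m)]
        if not full:
            return None
        roles = set().union(*(realms[r] for r in full[0]))
    elif strategy == "SOSAtLeastOneSuccessfulGroupStrategy":
        # Every group needs a hit; every successful realm contributes.
        for members in groups.values():
            hits = [r for r in members if r in ok]
            if not hits:
                return None
            roles |= set().union(*(realms[r] for r in hits))
    else:
        raise ValueError("unknown strategy: " + strategy)
    return sorted(roles)
```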