...
- When the user name newton is used together with the password for the ini realm then the account will be assigned the administrator role.
- When the user name newton is used together with the password for the LDAP realm then the account will be assigned the it_operator role.
Realm Group/Role Mappings
Logical selection of realm group strategies can also be implemented. Such a strategy determines, for example, that an account is only authenticated for one realm when it can also be authenticated for a second.
Configuration
This feature is activated by inserting the following line of code in the [main]
section of the Shiro ini file:
securityManager.authenticator.authenticationStrategy = $authcStrategy
In addition, a logical strategy has to be specified; the following four strategies are available:
- SOSFirstSuccessfulGroupStrategy
- SOSAllSuccessfulGroupStrategy
- SOSAllSuccessfulFirstGroupStrategy
- SOSAtLeastOneSuccessfulGroupStrategy
The strategy to be followed is specified by adding, for example, the following to the [main]
section of the Shiro ini file:
authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulGroupStrategy
Finally all realms are named following the syntax:
group#name
Example
The following example uses two groups, each with two realms. An account with a common user name and password is configured for all realms:
A#ldap1
roles = a1
A#ldap2
roles = a2
B#ldap1
roles = b1
B#ldap2
roles = b2
Example Behavior with Different Strategies
SOSFirstSuccessfulGroupStrategy
All realms with the same group will be checked group-wise.
In every group there must be one realm that can be authenticated.
The roles from the first realm per group will be merged to the roles the user has.
Example:
- If A#ldap1, A#ldap2 and B#ldap2 can authenticate, then the user will have the roles a1 and b2
SOSAllSuccessfulGroupStrategy
All realms with the same group will be checked group-wise.
In at least one group all realms must be authenticated.
The roles from realms in groups where all realms can be authenticated will be merged to the roles the user has.
Example:
- If A#ldap1, A#ldap2 and B#ldap1, B#ldap2 can authenticate, then the user will have the roles a1, a2, b1, b2
SOSAllSuccessfulFirstGroupStrategy
All realms with the same group will be checked group-wise.
In at least one group all realms must be authenticated.
The roles from realms in the first group where all realms can be authenticated will be merged to the roles the user has.
Example:
- If A#ldap1 and B#ldap1, B#ldap2 can authenticate, then the user will have the roles b1, b2
SOSAtLeastOneSuccessfulGroupStrategy
All realms with the same group will be checked group-wise.
In all groups at least one realm must be authenticated.
The roles from all realms that can be authenticated will be merged to the roles the user has.
Example:
- If A#ldap1, B#ldap1, B#ldap2 can authenticate, then the user will have the roles a1, b1, b2
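The following is an added example, not code from JOC Cockpit or Shiro: a small model of how the four strategies described above decide whether a login succeeds and which roles are merged, using the page's group#name realm syntax and its A/B example. It assumes that "the first realm per group" means the first successful realm in ini declaration order; the realm table and authentication outcomes are constructed for the example.

```python
# Added example (not JOC Cockpit/Shiro code): a model of how the four SOS
# group strategies decide login success and merge roles. Realm names use the
# page's "group#name" syntax; the realm table below is constructed.
from collections import OrderedDict

REALMS = OrderedDict([          # realm -> roles that realm grants
    ("A#ldap1", {"a1"}), ("A#ldap2", {"a2"}),
    ("B#ldap1", {"b1"}), ("B#ldap2", {"b2"}),
])

def by_group(realms):
    """Group realm names by the part before '#', keeping ini declaration order."""
    groups = OrderedDict()
    for realm in realms:
        group, _, _name = realm.partition("#")
        groups.setdefault(group, []).append(realm)
    return groups

def merged_roles(strategy, realms, authenticated):
    """Roles the user ends up with, or None if the strategy rejects the login.
    `authenticated` is the set of realms that accepted the credentials.
    Assumption: 'first realm' means the first successful realm in ini order."""
    roles, any_group_ok = set(), False
    for members in by_group(realms).values():
        ok = [r for r in members if r in authenticated]
        if strategy == "SOSFirstSuccessfulGroupStrategy":
            if not ok:                  # every group needs one success
                return None
            roles |= realms[ok[0]]      # only the first success per group counts
        elif strategy == "SOSAtLeastOneSuccessfulGroupStrategy":
            if not ok:                  # every group needs one success
                return None
            for r in ok:                # every success per group counts
                roles |= realms[r]
        elif strategy in ("SOSAllSuccessfulGroupStrategy",
                          "SOSAllSuccessfulFirstGroupStrategy"):
            if len(ok) != len(members): # group must be fully successful
                continue
            any_group_ok = True
            for r in members:
                roles |= realms[r]
            if strategy == "SOSAllSuccessfulFirstGroupStrategy":
                return roles            # stop after the first full group
        else:
            raise ValueError("unknown strategy: " + strategy)
    if strategy.startswith("SOSAllSuccessful") and not any_group_ok:
        return None                     # no group was fully successful
    return roles
```

Running the four example outcomes from the page through `merged_roles` reproduces a1+b2, a1+a2+b1+b2, b1+b2 and a1+b1+b2 respectively, and a login that satisfies no group returns None.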