Comment: Clean up

...

Shiro can use multi-realm authentication and authorization - for example, authentication and authorization against a shiro.ini account and one or more LDAP accounts or against one or more LDAP accounts. Realms can also be grouped together and logical operators used to regulate authentication.

Scope

This article describes multi-realm authentication in detail - example simple configurations showing multi-realm authentication and authorization have already been presented in the Authentication and Authorization - Configuration and LDAP Configuration articles.

...

Basic Multi-Realm Example

Consider the case of a user account that is registered for both the Shiro ini realm and an LDAP realm. Such a simple example configuration is shown in the listing below. A publicly accessible LDAP server (here, the server from forumsys.com) is used in this example to allow the configuration to be implemented by 'cut and paste' and a minimum of modification.

...

  • If the authorization occurs through the ini realm then the user account will only be assigned the roles specified for the ini realm. The LDAP realm(s) will be ignored.
  • If the authorization occurs through an LDAP realm then, regardless of whether or not the same password is used in each realm:
    • The user account will be assigned the role(s) specified for the account in the (first) authorizing realm.
    • The user account will also be assigned the role(s) specified for the account in the ini realm.
      • This behavior ensures that a login is possible in the event of problems with the LDAP realm(s).
    • The order in which the realms are specified in the securityManager.realms parameter is not significant here.
    • The roleAssignmentFromIni=false setting (default true) can be used to modify the behavior of the First Successful strategy so that roles from the ini realm are not assigned. See the Suppressing assignment of the ini Realm section below.
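To make the First Successful rules above concrete, here is an added Python model of them; it is not SOS or Shiro code. The `Realm` class, the account records, the realm names and the `role_assignment_from_ini` parameter (standing in for the roleAssignmentFromIni setting) are all constructed for the example.

```python
# Model of the First Successful role-assignment rules described in the text.
# Constructed illustration only: nothing here is SOS or Shiro code.
from dataclasses import dataclass, field


@dataclass
class Realm:
    name: str
    kind: str                                     # "ini" or "ldap" (constructed labels)
    accounts: dict = field(default_factory=dict)  # user -> (password, roles)

    def authenticate(self, user, password):
        rec = self.accounts.get(user)
        return rec is not None and rec[0] == password

    def roles(self, user):
        rec = self.accounts.get(user)
        return set(rec[1]) if rec else set()


def first_successful(realms, user, password, role_assignment_from_ini=True):
    """Return the role set for `user`, or None when no realm accepts the password.

    Rules modelled from the text: the first realm (securityManager.realms order)
    that accepts the password authorizes the user.  If that is the ini realm,
    only the ini roles apply.  If it is an LDAP realm, that realm's roles are
    used and the ini realm's roles are added as well, unless
    role_assignment_from_ini is False (roleAssignmentFromIni=false).
    """
    for realm in realms:
        if realm.authenticate(user, password):
            roles = realm.roles(user)
            if realm.kind != "ini" and role_assignment_from_ini:
                for ini in (r for r in realms if r.kind == "ini"):
                    roles |= ini.roles(user)
            return roles
    return None


# Constructed sample accounts: the same user exists in the ini realm and in one
# LDAP realm, with different passwords and different roles in each.
INI = Realm("ini", "ini", {"alice": ("ini-secret", {"ini_admin"})})
LDAP = Realm("ldap1", "ldap", {"alice": ("ldap-secret", {"ldap_user"})})
```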

When the SOS Authenticator is used with the At Least One Successful strategy:
  • ...

When the SOS Authenticator is used with the All Successful strategy:

  • ...
Strategy                  Authenticator   ...
First Successful          shiro
First Successful          SOS
At Least One Successful   shiro/SOS
All Successful            shiro/SOS

Suppressing assignment of the ini Realm

...

  • authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulGroupStrategy

Finally, all group realms are to be named following the syntax:

...