...
Shiro can use multi-realm authentication and authorization - for example, authentication and authorization against a shiro.ini account and one or more LDAP accounts or against one or more LDAP accounts. Realms can also be grouped together and logical operators used to regulate authentication.
Scope
This article describes multi-realm authentication in detail. Simple example configurations showing multi-realm authentication and authorization have already been presented in the Authentication and Authorization - Configuration and LDAP Configuration articles.
A
...
Basic Multi-Realm Example
Consider the case of a user account that is registered for both the Shiro ini realm and an LDAP realm. Such a simple example configuration is shown in the listing below. A publicly accessible LDAP server (here, the server from forumsys.com) is used in this example to allow the configuration to be implemented by 'cut and paste' and a minimum of modification.
...
- If the authorization occurs through the ini realm then the user account will only be assigned the roles specified for the ini realm. The LDAP realm(s) will be ignored.
- If the authorization occurs through an LDAP realm then, regardless of whether or not the same password is used in each realm:
  - The user account will be assigned the role(s) specified for the account in the (first) authorizing realm.
  - The user account will also be assigned the role(s) specified for the account in the ini realm.
  - This behavior ensures that a login is possible in the event of problems with the LDAP realm(s).
- The order in which the realms are specified in the securityManager.realms parameter is not significant here.
- The roleAssignmentFromIni=false setting (default true) can be used to modify the behavior of the First Successful strategy so that roles from the ini realm are not assigned. See the Suppressing assignment of the ini Realm section below.
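The role assignment rules listed above can be modelled in a few lines. The following is an added example, not code from the SOS or Shiro projects: the `Realm` class, the `first_successful` function, the realm names, roles and passwords are all constructed for illustration, and the model assumes that a login accepted by the ini realm is settled there.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Realm:
    name: str
    accounts: dict  # user -> (password, roles); constructed sample data only

    def authenticate(self, user, password):
        entry = self.accounts.get(user)
        return entry is not None and hmac.compare_digest(entry[0], password)

    def roles(self, user):
        return set(self.accounts.get(user, ("", set()))[1])


def first_successful(ini, ldap_realms, user, password, role_assignment_from_ini=True):
    """Return (authorizing realm, roles); (None, set()) when every realm rejects."""
    # Assumption of this model: a login the ini realm accepts is settled there,
    # which is why the position of the ini realm in the list does not matter.
    if ini.authenticate(user, password):
        return ini.name, ini.roles(user)
    for realm in ldap_realms:
        if realm.authenticate(user, password):
            roles = realm.roles(user)
            if role_assignment_from_ini:
                roles |= ini.roles(user)  # ini roles are merged in as well
            return realm.name, roles      # only the first authorizing realm counts
    return None, set()


# Constructed accounts: same user, different password per realm type.
INI = Realm("ini", {"gauss": ("ini-secret", {"administrator"})})
LDAPS = [
    Realm("ldap1", {"gauss": ("password", {"it_operator"})}),
    Realm("ldap2", {"gauss": ("password", {"business_user"})}),
]

if __name__ == "__main__":
    for pw, flag in [("ini-secret", True), ("password", True),
                     ("password", False), ("wrong", True)]:
        realm, roles = first_successful(INI, LDAPS, "gauss", pw, flag)
        print(f"password={pw!r:13} roleAssignmentFromIni={flag!s:5} -> {realm}, {sorted(roles)}")
```

In this model the LDAP login for `gauss` picks up the ini role although the ini password was never presented; with `roleAssignmentFromIni=false` only the LDAP role remains.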
When the SOS Authenticator is used with the At Least One Successful strategy:
When the SOS Authenticator is used with the All Successful strategy:
Suppressing assignment of the ini Realm
...
authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulGroupStrategy
Finally, all group realms are to be named following the syntax:
...