

Shiro can use multi-realm authentication and authorization, for example against a shiro.ini account and an LDAP account, or against one or more LDAP accounts.


This article describes multi-realm authentication in detail. Example configurations showing multi-realm authentication and authorization have already been presented in the Authentication and Authorization - Configuration and LDAP Configuration articles.

Multi-Realm authentication and authorization up to Release 1.12.3

Consider the case of a user account that is registered for both a shiro.ini realm and an LDAP realm.

newton = $shiro1$SHA-512$500000$wsJJJJ7cbBpoVi0C...JJ5U5pter6Q==,administrator

publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
securityManager.realms = $iniRealm, $publicLdapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

With the configuration listed above, if different passwords are used for the account on each realm, then the login information will be tested against each realm in the order listed in the securityManager.realms parameter until a successful login occurs. In the example configuration listed above, this will be first the iniRealm and then the publicLdapRealm.

Note the following behaviours:

  • When the user logs in with the password for the iniRealm account they will be given the role for that account, here administrator, but if they log in with the password for the publicLdapRealm account they will be given the roles for both the iniRealm and publicLdapRealm accounts, here the administrator and it_operator roles.
  • The securityManager.realms parameter is used to provide explicit ordering of the realms. See 'Realm Authentication' on the Shiro Authentication web site for more information.
  • Under particular circumstances an error will be noted in the shiro stderrout log file when a user login attempt is unsuccessful. This does not affect the overall login procedure. See issue JOC-437 for more information.
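The realm ordering and role outcome described above, as an added simulation that is not part of this page or of Shiro itself: two constructed in-memory realms stand in for iniRealm and publicLdapRealm (the passwords "ini-secret" and "ldap-secret" and the hashing scheme are assumptions), a first-successful login walks them in securityManager.realms order, and an audit helper lists accounts that exist in more than one realm, since each such account has more than one valid password.

```python
import hashlib
import hmac

def _h(pw):
    # Constructed stand-in for the stored credential hash; not the $shiro1$ format.
    return hashlib.sha512(pw.encode()).hexdigest()

# Constructed realms mirroring the page: iniRealm holds roles directly,
# publicLdapRealm holds LDAP groups mapped through groupRolesMap.
INI_REALM = {"name": "iniRealm", "users": {"newton": (_h("ini-secret"), {"administrator"})}}
LDAP_REALM = {"name": "publicLdapRealm",
              "users": {"newton": (_h("ldap-secret"), {"scientists"})},
              "groupRolesMap": {"scientists": {"it_operator"}, "mathematicians": {"all"}}}
REALMS = [INI_REALM, LDAP_REALM]  # same order as securityManager.realms

def realm_roles(realm, user):
    """Roles a realm grants the user; empty if the user is unknown there."""
    if user not in realm["users"]:
        return set()
    _, members = realm["users"][user]
    if "groupNameMap" in realm or "groupRolesMap" in realm:
        return set().union(*(realm["groupRolesMap"].get(g, set()) for g in members))
    return set(members)

def login(user, password):
    """First-successful strategy: realms are tried in order and the first one
    accepting the password authenticates. Returns (realm name, effective roles)
    or None when no realm accepts the credentials."""
    for realm in REALMS:
        entry = realm["users"].get(user)
        if entry and hmac.compare_digest(entry[0], _h(password)):
            roles = realm_roles(realm, user)
            if realm is LDAP_REALM:
                # Page behaviour: an LDAP login also receives the iniRealm roles,
                # because rolePermissionResolver.ini points at $iniRealm.
                roles |= realm_roles(INI_REALM, user)
            return realm["name"], roles
    return None

def accounts_in_multiple_realms():
    """Audit helper: users defined in several realms accept several passwords."""
    seen = {}
    for realm in REALMS:
        for user in realm["users"]:
            seen.setdefault(user, []).append(realm["name"])
    return {u: names for u, names in seen.items() if len(names) > 1}
```

Run login("newton", "ini-secret") and login("newton", "ldap-secret") side by side to see the asymmetry the first note above describes: the same account ends up with different privileges depending on which realm's password was presented.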

