Multiple Realms for Authentication & Authorization

Multiple Realms for Authentication & Authorization

jim.piersol@gmail.com
I have multiple Realms configured.  For this argument, let's say I have two
different LDAP Realms set up.  When I attempt login (webapp...) I hit the
queryForAuthenticationInfo(...) method of both Realms. Even when using the
FirstSuccessfulStrategy...  So let's say one of the two Realms passes
Authentication for the user and the 2nd one fails to Authenticate.

1.) Even if the 1st one succeeds, I still see the 2nd Realm being
attempted...

2.) Then when checking for Authorization, the queryForAuthorizationInfo(...)
method gets called for BOTH Realms, even though only one succeeded during
Authentication.

Is there a proper way to control Authorization to only being called on the
Realm that passed Authentication?

This sounds simple from my point of view, but may sound like nonsense to
others.
Thanks.



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Multiple Realms for Authentication & Authorization

scSynergy
This should be covered by the
https://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authc/pam/AuthenticationStrategy.html

https://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authc/pam/FirstSuccessfulStrategy.html
should behave the way you need

example shiro.ini:
firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $firstStrategy

Re: Multiple Realms for Authentication & Authorization

jim.piersol@gmail.com
Sadly, it doesn't appear to do what it sounds like it should.  I have the
FirstSuccessfulStrategy in place.  When my first Realm is checked,
authentication is successful, but my second Realm is still checked anyway.
It happens to fail, but I am still Authenticated into my App.  So it is good
that I get logged in ok, but odd that it keeps checking both Realms, even
though the first one succeeds.

The 2nd part, and the real issue I have, is that when checking for
Authorization (after getting logged in ok), we check BOTH Realms instead of
ONLY the Realm that I was able to log in successfully on.  I would like it
to SKIP any Realm that did not Authenticate the User successfully.

Re: Multiple Realms for Authentication & Authorization

Brian Demers-2
I cannot find an example off hand but I've had to work around this before.  Your best bet is to create your own AuthenticationStrategy (possibly extend ModularRealmAuthenticator and change/wrap the `doMultiRealmAuthentication` method).

On Fri, Dec 7, 2018 at 10:03 AM [hidden email] <[hidden email]> wrote:
Sadly, it doesn't appear to do what it sounds like it should.  I have the
FirstSuccessfulStrategy in place.  When my first Realm is checked,
authentication is successful, but my second Realm is still checked anyway.
It happens to fail, but I am still Authenticated into my App.  So it is good
that I get logged in ok, but odd that it keeps checking both Realms, even
though the first one succeeds.

The 2nd part, and the real issue I have, is that when checking for
Authorization (after getting logged in ok), we check BOTH Realms instead of
ONLY the Realm that I was able to log in successfully on.  I would like it
to SKIP any Realm that did not Authenticate the User successfully.

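To make the suggestion above concrete, here is an added example (written for this page, not Brian's code nor anything shipped by the Shiro project) of a ModularRealmAuthenticator subclass whose doMultiRealmAuthentication stops iterating once a realm has produced principals. The package name is hypothetical; the strategy callbacks, supports() check and exception handling mirror what the stock loop already does, so the only behavioural change is the early break. Stopping early also means the resulting PrincipalCollection only names the realm that actually authenticated, which matters for the authorization question later in the thread.

```java
package com.example.shiro; // hypothetical package, pick your own

import java.util.Collection;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;

/**
 * ModularRealmAuthenticator that stops consulting further realms as soon as
 * one realm has authenticated the token.
 *
 * Wiring in shiro.ini (the "authenticator" bean name is arbitrary):
 *
 *   authenticator = com.example.shiro.StopAfterFirstSuccessAuthenticator
 *   securityManager.authenticator = $authenticator
 *   firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
 *   securityManager.authenticator.authenticationStrategy = $firstStrategy
 */
public class StopAfterFirstSuccessAuthenticator extends ModularRealmAuthenticator {

    @Override
    protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms,
                                                            AuthenticationToken token) {
        AuthenticationStrategy strategy = getAuthenticationStrategy();
        AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);

        for (Realm realm : realms) {
            aggregate = strategy.beforeAttempt(realm, token, aggregate);

            if (realm.supports(token)) {
                AuthenticationInfo info = null;
                Throwable failure = null;
                try {
                    // e.g. the LDAP bind for this realm
                    info = realm.getAuthenticationInfo(token);
                } catch (Throwable t) {
                    // Hand the failure to the strategy; FirstSuccessfulStrategy
                    // simply keeps whatever aggregate it already has.
                    failure = t;
                }
                aggregate = strategy.afterAttempt(realm, token, info, aggregate, failure);
            }

            // The added behaviour: once some realm has produced principals,
            // do not try the remaining realms at all (no second LDAP bind,
            // and only the successful realm ends up in the PrincipalCollection).
            if (hasPrincipals(aggregate)) {
                break;
            }
        }

        aggregate = strategy.afterAllAttempts(token, aggregate);

        // Belt and braces: never hand back an "authenticated" result that
        // carries no principals, whatever the configured strategy returned.
        if (!hasPrincipals(aggregate)) {
            throw new AuthenticationException("No configured realm authenticated the token");
        }
        return aggregate;
    }

    private static boolean hasPrincipals(AuthenticationInfo info) {
        return info != null
                && info.getPrincipals() != null
                && !info.getPrincipals().isEmpty();
    }
}
```

Because the class extends ModularRealmAuthenticator, the security manager still pushes its configured realms into it, so nothing else in shiro.ini has to change. Newer Shiro releases expose a stopAfterFirstSuccess property on FirstSuccessfulStrategy for the same purpose; with the 1.3.2 API linked earlier in the thread, subclassing is the available route.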
Re: Multiple Realms for Authentication & Authorization

scSynergy
In reply to this post by jim.piersol@gmail.com
@Brian: Is this behavior of FirstSuccessfulStrategy by design or is it a bug?
To me it seems wrong that authorization is checked against a realm which was
not authenticated against - after all, that second authentication might
fail, if it were to be tried.

Re: Multiple Realms for Authentication & Authorization

Brian Demers
Agreed, I do think additional realms should NOT be checked after the first successful auth.
I do worry a little that changing this behavior could break things (thinking of use with a ModularRealmAuthorizer)

Thoughts & ideas?



On Mon, Dec 10, 2018 at 3:42 AM scSynergy <[hidden email]> wrote:
@Brian: Is this behavior of FirstSuccessfulStrategy by design or is it a bug?
To me it seems wrong that authorization is checked against a realm which was
not authenticated against - after all, that second authentication might
fail, if it were to be tried.

Re: Multiple Realms for Authentication & Authorization

jim.piersol@gmail.com
So for the first issue of checking all the Realms, even after a successful
Auth takes place...I just extended the ModularRealmAuthenticator to simply
stop checking other Realms once it gets a valid Auth.

I would like to only check Authorization on the Realm that was Authenticated
though.  I am not sure how to do it without digging into the Realm cache to
determine if the given Subject was authenticated with a given Realm.  Seems
like there should be an easier way, especially in the case where caching is
turned off.

Re: Multiple Realms for Authentication & Authorization

Brian Demers
From the PrincipalCollection object, you can get the list of realms the Subject was authenticated from: `getRealmNames()`, and/or use `fromRealm(realmName)` to narrow the collection down to a single realm; from there you can narrow the permission checks to a single realm (this way you never worry about the cache details).

If you want to change the authorizer it should work the same way, `securityManager.authorizer = your impl`

Does that help?


On Tue, Dec 11, 2018 at 1:01 PM [hidden email] <[hidden email]> wrote:
So for the first issue of checking all the Realms, even after a successful
Auth takes place...I just extended the ModularRealmAuthenticator to simply
stop checking other Realms once it gets a valid Auth.

I would like to only check Authorization on the Realm that was Authenticated
though.  I am not sure how to do it without digging into the Realm cache to
determine if the given Subject was authenticated with a given Realm.  Seems
like there should be an easier way, especially in the case where caching is
turned off.

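The authorizer side of Brian's answer, as an added example that is not part of the original thread or of Shiro itself: a ModularRealmAuthorizer subclass that asks only the realms named in the Subject's PrincipalCollection (`getRealmNames()`), so a realm that never authenticated the user is never consulted for roles or permissions. The package name is hypothetical. The stock ModularRealmAuthorizer implements its array, collection and check* variants on top of the three methods overridden here, so those inherit the narrowing.

```java
package com.example.shiro; // hypothetical package, pick your own

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;

import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * ModularRealmAuthorizer that only consults the realms which contributed
 * principals during authentication, i.e. those in principals.getRealmNames().
 *
 * Wiring in shiro.ini:
 *
 *   authorizer = com.example.shiro.AuthenticatedRealmsOnlyAuthorizer
 *   securityManager.authorizer = $authorizer
 */
public class AuthenticatedRealmsOnlyAuthorizer extends ModularRealmAuthorizer {

    /**
     * Configured realms that (a) can answer authorization queries and
     * (b) appear by name in the Subject's PrincipalCollection. An anonymous
     * or empty collection yields no realms, so every check below fails closed.
     */
    protected Collection<Realm> authenticatedRealms(PrincipalCollection principals) {
        List<Realm> result = new ArrayList<>();
        if (principals == null || principals.isEmpty()) {
            return result;
        }
        Set<String> authenticatedNames = principals.getRealmNames();
        for (Realm realm : getRealms()) {
            if (realm instanceof Authorizer && authenticatedNames.contains(realm.getName())) {
                result.add(realm);
            }
        }
        return result;
    }

    @Override
    public boolean isPermitted(PrincipalCollection principals, String permission) {
        assertRealmsConfigured();
        for (Realm realm : authenticatedRealms(principals)) {
            // Each realm's AuthorizingRealm.getAvailablePrincipal() already
            // uses principals.fromRealm(getName()) to pick its own principal.
            if (((Authorizer) realm).isPermitted(principals, permission)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean isPermitted(PrincipalCollection principals, Permission permission) {
        assertRealmsConfigured();
        for (Realm realm : authenticatedRealms(principals)) {
            if (((Authorizer) realm).isPermitted(principals, permission)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
        assertRealmsConfigured();
        for (Realm realm : authenticatedRealms(principals)) {
            if (((Authorizer) realm).hasRole(principals, roleIdentifier)) {
                return true;
            }
        }
        return false;
    }
}
```

This only does what the thread wants if authentication itself stops after the first success; otherwise a second realm that also authenticated the user legitimately shows up in `getRealmNames()` and is consulted, which is the correct result in that case. Since the class extends ModularRealmAuthorizer, the security manager still hands it the configured realms when `securityManager.authorizer` is set in shiro.ini.
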
Re: Multiple Realms for Authentication & Authorization

scSynergy
In reply to this post by Brian Demers
I believe it to be OK if you include the fix in the 1.4 version even if it
breaks some existing applications. After all, the 1.4 release is a major
upgrade, so changes in behavior are to be expected.
