New to Shiro, I want to set up LDAP authorization. I was able to authenticate via LDAP.
In Shiro, where can I store my user authorization info and how can I retrieve it? Any help or sample code will be appreciated.
Thanks
|
|
You can store the authorization info anywhere you want: RDBMS, LDAP,
key-value stores, etc. See the sample realm implementations.

On Thu, Dec 15, 2011 at 4:26 AM, seme <[hidden email]> wrote:
> New to Shiro, I want to set up LDAP authorization. I was able to
> authenticate via LDAP.
> In Shiro, where can I store my user authorization info and how can I
> retrieve it?
>
> Any help or sample code will be appreciated.
>
> Thanks
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7096956.html
> Sent from the Shiro User mailing list archive at Nabble.com.

--
http://khangaonkar.blogspot.com/
|
In reply to this post by seme
Hi Seme,
You can use whatever datasource you like to store authorization information. In Shiro, this is often represented as two Realms configured for your application: one Realm for talking to LDAP just for authentication purposes and another Realm for talking to your datastore of choice just for authorization purposes. Once you've tested your Realm used for authorization needs, you can just add it to the configured Realms. For example, in shiro.ini:

securityManager.realms = ldapAuthenticationRealm, mydatasourceAuthorizationRealm

HTH!

Cheers,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Thu, Dec 15, 2011 at 4:26 AM, seme <[hidden email]> wrote:
> New to Shiro, I want to set up LDAP authorization. I was able to
> authenticate via LDAP.
> In Shiro, where can I store my user authorization info and how can I
> retrieve it?
>
> Any help or sample code will be appreciated.
>
> Thanks
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-LDAP-authorization-tp7096956p7096956.html
> Sent from the Shiro User mailing list archive at Nabble.com.
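The two-Realm arrangement Les describes, as an added example in plain Java rather than shiro.ini (this is not code from the thread or from the Shiro project). It assumes only shiro-core on the classpath: a SimpleAccountRealm stands in for the LDAP authentication realm so the program runs offline, and a HashMap stands in for "your datastore of choice"; both are constructed for the example. The detail worth copying is that the authorization-only realm returns false from supports(), so the ModularRealmAuthenticator never asks it to authenticate anything and it can neither vouch for nor veto a login; it is consulted only for role and permission checks.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class TwoRealmExample {

    /**
     * Authorization-only realm: answers role/permission questions from a separate
     * store and opts out of authentication altogether.
     */
    static class StoreBackedAuthorizationRealm extends AuthorizingRealm {
        // Constructed stand-in for the authorization datastore (RDBMS, LDAP groups, key-value store).
        private final Map<String, Set<String>> rolesByUsername;

        StoreBackedAuthorizationRealm(Map<String, Set<String>> rolesByUsername) {
            this.rolesByUsername = rolesByUsername;
        }

        // Returning false makes the authenticator skip this realm for every token type.
        @Override
        public boolean supports(AuthenticationToken token) {
            return false;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            throw new UnsupportedOperationException("authorization-only realm; supports() returns false");
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // The authenticating realm's primary principal is the username; key the lookup on it.
            String username = String.valueOf(principals.getPrimaryPrincipal());
            Set<String> roles = rolesByUsername.get(username);
            if (roles == null) {
                roles = Collections.emptySet();
            }
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(new HashSet<String>(roles));
            // If the store holds only role names, derive permissions from them here.
            if (roles.contains("editor")) {
                info.addStringPermission("document:edit");
            }
            return info;
        }
    }

    public static void main(String[] args) {
        // Stand-in for the LDAP authentication realm (a JndiLdapRealm in production);
        // it knows the password but holds no roles for the account.
        SimpleAccountRealm authenticationRealm = new SimpleAccountRealm("ldapStandIn");
        authenticationRealm.addAccount("alice", "s3cret");

        Map<String, Set<String>> store = new HashMap<String, Set<String>>();
        store.put("alice", new HashSet<String>(Arrays.asList("editor")));
        StoreBackedAuthorizationRealm authorizationRealm = new StoreBackedAuthorizationRealm(store);

        // Programmatic equivalent of:
        // securityManager.realms = ldapAuthenticationRealm, mydatasourceAuthorizationRealm
        DefaultSecurityManager securityManager =
                new DefaultSecurityManager(Arrays.<Realm>asList(authenticationRealm, authorizationRealm));
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "s3cret"));   // handled by the LDAP stand-in only
        System.out.println("alice has role editor: " + subject.hasRole("editor"));
        System.out.println("alice may document:edit: " + subject.isPermitted("document:edit"));
        System.out.println("alice has role admin: " + subject.hasRole("admin"));
        subject.logout();
    }
}
```

Role and permission checks go through every configured realm that is an Authorizer, so the SimpleAccountRealm is asked too; it simply has no roles for the account and the store-backed realm supplies them. Swapping the stand-in for a real JndiLdapRealm changes nothing on the authorization side.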
|
Hi Les,
I wanted CAS to do authentication and Shiro to do authorization; you answered my question before I even asked. Thanks a lot.
|
In reply to this post by Les Hazlewood-2
Here is my scenario: the user gets authenticated via CAS and has authorization info in attributes from the CAS LDAP. I want to take those attributes and build permissions for authorization. I am trying to extend AuthorizingRealm, but I can't find a way to pass those attributes. Also, I am using Shiro for authorization only; when does doGetAuthorizationInfo get called? Thanks
|
On Dec 16, 2011, at 8:03 AM, seme wrote:
> Here is my scenario: the user gets authenticated via CAS and has authorization
> info in attributes from the CAS LDAP.
> I want to take those attributes and build permissions for authorization. I
> am trying to extend AuthorizingRealm, but I can't find a way to pass those
> attributes.
> Also, I am using Shiro for authorization only; when does
> doGetAuthorizationInfo get called?

It is called the very first time that an authorization operation occurs (e.g. a permission or role check). If caching is enabled/configured, the AuthorizationInfo will be cached at that time to avoid further continuous 'hits' on the back-end data store.

For Realms that look up both authentication and authorization information, you could preemptively construct and cache an AuthorizationInfo object during authentication so there is only one perceived 'hit' during login. You would do this by calling the getAuthorizationInfo(PrincipalCollection principals) method from within your doGetAuthenticationInfo method.

HTH!

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
|
Hi Les, is there any chance you could provide an example of how to construct and cache an AuthorizationInfo object during authentication? I'd like to share a piece of my code; perhaps you could help me out.
Page class: I get user roles from authenticate as authenticate.getRoles(); I need to pass them into Shiro.

    // Remote authentication
    RemoteLoginClient client = new RemoteLoginClient();
    RemoteSubject authenticate = client.authenticate(username, password);

    // tapestry security authentication
    Subject currentUser = SecurityUtils.getSubject();
    System.out.println(currentUser);
    CustomAuthenticationToken token = new CustomAuthenticationToken(authenticate.getUsername());
    System.out.println("roles" + currentUser.hasRoles(authenticate.getRoles()));
    currentUser.login(token);

This is my realm:

    public class CustomRealm extends AuthorizingRealm {

        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            CustomAuthenticationToken upToken = (CustomAuthenticationToken) token;
            String email = upToken.getUsername();
            ApplicationUser applicationUser = (ApplicationUser) session.createCriteria(ApplicationUser.class)
                    .add(Restrictions.like("email", email + "%"))
                    .uniqueResult();
            if (applicationUser == null) {
                throw new UnknownAccountException("User doesn't exist in EPRS database");
            }
            return buildAuthenticationInfo(applicationUser.getId());
        }

        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo(roleNames);
        }
    }

Thanks Les.
|
I answered my own question and wanted to post this in case someone else needed help or for possible improvement on my solution.
Imports used by the classes below:

    import java.util.LinkedHashSet;
    import java.util.List;
    import java.util.Set;
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.apache.shiro.subject.Subject;
    import org.hibernate.Session;
    import org.hibernate.criterion.Restrictions;

Login.class (Tapestry page) method:

    Object onSubmit() {
        try {
            // Remote authentication; the remote subject carries the roles from CAS
            RemoteLoginClient client = new RemoteLoginClient();
            RemoteSubject authenticate = client.authenticate(formatUsername(username), password);

            // tapestry-security authentication: hand the username and the remote roles to Shiro
            Subject currentUser = SecurityUtils.getSubject();
            CustomAuthenticationToken token =
                    new CustomAuthenticationToken(authenticate.getUsername(), authenticate.getRoles());
            currentUser.login(token);
        } catch (AuthenticationException e) {
            // catch errors
        }
        return null;
    }

Custom token used to hold the username and roles, which are set from the remote authentication service:

    public class CustomAuthenticationToken implements AuthenticationToken {
        private String username;
        private List<String> roles;

        public CustomAuthenticationToken(String username, List<String> roles) {
            this.username = username;
            this.roles = roles;
        }

        public String getUsername() { return username; }
        public List<String> getRoles() { return roles; }

        // AuthenticationToken contract; there is no local credential because the
        // remote service has already verified the password
        public Object getPrincipal() { return username; }
        public Object getCredentials() { return null; }
    }

Custom realm used to handle local authentication and authorization:

    public class CustomRealm extends AuthorizingRealm {
        // Hibernate session
        private final Session session;
        public static final String EMPTY_PASSWORD = "";

        public CustomRealm(Session session) {
            this.session = session;
            // No password check here: trust rests on the remote authentication done before login(),
            // so this token type must only ever be built from a successful remote result
            setCredentialsMatcher(new AllowAllCredentialsMatcher());
            setAuthenticationTokenClass(CustomAuthenticationToken.class);
        }

        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            CustomAuthenticationToken customToken = (CustomAuthenticationToken) token;
            String email = customToken.getUsername();
            List<String> roles = customToken.getRoles();
            // Prefix match: it must only ever match one account, otherwise uniqueResult() throws
            // (and a looser match could resolve to the wrong account)
            User user = (User) session.createCriteria(User.class)
                    .add(Restrictions.like("email", email + "%"))
                    .uniqueResult();
            if (user == null) {
                throw new UnknownAccountException("User doesn't exist in local database");
            }
            return new SimpleAuthenticationInfo(new CustomPrincipal(user, roles), EMPTY_PASSWORD, getName());
        }

        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            Set<String> roleNames = new LinkedHashSet<String>();
            CustomPrincipal primaryPrincipal = (CustomPrincipal) principals.getPrimaryPrincipal();
            for (String role : primaryPrincipal.getRoles()) {
                roleNames.add(role);
            }
            return new SimpleAuthorizationInfo(roleNames);
        }
    }

Custom principal used to hold the user object and roles:

    public class CustomPrincipal {
        private User user;
        private List<String> roles;

        public CustomPrincipal() {
        }

        public CustomPrincipal(User user, List<String> roles) {
            this.user = user;
            this.roles = roles;
        }

        public User getUser() { return user; }
        public List<String> getRoles() { return roles; }
    }
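An added example, not code from the thread or from the Shiro project, that combines Les's answer above (resolve and cache the AuthorizationInfo from inside doGetAuthenticationInfo, so the back end is hit once at login) with the pattern in the posted solution (roles asserted by the remote service ride along in the token and then in the principal). It assumes only shiro-core on the classpath; the local user table is a constructed Set, the roles are constructed literals standing in for CAS attributes, and a counter in the realm records every real call to doGetAuthorizationInfo. With the CacheManager installed the counter reads 1 after login and stays there through the later role checks; without a CacheManager nothing is cached and it grows with every check.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class PrewarmedAuthorizationExample {

    /** Token built only after the remote service (CAS) has already verified the password. */
    static final class RemotelyAuthenticatedToken implements AuthenticationToken {
        final String username;
        final Set<String> roles;

        RemotelyAuthenticatedToken(String username, Collection<String> roles) {
            this.username = username;
            this.roles = Collections.unmodifiableSet(new LinkedHashSet<String>(roles));
        }

        @Override public Object getPrincipal() { return username; }
        @Override public Object getCredentials() { return null; }   // nothing to verify locally
    }

    /** Principal stored in the Subject: local user id plus the roles the remote service asserted. */
    static final class RemotePrincipal {
        final String username;
        final Set<String> roles;

        RemotePrincipal(String username, Set<String> roles) { this.username = username; this.roles = roles; }

        // equals/hashCode on the username so the cached AuthorizationInfo is found again
        @Override public boolean equals(Object o) {
            return o instanceof RemotePrincipal && username.equals(((RemotePrincipal) o).username);
        }
        @Override public int hashCode() { return username.hashCode(); }
        @Override public String toString() { return username; }
    }

    static final class RemoteRolesRealm extends AuthorizingRealm {
        final AtomicInteger backEndLookups = new AtomicInteger();   // real doGetAuthorizationInfo calls
        private final Set<String> localUsers;                      // constructed stand-in for the user table

        RemoteRolesRealm(Set<String> localUsers) {
            this.localUsers = localUsers;
            setAuthenticationTokenClass(RemotelyAuthenticatedToken.class); // plain UsernamePasswordToken is refused
            setCredentialsMatcher(new AllowAllCredentialsMatcher());       // password was checked remotely
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            RemotelyAuthenticatedToken t = (RemotelyAuthenticatedToken) token;
            if (!localUsers.contains(t.username)) {
                throw new UnknownAccountException("no local account for " + t.username);
            }
            RemotePrincipal principal = new RemotePrincipal(t.username, t.roles);
            PrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
            // Les's suggestion: resolve (and, with a cache configured, store) the AuthorizationInfo now.
            getAuthorizationInfo(principals);
            return new SimpleAuthenticationInfo(principals, null);
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            backEndLookups.incrementAndGet();
            RemotePrincipal p = principals.oneByType(RemotePrincipal.class);
            return new SimpleAuthorizationInfo(new LinkedHashSet<String>(p.roles));
        }
    }

    public static void main(String[] args) {
        RemoteRolesRealm realm = new RemoteRolesRealm(new HashSet<String>(Arrays.asList("alice")));
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        securityManager.setCacheManager(new MemoryConstrainedCacheManager()); // enables the authz cache
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        // Roles as they would arrive in CAS attributes (constructed for the example)
        subject.login(new RemotelyAuthenticatedToken("alice", Arrays.asList("hr", "manager")));
        System.out.println("back-end lookups after login: " + realm.backEndLookups.get());
        subject.hasRole("hr");
        subject.checkRole("manager");
        System.out.println("back-end lookups after role checks: " + realm.backEndLookups.get());
        subject.logout();
    }
}
```

Two points carry over to the posted solution. AllowAllCredentialsMatcher means anyone able to submit this token type is logged in, so the token must be constructible only from a successful remote result, and setAuthenticationTokenClass keeps the realm from ever accepting an ordinary UsernamePasswordToken. And the pre-warming only helps when a CacheManager is set on the SecurityManager; AuthorizingRealm has caching enabled by default but has no cache to write to until one is provided.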