You can use whatever datasource you like to store authorization
information. In Shiro, this is often represented as two Realms
configured for your application: one Realm for talking to LDAP just
for authentication purposes and another Realm for talking to your
datastore of choice just for authorization purposes.
Once you've tested your Realm used for Authorization needs, you can
just add it to the configured Realms. For example, in shiro.ini:
Here is my scenario: the user gets authenticated via CAS and has authorization info in attributes from CAS LDAP.
I want to take those attributes and build permissions for authorization. I am trying to extend AuthorizingRealm, but I can't find a way to pass those attributes.
Also, I am using Shiro for authorization only; when does doGetAuthorizationInfo get called?
> Here is my scenario, user gets authenticated via cas and has authorization
> info in attributes from CAS ldap.
> I want to take those attributes and build permissions for authorization, I
> am trying to extend AuthorizingRealm, but I can't find a way to pass those
> Also, I am using shiro for authorization only, when does
> doGetAuthorizationInfo get called?
It is called the very first time that an authorization operation occurs (e.g. a permission or role check). If caching is enabled/configured, the AuthorizationInfo will be cached at that time to avoid further continuous 'hits' on the back-end data store.
For Realms that look up both authentication and authorization information, you could preemptively construct and cache an AuthorizationInfo object during authentication so there is only one perceived 'hit' during login. You would do this by calling the getAuthorizationInfo(PrincipalCollection principals) method from within your doGetAuthenticationInfo method.
Hi Les, is there any chance you could provide an example of how to construct and cache an AuthorizationInfo object during authentication? I'd like to share a piece of my code, perhaps you could help me out.
I get user roles from authenticate as authenticate.getRoles(); I need to pass them into shiro.
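One way to do what the reply above describes, as an added example that is not code from the thread or from the Shiro project: the roles obtained at login travel inside a custom principal, and getAuthorizationInfo is called from doGetAuthenticationInfo so the AuthorizationInfo is built (and cached, if caching is configured) during login. ExternalAuthenticator, UserWithRoles and ExternalRolesRealm are hypothetical names, and the sketch assumes a username/password login.

```java
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class ExternalRolesRealm extends AuthorizingRealm {
    /** Hypothetical stand-in for the external login service: returns roles, or null if rejected. */
    public interface ExternalAuthenticator {
        Set<String> authenticate(String username, char[] password);
    }

    /** Principal carrying the roles captured at login (Serializable for session storage). */
    public static final class UserWithRoles implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username;
        final HashSet<String> roles;
        UserWithRoles(String username, Set<String> roles) {
            this.username = username;
            this.roles = new HashSet<>(roles); // defensive copy
        }
        @Override public String toString() { return username; }
    }

    private final ExternalAuthenticator external;
    public ExternalRolesRealm(ExternalAuthenticator external) { this.external = external; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        UsernamePasswordToken up = (UsernamePasswordToken) token;
        Set<String> roles = external.authenticate(up.getUsername(), up.getPassword());
        if (roles == null) throw new IncorrectCredentialsException("external login rejected");
        // The external system already verified the password; echoing the submitted
        // credentials lets the realm's default SimpleCredentialsMatcher succeed.
        AuthenticationInfo info = new SimpleAuthenticationInfo(
                new UserWithRoles(up.getUsername(), roles), up.getPassword(), getName());
        // Build the AuthorizationInfo now so it is cached before the first role check.
        getAuthorizationInfo(info.getPrincipals());
        return info;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        UserWithRoles user = principals.oneByType(UserWithRoles.class);
        // null means the principal came from another realm; this realm has nothing to add.
        return user == null ? null : new SimpleAuthorizationInfo(new HashSet<>(user.roles));
    }
}
```

The roles are a snapshot taken at login, so a role revoked in the external system stays effective in Shiro until the session ends or the user logs in again.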