Shiro and LDAP authorization


Shiro and LDAP authorization

seme
New to Shiro, I want to set up LDAP authorization. I was able to authenticate via LDAP.
In Shiro, where can I store my user authorization info and how can I retrieve it?

Any help or sample code will be appreciated.

Thanks

Re: Shiro and LDAP authorization

Manoj Khangaonkar
You can store the authorization info anywhere you want: RDBMS, LDAP,
key-value stores, etc.

See the sample realm implementations.

On Thu, Dec 15, 2011 at 4:26 AM, seme <[hidden email]> wrote:

> New to shiro, I want to set up ldap authorization. I was able to
> authenticate via ldap.
> In shiro, where I can store my user authorization info and how I can
> retrieve them?
>
> Any help or sample code will be appreciated.
>
> Thanks
>



--
http://khangaonkar.blogspot.com/

Re: Shiro and LDAP authorization

Les Hazlewood-2
In reply to this post by seme
Hi Seme,

You can use whatever datasource you like to store authorization
information.  In Shiro, this is often represented as two Realms
configured for your application - One Realm for talking to LDAP just
for authentication purposes and another Realm for talking to your
datastore of choice just for authorization purposes.

Once you've tested your Realm used for Authorization needs, you can
just add it to the configured Realms.  For example, in shiro.ini:

securityManager.realms = ldapAuthenticationRealm, mydatasourceAuthorizationRealm

HTH!

Cheers,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Thu, Dec 15, 2011 at 4:26 AM, seme <[hidden email]> wrote:

> New to shiro, I want to set up ldap authorization. I was able to
> authenticate via ldap.
> In shiro, where I can store my user authorization info and how I can
> retrieve them?
>
> Any help or sample code will be appreciated.
>
> Thanks
>

Re: Shiro and LDAP authorization

seme
Hi Les,

I wanted CAS to do authentication and Shiro to do authorization; you answered my question before I even asked.

Thanks a lot.

Re: Shiro and LDAP authorization

seme
In reply to this post by Les Hazlewood-2

Here is my scenario: the user gets authenticated via CAS and has authorization info in attributes from the CAS LDAP.
I want to take those attributes and build permissions for authorization. I am trying to extend AuthorizingRealm, but I can't find a way to pass those attributes.
Also, I am using Shiro for authorization only; when does doGetAuthorizationInfo get called?

Thanks

Re: Shiro and LDAP authorization

Les Hazlewood-2
On Dec 16, 2011, at 8:03 AM, seme wrote:

> Here is my scenario, user gets authenticated via cas and has authorization
> info in attributes from CAS ldap.
> I want to take those attributes and build permissions for authorization, I
> am trying to extend AuthorizingRealm, but I can't find away to pass those
> attributes.
> Also, I am using shiro for authorization only, when does
> doGetAuthorizationInfo gets called?

It is called the very first time that an authorization operation occurs (e.g. a permission or role check).  If caching is enabled/configured, the AuthorizationInfo will be cached at that time to avoid further continuous 'hits' on the back-end data store.

For Realms that look up both authentication and authorization information, you could preemptively construct and cache an AuthorizationInfo object during authentication so there is only one perceived 'hit' during login.  You would do this by calling the getAuthorizationInfo(PrincipalCollection principals) method from within your doGetAuthenticationInfo method.

HTH!

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

Re: Shiro and LDAP authorization

gchristman
Hi Les, is there any chance you could provide an example of how to construct and cache an AuthorizationInfo object during authentication? I'd like to share a piece of my code; perhaps you could help me out.

Page Class,

I get user roles from authenticate as authenticate.getRoles(); I need to pass them into Shiro.

            //Remote authentication
            RemoteLoginClient client = new RemoteLoginClient();
            RemoteSubject authenticate = client.authenticate(username, password);

            //tapestry security authentication
            Subject currentUser = SecurityUtils.getSubject();
            System.out.println(currentUser);
            CustomAuthenticationToken token = new CustomAuthenticationToken(authenticate.getUsername());

            System.out.println("roles" + currentUser.hasRoles(authenticate.getRoles()));            
            currentUser.login(token);


This is my realm,

public class CustomRealm extends AuthorizingRealm {

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        CustomAuthenticationToken upToken = (CustomAuthenticationToken) token;
        String email = upToken.getUsername();

        ApplicationUser applicationUser = (ApplicationUser) session.createCriteria(ApplicationUser.class)
                .add(Restrictions.like("email", email + "%"))
                .uniqueResult();

        if (applicationUser == null) {
            throw new UnknownAccountException("User doesn't exist in EPRS database");
        }

        return buildAuthenticationInfo(applicationUser.getId());
    }


    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

        return new SimpleAuthorizationInfo(roleNames);
    }

Thanks Les.

Re: Shiro and LDAP authorization

gchristman
I answered my own question and wanted to post this in case someone else needed help or for possible improvement on my solution.

Login.class method

    Object onSubmit() {
        try {
            //Remote Authentication
            RemoteLoginClient client = new RemoteLoginClient();
            RemoteSubject authenticate = client.authenticate(formatUsername(username), password);

            //tapestry security authentication
            Subject currentUser = SecurityUtils.getSubject();
            CustomAuthenticationToken token = new CustomAuthenticationToken(authenticate.getUsername(), authenticate.getRoles());
           
            currentUser.login(token);
        } //catch errors
    }


//Custom token used to hold username and roles which are set from remote authentication service.
public class CustomAuthenticationToken implements AuthenticationToken {

    private String username;
    private List<String> roles;
       
    public CustomAuthenticationToken(String username, List<String> roles) {
        this.username = username;
        this.roles = roles;
    }

getters/setters

//Custom Realm used to handle local authentication and authorization.
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;

public class CustomRealm extends AuthorizingRealm {

    //Hibernate Session
    private final Session session;
    public static final String EMPTY_PASSWORD = "";

    public CustomRealm(Session session) {
        this.session = session;
        //Credentials were already checked by the remote service, so only the token type is verified here.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        setAuthenticationTokenClass(CustomAuthenticationToken.class);
    }

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        CustomAuthenticationToken customToken = (CustomAuthenticationToken) token;
        String email = customToken.getUsername();
        List<String> roles = customToken.getRoles();

        //Prefix match: uniqueResult() fails if more than one local user's email starts with this value.
        User user = (User) session.createCriteria(User.class)
                .add(Restrictions.like("email", email + "%"))
                .uniqueResult();

        if (user == null) {
            throw new UnknownAccountException("User doesn't exist in local database");
        }

        //The principal must be the same class that doGetAuthorizationInfo casts to below.
        return new SimpleAuthenticationInfo(new CustomPrincipal(user, roles), EMPTY_PASSWORD, getName());
    }

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Set<String> roleNames = new LinkedHashSet<String>();

        CustomPrincipal primaryPrincipal = (CustomPrincipal) principals.getPrimaryPrincipal();

        for (String role : primaryPrincipal.getRoles()) {
            roleNames.add(role);
        }

        return new SimpleAuthorizationInfo(roleNames);
    }
}

//Custom principal used to hold user object and roles
public class CustomPrincipal {
   
    private User user;
    private List<String> roles;

    public CustomPrincipal() {
    }

    public CustomPrincipal(User user, List<String> roles) {
        this.user = user;
        this.roles = roles;
    }

getters/setters
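The pre-warming step Les describes (calling getAuthorizationInfo from doGetAuthenticationInfo), which the final realm above does not do, as an added example that is not code from the thread or from Shiro itself. It assumes gchristman's CustomAuthenticationToken (username plus roles, filled from the server-side authentication result) and defines its own CasPrincipal; the cache only takes effect when a CacheManager is configured on the securityManager.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class CachingCustomRealm extends AuthorizingRealm {

    // Principal kept in the Subject: username plus the roles the upstream service returned (defined here, not from the thread).
    public static class CasPrincipal {
        private final String username;
        private final List<String> roles;
        public CasPrincipal(String username, List<String> roles) {
            this.username = username;
            this.roles = Collections.unmodifiableList(new ArrayList<String>(roles));
        }
        public String getUsername() { return username; }
        public List<String> getRoles() { return roles; }
    }

    public CachingCustomRealm() {
        // Credentials were verified upstream (CAS/remote service), so only the token type is checked here.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        setAuthenticationTokenClass(CustomAuthenticationToken.class); // assumed token class from the post above
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        CustomAuthenticationToken t = (CustomAuthenticationToken) token;
        // Roles must come from the server-side authentication result, never from form input.
        CasPrincipal principal = new CasPrincipal(t.getUsername(), t.getRoles());
        AuthenticationInfo info = new SimpleAuthenticationInfo(principal, "", getName());
        // Build and cache the AuthorizationInfo now, so the first role or permission
        // check after login does not cause a second back-end lookup.
        getAuthorizationInfo(info.getPrincipals());
        return info;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        CasPrincipal p = (CasPrincipal) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(new LinkedHashSet<String>(p.getRoles()));
        for (String role : p.getRoles()) {
            info.addStringPermission(role + ":*"); // e.g. role "reports" grants "reports:*"
        }
        return info;
    }
}
```

With caching active, the AuthorizationInfo built during login is served from the cache on every subsequent check, so a role change upstream is only seen after the cached entry is cleared or the user logs in again.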