Using Ki just for Authorization?

Using Ki just for Authorization?

Nishant Jain
Hi,
I have to implement role based Authorization in a web based application. Can I use only authorization from the JSecurity?
I don't need authentication as it is already there, provided by the company's common login page. Is there a way I can create a SecurityManager with just the role based permissions, like if role is "user" then there are some sets of permission and if role is "admin" then there are some different set of permissions?

Re: Using Ki just for Authorization?

Les Hazlewood-2
Hi Nishant,

Yep, you can do this easily. Apache Ki's Realm implementations support both Authentication and Authorization.

Just configure one realm where the Realm.supports(AuthenticationToken) method always returns false.  Then that realm will never be consulted for Authentication, leaving it to only perform Authorization.

Cheers,

Les

On Thu, Apr 30, 2009 at 10:13 AM, Nishant Jain <[hidden email]> wrote:

> Hi,
> I have to implement role based Authorization in a web based application. Can
> I use only authorization from the JSecurity?
> I dont need authentication as it is already there provided by the company's
> common login page. Is there a way I can create a SecurityManager with just
> the role based permissions like if role is "user" then there are some sets
> of permission and if role is "admin" then there are some different set of
> permissions.




Re: Using Ki just for Authorization?

Nishant Jain
Hi,
Thanks for the reply.

I am trying to implement the example from Bruce Phillips' blog (http://www.brucephillips.name/blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners--Tutorial-Part-4), which does both authentication and authorization. In the code I am trying to override the supports(AuthenticationToken) method to always return false, which means it should allow everyone to enter through the login page; instead, it is not allowing even the valid user to enter the website.
The code at that login page is doing the following:
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    Subject subject = SecurityUtils.getSubject();
    subject.login(token);
    if ( subject.hasRole("admin") ) {
        //do something
    } else {
        //do something
    }

It is failing at the subject.login(token) part throwing the following exception - org.jsecurity.authc.pam.UnsupportedTokenException: Realm [name.brucephillips.rolesecurity.dao.RoleSecurityJdbcRealm@1cacaa7] does not support authentication token [org.jsecurity.authc.UsernamePasswordToken - sue@hotmail.com, rememberMe=false].

What is the way to avoid doing authentication at this part? Because I want to find that person's role in the subject and then authorize him based on the role.

Thanks!!
Nishant

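An added example, not code from the thread or from the project: an authorization-only realm of the kind Les describes, written against Apache Shiro, the name the Ki/JSecurity project later took (the org.apache.shiro package names are an assumption relative to the org.jsecurity version used above). The user and permission tables and the usernames are constructed, and the realm is queried directly with the externally authenticated username instead of through subject.login(), which with this as the only realm raises the UnsupportedTokenException quoted in the thread.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class AuthorizationOnlyRealm extends AuthorizingRealm {
    // Constructed sample data: one role per user, a permission set per role.
    private static final Map<String, String> USER_ROLE = Map.of("sue", "admin", "bob", "user");
    private static final Map<String, Set<String>> ROLE_PERMS = Map.of(
        "user", Set.of("report:read"),
        "admin", Set.of("report:read", "report:delete"));

    @Override
    public boolean supports(AuthenticationToken token) {
        return false; // this realm is never consulted for authentication
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null; // not reached through login(): supports() rejects every token
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        String role = USER_ROLE.get((String) principals.getPrimaryPrincipal());
        if (role != null) { // unknown user: no roles and no permissions (deny by default)
            info.addRole(role);
            info.addStringPermissions(ROLE_PERMS.get(role));
        }
        return info;
    }

    public static void main(String[] args) {
        AuthorizationOnlyRealm realm = new AuthorizationOnlyRealm();
        // Assumption: the username comes from the server-side session set up by the
        // external login page, never from a client-supplied request parameter.
        PrincipalCollection sue = new SimplePrincipalCollection("sue", realm.getName());
        PrincipalCollection bob = new SimplePrincipalCollection("bob", realm.getName());
        System.out.println("sue admin?        " + realm.hasRole(sue, "admin"));
        System.out.println("sue report:delete " + realm.isPermitted(sue, "report:delete"));
        System.out.println("bob report:delete " + realm.isPermitted(bob, "report:delete"));
    }
}
```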