Using Shiro to authenticate users from multiple ADs

Using Shiro to authenticate users from multiple ADs

Debug82
Hello,

Here is my configuration:
I may have to manage authentication and authorization of multiple
applications. Each application may have its own AD, or several directories.

My question is: What would be the best way to handle this scenario?

Regards



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Using Shiro to authenticate users from multiple ADs

Brian Demers
I'm not 100% sure what you are asking.  It sounds like each application is configured with a different AD, so that would imply each application is different, meaning we can talk about them separately.

Does each application need to talk to multiple AD instances or are they already federated somehow? 

On Sun, Apr 29, 2018 at 6:54 AM, Debug82 <[hidden email]> wrote:


Re: Using Shiro to authenticate users from multiple ADs

Debug82
Hello Brian,

First, thank you for your reply.

To be more specific, here are some details:
I am implementing a REST API (security app) that manages authentication and
authorization of multiple applications (mainly web applications) with a
local database to persist managed applications, users, groups, roles and
permissions (roles and permissions are associated with a particular
application).

- User and Group entities have an "isDirectory" field that tells us if the
user/group is created in our security app or is imported from a directory.
When the user/group should be imported from a directory, there are other
fields that are required in the record (like the url, ...etc) to be able to
connect to this AD instance.

- For authentication purposes, one application may have to talk to multiple
AD instances (not federated) (when a user/group has isDirectory=true). The user
can as well be created in my [local] security app database.

- If a user is in an AD, some of its information will be loaded to the local
database (like username and first name).

- All authorization information (permissions) is created in my local
security app database. That means that the authorization can only be
performed against my local database.

Please let me know if it is clear.

Regards




Re: Using Shiro to authenticate users from multiple ADs

Brian Demers
Got it!

You have a few options, but the most straightforward might be to lump all of this logic into a single Realm (that realm could delegate to a JDBC realm or AD realm)
This new realm would perform a query to see where the user needed to authenticate from (local DB or AD), then add the permission to the user (or delegate that to another DB realm)

CustomRealm
  └ DB Realm or AD Realm (authenticate)
  └ DB Realm (authorize)

Or... getting slightly more involved, but moving the logic. You could create a Shiro `Authenticator` which contains the logic to check if you need to authenticate via your DB or AD. And a Shiro `Authorizer` that just delegates to a DB realm to add the permissions to your Subject.

See DefaultSecurityManager's `setAuthorizer()` and `setAuthenticator()`

Does that help?


On Mon, Apr 30, 2018 at 10:40 AM, Debug82 <[hidden email]> wrote:


Re: Using Shiro to authenticate users from multiple ADs

Debug82
Hi Brian,

Thanks a lot for your prompt reply.
It helps a lot.

Just one question for the first option. How can I create a custom realm that
delegates the authentication process to a JDBC or AD realm?

Thanks again

Regards




Re: Using Shiro to authenticate users from multiple ADs

Brian Demers
Take a look at an existing Realm for a more concrete example. Basically, you just extend `AuthenticatingRealm` and implement the `doGetAuthenticationInfo()` method.

Your custom logic would likely query your db and check to see if authentication should happen from a DB realm or an LDAP realm. You might have some logic like:

// inside doGetAuthenticationInfo(AuthenticationToken token), after querying the DB
if (authViaDB) {
  return dbRealm.getAuthenticationInfo(...);   // local JDBC realm verifies the credentials
} else {
  return adRealm.getAuthenticationInfo(...);   // AD realm verifies the credentials
}

I'm guessing the AD Realm portion will not be as simple as you have the connection information contained in your database (you would need to figure out how you wanted to manage these connections, connection pool, configure a new AD realm for each auth attempt, etc)


On Mon, Apr 30, 2018 at 11:30 AM, Debug82 <[hidden email]> wrote:
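As an added example of Brian's first option (this is not code from the thread or from Shiro's own sources), the realm below, written against the Shiro 1.x API, looks the user up in the local database, delegates authentication to a `JdbcRealm` for local users or to an `ActiveDirectoryRealm` for the directory named in the user's record, and answers authorization from the local database only. It also builds one `ActiveDirectoryRealm` per directory id and reuses it, instead of configuring a new realm on every login attempt. `SecurityAppDao`, `LocalUser` and `DirectoryConfig` are hypothetical stand-ins for the security app's own tables and DAO; the hashing settings on the JDBC realm are placeholders that must match how local passwords are actually stored.

```java
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.sql.DataSource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UnsupportedTokenException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical shapes of the local security-app rows described in the thread.
record LocalUser(String username, boolean isDirectory, String directoryId) {}
record DirectoryConfig(String id, String url, String searchBase, String principalSuffix,
                       String systemUsername, String systemPassword) {}

// Hypothetical DAO over the local database; not part of Shiro.
interface SecurityAppDao {
    Optional<LocalUser> findUser(String username);
    Optional<DirectoryConfig> findDirectory(String directoryId);
    Set<String> rolesFor(String username, String applicationId);
    Set<String> permissionsFor(String username, String applicationId);
}

// Realm for one managed application: authentication is delegated to the JDBC realm or
// to the AD realm matching the user's directory record; authorization is always local.
public class DelegatingRealm extends AuthorizingRealm {
    private final SecurityAppDao dao;
    private final String applicationId;
    private final JdbcRealm dbRealm;
    // One ActiveDirectoryRealm per directory id, created lazily and reused.
    private final ConcurrentMap<String, ActiveDirectoryRealm> adRealms = new ConcurrentHashMap<>();

    public DelegatingRealm(SecurityAppDao dao, DataSource localDb, String applicationId) {
        this.dao = dao;
        this.applicationId = applicationId;

        dbRealm = new JdbcRealm();
        dbRealm.setDataSource(localDb);
        HashedCredentialsMatcher hashed = new HashedCredentialsMatcher("SHA-256"); // placeholder: match stored format
        hashed.setHashIterations(100_000);
        dbRealm.setCredentialsMatcher(hashed);
        dbRealm.init();

        // The delegate has already verified the password inside getAuthenticationInfo();
        // without this, this realm would compare the plaintext against the stored hash again and fail.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        setAuthenticationTokenClass(UsernamePasswordToken.class);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        // The local record decides where the user authenticates; the client never picks the directory.
        LocalUser user = dao.findUser(username)
                .orElseThrow(() -> new UnknownAccountException("No account for " + username));

        Realm delegate = user.isDirectory() ? adRealmFor(user.directoryId()) : dbRealm;
        if (!delegate.supports(token)) {
            throw new UnsupportedTokenException(delegate.getName() + " does not support " + token.getClass());
        }
        AuthenticationInfo info = delegate.getAuthenticationInfo(token);
        if (info == null) {
            throw new UnknownAccountException("No account for " + username + " in " + delegate.getName());
        }
        return info;
    }

    private ActiveDirectoryRealm adRealmFor(String directoryId) {
        return adRealms.computeIfAbsent(directoryId, id -> {
            DirectoryConfig cfg = dao.findDirectory(id)
                    .orElseThrow(() -> new AuthenticationException("Unknown directory " + id));
            ActiveDirectoryRealm realm = new ActiveDirectoryRealm();
            realm.setName("ad-" + id);
            realm.setUrl(cfg.url());  // the user's password is sent in the LDAP bind, so this should be ldaps://
            realm.setSearchBase(cfg.searchBase());
            realm.setPrincipalSuffix(cfg.principalSuffix());
            realm.setSystemUsername(cfg.systemUsername());
            realm.setSystemPassword(cfg.systemPassword());
            realm.init();  // builds the LdapContextFactory; not done automatically for an unregistered realm
            return realm;
        });
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Both JdbcRealm and ActiveDirectoryRealm use the username String as primary principal.
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(dao.rolesFor(username, applicationId));
        info.setStringPermissions(dao.permissionsFor(username, applicationId));
        return info;
    }
}
```

Register one `DelegatingRealm` per managed application on the `DefaultSecurityManager` (via `setRealm()`); only this outer realm is registered, which is why the delegates are initialized by hand. The `AllowAllCredentialsMatcher` on the outer realm is safe only because every path through `doGetAuthenticationInfo()` goes through a delegate that performs its own credential check; if a code path ever returned an `AuthenticationInfo` without delegating, that matcher would let it through unverified, so keep that invariant in view when extending the realm.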


Re: Using Shiro to authenticate users from multiple ADs

Debug82
Got it,

Thanks a lot for your help

Regards


