url access against Active Directory group


Manuel Sopena Ballesteros

Dear Apache Shiro community,

I am trying to set up Apache Shiro to restrict access to specific URLs based on Active Directory:

```
activeDirectoryRealm.groupRolesMap = "CN=my group,OU=Groups,OU=my folder,DC=ad,DC=mydomain,DC=com":"admin"

[roles]
role1 = *
role2 = *
role3 = *
admin = *

[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/** = authc
```

Questions:

For some reason this is not working, and users who are members of “my group” cannot access the /api/interpreter/** websites.

Also, do I need to escape white spaces?

Thank you


Re: url access against Active Directory group

Brian Demers
It's been a while since I've used AD, and it's possible you need to escape the white space, but my first suggestion would be to double-check the roles/groups that are returned for the user.
You could either dump them out from your application or set a breakpoint in `org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm.getRoleNamesForGroups()`.

I'm guessing you also _don't_ need the `[roles]` block (though that depends on how your realms are configured).

Please keep us posted!

On Wed, Dec 4, 2019 at 11:31 PM Manuel Sopena Ballesteros <[hidden email]> wrote:

> Dear Apache Shiro community,
>
> I am trying to set up Apache Shiro to restrict access to specific URLs based on Active Directory:
>
> activeDirectoryRealm.groupRolesMap = "CN=my group,OU=Groups,OU=my folder,DC=ad,DC=mydomain,DC=com":"admin"
>
> [roles]
> role1 = *
> role2 = *
> role3 = *
> admin = *
>
> [urls]
> /api/version = anon
> /api/interpreter/** = authc, roles[admin]
> /** = authc
>
> Questions:
>
> For some reason this is not working, and users who are members of “my group” cannot access the /api/interpreter/** websites.
>
> Also, do I need to escape white spaces?
>
> Thank you