JOC - JobScheduler Operations Center / JOC-437

Shiro multi-realm handling should stop after the first successful realm


    Details

    • Type: Feature
    • Status: Released
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.12.3
    • Fix Version/s: 1.12.4
    • Component/s: None
    • Labels:

      Description

      Current Situation

      In a multi-realm environment every realm is checked for each login. This produces warnings, e.g. when a user defined in the ini realm is not known to the LDAP realm. The configuration

      securityManager.realms = $iniRealm, $ldapRealm

      will show the warning

      WARN                  SOSLdapAuthorizing.java   369        qtp110718392-18  [LDAP: error code 49 - NDS error: failed authentication (-669)]

      Behavior of the Shiro implementation: even if FirstSuccessfulStrategy is assigned, all realms are still checked. The cause of this
      problem is that the class org.apache.shiro.authc.pam.FirstSuccessfulStrategy is not properly implemented: it selects the first successful result but does not stop the authenticator from contacting the remaining realms.

      authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
      securityManager.authenticator.authenticationStrategy = $authcStrategy
      

      Desired Behavior

      It should be possible to configure the multi-realm behavior so that, after a successful authentication, no further realms are checked.

      To achieve this, a new Shiro authenticator class should be implemented. This authenticator stops calling realms once one successful authentication has been performed and the strategy org.apache.shiro.authc.pam.FirstSuccessfulStrategy is assigned.

      authenticator = com.sos.auth.shiro.SOSAuthenticator
      securityManager.authenticator=$authenticator
      

      If this new authenticator is not used then messages originating from the NamingException should have the severity INFO instead of WARN or ERROR.

      Behavior in the SOS implementation: Additionally a new strategy class com.sos.auth.shiro.SOSFirstSuccessfulStrategy should be implemented that works with the standard authenticator.

      With this feature there are two alternative ways to get the FirstSuccessfulStrategy behavior:

      A: Via Strategy

      authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulStrategy
      securityManager.authenticator.authenticationStrategy = $authcStrategy
      

      B: Via Authenticator

      authenticator = com.sos.auth.shiro.SOSAuthenticator
      # Please note that you have to assign the realms to the authenticator instead of to securityManager.realms
      authenticator.realms = $iniRealm, $ldapRealm
      authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
      authenticator.authenticationStrategy = $authcStrategy
      securityManager.authenticator=$authenticator
      

      Recommended: B
      Similarity: With both A and B only the roles from the first successful realm are assigned.
      Difference: With A all realms are still contacted. With B no further realms are contacted after the first successful login, so the spurious LDAP warnings for ini-only users disappear.
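      The following is an added illustration of how an authenticator of the kind described above can be built; it is not the SOSAuthenticator code from the JOC project. It assumes Shiro 1.x, where ModularRealmAuthenticator exposes doMultiRealmAuthentication(Collection<Realm>, AuthenticationToken) as a protected method and AuthenticationStrategy has the beforeAllAttempts/beforeAttempt/afterAttempt/afterAllAttempts hooks. The class name FirstSuccessOnlyAuthenticator is an assumed name. It reproduces the standard realm loop, but leaves the loop as soon as a realm returns non-empty principals while FirstSuccessfulStrategy is configured, and it logs a per-realm failure at INFO rather than WARN, since a user unknown to one realm is expected in a multi-realm setup.

```java
package com.sos.auth.shiro; // assumed package placement for this example

import java.util.Collection;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Example authenticator (assumed name, not the project's SOSAuthenticator) that
 * stops consulting realms after the first one that authenticates the token.
 * Configure it in shiro.ini as in variant B above:
 *   authenticator = com.sos.auth.shiro.FirstSuccessOnlyAuthenticator
 *   authenticator.realms = $iniRealm, $ldapRealm
 *   authenticator.authenticationStrategy = $authcStrategy
 *   securityManager.authenticator = $authenticator
 */
public class FirstSuccessOnlyAuthenticator extends ModularRealmAuthenticator {

    private static final Logger LOG = LoggerFactory.getLogger(FirstSuccessOnlyAuthenticator.class);

    @Override
    protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {
        AuthenticationStrategy strategy = getAuthenticationStrategy();
        // Short-circuit only for FirstSuccessfulStrategy. AllSuccessfulStrategy and
        // AtLeastOneSuccessfulStrategy are defined over every realm and must keep iterating.
        boolean stopAfterFirstSuccess = strategy instanceof FirstSuccessfulStrategy;

        AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
        for (Realm realm : realms) {
            aggregate = strategy.beforeAttempt(realm, token, aggregate);
            if (!realm.supports(token)) {
                continue;
            }
            AuthenticationInfo info = null;
            Throwable failure = null;
            try {
                info = realm.getAuthenticationInfo(token);
            } catch (Throwable t) {
                failure = t;
                // One realm not knowing the user is normal here (e.g. an ini user that
                // does not exist in LDAP), so report it at INFO instead of WARN/ERROR.
                LOG.info("Realm [{}] did not authenticate [{}]: {}",
                        realm.getName(), token.getPrincipal(), t.getMessage());
            }
            // Let the strategy merge or select the result exactly as the standard loop does.
            aggregate = strategy.afterAttempt(realm, token, info, aggregate, failure);

            if (stopAfterFirstSuccess && info != null
                    && info.getPrincipals() != null && !info.getPrincipals().isEmpty()) {
                // First successful realm found: do not contact the remaining realms.
                // Only this realm's principals (and therefore its roles) are returned.
                LOG.debug("Realm [{}] authenticated [{}]; remaining realms are skipped",
                        realm.getName(), token.getPrincipal());
                break;
            }
        }
        return strategy.afterAllAttempts(token, aggregate);
    }
}
```

      Because the loop is left after the first successful realm, the realms are consulted in the order given in authenticator.realms; putting the local ini realm first therefore avoids the LDAP round trip and the resulting error code 49 entry for local users entirely. A consequence worth knowing when reading audit logs is that a login attempt that fails in the first realm and succeeds in the second still leaves an INFO line for the first realm, which is the intended trace of where the credentials were tried.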

            People

            • Assignee: Uwe Risse
            • Reporter: Uwe Risse
            • Approver: Alan Amos


                Time Tracking

                • Original Estimate: 3 days
                • Remaining Estimate: 0 minutes
                • Time Spent: 3 days