JOC - JobScheduler Operations Center
JOC-437

Shiro multi-realm handling should stop after the first successful realm

    Details

    • Type: Feature
    • Status: Released
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.12.3
    • Fix Version/s: 1.12.4
    • Component/s: None

      Description

      Current Situation

      In a multi-realm environment all realms are checked for every login. This produces warnings, e.g. if a user that exists in the ini realm is not known in the LDAP realm. The configuration

      securityManager.realms = $iniRealm, $ldapRealm

      will show the warning

      WARN                  SOSLdapAuthorizing.java   369        qtp110718392-18  [LDAP: error code 49 - NDS error: failed authentication (-669)]

      Behavior of the Shiro implementation: even if the FirstSuccessfulStrategy is assigned, all realms are still checked. The cause of this
      problem is that the class org.apache.shiro.authc.pam.FirstSuccessfulStrategy is not properly implemented: it only ignores the results of later realms, it does not stop calling them.

      authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
      securityManager.authenticator.authenticationStrategy = $authcStrategy
      

      Desired Behavior

      It should be possible to configure the multi-realm behavior in a way that, after a successful authentication, no further realms are checked.

      To achieve this a new Shiro authenticator class should be implemented. This authenticator stops calling realms as soon as one successful authentication has been performed, provided the strategy org.apache.shiro.authc.pam.FirstSuccessfulStrategy is assigned.

      authenticator = com.sos.auth.shiro.SOSAuthenticator
      securityManager.authenticator=$authenticator
      

      If this new authenticator is not used then messages originating from the NamingException should have the severity INFO instead of WARN or ERROR.

      Behavior in the SOS implementation: Additionally a new strategy class com.sos.auth.shiro.SOSFirstSuccessfulStrategy should be implemented that works with the standard authenticator.

      With this feature there are two alternative ways to get the FirstSuccessfulStrategy behavior:

      A: Via Strategy

      authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulStrategy
      securityManager.authenticator.authenticationStrategy = $authcStrategy
      

      B: Via Authenticator

      authenticator = com.sos.auth.shiro.SOSAuthenticator
      # Please note that you have to assign the realms to the authenticator instead of to securityManager.realms
      authenticator.realms = $iniRealm, $ldapRealm
      authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
      authenticator.authenticationStrategy = $authcStrategy
      securityManager.authenticator=$authenticator
      

      Recommended: B
      Similarity: Only the roles from the first successful realm will be assigned.
      Difference: With A all realms will be contacted. With B no more realms will be contacted after the first successful login.
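      The short-circuit described for variant B, as an added illustration that is not the SOSAuthenticator source from the SOS code base: a subclass of Shiro's ModularRealmAuthenticator (class name StopAfterFirstSuccessAuthenticator is hypothetical) that leaves the remaining realms untouched once the aggregate carries principals and the assigned strategy is FirstSuccessfulStrategy. In shiro.ini it would take the place of com.sos.auth.shiro.SOSAuthenticator in the "authenticator = ..." line, with the realms assigned to the authenticator as shown above.

```java
// Hypothetical class name; illustrates the technique, not the actual SOSAuthenticator source.
import java.util.Collection;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;

/** Like ModularRealmAuthenticator, but stops after the first successful realm when
 *  FirstSuccessfulStrategy is configured, so an ini-only user is never sent to LDAP. */
public class StopAfterFirstSuccessAuthenticator extends ModularRealmAuthenticator {

    @Override
    protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms,
                                                            AuthenticationToken token) {
        AuthenticationStrategy strategy = getAuthenticationStrategy();
        // Only short-circuit when the operator asked for first-success semantics.
        boolean stopAfterSuccess = strategy instanceof FirstSuccessfulStrategy;

        AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
        for (Realm realm : realms) {
            aggregate = strategy.beforeAttempt(realm, token, aggregate);
            if (!realm.supports(token)) {
                continue; // realm handles a different token type; same as stock Shiro
            }
            AuthenticationInfo info = null;
            Throwable failure = null;
            try {
                info = realm.getAuthenticationInfo(token);
            } catch (Throwable t) {
                failure = t; // the strategy decides whether a failing realm is fatal
            }
            aggregate = strategy.afterAttempt(realm, token, info, aggregate, failure);
            if (stopAfterSuccess && hasPrincipals(aggregate)) {
                break; // first successful realm wins; later realms are not contacted
            }
        }
        // Stock Shiro throws AuthenticationException further up if this is null.
        return strategy.afterAllAttempts(token, aggregate);
    }

    private static boolean hasPrincipals(AuthenticationInfo info) {
        return info != null && info.getPrincipals() != null && !info.getPrincipals().isEmpty();
    }
}
```

      Because the loop exits before the LDAP realm is queried, the "error code 49" warning shown above is not produced for users that the ini realm already authenticated.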


          People

          • Assignee: Uwe Risse
          • Reporter: Uwe Risse
          • Approver: Alan Amos