JOC - JobScheduler Operations Center / JOC-444

Add Shiro strategies for collecting permissions from group/roles mappings with LDAP directory services

    Description

      Current Situation

      Shiro provides a FirstSuccessful strategy with the class org.apache.shiro.authc.pam.FirstSuccessfulStrategy

      Please note that the implementation is wrong (they @Override the method protected AuthenticationInfo merge instead of public AuthenticationInfo afterAttempt). You can use the class com.sos.auth.shiro.SOSFirstSuccessfulStrategy with the standard authenticator or the authenticator com.sos.auth.shiro.SOSAuthenticator to fix this.

      All given realms in securityManager.realms will be checked. The first authenticated realm will be used to get the roles for the login.

      Desired Behavior

      Additionally, the following strategies should be available:

      • com.sos.auth.shiro.SOSFirstSuccessfulGroupStrategy
      • com.sos.auth.shiro.SOSAllSuccessfulGroupStrategy
      • com.sos.auth.shiro.SOSAllSuccessfulFirstGroupStrategy
      • com.sos.auth.shiro.SOSAtLeastOneSuccessfulGroupStrategy

      Realms can be named with group#name.

      Example

      A#ldap1
      roles = a1

      A#ldap2
      roles = a2

      B#ldap1
      roles = b1

      B#ldap2
      roles = b2

      SOSFirstSuccessfulGroupStrategy

      All realms with the same group will be checked group-wise.
      In every group there must be one realm that can be authenticated.
      The roles from the first realm per group will be merged into the user's roles.

      Example
      If A#ldap1, A#ldap2 and B#ldap2 can authenticate, then the user will have the roles a1 and b2.

      SOSAllSuccessfulGroupStrategy

      All realms with the same group will be checked group-wise.
      In at least one group all realms must be authenticated.
      The roles from realms in groups where all realms can be authenticated will be merged into the user's roles.

      Example
      If A#ldap1, A#ldap2 and B#ldap1, B#ldap2 can authenticate, then the user will have the roles a1,a2,b1,b2.

      SOSAllSuccessfulFirstGroupStrategy

      All realms with the same group will be checked group-wise.
      In at least one group all realms must be authenticated.
      The roles from realms in the first group where all realms can be authenticated will be merged into the user's roles.

      Example
      If A#ldap1, A#ldap2 and B#ldap1, B#ldap2 can authenticate, then the user will have the roles a1,a2.

      SOSAtLeastOneSuccessfulGroupStrategy

      All realms with the same group will be checked group-wise.
      In all groups at least one realm must be authenticated.
      The roles from realms that can be authenticated will be merged into the user's roles.

      Example
      If A#ldap1, B#ldap1, B#ldap2 can authenticate, then the user will have the roles a1,b1,b2.
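
The four rule sets above, modelled as an added example (a Python sketch of the described semantics, not the com.sos.auth.shiro code). The helper names are hypothetical, and it assumes that every realm is named group#name and that an unmet condition rejects the login.

```python
from collections import OrderedDict

# Realm order and roles copied from the issue's example (group#name -> roles).
REALMS = [("A#ldap1", ["a1"]), ("A#ldap2", ["a2"]),
          ("B#ldap1", ["b1"]), ("B#ldap2", ["b2"])]


def by_group(realms):
    """Group realms by the part before '#', preserving configuration order."""
    groups = OrderedDict()
    for name, roles in realms:
        group = name.partition("#")[0]
        groups.setdefault(group, []).append((name, roles))
    return groups


def resolve_roles(strategy, realms, authenticated):
    """Return the merged role list, or None when the strategy's condition fails.

    Assumption: a failed condition means the login is rejected.
    """
    groups = list(by_group(realms).values())

    def ok(members):  # realms of one group that authenticated, in order
        return [(n, r) for n, r in members if n in authenticated]

    full = [m for m in groups if len(ok(m)) == len(m)]  # fully authenticated groups
    every_group_hit = all(ok(m) for m in groups)

    if strategy == "SOSFirstSuccessfulGroupStrategy":
        picked = [ok(m)[:1] for m in groups] if every_group_hit else None
    elif strategy == "SOSAllSuccessfulGroupStrategy":
        picked = full or None
    elif strategy == "SOSAllSuccessfulFirstGroupStrategy":
        picked = full[:1] or None
    elif strategy == "SOSAtLeastOneSuccessfulGroupStrategy":
        picked = [ok(m) for m in groups] if every_group_hit else None
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    if picked is None:
        return None
    return [role for members in picked for _, roles in members for role in roles]


if __name__ == "__main__":
    # Constructed input: the same partial result is accepted or rejected per strategy.
    partial = {"A#ldap1", "B#ldap1", "B#ldap2"}
    for s in ("SOSFirstSuccessfulGroupStrategy", "SOSAllSuccessfulGroupStrategy",
              "SOSAllSuccessfulFirstGroupStrategy", "SOSAtLeastOneSuccessfulGroupStrategy"):
        print(s, resolve_roles(s, REALMS, partial))
```

With the partial result used in the demo, the two "all successful" strategies grant only the roles of group B, while the other two also grant a1, so the choice of strategy directly changes the permissions a login receives.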

      How to configure this in shiro.ini

      Example with group wise first successful strategy

      authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulGroupStrategy
      securityManager.authenticator.authenticationStrategy = $authcStrategy
      

          People

            Uwe Risse
            Alan Amos

              Time Tracking

                Original Estimate: 1 week
                Remaining Estimate: 0 minutes
                Time Spent: 1 week