Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 29

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 30

changes.mady.by.user Uwe Risse

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • If the authorization occurs through the ini realm then the user account will only be assigned the roles specified for the ini realm. The LDAP realm(s) will be ignored.
  • If the authorization occurs through an LDAP realm then, regardless of whether or not the same password is used in each realm:
    • The user account will be assigned the role(s) specified for the account in the (first) authorizing realm.
    • The user account will also be assigned the role(s) specified for the account in the ini realm.
      • This behavior ensures that a login is possible in the event of problems with the LDAP realm(s).
    • The order in which the realms are specified in the securityManager.realms parameter is not significant here.
    • The roleAssignmentFromIni=false setting (default true) can be used to modify the behavior of the First Successful strategy so that roles from the ini realm are not assigned. See the Suppressing assignment of the ini Realm section below.

  Show If

useraa
When the SOS Authenticator is used with the At Least One Successful strategy:
  • ...

When the SOS Authenticator is used with the All Successful strategy:

  • ...
StrategyAuthenticator.........
First Successfulshiro   
First  SuccessfulSOS   
At Least One Successfulshiro/SOS   
All Successfulshiro/SOS   
     

Suppressing assignment of the ini Realm

Display feature availability
StartingFromRelease1.12.4

Suppressing assignment of the ini Realm

Display feature availability
StartingFromRelease1.12.4

When the First Successful strategy is used when an ini Realm and one or more LDAP Realms have accounts with common user When the First Successful strategy is used when an ini realm and one or more LDAP realms have accounts with common user names and separate passwords, the roles for the ini realm Realm will be assigned by default when the login is carried out for one of the LDAP realmsRealms. This behavior can be suppressed by setting the roleAssignmentFromIni parameter property to false for the  the LDAP realms Realms in the environment. This is shown in the code example below: 

Code Block
languagexml
titleConfiguration for ini and LDAP Realms
collapsetrue
[users]
newton = $shiro1$SHA-512$500000$wsJJJJ7cbBpoVi0C...JJ5U5pter6Q==,administrator

[main]
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
 
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
 
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all
publicLdapRealm.roleAssignmentFromIni = false
 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
 
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
securityManager.realms = $publicLdapRealm, $iniRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager$authcStrategy
securityManager.cacheManagerrealms = $cacheManager

With the above configuration:

  • When the user name newton is used together with the password for the ini realm then the account will be assigned the administrator role.
  • When the user name newton is used together with the password for the LDAP realm then the account will be assigned the it_operator role.

Realm Group/Role Mappings

Display feature availability
StartingFromRelease1.12.4

Logical selection of realm group strategies can also be implemented. These strategies determine, for example, that an account will only be authenticated for one realm when it can also be authenticated for all the realms in that group.

Configuration

This feature is activated by inserting the following line of code in the [main] section of the Shiro ini file:

  • securityManager.authenticator.authenticationStrategy = $authcStrategy

In addition a logical strategy has to be implemented - the following four strategies are available:

...

 $publicLdapRealm, $iniRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

With the above configuration:

  • When the user name newton is used together with the password for the ini realm then the account will be assigned the administrator role.
  • When the user name newton is used together with the password for the LDAP realm then the account will be assigned the it_operator role.

Realm Group/Role Mappings

Display feature availability
StartingFromRelease1.12.4

Use of group strategies can be configured. These strategies determine, for example, that an account will only be authenticated for one realm when it can also be authenticated for all the realms in that group.

Configuration

The group strategy has to be configured - the following four strategies are available:

  • SOSFirstSuccessfulGroupStrategy
  • SOSAllSuccessfulGroupStrategy
  • SOSAllSuccessfulFirstGroupStrategy
  • SOSAtLeastOneSuccessfulGroupStrategy

The strategy to be followed is specified by adding, for example, the following to the [main] section of the Shiro ini file:

  • authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulGroupStrategy
  • securityManager.authenticator.authenticationStrategy = $authcStrategy

For the grouping of strategies a naming convention has to be followed that includes to separate the group form the Realm name by a hashtag, for example

  • A#Ldap1

Example

The following example uses two Groups "A" and "B", each with two Realms each. Roles "r1" and "r2" are configured per Realm by the groups/roles mapping instruction: 

 

...

The strategy to be followed is specified by adding, for example, the following to the [main] section of the Shiro ini file:

  • authcStrategy = com.sos.auth.shiro.SOSFirstSuccessfulGroupStrategy

Finally all group realms are to be named following the syntax:

  • group#name

Example

The following example uses two Groups, each with two Realms. An account with a common User Name and Password is configured for all Realms:

A#Ldap1
roles = a1

A#Ldap2
roles = a2

B#Ldap1
roles = b1

B#Ldap2
roles = b2

 

Find the following example main section for this scenario:

Code Block
titleMulti Group Realms
collapsetrue
[main]
A#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
A#Ldap1.userDnTemplate = uid={0},dc=example,dc=com
A#Ldap1.searchBase = dc=example,dc=com
A#Ldap1.contextFactory.url = ldap://ldap.forumsys.com:389
 
A#Ldap1.groupNameAttribute = ou
A#Ldap1.userNameAttribute = uid
 
A#Ldap1.rolePermissionResolver = $rolePermissionResolver
A#Ldap1.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
A#Ldap1.groupRolesMap = \
  scientists : it_operatorr1, \
  mathematicians: allr2
A#Ldap1.roleAssignmentFromIni = false
 
A#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

B#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

B#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
 
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
securityManager.realms = $A#Ldap1,$A#Ldap2,$B#Ldap1,$B#Ldap2
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

 

...


Example Behavior with Different Strategies
...
 Code Block
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
...
Explanation
  • All Realms with the same group will be checked group-wise.
  • In every group there must be one Realm that can be authenticated.If none of the Realms in at least one group authenticate then , otherwise authentication will fail for all groups.
  • The roles from the first Realm per group will be merged added to the roles the user is assigned.
      Example:
        • If A#Ldap1, A#Ldap2 and B#Ldap2 can authenticate and B#Ldap1 cannot authenticate then the user will be assigned the roles 
         a1 and b2
        • from the first authenticated Realm A#Ldap1 and B#Ldap2.
        • If only A#Ldap2 and 
         B#Ldap1 
        • A#Ldap1 can authenticate then authentication will fail.
      SOSAllSuccessfulGroupStrategy
      ...
      • All Realms with the same group will be checked group-wise.
      • In at least one group all Realms must be authenticated.
      • The roles from Realms in the first group where all Realms can be authenticated will be merged with other roles the user may be assigned.
      Example:
      • If A#Ldap1, and B#Ldap1, B#Ldap2 can authenticate then the user will be assigned the roles b1, b2
      • If A#Ldap1, A#Ldap2 and B#Ldap2 can authenticate then the user will be assigned the roles a1, a2
      • If A#Ldap1 and B#Ldap2 can authenticate then authentication will fail.
      ...
      • All Realms with the same group will be checked group-wise.
      • At least one Realm must be authenticated in every group.
      • The roles from Realms that have been authenticated will be merged with other roles the user may be assigned.
      Example:
      • If A#Ldap1, B#Ldap1, B#Ldap2 can authenticate then the user will be assigned the roles a1, b1, b2
      • If B#Ldap1 and B#Ldap2 can authenticate then authentication will fail.
      ...