...
```ini
authenticator = com.sos.auth.shiro.SOSAuthenticator
securityManager.authenticator = $authenticator
# Please note that with the SOS authenticator the realms are assigned to the authenticator, not to securityManager.realms
authenticator.realms = $iniRealm, $ldapRealm
```
The SOS authenticator can be used with all three authentication strategies, but it only modifies the behavior of the First Successful strategy,
...
Multi Group Realms

```ini
[main]
A#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
A#Ldap1.userDnTemplate = uid={0},dc=example,dc=com
A#Ldap1.searchBase = dc=example,dc=com
A#Ldap1.contextFactory.url = ldap://ldap.forumsys.com:389
A#Ldap1.groupNameAttribute = ou
A#Ldap1.userNameAttribute = uid
A#Ldap1.rolePermissionResolver = $rolePermissionResolver
A#Ldap1.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
A#Ldap1.groupRolesMap = \
scientists : r1, \
mathematicians: r2
A#Ldap1.roleAssignmentFromIni = false
A#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...
B#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...
B#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
securityManager.realms = $A#Ldap1,$A#Ldap2,$B#Ldap1,$B#Ldap2
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
```
...
The following sections give examples of the behavior with the different strategies.
SOSFirstSuccessfulGroupStrategy
```ini
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
...
- All Realms with the same group will be checked group-wise.
- In every group there must be one Realm that can be authenticated, otherwise authentication will fail for all groups.
- The roles from the first Realm per group will be added to the roles the user is assigned.
Authentication Matrix
| A#Ldap1 | A#Ldap2 | B#Ldap1 | B#Ldap2 | Resulting Role Assignments |
|---|---|---|---|---|
| x | x | x | x | A#Ldap1, B#Ldap1 |
| x | | x | x | A#Ldap1, B#Ldap1 |
| x | x | | x | A#Ldap1, B#Ldap2 |
| x | x | x | | A#Ldap1, B#Ldap1 |
| | x | x | x | A#Ldap2, B#Ldap1 |
| x | x | | | fail |
| x | | x | | A#Ldap1, B#Ldap1 |
| x | | | x | A#Ldap1, B#Ldap2 |
| | x | x | | A#Ldap2, B#Ldap1 |
| | x | | x | A#Ldap2, B#Ldap2 |
| | | x | x | fail |
| x | | | | fail |
| | x | | | fail |
| | | x | | fail |
| | | | x | fail |
| | | | | fail |
SOSAllSuccessfulGroupStrategy
```ini
authcStrategy = org.apache.shiro.authc.pam.SOSAllSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
Explanation
- All realms with the same group will be checked group-wise.
- In at least one group all Realms must be authenticated.
- The roles from Realms in groups where all Realms can be authenticated will be merged to the roles the user is assigned.
Authentication Matrix
| A#Ldap1 | A#Ldap2 | B#Ldap1 | B#Ldap2 | Resulting Role Assignments |
|---|---|---|---|---|
| x | x | x | x | A#Ldap1, A#Ldap2, B#Ldap1, B#Ldap2 |
| x | | x | x | B#Ldap1, B#Ldap2 |
| x | x | | x | A#Ldap1, A#Ldap2 |
| x | x | x | | A#Ldap1, A#Ldap2 |
| | x | x | x | B#Ldap1, B#Ldap2 |
| x | x | | | A#Ldap1, A#Ldap2 |
| x | | x | | fail |
| x | | | x | fail |
| | x | x | | fail |
| | x | | x | fail |
| | | x | x | B#Ldap1, B#Ldap2 |
| x | | | | fail |
| | x | | | fail |
| | | x | | fail |
| | | | x | fail |
| | | | | fail |
SOSAllSuccessfulFirstGroupStrategy
```ini
authcStrategy = org.apache.shiro.authc.pam.SOSAllSuccessfulFirstGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
Explanation
...
- All Realms with the same group will be checked group-wise.
- In at least one group all Realms must be authenticated.
- The roles from the Realms in the first group where all Realms can be authenticated will be merged with other roles the user may already be assigned.
Authentication Matrix
| A#Ldap1 | A#Ldap2 | B#Ldap1 | B#Ldap2 | Resulting Role Assignments |
|---|---|---|---|---|
| x | x | x | x | A#Ldap1, A#Ldap2 |
| x | | x | x | B#Ldap1, B#Ldap2 |
| x | x | | x | A#Ldap1, A#Ldap2 |
| x | x | x | | A#Ldap1, A#Ldap2 |
| | x | x | x | B#Ldap1, B#Ldap2 |
| x | x | | | A#Ldap1, A#Ldap2 |
| x | | x | | fail |
| x | | | x | fail |
| | x | x | | fail |
| | x | | x | fail |
| | | x | x | B#Ldap1, B#Ldap2 |
| x | | | | fail |
| | x | | | fail |
| | | x | | fail |
| | | | x | fail |
| | | | | fail |
SOSAtLeastOneSuccessfulGroupStrategy
```ini
authcStrategy = org.apache.shiro.authc.pam.SOSAtLeastOneSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
...
- All Realms with the same group will be checked group-wise.
- At least one Realm must be authenticated in every group.
- The roles from all Realms that have been authenticated will be merged with other roles the user may already be assigned.
Authentication Matrix
| A#Ldap1 | A#Ldap2 | B#Ldap1 | B#Ldap2 | Resulting Role Assignments |
|---|---|---|---|---|
| x | x | x | x | A#Ldap1, A#Ldap2, B#Ldap1, B#Ldap2 |
| x | | x | x | A#Ldap1, B#Ldap1, B#Ldap2 |
| x | x | | x | A#Ldap1, A#Ldap2, B#Ldap2 |
| x | x | x | | A#Ldap1, A#Ldap2, B#Ldap1 |
| | x | x | x | A#Ldap2, B#Ldap1, B#Ldap2 |
| x | x | | | fail |
| x | | x | | A#Ldap1, B#Ldap1 |
| x | | | x | A#Ldap1, B#Ldap2 |
| | x | x | | A#Ldap2, B#Ldap1 |
| | x | | x | A#Ldap2, B#Ldap2 |
| | | x | x | fail |
| x | | | | fail |
| | x | | | fail |
| | | x | | fail |
| | | | x | fail |
| | | | | fail |
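As an added example (not code from the SOS project or Shiro), the following Python model implements the four group strategies exactly as the explanations and matrices above describe them: realms are grouped by the prefix before `#`, and each strategy decides whether authentication succeeds and which realms contribute roles. The realm names and the short strategy labels are assumed from this page; the model lets a practitioner check a planned realm layout against the expected outcome before deploying it.

```python
"""Model of the four SOS group strategies (constructed example, not the SOS implementation)."""

# Realm order as configured in securityManager.realms (names assumed from the page)
REALMS = ["A#Ldap1", "A#Ldap2", "B#Ldap1", "B#Ldap2"]


def groups(realms):
    """Group realm names by the prefix before '#', preserving configuration order."""
    out = {}
    for r in realms:
        out.setdefault(r.split("#", 1)[0], []).append(r)
    return out


def evaluate(strategy, realms, succeeded):
    """Return the realms whose roles are assigned, or None when authentication fails."""
    succeeded = set(succeeded)
    assigned = []
    if strategy == "FirstSuccessfulGroup":
        # every group needs one successful realm; only the first one per group contributes roles
        for members in groups(realms).values():
            ok = [r for r in members if r in succeeded]
            if not ok:
                return None
            assigned.append(ok[0])
    elif strategy == "AtLeastOneSuccessfulGroup":
        # every group needs one successful realm; all successful realms contribute roles
        for members in groups(realms).values():
            ok = [r for r in members if r in succeeded]
            if not ok:
                return None
            assigned.extend(ok)
    elif strategy in ("AllSuccessfulGroup", "AllSuccessfulFirstGroup"):
        # at least one group must have all realms succeed; roles come from such groups
        # (only the first such group for the "First" variant)
        for members in groups(realms).values():
            if all(r in succeeded for r in members):
                assigned.extend(members)
                if strategy == "AllSuccessfulFirstGroup":
                    break
        if not assigned:
            return None
    else:
        raise ValueError("unknown strategy: " + strategy)
    return assigned


def matrix_row(strategy, succeeded):
    """Render one row of the Authentication Matrix tables as text ("fail" or a realm list)."""
    result = evaluate(strategy, REALMS, succeeded)
    return "fail" if result is None else ", ".join(result)
```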
...