I appreciate the help, but I am so lost that I have no idea where to turn. My scenario is like this: Users are already authenticated and as a result their user-id is in the HttpServletRequest header. I thought I was supposed to use the Realm to load their roles, permissions, etc, but it looks like some of what is in the Realm is duplicated in the AuthenitcatingFilter.
Once I get the Subject loaded up with their roles and permissions all is well and good. Why I could not use Spring security is the user is able to change their 'region' which comes with it a new set of permissions. I need for Shiro to load up these new permissions so that they can be checked for later. And now, I'm still staring at a blank wall and security was supposed to be done this week. Mike ------ Original Message ------ Received: From: "Jared Bunting [via Shiro Developer]" <[email protected]> To: mangelo <[email protected]> Subject: Re: Single Sign On (SSO), Spring, Hibernate Help. > > > On 03/04/2011 09:33 AM, mangelo wrote: > > I am brand new to Shiro. Just found it last night. I am very encouraged from > > what I've read so far. My security requirements seem to be too much for > > Spring Security. I am confident that Shiro can handle them given the > > flexibility. > > > > The only problem is that I don't know how quite to get started. I've found > > the Spring samples and how to get set up. My problem is the users of my app > > are already authenticated by Oracle SSO. The username is in the request > > header. > > > > How do I get it out of the request header and into Shiro? Where would I put > > such code? > > This should go into a filter. You likely want to extend > AuthenticatingFilter - look at the BasicHttpAuthenticationFilter for an > example that uses headers. > > Basically, your filter should pack up the header value in an > AuthenticationToken. Shiro will pass this AuthenticationToken to your > Realm. > > > > > I have based my Realm from the SampleRealm class. Should I always return > > 'false' from the supports method? Should I return SimpleAuthenticationInfo() > > with an empty string as the password? > > I would say yes. In addition, accept the AuthenticationToken type that > you created in your filter. > > > > > If there is a more complete example that would help out a lot. I feel like > > I've hit a brick wall. > > > > TIA. > > > > MIke. > > > > -- > > View this message in context: http://shiro-developer.582600.n2.nabble.com/Single-Sign-On-SSO-Spring-Hibernate-Help-tp6088874p6088874.html > > Sent from the Shiro Developer mailing list archive at Nabble.com. > > > > > _______________________________________________ > If you reply to this email, your message will be added to the discussion below: > http://shiro-developer.582600.n2.nabble.com/Single-Sign-On-SSO-Spring-Hibernate-Help-tp6088874p6089122.html > > To unsubscribe from Single Sign On (SSO), Spring, Hibernate Help., visit http://shiro-developer.582600.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=6088874&code=bWlrZWFuZ2Vsb0B1c2EubmV0fDYwODg4NzR8LTE1NDY4NDI3NDY= -- View this message in context: http://shiro-developer.582600.n2.nabble.com/Single-Sign-On-SSO-Spring-Hibernate-Help-tp6088874p6089432.html Sent from the Shiro Developer mailing list archive at Nabble.com.
