In that case, what is the preferred way to handle a case where I want to use AD for both authentication and authorization, as well as an additional ini realm for authorization but not authentication? Should I write a custom authenticator (or is there one available to do this?) or is there another best way for this?
On Tue, Jan 8, 2013 at 1:21 PM, Les Hazlewood <[email protected]> wrote:

> While I guess the AD Realm could implement the Authenticator interface, the Authenticator interface really represents a higher level concept than Realms:
>
> There is typically one and only one Authenticator per Shiro SecurityManager. The Authenticator in turn knows how to coordinate across one or more Realm instances to perform authentication attempts.
>
> http://shiro.apache.org/authentication.html#Authentication-AuthenticationSequence
>
> Authenticator implementations also tend to be responsible for managing AuthenticationListeners and triggering various authentication events, which is typically not the responsibility of Realms. Also, since Shiro's default Authenticator implementations already handle the single-realm use case, they can handle apps that might have only a single AD Realm configured (i.e. no need to use the Realm as the Authenticator - just plug it in to the Authenticator that already exists).
>
> HTH,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>
> On Mon, Jan 7, 2013 at 9:47 PM, John Vines <[email protected]> wrote:
>
> > Is there any reason that the provided ActiveDirectoryRealm doesn't
> > implement the Authenticator interface? It is a really simple code change,
> > but I'm wondering if there was any sort of design decision against this.
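
The realm coordination described in this thread, as an added example that is not part of the original messages or Shiro's own code: a realm whose `supports()` returns false is skipped by the default Authenticator but is still consulted for roles. Assumptions: `SimpleAccountRealm` stands in for both the AD realm and the ini realm so the example runs without a directory server, and the class name `AuthorizationOnlyRealm`, the accounts and the passwords are constructed.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

import java.util.Arrays;

public class AuthzOnlyRealmDemo {

    /** Contributes roles but is skipped during login (hypothetical class name). */
    static class AuthorizationOnlyRealm extends SimpleAccountRealm {
        AuthorizationOnlyRealm(String name) { super(name); }

        @Override
        public boolean supports(AuthenticationToken token) {
            return false; // the Authenticator never hands this realm a token
        }
    }

    public static void main(String[] args) {
        // Constructed sample data. "adStandIn" plays the role of the AD realm.
        SimpleAccountRealm adStandIn = new SimpleAccountRealm("adStandIn");
        adStandIn.addAccount("jdoe", "directory-password", "staff");

        // Plays the role of the ini realm: same user, extra role, unused password.
        AuthorizationOnlyRealm extraRoles = new AuthorizationOnlyRealm("extraRoles");
        extraRoles.addAccount("jdoe", "local-password", "auditor");

        DefaultSecurityManager sm =
                new DefaultSecurityManager(Arrays.<Realm>asList(adStandIn, extraRoles));
        Subject subject = new Subject.Builder(sm).buildSubject();

        // A password known only to the authorization-only realm must not log in.
        try {
            subject.login(new UsernamePasswordToken("jdoe", "local-password"));
            System.out.println("unexpected: authorization-only credentials accepted");
        } catch (AuthenticationException expected) {
            System.out.println("local-password rejected: only adStandIn authenticates");
        }

        // After a login through adStandIn, roles from both realms are visible.
        subject.login(new UsernamePasswordToken("jdoe", "directory-password"));
        System.out.println("staff   (from adStandIn):  " + subject.hasRole("staff"));
        System.out.println("auditor (from extraRoles): " + subject.hasRole("auditor"));
    }
}
```

The role lookup in the second realm is keyed on the primary principal produced by the authenticating realm, so user names must match across the two realms for the extra roles to apply.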
