Hi Sebastian,

Yes, this is possible and usually recommended.

A Realm is essentially a security-specific DAO.  Since DAOs usually
use a single datasource API (JDBC or Hibernate or File I/O, etc), it
is common to have one Realm per datasource.

So, using your example, you can use the PropertiesRealm out of the box
for logins.  Then you can configure a JdbcRealm.  But since you don't
want the JdbcRealm to perform authentication duties (just
authorization), you can subclass it and override the
'supports(AuthenticationToken token)' method to always return false:

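import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.realm.jdbc.JdbcRealm;

public class MyJdbcRealm extends JdbcRealm {
// ...
// Opt out of every login attempt; this realm only answers authorization checks.
@Override
public boolean supports( AuthenticationToken token ) {
    return false;
}
// ...
}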

This way the JdbcRealm will never attempt to process a login attempt.

Here's how you would set it up for testing or in a _standalone_
environment without a configuration container such as JEE, IoC or web
environments.  These environments almost always use the
JSecurityFilter in web.xml instead:

IniConfiguration config = new IniConfiguration();
//the following call will automatically use jsecurity.ini at the root
//of the classpath:
config.init();

//This is for Standalone (single-VM) applications that don't use a
//configuration container (Spring, JBoss, etc)
//See its JavaDoc for our feelings on this.
SecurityUtils.setSecurityManager(config.getSecurityManager());

/* ** The code below here would be used in all environments - testing,
standalone, JEE, web container, etc: ** */
Subject currentUser = SecurityUtils.getSubject();

//login:
currentUser.login( new UsernamePasswordToken( username, password,
rememberMe ) );

// ...
currentUser.logout();

Note that with this code, you configure your realms inside of
jsecurity.ini which resides at the root of the classpath.  If you
don't want it at the root of the classpath, you can put it somewhere
else and then specify that path to the IniConfiguration object before
calling init().

I hope that helps!

Regards,

Les
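
A simplified, self-contained model of the dispatch described above (an added example, not part of the original message and not JSecurity code): the login path consults only realms whose supports() returns true, while role checks consult every realm. Every type and method name here other than supports is a hypothetical stand-in, and the user, password and role are constructed sample data.

```java
import java.util.*;

// Simplified model of multi-realm dispatch; these types are hypothetical, not JSecurity classes.
public class RealmDispatchDemo {
    interface Realm {
        boolean supports(String tokenType);            // may this realm process a login token?
        boolean authenticate(String user, char[] pw);  // reached only when supports() is true
        boolean hasRole(String user, String role);     // consulted on every authorization check
    }
    // Stand-in for the PropertiesRealm: holds passwords, grants no roles.
    static class LoginRealm implements Realm {
        final Map<String, String> passwords = Map.of("sebastian", "secret"); // constructed sample
        public boolean supports(String t) { return "password".equals(t); }
        public boolean authenticate(String u, char[] pw) { return passwords.containsKey(u) && Arrays.equals(passwords.get(u).toCharArray(), pw); }
        public boolean hasRole(String u, String r) { return false; }
    }
    // Stand-in for MyJdbcRealm: holds roles only and opts out of every login.
    static class RoleRealm implements Realm {
        final Map<String, Set<String>> roles = Map.of("sebastian", Set.of("clerk")); // constructed sample
        int loginCalls = 0;                            // stays 0 if the opt-out works
        public boolean supports(String t) { return false; }
        public boolean authenticate(String u, char[] pw) { loginCalls++; return false; }
        public boolean hasRole(String u, String r) { return roles.getOrDefault(u, Set.of()).contains(r); }
    }
    // Login path: realms that do not support the token never see the credentials.
    static boolean login(List<Realm> realms, String user, char[] pw) {
        return realms.stream().filter(r -> r.supports("password")).anyMatch(r -> r.authenticate(user, pw));
    }
    // Authorization path: any configured realm may grant the role.
    static boolean hasRole(List<Realm> realms, String user, String role) {
        return realms.stream().anyMatch(r -> r.hasRole(user, role));
    }
    public static void main(String[] args) {
        RoleRealm roleRealm = new RoleRealm();
        List<Realm> realms = List.of(new LoginRealm(), roleRealm);
        boolean ok = login(realms, "sebastian", "secret".toCharArray());
        System.out.println("authenticated: " + ok);
        System.out.println("role realm saw a login: " + (roleRealm.loginCalls > 0));
        System.out.println("has clerk role: " + (ok && hasRole(realms, "sebastian", "clerk")));
        System.out.println("wrong password accepted: " + login(realms, "sebastian", "wrong".toCharArray()));
    }
}
```

Both realms stay configured for the whole session; nothing is swapped on the security manager between login and the role check.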

On Tue, Sep 23, 2008 at 6:06 PM, Sebastian_K <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Is it possible to use one Realm for authentication (e.g. PropertiesRealm
> only with password information) and then after login another Realm for
> authorization (e.g. JdbcRealm with no password information but with
> user-role-permission information)?
>
> I tried this, but that's definitely wrong:
>
> DefaultSecurityManager securityManager = new DefaultSecurityManager();
> securityManager.setRealm(propertiesRealm);
>
> UsernamePasswordToken token = new UsernamePasswordToken("sebastian",
> "secret" );
> token.setRememberMe(true);
> Subject user = securityManager.login(token);
> /*...*/ user.isAuthenticated();
> securityManager.setRealm(jdbcRealm);
> user = SecurityUtils.getSubject();
> /*...*/ user.hasRole("clerk");
>
> I get a NoSuchElementException:
> Exception in thread "main" java.util.NoSuchElementException
>        at java.util.Collections$EmptySet$1.next(Collections.java:2912)
>        at java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
>        at org.jsecurity.realm.jdbc.JdbcRealm.doGetAuthorizationInfo(JdbcRealm.java:265)
>        at org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:279)
>        at org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:500)
>        at org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:178)
>        at org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:213)
>        at org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:211)
>        at JDBCSample.main(JDBCSample.java:54)
>
> Can somebody help me please?
>
> Sebastian
>
> --
> View this message in context: 
> http://n2.nabble.com/Multiple-Realms%2C-one-for-Authentikation%2C-one-for-Authorization-tp1113845p1113845.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>
