Re: shiro.ini [urls] authorization: lock to one user

2016-12-05 Thread Brian Demers
If you enabled the IniRealm, users would likely be able to login without a password. Which is why you would need to extend/create a realm that only added additional Authorization, and NOT Authentication. On Fri, Dec 2, 2016 at 4:14 PM, Ruslan Dautkhanov wrote: > Thank you Brian. > > We're using

Re: shiro.ini [urls] authorization: lock to one user

2016-12-02 Thread Ruslan Dautkhanov
Thank you Brian. We're using Apache Zeppelin which uses Apache Shiro. So it's not our own product and we're limited what we can develop. Will it be possible to have [users] rdautkhanov@CORP.DOMAIN = ,admin So user name rdautkhanov@CORP.DOMAIN will actually will be coming from LDAP authenticatio

Re: shiro.ini [urls] authorization: lock to one user

2016-12-02 Thread Brian Demers
You have a couple options: - Extend and include one of the TextConfigurationRealms: change how users are parsed (remove the need for passwords), and return null from 'doGetAuthenticationInfo()', so the Realm ONLY provides authorization. - Extend the LDAP realm, creating a custom doGetAuthorization

Re: shiro.ini [urls] authorization: lock to one user

2016-12-01 Thread Ruslan Dautkhanov
Thank you Brian! Yes, this might do what we're looking for. Do you have an example how we could define a shiro.ini role for an LDAP user? I know that LDAP realm has a mapping of LDAP groups to Shiro roles, but for other reasons we can't use that. Can we just define a static shiro.ini role just f

Re: shiro.ini [urls] authorization: lock to one user

2016-12-01 Thread Brian Demers
The UserFiler does take a username as an arg, it only verifies a user's principal exists (authenticated or remembered) Your best bet is probably to use permissions or roles