Hi Jiggy,

> I am a Shiro newbie.

Welcome!

> Currently we have Form Based Authentication layer implemented.
> Our Realm extends AuthorizingRealm
> We are extending FormAuthenticationFilter
>
> I am trying to figure out how to apply Authorization to
>
> 1. How authentication happens. It is already implemented but just curious.

When you call Subject.login(AuthenticationToken), the token makes its way to the SecurityManager. The SecurityManager calls a wrapped delegate Authenticator. This Authenticator uses an AuthenticationStrategy to interact with one or more Realms to support PAM (Pluggable Authentication Module)-like behavior. Typically each realm is consulted by the Strategy to see if it supports the submitted token, and if so, asks the realm to 'getAuthenticationInfo'. This method call constitutes an authentication attempt for that particular Realm/datasource. Ultimately the Strategy determines exactly how this process occurs, but that should give you a decent idea at a high level how it all works.

High level picture:

AuthenticationToken -- (submitted to) --> Subject.login --> SecurityManager --> Authenticator --> AuthenticationStrategy --> (1 or more Realms).

> 2. What do I need to do to implement Authorization on restful services. I
> looked a bit into HttpMethodPermissionFilter but I don't see the full
> picture. Where do permissions get stored, when to retrieve and how to feed
> them to Shiro. Any sample code would be greatly appreciated.

There are a few Sample applications in the Shiro distribution. Take a look at the 'spring-hibernate' sample application (even if you're not using spring or hibernate). It has a org.apache.shiro.samples.sprhib.security.SampleRealm that supports Authorization by implementing the 'doGetAuthorizationInfo' method. The AuthorizationInfo instance acts as a 'bridge' between your data model and Shiro. You manage permissions, how they're stored, what they look like, etc. according to that Realm's particular data store.

If your Realm implementation subclasses AuthorizingRealm (and you probably should to save you a lot of time), the 'doGetAuthorizationInfo' method will be called (this parallels the 'doGetAuthenticationInfo' method used only for authentication). When an authorization check occurs for a particular Subject (identified by a PrincipalCollection), your realm looks up any authorization-specific data for that particular Subject however it wants (LDAP query, JDBC query, etc.) and 'translates' your app-specific data into an instance of AuthorizationInfo. The AuthorizingRealm superclass will take that object, cache it if you have caching enabled (highly recommended for good performance), and then inspect it in order to fulfill all of its org.apache.shiro.authz.Authorizer method implementations (every Realm extends the Authorizer interface). The AuthorizingRealm abstract class implements all those methods, but requires the AuthorizationInfo from you.

As for the HttpMethodPermissionFilter, it takes the HTTP Request Method and based on your chain configuration, translates the request into a Permission. Subject.isPermitted(permission) is called by the filter, which eventually will call your AuthorizingRealm to see if isPermitted(permission) is true or not. See the WildcardPermission JavaDoc for how the AuthorizingRealm will perform permission implication/comparison logic to determine this answer.

HTH!

Best,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training: http://www.katasoft.com
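The following is an added example, not code from Les's reply or from the Shiro sample applications. It shows both halves of the answer above in one AuthorizingRealm subclass: 'doGetAuthenticationInfo' is what the AuthenticationStrategy reaches on Subject.login, and 'doGetAuthorizationInfo' is the bridge that turns app-specific data into an AuthorizationInfo for the Authorizer methods. The realm name, the user accounts and their wildcard permission strings are constructed sample data held in an in-memory map standing in for an LDAP or JDBC store, and 'permissionFor' is a hypothetical helper that mirrors the verb-to-action mapping HttpMethodPermissionFilter applies for a chain entry such as `rest[users]` (GET/HEAD/OPTIONS/TRACE become read, POST create, PUT update, DELETE delete).

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical realm backed by constructed in-memory data (stand-in for LDAP/JDBC). */
public class InMemoryRestRealm extends AuthorizingRealm {

    // username -> stored credential. A production realm would store salted hashes
    // and configure a HashedCredentialsMatcher instead of plain-text comparison.
    private final Map<String, String> credentials = new HashMap<>();
    // username -> wildcard permission strings (see the WildcardPermission JavaDoc)
    private final Map<String, Set<String>> permissions = new HashMap<>();

    public InMemoryRestRealm() {
        setName("inMemoryRestRealm");                       // constructed realm name
        credentials.put("alice", "alice-secret");           // constructed accounts
        credentials.put("bob", "bob-secret");
        permissions.put("alice", new HashSet<>(Arrays.asList("users:*")));    // any action on users
        permissions.put("bob", new HashSet<>(Arrays.asList("users:read")));   // read-only on users
    }

    /** Authentication: reached once per Subject.login() via the AuthenticationStrategy. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String stored = credentials.get(upToken.getUsername());
        if (stored == null) {
            throw new UnknownAccountException("No account for " + upToken.getUsername());
        }
        // Hand the stored credential back; the realm's CredentialsMatcher does the comparison.
        return new SimpleAuthenticationInfo(upToken.getUsername(), stored, getName());
    }

    /** Authorization: called lazily on the first permission/role check, then cached by the superclass. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(permissions.getOrDefault(username, Collections.emptySet()));
        return info;
    }

    /** Hypothetical helper: the verb-to-action translation HttpMethodPermissionFilter performs. */
    static String permissionFor(String httpMethod, String resource) {
        switch (httpMethod.toUpperCase(Locale.ROOT)) {
            case "POST":   return resource + ":create";
            case "PUT":    return resource + ":update";
            case "DELETE": return resource + ":delete";
            default:       return resource + ":read";      // GET, HEAD, OPTIONS, TRACE
        }
    }

    public static void main(String[] args) {
        // Non-web wiring; in a web app the ini [main]/[urls] sections do this instead.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRestRealm()));
        Subject bob = SecurityUtils.getSubject();
        bob.login(new UsernamePasswordToken("bob", "bob-secret"));

        // "users:read" is implied by bob's "users:read"; "users:delete" is not.
        System.out.println("GET /rest/users allowed?    " + bob.isPermitted(permissionFor("GET", "users")));
        System.out.println("DELETE /rest/users allowed? " + bob.isPermitted(permissionFor("DELETE", "users")));
        bob.logout();
    }
}
```

In a web deployment the same realm would be registered in shiro.ini under `[main]` and the REST chain declared under `[urls]` as something like `/rest/users/** = authcBasic, rest[users]`; the filter then builds the `users:<action>` string from the request method and calls Subject.isPermitted on it, which lands in 'doGetAuthorizationInfo' exactly as 'permissionFor' plus the isPermitted calls in main() do here. Enabling authorization caching on the realm avoids repeating the data-store lookup on every request.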
