On Wed, May 11, 2011 at 7:00 AM, sminogue <[email protected]> wrote:
> I am new to shiro and having some trouble... Perhaps it's a problem of
> wrapping my head around how shiro works.
>
> I am building a JEE application. Users and their roles are defined in my
> database. However, passwords are not. Authentication is done above me by
> siteminder.
>
> I use my database for authorization purposes only. I am not having a lot of
> luck finding information about using shiro and siteminder.
>
> I did create my own custom realm and disabled authorization by returning
> false from the supports method.

That disables *authentication*, not authorization.  If your custom
realm extends AuthorizingRealm, you disable authorization by returning
null from the doGetAuthorizationInfo method.

I don't have any experience with siteminder, but assuming it is
performing Single Sign-On (SSO), there is usually some token that is
sent into your application after logging in through the SSO service.

You would need to create an AuthenticationToken implementation that
represents that token.  You call subject.login(myCustomToken)
somewhere - often in a servlet filter that intercepts the request
redirected from the SSO provider.  Then, in your Realm's
doGetAuthenticationInfo method, you would extract that token, call
siteminder, get the associated account data, and return that data in
the form of an AuthenticationInfo object.

This is just one workflow that is fairly common among SSO providers.
I'm sure there are any number of other ways to do this, but I don't
know how siteminder works well enough to recommend siteminder-specific advice.
Maybe in siteminder's case, the redirect already includes account
information such that you don't need to call siteminder during the
doGetAuthenticationInfo method.  Maybe you can extract that data from
the token implicitly and return it in the form of an
AuthenticationInfo object.

Does that help?

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
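A sketch of the workflow Les describes (custom AuthenticationToken, a servlet filter that calls subject.login, a realm whose doGetAuthenticationInfo accepts the SSO identity and whose doGetAuthorizationInfo reads roles from the application's own database), added here as an illustration and not code from the thread or from Shiro itself. It assumes the SiteMinder web agent forwards the authenticated user name in an `SM_USER` request header (an assumption about the deployment; check the agent configuration for the real header name), uses the hypothetical package `com.example`, and stands in for the users/roles tables with a small constructed in-memory map:

```java
package com.example; // hypothetical package; adjust to your application

import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.servlet.OncePerRequestFilter;

public final class SiteMinderShiro {

    /** Token carrying the identity asserted by the SSO gateway. It carries no password:
     *  the gateway already authenticated the user before the request reached us. */
    public static final class SsoToken implements AuthenticationToken {
        private final String username;
        public SsoToken(String username) { this.username = username; }
        @Override public Object getPrincipal()   { return username; }
        @Override public Object getCredentials() { return username; }
    }

    /** Realm: authentication only confirms the asserted user exists here; roles come
     *  from the application's own database (a constructed in-memory map stands in). */
    public static final class SsoRealm extends AuthorizingRealm {
        private static final Map<String, Set<String>> ROLES_BY_USER = new HashMap<String, Set<String>>();
        static { // constructed sample rows standing in for the users/roles tables
            ROLES_BY_USER.put("alice", new HashSet<String>(Arrays.asList("admin", "user")));
            ROLES_BY_USER.put("bob",   new HashSet<String>(Arrays.asList("user")));
        }

        public SsoRealm() {
            // Shiro would otherwise compare token credentials with stored ones; the
            // gateway did that already, so accept whatever the token carries.
            setCredentialsMatcher(new AllowAllCredentialsMatcher());
        }

        /** Returning false here disables authentication in this realm, not authorization. */
        @Override
        public boolean supports(AuthenticationToken token) {
            return token instanceof SsoToken;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String user = (String) token.getPrincipal();
            if (!ROLES_BY_USER.containsKey(user)) {
                // Authenticated upstream but unknown to this application: refuse the login.
                throw new UnknownAccountException("No account for " + user);
            }
            return new SimpleAuthenticationInfo(user, token.getCredentials(), getName());
        }

        /** To disable authorization in this realm, return null here instead. */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = (String) principals.getPrimaryPrincipal();
            Set<String> roles = ROLES_BY_USER.get(user);
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.setRoles(roles == null ? new HashSet<String>() : roles);
            return info;
        }
    }

    /** Servlet filter that turns the gateway's identity header into a Shiro login.
     *  The header name is an assumption about the SiteMinder deployment; verify it. */
    public static final class SsoLoginFilter extends OncePerRequestFilter {
        static final String IDENTITY_HEADER = "SM_USER";

        @Override
        protected void doFilterInternal(ServletRequest request, ServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String user = ((HttpServletRequest) request).getHeader(IDENTITY_HEADER);
            Subject subject = SecurityUtils.getSubject();
            if (user != null && !user.isEmpty()) {
                // A header naming a different user than the current session means the SSO
                // session changed underneath us: drop the stale Shiro session, don't keep it.
                if (subject.isAuthenticated() && !user.equals(subject.getPrincipal())) {
                    subject.logout();
                }
                if (!subject.isAuthenticated()) {
                    try {
                        subject.login(new SsoToken(user));
                    } catch (AuthenticationException e) {
                        // Leave the subject unauthenticated; downstream Shiro filters
                        // (authc, roles[...]) then deny access instead of a 500.
                    }
                }
            }
            chain.doFilter(request, response);
        }
    }
}
```

Register both in shiro.ini, e.g. `ssoRealm = com.example.SiteMinderShiro$SsoRealm`, `ssoLogin = com.example.SiteMinderShiro$SsoLoginFilter` and `securityManager.realms = $ssoRealm` under `[main]`, and put `ssoLogin` ahead of the access-control filters in `[urls]` (for instance `/** = ssoLogin, roles[user]`). The one thing that makes this safe is that the filter trusts the header completely: the application must only be reachable through the SiteMinder agent (and the agent or a reverse proxy must strip any inbound `SM_*` headers a client sends itself), otherwise anyone who can reach the app directly can log in as any user by setting the header.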
