I was worried that I might be overcomplicating things. Thanks Kalle.

From: Kalle Korhonen [mailto:[email protected]]
Sent: Wednesday, July 10, 2013 8:56 AM
To: [email protected]
Subject: Re: How to just do authorization with Shiro

For an authorizing-only realm, you can simply return null in doGetAuthenticationInfo() to indicate the realm shouldn't participate in the authentication process.

Kalle

On Wed, Jul 10, 2013 at 8:49 AM, Michael Chandler <[email protected]> wrote:

Christian,

If authentication is already handled outside of Shiro, it seems like you should be able to handle authorization only by implementing your own Realm. Here's a rough example of what I'm thinking... The authentication method is implemented to do very little other than appear to be successful, while you do your authorization work as planned. Hopefully I'm not oversimplifying the problem here...

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.credential.CredentialsMatcher;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;

    public class YourRealm extends AuthorizingRealm {

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            // Retrieve your user object by leveraging info from your token
            User user = someMethodThatGetsUserFromToken(token);

            // Make sure the credentials matcher is always successful since you handle this elsewhere
            setCredentialsMatcher(new CredentialsMatcher() {
                @Override
                public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
                    return true;
                }
            });

            return new SimpleAuthenticationInfo(user, token, "YourRealm");
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // YOUR AUTHORIZATION IMPLEMENTATION GOES HERE!
            // (placeholder so the class compiles; return a SimpleAuthorizationInfo built from your roles)
            return null;
        }
    }

From: [email protected] [mailto:[email protected]] On Behalf Of Christian Schneider
Sent: Tuesday, July 09, 2013 11:57 PM
To: [email protected]
Subject: How to just do authorization with Shiro

Hi All,

I am trying to integrate Shiro into an Apache CXF project. The authentication is already done by CXF. I am using a SAML token to authenticate at the service. Inside the token there already is the subject name and the role names.

CXF establishes a CXF-specific LoginSecurityContext that contains these details. Now I want to use a CXF interceptor to read this LoginSecurityContext and establish an authenticated Shiro subject that also contains the subject name and roles. I intend to use the Shiro context then to do normal Shiro authorization using annotations.

Currently I only know how to log into Shiro using a UsernamePasswordToken. So I give Shiro my identity and my credentials and Shiro does the authentication and fetches the roles. How can I change this to work with an already authenticated subject and given roles?

Christian
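The following is an added, self-contained example that is not part of the thread above and not code from Apache Shiro or Apache CXF. It combines the two suggestions (Kalle's: return null from doGetAuthenticationInfo(); Michael's: put the role mapping in doGetAuthorizationInfo()) with the piece Christian asked about: building an already-authenticated Shiro Subject from a name and roles that were established elsewhere, then running ordinary Shiro role checks against it. The class and member names (ExternalAuthRealm, ExternalPrincipal, bindExternallyAuthenticated) are hypothetical; the constructed name "alice" and roles stand in for what a CXF interceptor would read from the LoginSecurityContext. Overriding supports() to return false is an addition beyond the thread: it keeps the realm out of any login() call that might still happen, so the null return is never reached.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/** Hypothetical authorization-only realm: never authenticates, only maps a principal to its roles. */
public class ExternalAuthRealm extends AuthorizingRealm {

    public static final String NAME = "externalAuthRealm";

    /** Principal carrying what the external authentication layer already verified. */
    public static final class ExternalPrincipal {
        final String subjectName;
        final Set<String> roles;

        ExternalPrincipal(String subjectName, Collection<String> roles) {
            this.subjectName = subjectName;
            this.roles = Collections.unmodifiableSet(new LinkedHashSet<String>(roles));
        }

        @Override
        public String toString() { return subjectName; }
    }

    public ExternalAuthRealm() {
        setName(NAME);
    }

    /** Addition beyond the thread: refuse every token so this realm is skipped during login(). */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    /** Kalle's suggestion: return null, the realm does not take part in authentication. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        return null;
    }

    /** Michael's suggestion: authorization data comes from the principal, not from a credential check. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        ExternalPrincipal p = principals.oneByType(ExternalPrincipal.class);
        if (p == null) {
            return null; // not our principal, no roles from this realm
        }
        return new SimpleAuthorizationInfo(new LinkedHashSet<String>(p.roles));
    }

    /**
     * What the CXF interceptor would do: take the already-verified name and roles and bind a Subject
     * that Shiro treats as authenticated, without ever calling login().
     */
    public static Subject bindExternallyAuthenticated(String subjectName, Collection<String> roles) {
        PrincipalCollection pc =
                new SimplePrincipalCollection(new ExternalPrincipal(subjectName, roles), NAME);
        Subject subject = new Subject.Builder(SecurityUtils.getSecurityManager())
                .principals(pc)
                .authenticated(true)
                .sessionCreationEnabled(false) // the SAML token, not a Shiro session, is the source of truth
                .buildSubject();
        ThreadContext.bind(subject);
        return subject;
    }

    /** Stand-alone demonstration with constructed input; in CXF the values come from LoginSecurityContext. */
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new ExternalAuthRealm()));
        try {
            Subject s = bindExternallyAuthenticated("alice", Arrays.asList("admin", "user"));
            System.out.println("authenticated: " + s.isAuthenticated());
            System.out.println("hasRole(admin): " + s.hasRole("admin"));
            System.out.println("hasRole(auditor): " + s.hasRole("auditor"));
            s.checkRole("admin"); // throws UnauthorizedException if the role were missing
        } finally {
            ThreadContext.unbindSubject(); // always unbind so the thread cannot leak the Subject
        }
    }
}
```

Once the Subject is bound to the thread, Shiro's annotation-driven checks (@RequiresRoles and friends) resolve against it exactly as they would after a normal login(), because DelegatingSubject.hasRole() delegates to the security manager, which asks this realm's doGetAuthorizationInfo(). The unbind in the finally block matters in a server: the interceptor must clear the thread before it is returned to the pool, otherwise the next request on that thread inherits the previous caller's identity.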
