Hi Ken,

Since I created my own realm from scratch and implemented Realm and Authorizer, but didn't extend AuthorizingRealm, I don't have doGet*** methods. Also, since I'm dealing with preauthenticated users via my own SSO system (CA SiteMinder), I don't actually do authentication in my authorizing realm. I've attached the custom realm below.

If you notice, I implemented my own getAuthorizationInfo method in the realm; this is where the permission loader is called. I had to do this because AuthorizingRealm's method only accepted PrincipalCollection and I needed both PrincipalCollection and the permission being requested. All of the isPermitted and hasRole methods eventually invoke that method. You can notice the authentication methods at the bottom are basically disabled.

I have a separate realm that "authenticates" my preauthenticated user. Basically its main job is to convert my SSO user object into a Shiro AuthenticationInfo. I've attached that realm further down.

Our SSO system has roles, and has been extended so it can have roles by company, as we have multi-tenant systems with users from many different companies. If you notice, in the example rule above the hasRole method is checking to see if the user has a certain role for the company that matches the company that owns the railcar. The SSO roles are converted into roles in the AssignableAuthorizationInfo object when I initially build it.

It would be possible for the security rules to add additional roles to this (it has an addRole method). Then a RolePermissionResolver could be used to convert the role into the correct permissions. With our initial work, though, we have just added permissions directly and not dealt with roles in this way.

The authorizing permission loading realm:
DynamicPermissionAuthorizingRealm.java <http://shiro-user.582556.n2.nabble.com/file/n7578987/DynamicPermissionAuthorizingRealm.java>

The "authenticating" realm:
SsoPreauthenticatedRealm.java <http://shiro-user.582556.n2.nabble.com/file/n7578987/SsoPreauthenticatedRealm.java>

What do you mean by a tech sheet? Do you have an example?
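The request-scoped permission loading described in this message, as an added example that is not taken from the attached DynamicPermissionAuthorizingRealm.java. The class name, the PermissionLoader interface, the railcar rule and the sample data are hypothetical; only the org.apache.shiro types are real, and shiro-core is assumed to be on the classpath.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class DynamicPermissionSketch {
    // Hypothetical loader: receives the caller AND the permission being requested.
    interface PermissionLoader {
        void load(PrincipalCollection who, String requested, SimpleAuthorizationInfo info);
    }

    // Constructed sample data: SSO roles per user keyed by company, and railcar owners.
    static final Map<String, Map<String, Set<String>>> ROLES_BY_COMPANY =
            Map.of("alice", Map.of("ACME", Set.of("fleet-manager")));
    static final Map<String, String> RAILCAR_OWNER = Map.of("1001", "ACME", "2002", "OTHERCO");

    // Hypothetical rule: for "railcar:view:<id>", grant that single permission only
    // when the user holds the role for the company that owns the railcar.
    static final PermissionLoader RAILCAR_RULE = (who, requested, info) -> {
        String[] parts = requested.split(":");
        if (parts.length != 3 || !parts[0].equals("railcar") || !parts[1].equals("view")) return;
        String owner = RAILCAR_OWNER.get(parts[2]);
        if (owner == null) return; // unknown id, "*" or a list of ids: grant nothing
        String user = String.valueOf(who.getPrimaryPrincipal());
        Set<String> roles = ROLES_BY_COMPANY.getOrDefault(user, Map.of())
                                            .getOrDefault(owner, Set.of());
        if (roles.contains("fleet-manager")) {
            info.addObjectPermission(new WildcardPermission("railcar:view:" + parts[2]));
        }
    };

    // Builds the authorization info per request, so only permissions relevant to
    // this request are ever materialized. No grant means deny.
    static boolean isPermitted(PrincipalCollection who, String requested) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        RAILCAR_RULE.load(who, requested, info);
        Set<Permission> granted = info.getObjectPermissions();
        if (granted == null) return false;
        Permission wanted = new WildcardPermission(requested);
        return granted.stream().anyMatch(p -> p.implies(wanted));
    }

    public static void main(String[] args) {
        PrincipalCollection alice = new SimplePrincipalCollection("alice", "sso");
        System.out.println("1001: " + isPermitted(alice, "railcar:view:1001"));
        System.out.println("2002: " + isPermitted(alice, "railcar:view:2002"));
    }
}
```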
