For ActiveDirectoryRealm two different user 'types' are used:

1. Users that try to authenticate via the login form = 'login-form-users', so
that they may use your application.

2. The systemUsername does not log in via your login form, nor does he use
your application. Instead he is used to look up which groups the already
authenticated 'login-form-users' are members of. You need only one
systemUsername, as he can look up group membership for all Active Directory
users. *The systemUsername is only needed for authorization, not for
authentication.*

For authentication an AuthenticationToken is automatically passed in via the
following method to ActiveDirectoryRealm as soon as
SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password));
is called:

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken at)
            throws AuthenticationException {

at.getPrincipal().toString() is the email address in the parameter
'username' (= 'login-form-user')

--
View this message in context:
http://shiro-user.582556.n2.nabble.com/How-to-pass-username-from-login-form-to-ActiveDirectoryRealm-tp7579187p7579192.html
Sent from the Shiro User mailing list archive at Nabble.com.
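
The flow described in the message above, as an added example that is not part of the original post or of Shiro itself: a realm subclass that reads the login-form username from the token, and a caller that triggers first authentication and then the systemUsername group lookup. Assumptions: the class name LoginFormRealm, the method loginAndCheck, the role name "app-users", the environment variable AD_SYSTEM_PASSWORD and every example.test value are hypothetical placeholders; the blank-password check is an added hardening step, not something the post describes.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.subject.Subject;

public class LoginFormRealm extends ActiveDirectoryRealm {

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken at)
            throws AuthenticationException {
        // Principal and credentials are exactly what the login form supplied.
        UsernamePasswordToken token = (UsernamePasswordToken) at;
        String username = token.getUsername();
        char[] password = token.getPassword();
        // Refuse blank values before any LDAP bind: a simple bind with an empty
        // password may be accepted by a directory as an unauthenticated bind.
        if (username == null || username.trim().isEmpty()
                || password == null || password.length == 0) {
            throw new AuthenticationException("Username and password are required");
        }
        // The parent realm now binds to Active Directory as the login-form user.
        return super.doGetAuthenticationInfo(at);
    }

    // Hypothetical caller: username and password come from the login form.
    public static boolean loginAndCheck(String username, char[] password) {
        LoginFormRealm realm = new LoginFormRealm();
        realm.setUrl("ldap://ad.example.test:389");         // placeholder
        realm.setSearchBase("DC=example,DC=test");          // placeholder
        // Service account, used only for the group lookup (authorization).
        realm.setSystemUsername("svc-shiro@example.test");  // placeholder
        realm.setSystemPassword(System.getenv("AD_SYSTEM_PASSWORD"));
        realm.init();  // builds the LDAP context factory when not wired by shiro.ini
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);  // calls doGetAuthenticationInfo(...) above
            // The first role check triggers the lookup done as systemUsername;
            // "app-users" only matches if the realm's groupRolesMap maps to it.
            return subject.hasRole("app-users");
        } finally {
            token.clear();         // wipe the password held by the token
        }
    }
}
```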