Hi, I'm working on an application framework that allows access to application mbeans via two separate mechanisms: JMX and a web-based, ReST-like interface generated from mbeans by Jolokia <http://www.jolokia.org/index.html> .
I've managed to secure the JMX interface by creating a SecurityManager from IniSecurityManagerFactory at load time, and then authenticating via JAAS by overriding the 'authenticate' method on a custom JMXAuthenticator, calling Subject.builder().buildSubject(), authenticating the subject and attaching it to the JAAS security context. (Later, in the authZ checker, I pull the Shiro Subject from the JAAS context and validate access to resources.) There's some hidden magic between the Shiro Subject created during JAAS authentication and the IniSecurityManager created at startup - the linkage is in the Shiro library and I haven't dug deep enough to make the connection yet. I'm sure it's there, but not sure how it's done. Now it's time to secure my Jolokia web interface using the same SecurityManager. I can create a custom SecurityManager and do all the web crap myself, but I'm hoping someone who has more internal knowledge of Shiro can tell me a "best practice path of least resistance" for reusing my existing IniSecurityManager for securing the web side. (The servlet container we're using is Jetty, so I have to rig it up in code, rather than web.xml statements, but I'm pretty much down with that mix at this point.) One other constraint - there are cases when Jetty/Jolokia is not part of the picture at all, so I can't use a WebSecurityManager as my base security manager and build Shiro Subjects from that for JMX authentication - at least, I'm not sure what will happen if I create a WebSecurityManager in an application without a servlet container... Thanks in advance, John -- View this message in context: http://shiro-user.582556.n2.nabble.com/authentication-managing-multiple-access-methods-tp7580390.html Sent from the Shiro User mailing list archive at Nabble.com.
