Ahh, I understand now. Take a look at this thread: http://shiro-user.582556.n2.nabble.com/How-to-set-a-custom-principal-object-td1090270.html
You could possibly build and attach an AuthorizationInfo object to your principal when the user logs in. There are a couple of scenarios that this would probably NOT work for: RememberMe, RunAs. That said, I've done something similar in the past with success (it just depends on your use case).

On Mon, Aug 22, 2016 at 12:59 PM, vlhf刘海峰 <[email protected]> wrote:
> I didn't give any manager account. And I doubt that without a manager account
> it works that way.
>
> I've browsed the source code; doGetAuthenticationInfo and
> doGetAuthorizationInfo are two relatively independent processes, they don't
> use the same ldapContext.
>
> On 16/8/22 at 10:15 PM, "Brian Demers" <[email protected]> wrote:
>
>> That is how it should work if you do not set the system user/password.
>> Can you confirm that your configuration does not set them?
>>
>> On Mon, Aug 22, 2016 at 12:17 AM, vlhf刘海峰 <[email protected]> wrote:
>>> Hi all,
>>>
>>> As some AD forbid search operations with anonymous binding,
>>> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm will fail to get
>>> authorization info without a manager account. But since the user has logged in
>>> before, which means the user has bound successfully and is able to do searches over
>>> LDAP, I'd prefer using the user's account to search for its LDAP attributes,
>>> and I think the manager account is totally unnecessary.
>>>
>>> There are at least two ways to achieve this, but both have been blocked after reading
>>> the source code:
>>>
>>> 1) search LDAP attributes right after binding:
>>> Problem is there is no straightforward way to put roles into the authorization cache; related
>>> methods are mostly private
>>> 2) bind again while getting authorization info:
>>> Problem is at this step the only authentication information available is
>>> principals, no credentials
>>>
>>> I hope the Shiro dev team deals with this, or let me know if there is a better
>>> solution.
>>>
>>> Thank you all.
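The approach Brian describes, as an added example that is not part of the thread and not code from Apache Shiro itself: a custom AuthorizingRealm binds to AD with the user's own credentials, reads the user's group memberships over that same bound connection, and stores them on a serializable principal object so that doGetAuthorizationInfo can answer from the principal alone, with no manager account and no second bind. The class name UserBindAdRealm, the AdPrincipal type, the principalSuffix and searchBase values, and the use of a JndiLdapContextFactory configured elsewhere with the directory URL are all assumptions; sAMAccountName and memberOf are the standard AD attributes for the account name and direct group membership.

```java
// Added example, not from the thread or from Apache Shiro: the user's own bind is reused
// to read group memberships, which are stored on the principal for later authorization.
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;

public class UserBindAdRealm extends AuthorizingRealm {  // hypothetical class name

    /** Principal that carries the group DNs read during the user's own bind. */
    public static final class AdPrincipal implements Serializable {
        private final String username;
        private final Set<String> groupDns;
        AdPrincipal(String username, Set<String> groupDns) { this.username = username; this.groupDns = groupDns; }
        public String getUsername() { return username; }
        public Set<String> getGroupDns() { return groupDns; }
        @Override public String toString() { return username; }
    }

    private final JndiLdapContextFactory contextFactory;  // configured elsewhere with the AD URL
    private final String principalSuffix;                 // assumed value, e.g. "@example.com"
    private final String searchBase;                      // assumed value, e.g. "DC=example,DC=com"

    public UserBindAdRealm(JndiLdapContextFactory contextFactory, String principalSuffix, String searchBase) {
        this.contextFactory = contextFactory;
        this.principalSuffix = principalSuffix;
        this.searchBase = searchBase;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        char[] password = upToken.getPassword();
        if (username == null || password == null || password.length == 0) {
            throw new AuthenticationException("username and password are required");
        }
        LdapContext ctx = null;
        try {
            // Bind as the user: AD refuses anonymous searches, but a bound user can read its own entry.
            ctx = contextFactory.getLdapContext(username + principalSuffix, String.valueOf(password));
            Set<String> groups = readGroupDns(ctx, username);
            // Groups travel with the principal. The password is handed back so Shiro's default
            // credentials matcher passes; the bind itself has already verified it.
            return new SimpleAuthenticationInfo(new AdPrincipal(username, groups), password, getName());
        } catch (NamingException e) {
            throw new AuthenticationException("LDAP bind or lookup failed for " + username, e);
        } finally {
            LdapUtils.closeContext(ctx);  // null-safe
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Called later with principals only and no credentials, so there is nothing to bind
        // with again: roles come from what login already stored on the principal.
        Object primary = principals.getPrimaryPrincipal();
        if (!(primary instanceof AdPrincipal)) return null;
        // Role name == group DN here; map DNs to application roles as needed.
        return new SimpleAuthorizationInfo(new HashSet<>(((AdPrincipal) primary).getGroupDns()));
    }

    private Set<String> readGroupDns(LdapContext ctx, String username) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"memberOf"});
        // Escape the user-supplied value so it cannot alter the filter's structure.
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(username) + "))";
        Set<String> groups = new HashSet<>();
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, controls);
        try {
            while (results.hasMore()) {
                Attributes attrs = results.next().getAttributes();
                Attribute memberOf = attrs == null ? null : attrs.get("memberOf");
                if (memberOf == null) continue;
                NamingEnumeration<?> values = memberOf.getAll();
                while (values.hasMore()) groups.add(String.valueOf(values.next()));
            }
        } finally {
            LdapUtils.closeEnumeration(results);
        }
        return groups;
    }

    /** Escapes the characters RFC 4515 reserves in a filter assertion value (backslash first). */
    static String escapeFilterValue(String value) {
        return value.replace("\\", "\\5c").replace("*", "\\2a")
                    .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }
}
```

The two cases Brian flags behave as follows with this design. With RememberMe, the AdPrincipal is what gets serialized into the remember-me cookie, so a remembered subject carries group data exactly as old as its last interactive login (and the cookie grows with the number of groups); treat a remembered identity as stale for anything sensitive and require a fresh login. With RunAs, the assumed identity replaces the primary principal, so unless that identity was itself produced by this realm there is nothing on it to derive roles from, and doGetAuthorizationInfo returns null, which grants nothing. Shiro's authorization cache keys on the PrincipalCollection, so enabling it is compatible with this realm.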
