Hi,

I already did something like this for a jwt realm and I used the shiro cache to sync the authorization and authentication of the principal.

regards,

François

On 28/07/2022 05:28, Telmo Brugnara wrote:
Yes, it did, thanks Benjamin! I've managed to create a
KeycloakShiroRealm [1] to handle the roles ;)

I'm still using an AuthenticationFilter, but now I'm creating the
subject with the WebSubject.Builder

The current solution is a bit (a lot?) hacky, since I had to use
reflection to unwrap the ShiroHttpServletRequest to get the original
Principal (getUserPrincipal()) from which the keycloak roles can be
retrieved, but it works ok

If anyone has suggestions for improvements I'd be happy to hear them

Regards,
Telmo

[1] https://github.com/tbrugz/queryon/blob/master/qon-auth-keycloak/src/main/java/tbrugz/queryon/shiro/KeycloakShiroRealm.java


On Mon, Jul 25, 2022 at 3:56 PM Benjamin Marwell <bmarw...@apache.org> wrote:
Hi Telmo!

Sorry for the late reply.

How can I, after creating a Shiro Subject, add roles to it?
and

it would be better to use something like an AuthorizingRealm
You are right: It is usually the realms which add roles to a subject.
And actually, the roles are not bound at login time. Instead they
are queried when you call the "hasRole" or "isPermitted" methods.

This is the call chain:
DelegatingSubject.isPermitted ->
AuthorizingSecurityManager.isPermitted -> AuthorizingRealm.isPermitted

That means a Subject knows its AuthorizingSecurityManager. The
AuthorizingSecurityManager knows its Realm. We do have some
documentation about this [1].

Does this help?

- Ben

[1]: https://shiro.apache.org/securitymanager.html
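The lazy role lookup Ben describes, as an added example that is not part of this thread or of the queryon project: an AuthorizingRealm whose doGetAuthorizationInfo maps the realm roles carried in the Keycloak access token onto Shiro roles, so the filter only has to call Subject.login() with the already-verified principal. It assumes the Keycloak Java adapter classes (KeycloakPrincipal, KeycloakSecurityContext, AccessToken) are on the classpath; the class and token names are the example's own.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/** Example realm (hypothetical name): Keycloak realm roles become Shiro roles. */
public class KeycloakRolesRealm extends AuthorizingRealm {

    /** Token the filter passes to Subject.login(): the principal the adapter already verified. */
    public static final class KeycloakToken implements AuthenticationToken {
        private final KeycloakPrincipal<? extends KeycloakSecurityContext> principal;
        public KeycloakToken(KeycloakPrincipal<? extends KeycloakSecurityContext> p) { this.principal = p; }
        @Override public Object getPrincipal() { return principal; }
        // No password here: the adapter validated the token signature before the filter ran.
        @Override public Object getCredentials() { return principal; }
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof KeycloakToken; // leave other token types to other realms
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        // Authentication already happened in Keycloak; this only binds the principal to the subject.
        KeycloakPrincipal<?> principal = (KeycloakPrincipal<?>) token.getPrincipal();
        return new SimpleAuthenticationInfo(principal, token.getCredentials(), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Invoked lazily from hasRole()/isPermitted(), not at login time (see the call chain above).
        KeycloakPrincipal<?> principal = principals.oneByType(KeycloakPrincipal.class);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (principal == null) return info; // not one of our principals: grant no roles
        AccessToken accessToken = principal.getKeycloakSecurityContext().getToken();
        AccessToken.Access realmAccess = accessToken.getRealmAccess();
        if (realmAccess != null && realmAccess.getRoles() != null) {
            info.addRoles(realmAccess.getRoles()); // e.g. "admin", "user" from the token's realm_access
        }
        return info;
    }
}
```

If authorization caching is enabled on the realm (as François mentions doing with the Shiro cache), the AuthorizationInfo is reused across calls, so role changes in Keycloak only take effect after the cached entry is cleared (for example via clearCachedAuthorizationInfo on logout).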

On Tue, 19 Jul 2022 at 23:52, Telmo Brugnara <tbr...@gmail.com> wrote:
Hi there,

I'm working on a Shiro/Keycloak integration, and the authentication
part is working. But I suspect I might not be doing it the "proper"
way.

I've created an AuthenticationFilter where I check if there is an
active authenticated keycloak user, and if so I build a Shiro Subject
and bind it to the ThreadContext.

So I have two questions:

1. Although it works ok, I didn't find a way to associate the Keycloak
roles with the Shiro Subject. How can I, after creating a Shiro
Subject, add roles to it?
(relevant code:
https://github.com/tbrugz/queryon/blob/master/qon-auth-keycloak/src/main/java/tbrugz/queryon/shiro/KeycloakAuthFilter.java#L52)

2. To use an AuthenticationFilter might not be the best way to do
this, and maybe it would be better to use something like an
AuthorizingRealm... If so, is there any example that fits this kind of
integration?

Regards,
Telmo

ps: Also, if anyone is interested in such an integration,
documentation and code can be found here:
https://github.com/tbrugz/queryon/tree/master/qon-auth-keycloak
