On 17/01/2023 15:20, Jonathan MERCIER wrote:
> Dear community,
It would be good to hear from others as to what they do for authentication.
> After some investigations on Apache Shiro, it seems that it is not
> possible (without writing some Java code) to perform an LDAP group/
> role mapping.
Indeed - Shiro is a framework and needs customization for authentication.
My (limited) experience is that every deployment has to adapt somehow to
the local authentications services. The communication protocols may be
sort of standard, the details (e.g. schemas for users) are not.
If anyone has suggestions for a more out-of-the-box, open source,
solution, please do say so.
> So I would like to know if one of the above solutions could work:
> 1. Use a Keycloak server as IAM service and forward roles to Shiro/Jena
> (JWT or other)?
That's an option.
> 2. Develop and deploy an Apache Shiro server as IAM service (for all our
> applications), which implies communicating remotely with Jena to get a JWT
> with the corresponding role
There's an AuthBearerFilter but it is for Fuseki/main. £job uses it as the
basis for AWS/Cognito token handling (e.g. the AWS specific headers).
> 3. Other solutions?
One option is to do the authn in a reverse proxy in front of Fuseki. Set it
up so Fuseki will only receive traffic from the reverse proxy.
There is more stuff out there for httpd or nginx.
> Thanks a lot for your help, we are trying to do our best to get a full
> understanding of how to use Jena on our side.
Thanks for saying that.
It is quicker to ask questions than answer them.
Best regards
Andy
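Andy's third option (authn in a reverse proxy, with Fuseki only reachable from the proxy), as an added illustration that is not part of the thread or of the Jena project: an nginx front end that terminates TLS and does HTTP Basic authentication before forwarding to a Fuseki bound to loopback. The hostname, certificate paths, htpasswd files and the dataset name /ds are placeholders; the Fuseki start line assumes the standard fuseki-server CLI.

```nginx
# Added example, not from the thread. Fuseki itself is started so that it only
# listens on the loopback interface, e.g.:
#   fuseki-server --localhost --port 3030 --mem /ds
# (--localhost binds Fuseki to 127.0.0.1 only; add a host firewall rule for
# port 3030 as well if other processes or users share the machine.)

server {
    listen 443 ssl;
    server_name fuseki.example.org;                 # placeholder hostname

    ssl_certificate     /etc/nginx/tls/fuseki.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/fuseki.key;

    # Authenticate every request at the proxy. Fuseki never sees an
    # unauthenticated request because nothing else can reach it.
    auth_basic           "Fuseki";
    auth_basic_user_file /etc/nginx/fuseki.htpasswd;   # placeholder; create with htpasswd

    # Read-only endpoint: any authenticated user may query.
    location /ds/query {
        proxy_pass http://127.0.0.1:3030;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Write endpoints: a separate credentials file holding only the
    # accounts that are allowed to modify the dataset.
    location ~ ^/ds/(update|data|upload)$ {
        auth_basic_user_file /etc/nginx/fuseki-writers.htpasswd;   # placeholder
        proxy_pass http://127.0.0.1:3030;
        proxy_set_header Host $host;
    }

    # Everything else (including the admin UI under /$/) is not exposed.
    location / {
        return 404;
    }
}

# Redirect plain HTTP to HTTPS so Basic credentials are never sent in clear.
server {
    listen 80;
    server_name fuseki.example.org;
    return 301 https://$host$request_uri;
}
```

The split into read and write locations is the part that gives per-endpoint authorization without touching Shiro; whichever proxy is used, the essential control is that port 3030 is only reachable from the proxy host.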