I'm reading up on Apache Shiro and like to see if I got this mental model right.
From the docs: "A
Realmis a component that can access application-specific security data such asusers,roles, andpermissions". .. "Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. "
Moreover, I've read that an application may include multiple realms for its authentication and authorization purposes.
Ok so great, but how do this Realms relate to the concept of a User?
- is every
Realmexpected to be a partition over the user-space? I.e: aUsermay only ever occur in 1Realm - or, and this is what I'm expecting,
Realmscan be used to layer authentication & authorization on top of eachother and may work on the sameUser. However in that case, where is theUsermanaged? It should be somewhere external to aRealmI guess, but where?
Perhaps I'm confused by this because I'm thinking of User as a single entity (e.g: of me there can be only one) . And should instead be thinking of User as a UserAccount. I.e.: Each Realm manages it's own Useraccounts (in the docs called User), but a User may have multiple UserAcounts. Is that correct?
Assuming the above is correct:
- is there any logic that enables me to query for all
UserAccountsof a given User? I.e: basically merging allUseraccountstogether to get a complete view of theUser? - does the concept of
Userin this case (1Userpossibly having multipleUserAccounts) even exist in Shiro?
You define relation between Realms in authenticationStrategy. Lets see the example. User will be authenticated only when he passes authentication against all realms. You can make your own authenticationStrategy implementation which says just one successful authentication is enough or whatsoever.
In the example, we combine JDBC realm to store users names (no passwords) and authenticate it against LDAP.
Lets say you will add one another LDAP realm and create authenticationStrategy, where not all authentications against realm are needed. But just one successful authentication against LDAP is enough.
shiro.ini
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = java:comp/env/jdbc/xxx
noPassWordCredentialMatcher = eu.corp.domain.auth.NoPassMatcher
ldapRealm = eu.corp.domain.auth.CustomActiveDirectoryRealm
ldapRealm.searchBase = OU=USERS,OU=EN,DC=our,DC=corp
ldapRealm.url = ldap://our.corp:389
ldapRealm.principalSuffix = @our.corp
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource = $ds
jdbcRealm.credentialsMatcher = $noPassWordCredentialMatcher
jdbcRealm.authenticationQuery = SELECT name FROM auth WHERE name = ?
jdbcRealm.userRolesQuery = SELECT role.shortcut FROM auth LEFT JOIN auth_role ON auth_role.auth_id = auth.id LEFT JOIN role ON role.id = auth_role.role_id WHERE auth.name = ?
jdbcRealm.permissionsQuery = SELECT permission.shortcut FROM role JOIN role_permission ON role_permission.role_id = role.id JOIN permission ON permission.id = role_permission.permission_id WHERE role.shortcut = ?
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $ldapRealm, $jdbcRealm
authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
来源:https://stackoverflow.com/questions/19124192/how-do-concepts-of-user-useraccount-and-realm-relate-in-apache-shiro