custom in shiro.ini
Hi,

What is the "custom" variable in the shiro.ini? I am trying to use buji-pac4j and I see that in a demo application [1] it uses a "custom" variable. Where is this variable defined? What is it used for?

I see that it is used like this: custom:$customAuthorizer. And the variable customAuthorizer is defined above:

    customAuthorizer = org.pac4j.demo.shiro.CustomAuthorizer

Why not use $customAuthorizer directly? Is custom used as a namespace for user-defined variables?

[1] https://github.com/pac4j/buji-pac4j-demo/blob/master/src/main/resources/shiro.ini

Regards,
Gabriel
Re: custom in shiro.ini
In this case both 'customAuthorizer' and 'config' define which class is used. After 'config' is instantiated, config.setAuthorizers(Map) would be called. In this case the map contains two entries with keys 'admin' and 'custom' (with values being the instances represented by '$requireRoleAdmin' and '$customAuthorizer').

    customAuthorizer = org.pac4j.demo.shiro.CustomAuthorizer
    config = org.pac4j.core.config.Config
    config.authorizers = admin:$requireRoleAdmin,custom:$customAuthorizer

Does that help?

On Mon, Aug 22, 2016 at 8:24 AM, Gabriel Titerlea wrote:
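To make the resolution described above concrete, here is an added Python emulation (not Shiro's or pac4j's code) of how a [main] section turns those three lines into a Config whose authorizers map has the keys admin and custom. The Python stand-in classes, the class registry and the example.RequireRoleAdmin class name are constructed for this walk-through; the page never shows how requireRoleAdmin itself is defined.

```python
# Stand-ins for the Java classes named in the thread, constructed so the walk-through runs offline.
class CustomAuthorizer: pass       # org.pac4j.demo.shiro.CustomAuthorizer
class RequireRoleAdmin: pass       # hypothetical: the page never shows how requireRoleAdmin is defined
class Config:                      # org.pac4j.core.config.Config
    def __init__(self): self.authorizers = {}
    def set_authorizers(self, m):  # plays the role of Config.setAuthorizers(Map)
        self.authorizers = dict(m)
CLASSES = {  # registry standing in for the JVM classpath
    "org.pac4j.demo.shiro.CustomAuthorizer": CustomAuthorizer,
    "org.pac4j.core.config.Config": Config,
    "example.RequireRoleAdmin": RequireRoleAdmin,  # hypothetical class name
}

def resolve(token, objects):
    """'$name' -> the instance defined earlier under that name; plain text stays a string."""
    if not token.startswith("$"):
        return token
    if token[1:] not in objects:  # a reference must be defined above the line that uses it
        raise ValueError(f"undefined reference {token}")
    return objects[token[1:]]

def parse_value(raw, objects):
    """Map syntax 'k:$a,k2:$b': the keys (admin, custom) are names, the values are references."""
    if ":" in raw:
        pairs = (p.split(":", 1) for p in raw.split(","))
        return {k.strip(): resolve(v.strip(), objects) for k, v in pairs}
    return resolve(raw.strip(), objects)

def load_main(ini_text):
    """'name = class' instantiates; 'name.prop = value' calls set_<prop> on an existing instance."""
    objects = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        lhs, rhs = (s.strip() for s in line.split("=", 1))
        if "." not in lhs:
            objects[lhs] = CLASSES[rhs]()
        else:
            name, prop = lhs.split(".", 1)
            getattr(objects[name], "set_" + prop)(parse_value(rhs, objects))
    return objects

# The demo's relevant [main] lines; the requireRoleAdmin definition is made up for this example.
DEMO_INI = """[main]
requireRoleAdmin = example.RequireRoleAdmin
customAuthorizer = org.pac4j.demo.shiro.CustomAuthorizer
config = org.pac4j.core.config.Config
config.authorizers = admin:$requireRoleAdmin,custom:$customAuthorizer
"""
```

Loading DEMO_INI yields a Config whose authorizers map is {"admin": <RequireRoleAdmin>, "custom": <CustomAuthorizer>}; a $name that was never defined above its use is rejected.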
Re: custom in shiro.ini
Yes, perfect explanation. Thank you!

On 22-Aug-16 17:05, Brian Demers wrote:

--
Gabriel Titerlea
XML Web Author
https://www.oxygenxml.com
Re: Anonymous binding issue while searching LDAP roles
That is how it should work if you do not set the system user/password.
Can you confirm that your configuration does not set them?

On Mon, Aug 22, 2016 at 12:17 AM, vlhf刘海峰 wrote:
> Hi all,
>
> As some AD forbid search operations with anonymous binding,
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm will fail to get
> authorization info without a manager account. But, since the user has logged in
> before, which means the user has bound successfully and is able to do a search over
> LDAP, I'd prefer using the user's account to search for its LDAP attributes,
> and I think the manager account is totally unnecessary.
>
> There are at least two ways to achieve this, but both are blocked after reading
> the source code:
>
> 1) search LDAP attributes right after binding:
>    Problem is there is no straightforward way to put roles into the authorization cache;
>    the related methods are mostly private
> 2) bind again while getting authorization info:
>    Problem is at this step the only information from authentication is the
>    principals, no credentials
>
> I hope the Shiro dev team deals with this, or let me know if there is a better
> solution.
>
> Thank you all.
Re: Anonymous binding issue while searching LDAP roles
I didn't give any manager account. And I doubt that without a manager account it works that way.

I've browsed the source code: doGetAuthenticationInfo and doGetAuthorizationInfo are two relatively independent processes; they don't use the same ldapContext.

On 16/8/22 at 10:15 PM, "Brian Demers" wrote:
Re: Anonymous binding issue while searching LDAP roles
Ahh, I understand now.

Take a look at this thread:
http://shiro-user.582556.n2.nabble.com/How-to-set-a-custom-principal-object-td1090270.html

You could possibly build and attach an AuthorizationInfo object to your principal when the user logs in. There are a couple of scenarios that this would probably NOT work for: RememberMe, RunAs.

That said, I've done something similar in the past with success (it just depends on your use case).

On Mon, Aug 22, 2016 at 12:59 PM, vlhf刘海峰 wrote: