I personally haven't done any work on this, but I'd love to hear/see some solutions.
One idea is that the easiest thing to do is to check the session in the Realm method implementations in addition to the underlying data source. Or, instead of doing both checks in a single Realm, you could instead have an additional SessionRealm configured that does not do any authentication - just the authorization operations. The latter is more 'clean' I think from a 'pluggability' perspective, but also is slightly more complex.

Bradley, please feel free to brainstorm and/or post your findings on the list - I'd love to hear your progress! I personally feel that Shiro should support SAML as it is being adopted more and more by companies - anything you might find along the way would be helpful!

Best,

Les

On Tue, Nov 17, 2009 at 3:19 PM, Bradley Beddoes <[email protected]> wrote:
> Hi Gang,
>
> As part of some broader SAML 2.x integration work I am doing with
> Shiro (and specifically Nimble) I need to determine a method for
> assigning permissions to sessions based on a level of assurance
> attribute sent down from the user's IDP via a SAML 2 assertion. In fact,
> just generically, I need to assign roles/permissions for the currently
> active session only, so when the session dies so does the relationship.
>
> Obviously I am going to need to look at the Nimble implementation for
> isPermitted/hasRole etc. and do something to suit this case base, but I
> figured perhaps someone else was doing something in this space as a
> starting point.
>
> cheers
> Bradley
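The second option Les sketches (a separate, authorization-only realm that reads its grants from the current session) can be written against Shiro's public realm API as shown below. This is an added example for the thread, not code from Shiro, Nimble or either poster; the class name `SessionRealm`, the session attribute names, the `grantForSession` helper and the level-of-assurance strings and permission names used in `applyLevelOfAssurance` are all assumptions chosen for illustration, and the SAML assertion validation itself is assumed to happen elsewhere before the helper is called.

```java
package com.example.shiro;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

/**
 * Authorization-only realm: roles and permissions are read from attributes of the
 * current Shiro session, so they disappear when the session is invalidated or expires.
 * Example code, not part of Shiro or Nimble. Register it beside the authenticating
 * realm, e.g. in shiro.ini:
 *
 *   sessionRealm = com.example.shiro.SessionRealm
 *   securityManager.realms = $nimbleRealm, $sessionRealm
 *
 * The default ModularRealmAuthorizer grants a role/permission if ANY realm grants it,
 * so session-scoped grants are simply unioned with the data-source grants.
 */
public class SessionRealm extends AuthorizingRealm {

    // Session attribute names are an assumption for this example.
    public static final String ROLES_ATTR = "sessionRealm.roles";             // Set<String>
    public static final String PERMISSIONS_ATTR = "sessionRealm.permissions"; // Set<String>

    public SessionRealm() {
        setName("sessionRealm");
        // Session attributes can change at any time; a cached AuthorizationInfo would
        // keep granting rights after they were revoked or the session was replaced.
        setAuthorizationCachingEnabled(false);
    }

    /** Never takes part in authentication: another realm (e.g. Nimble's) owns that. */
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    /** Required by AuthenticatingRealm but unreachable because supports() is false. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        return null;
    }

    /** Builds the grant set from the current subject's existing session (never creates one). */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Session session = SecurityUtils.getSubject().getSession(false);
        if (session == null) {
            return info; // no session, no session-scoped grants
        }
        info.setRoles(stringSet(session.getAttribute(ROLES_ATTR)));
        info.setStringPermissions(stringSet(session.getAttribute(PERMISSIONS_ATTR)));
        return info;
    }

    /** Defensive copy: only String elements are accepted, anything else is ignored. */
    private static Set<String> stringSet(Object attr) {
        Set<String> out = new HashSet<String>();
        if (attr instanceof Collection<?>) {
            for (Object o : (Collection<?>) attr) {
                if (o instanceof String) {
                    out.add((String) o);
                }
            }
        }
        return out;
    }

    /** Adds grants to a session; they live exactly as long as the session does. */
    public static void grantForSession(Session session, Set<String> roles, Set<String> perms) {
        Set<String> r = stringSet(session.getAttribute(ROLES_ATTR));
        Set<String> p = stringSet(session.getAttribute(PERMISSIONS_ATTR));
        r.addAll(roles);
        p.addAll(perms);
        session.setAttribute(ROLES_ATTR, r);
        session.setAttribute(PERMISSIONS_ATTR, p);
    }

    /**
     * Example mapping from a level-of-assurance attribute (taken from an already
     * validated SAML 2 assertion) to session-scoped grants. The LoA URIs and the
     * permission strings below are made up for this example.
     */
    public static void applyLevelOfAssurance(Session session, String loa) {
        Set<String> roles = new HashSet<String>();
        Set<String> perms = new HashSet<String>();
        if ("urn:example:loa:2".equals(loa)) {
            roles.add("loa2");
            perms.add("account:view");
        } else if ("urn:example:loa:3".equals(loa)) {
            roles.add("loa3");
            perms.add("account:view");
            perms.add("account:transfer");
        }
        grantForSession(session, roles, perms);
    }
}
```

Two points worth checking in practice: `doGetAuthorizationInfo` relies on the calling thread being bound to the subject whose session holds the grants (true for requests passing through Shiro's web filter, not necessarily for background threads), and caching must stay off for this realm because `AuthorizingRealm` would otherwise serve the first `AuthorizationInfo` it built for the principals for as long as the cache entry lives, regardless of what later happens to the session.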
