Hi there, I've been evaluating using Shiro for authorization for a web application I've been working on. We have authentication done via Shibboleth, routing traffic through Apache to our web application server (GlassFish at the moment). With this setup, authentication is done via Shibboleth and the user ID (and other info) is passed to GlassFish via server request attributes. We are then using a separate service (likely Grouper or possibly something custom) to manage user roles/groups/permissions. I have half of the puzzle done, in that I've written a custom authentication realm that will be used to talk to Grouper. The other thing I would like to do is to intercept each request and attach to the SecurityUtils.getSubject() any principal information Shibboleth has passed along, so then in backing beans I can do tests against this user and/or specify conditional rendering of page elements based on whether the current subject/principal has authorization to see the info.
Currently my shiro.ini is very sparse:

    [main]
    # Objects and their properties are defined here,
    # Such as the securityManager, Realms and anything
    # else needed to build the SecurityManager
    grouperRealm = my.org.TestRealm

    [users]
    # The 'users' section is for simple deployments
    # when you only need a small number of statically-defined
    # set of User accounts.

    [roles]
    # The 'roles' section is for simple deployments
    # when you only need a small number of statically-defined
    # roles.

    [urls]
    # The 'urls' section is used for url-based security
    # in web applications. We'll discuss this section in the
    # Web documentation

And I have a JSF page with a backing bean that calls this code on each load:

    org.apache.shiro.mgt.SecurityManager sm = SecurityUtils.getSecurityManager();
    System.out.println(sm);
    final Subject subject = SecurityUtils.getSubject();
    System.out.println(subject);

I would like to have the subject here have principal information set if it's available from Shibboleth - is this the correct way to access the security manager from a backing bean/JSF? I figure I need to extend some kind of filter to add the Shibboleth info, any push in the right direction would be great.

Cheers!
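One way to do what the post asks, as an added example that is not part of the original post: a servlet filter, mapped after ShiroFilter so the SecurityManager is available, that builds the Subject from the request attribute Shibboleth supplies. The class name, the attribute name `uid`, the realm name and the `javax.servlet` namespace are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.subject.WebSubject;

// Hypothetical filter (added example); map it after ShiroFilter in web.xml.
public class ShibbolethSubjectFilter implements Filter {
    // Assumed attribute name: use the one your Shibboleth SP actually exports.
    private static final String USER_ATTR = "uid";
    // Assumed realm name recorded alongside the principal.
    private static final String REALM_NAME = "grouperRealm";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Read the container-set request attribute only. A request header or
        // parameter of the same name is client-controlled and must not be trusted.
        Object uid = req.getAttribute(USER_ATTR);
        if (!(uid instanceof String) || ((String) uid).trim().isEmpty()) {
            chain.doFilter(req, res);   // no Shibboleth identity: stay anonymous
            return;
        }
        // Shibboleth already authenticated the user, so mark the Subject as such.
        Subject subject = new WebSubject.Builder(req, res)
                .principals(new SimplePrincipalCollection(uid, REALM_NAME))
                .authenticated(true)
                .buildSubject();
        try {
            // Binds the Subject to this thread for the rest of the request, so
            // SecurityUtils.getSubject() in a backing bean returns it.
            subject.execute(() -> { chain.doFilter(req, res); return null; });
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }
}
```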
