Hey folks,
I'm a bit confused about the interaction between two different authorizing
realms.
My application is entirely permission-based; permissions are checked either
directly by calls to Subject.isPermitted or with
the PermissionsAuthorizationFilter.
My deployment environment is as follows:
Authentication is handled via Kerberos. The input is an HTTP header and the
output is a principal (for example, "kevints"). This is handled by a custom
Kerberos5Realm.
Authorization data is stored in LDAP. The input is a userId and the output
is a list of roles, populated from data in LDAP. For example "kevints" =>
{"capacity-planning", "free-ice-cream"}. This is handled by a custom
JdbcRealm.
Application role to permission mapping is stored in a shiro.ini file. This
uses an IniRealm and looks like:
[users]
# doesn't work unless I add
# kevints = _, capacity-planning
[roles]
capacity-planning = thrift:setQuota, thrift:getQuota
It seems IniRealm only provides a mapping from its internally-defined roles
to permissions. This seems counterintuitive - is there a way to get it to
provide mappings for all roles returned by any other Authorizer?
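The behaviour described above can be reproduced and worked around in a small stand-alone program. This is an added example, not code from the poster or from the Shiro project. It stands in for the three realms with constructed data: a HeaderToken and KerberosStandInRealm (hypothetical names) for the Kerberos side, an in-memory map for the LDAP role lookup, and the [roles] section of the poster's ini as a string. The point it demonstrates: IniRealm's own doGetAuthorizationInfo resolves the subject from its [users] accounts, so for a principal it never defined it returns no AuthorizationInfo at all and its [roles] mapping is never consulted. Shiro's RolePermissionResolver hook on AuthorizingRealm lets the realm that actually knows the roles (the LDAP one) expand them into the permissions defined in the ini, without adding every user to [users].

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class CrossRealmPermissions {

    // Constructed stand-in for the poster's shiro.ini: a [roles] section and no [users] entry.
    static final String SHIRO_INI =
        "[roles]\n" +
        "capacity-planning = thrift:setQuota, thrift:getQuota\n";

    // Constructed stand-in for the LDAP lookup: userId -> roles.
    static final Map<String, Set<String>> LDAP_ROLES = new HashMap<>();
    static {
        LDAP_ROLES.put("kevints", new HashSet<>(Arrays.asList("capacity-planning", "free-ice-cream")));
    }

    /** Hypothetical token carrying the principal extracted from the HTTP header. */
    static final class HeaderToken implements AuthenticationToken {
        private final String user, header;
        HeaderToken(String user, String header) { this.user = user; this.header = header; }
        public Object getPrincipal() { return user; }
        public Object getCredentials() { return header; }
    }

    /** Authentication-only stand-in for the poster's custom Kerberos5Realm. */
    static final class KerberosStandInRealm extends AuthenticatingRealm {
        KerberosStandInRealm() {
            setAuthenticationTokenClass(HeaderToken.class);
            setCredentialsMatcher(new AllowAllCredentialsMatcher()); // ticket assumed verified upstream
        }
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            return new SimpleAuthenticationInfo(t.getPrincipal(), t.getCredentials(), getName());
        }
    }

    /** Authorization-only stand-in for the LDAP-backed roles realm; never authenticates. */
    static final class LdapRolesRealm extends AuthorizingRealm {
        LdapRolesRealm(RolePermissionResolver resolver) {
            if (resolver != null) setRolePermissionResolver(resolver);
        }
        @Override public boolean supports(AuthenticationToken token) { return false; }
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) { return null; }
        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = (String) principals.getPrimaryPrincipal();
            Set<String> roles = LDAP_ROLES.getOrDefault(user, Collections.<String>emptySet());
            return new SimpleAuthorizationInfo(new HashSet<>(roles)); // roles only, no permissions yet
        }
    }

    /** Expands role names to permissions using only the [roles] section of the ini text. */
    static final class IniRolePermissionResolver implements RolePermissionResolver {
        private final Map<String, List<Permission>> byRole = new HashMap<>();
        IniRolePermissionResolver(Ini ini) {
            Ini.Section roles = ini.getSection("roles");
            if (roles == null) return;
            for (Map.Entry<String, String> e : roles.entrySet()) {
                List<Permission> perms = new ArrayList<>();
                for (String p : e.getValue().split(",")) perms.add(new WildcardPermission(p.trim()));
                byRole.put(e.getKey(), perms);
            }
        }
        public Collection<Permission> resolvePermissionsInRole(String role) {
            return byRole.getOrDefault(role, Collections.<Permission>emptyList());
        }
    }

    static Subject loginAs(String user, Realm... realms) {
        DefaultSecurityManager sm = new DefaultSecurityManager(Arrays.asList(realms));
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new HeaderToken(user, "Negotiate <constructed-ticket>"));
        return subject;
    }

    /** The poster's setup: IniRealm beside the LDAP realm. IniRealm has no account for kevints -> false. */
    static boolean permittedWithSeparateIniRealm() {
        Ini ini = new Ini();
        ini.load(SHIRO_INI);
        Subject s = loginAs("kevints", new KerberosStandInRealm(), new LdapRolesRealm(null), new IniRealm(ini));
        return s.isPermitted("thrift:setQuota");
    }

    /** Fix: the realm that supplies the roles also resolves them to permissions -> true. */
    static boolean permittedWithRolePermissionResolver() {
        Ini ini = new Ini();
        ini.load(SHIRO_INI);
        Subject s = loginAs("kevints", new KerberosStandInRealm(),
                            new LdapRolesRealm(new IniRolePermissionResolver(ini)));
        return s.isPermitted("thrift:setQuota");
    }

    public static void main(String[] args) {
        System.out.println("separate IniRealm:      " + permittedWithSeparateIniRealm());
        System.out.println("RolePermissionResolver: " + permittedWithRolePermissionResolver());
    }
}
```

Run with shiro-core on the classpath. ModularRealmAuthorizer asks every realm that is an Authorizer whether the subject is permitted and answers true if any of them does, so in the first configuration the LDAP realm contributes roles but no permissions and IniRealm contributes nothing because it never saw "kevints". In the second, the IniRealm is dropped and the same role definitions are applied by the LDAP realm through its RolePermissionResolver; with a real deployment the resolver would be built from the shiro.ini file path rather than the constructed string.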