Are you using SSL with Client Authentication? If so, then that will handle
authenticating your users. Shiro can then be used to handle your role based
access/authorization.

There's a github repo here that has some great example code -
https://github.com/SomMeri/SimpleShiroSecuredApplication. Following that
example, you'd do something like this:

* Create a Shiro Filter implementation that extracts info from the user's
X509 cert. You'd then store that info in a Shiro User token. The example
makes one that is based on the UsernamePassword token, but you can do
whatever you need. This class in the repo is a good example:
https://github.com/SomMeri/SimpleShiroSecuredApplication/blob/master/src/main/java/org/meri/simpleshirosecuredapplication/servlet/CertificateOrFormAuthenticationFilter.java

* You'd also create a custom Shiro Realm, in which you would use the token you
created to determine the user's roles. If you're configuring Shiro with an
ini file, then you might want to subclass Shiro's IniRealm class. The tricky
part is figuring out how you want to take the user's creds (as found in the
user token you created), and map them to the user's roles. You might want
to store this info in a database. You could technically make [user] entries
in the ini file that are based on each user's CN (as defined in their X509
cert), and then map each of those user accounts to a list of roles. But if
you have a lot of users, that could become really problematic.




On Wed, Mar 9, 2016 at 10:12 AM, rmpage0425 <[email protected]> wrote:

> I would like to use the shiro.ini configuration to secure Web apps using
> SSL authentication. I have successfully implemented the Web App Tutorial.
> Now my next step is to try authentication using SSL with an x509
> certificate and I am having difficulty determining the steps that must be
> done.
>
> I have successfully placed /account/** = ssl in the shiro.ini in place of
> /account/** = authc, roles[admin] but I'm not sure what else I need to do
> to associate with a user in the shiro.ini to get RBAC as with the form based
> (username/password) authentication of the tutorial.
>
> I have noticed Shiro Issue SHIRO-24 is titled "Add support for X509
> Authentication" and am wondering if this is what would be helpful for my
> situation.  I am assuming that I could implement/extend some of the Shiro
> API to do what I need to lacking that support.
>
> I also found the following which looks to be along the lines of what I
> need, but I'm not sure.
>
> https://github.com/eskatos/shiro-ext/tree/master/x509/core/src/main/java/org/apache/shiro/authc/x509
>
> Any help would be appreciated.  Thanks.
>
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/x509-authentication-tp7580976.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

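
The realm step described in the reply above, as an added example that is not part of the original thread or of either linked repository. `X509Token`, `CertCnRealm` and `rolesByCn` are hypothetical names; it assumes the servlet container has already validated the client certificate chain during the TLS handshake, and that a filter builds the token from the `javax.servlet.request.X509Certificate` request attribute.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical token: carries the client certificate the container validated.
class X509Token implements AuthenticationToken {
    final X509Certificate cert;
    X509Token(X509Certificate cert) { this.cert = cert; }
    public Object getPrincipal() { return cert.getSubjectX500Principal(); }
    public Object getCredentials() { return cert; }
}

// Hypothetical realm: maps the certificate's CN to roles, denying unmapped CNs.
public class CertCnRealm extends AuthorizingRealm {
    private final Map<String, Set<String>> rolesByCn; // assumption: loaded from a database

    public CertCnRealm(Map<String, Set<String>> rolesByCn) {
        this.rolesByCn = rolesByCn;
        // The TLS handshake already proved key possession, so there is no secret to compare.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override public boolean supports(AuthenticationToken t) { return t instanceof X509Token; }

    // Parse the subject DN with LdapName; splitting on ',' breaks on escaped values.
    static String commonName(X509Certificate cert) throws InvalidNameException {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        return null;
    }

    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
        X509Certificate cert = ((X509Token) t).cert;
        String cn;
        try { cn = commonName(cert); } catch (InvalidNameException e) { cn = null; }
        if (cn == null || !rolesByCn.containsKey(cn))
            throw new UnknownAccountException("certificate subject has no role mapping");
        return new SimpleAuthenticationInfo(cn, cert, getName());
    }

    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
        Set<String> roles = rolesByCn.get((String) p.getPrimaryPrincipal());
        return new SimpleAuthorizationInfo(roles == null ? Collections.<String>emptySet() : roles);
    }
}
```

Keying roles on the CN alone is only safe when the container's trust store is limited to a CA that issues unique CNs.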