After trying to use Apache Shiro | Java Security Framework (I am able to log in and authenticate) with
casRealm.validationProtocol = SAML
enabled I was able to log in to the app. However, I did not have permissions or role options.
What does this mean? I could not use:
...
if ( currentUser.hasRole( "schwartz" ) ) {
...
Just to see what Shiro was using I dumped the principal attributes by using:
... public void verify() {
    try {
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            // every object in the principal collection (here: the user id and the attribute map)
            List<Object> principals = subject.getPrincipals().asList();
            for (Object principal : principals) {
                logger.debug(principal.toString());
            }
            logger.info("Authenticated user: {}", subject.getPrincipal().toString());
        }
    } catch (Exception e) {
...
and got
...
Info: DEBUG [http-listener-1(1)] (StartShiro.java:35) -
{samlAuthenticationStatementAuthMethod=urn:oasis:names:tc:SAML:1.0:am:password,
authenticationMethod=LdapAuthenticationHandler, displayName=Test User,
roles=[cn=user administrator,cn=roles,cn=accounts,dc=mydomain,dc=com, cn=change
a user password,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=user
administrators,cn=privileges,cn=pbac,dc=mydomain,dc=com, cn=modify
groups,cn=permissions,cn=pbac,dc=mydomain,dc=com,
cn=developers,cn=groups,cn=accounts,dc=mydomain,dc=com, ...,
cn=cas_admin,cn=roles,cn=accounts,dc=mydomain,dc=com, ..., cn=modify
users,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=add
groups,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=remove
groups,cn=permissions,cn=pbac,dc=mydomain,dc=com],
successfulAuthenticationHandlers=LdapAuthenticationHandler,
[email protected]}
INFO [http-listener-1(1)] (StartShiro.java:38) - Authenticated user: testuser
...
So I switched to using pac4j-cas (bujiio/buji-pac4j: multi protocols (OAuth, OpenID Connect, CAS, SAML, HTTP, GAE) security extension for Shiro):
... try {
    Subject subject = SecurityUtils.getSubject();
    if (subject.isAuthenticated()) {
        // in this setup the second principal is the pac4j profile
        CommonProfile commonProfile = (CommonProfile) subject.getPrincipals().asList().get(1);
        for (String role : commonProfile.getRoles()) {
            logger.debug(role);
        }
        // the {} placeholder was missing here, so SLF4J printed the message without the argument
        logger.info("Main principal: {}", commonProfile.getDisplayName());
        // email works!
        logger.info("Authenticated user email: {}", commonProfile.getEmail());
    }
} catch (Exception e) {
...
Info: INFO [http-listener-1(1)] (StartShiro.java:38) - Main principal:
Info: INFO [http-listener-1(1)] (StartShiro.java:40) - Authenticated user
email: [email protected]
I obviously need roles and permissions. I can feel that I am pretty close but not close enough. I configured the CAS server and control the properties returned by the SAML service on the CAS server with:
...
<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid" c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <entry key="displayName" value="displayName" />
            <entry key="mail" value="email" />
            <entry key="memberOf" value="roles" />
        </map>
    </property>
</bean>
...
Still, at this point I feel there is a mapping problem between the SAML document and the Shiro client. Not sure where to proceed from here.
Here are the particulars:
CAS server: 4.2.1
Shiro core: 1.2.4
Shiro web: 1.2.4
pac4j-core: 1.8.8
pac4j-cas: 1.8.8
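One way to get those DN-valued `roles` attributes into Shiro's role and permission checks, as an added example that is not part of the original question nor of the pac4j or buji-pac4j projects: a pac4j `AuthorizationGenerator` that reads the `roles` attribute from the `CommonProfile`, splits each value as an LDAP DN on unescaped commas, and adds the leading `cn` as a pac4j role (or, for entries whose second RDN is `cn=permissions`, as a pac4j permission). It assumes pac4j 1.8.x (there the interface lives in `org.pac4j.core.authorization` and `generate` takes only the profile; both changed in later releases), that buji-pac4j's realm copies `profile.getRoles()` and `getPermissions()` into Shiro's `AuthorizationInfo`, and that the `roles` attribute arrives as a `List` of strings as the dump above suggests. The `cn=permissions` rule, the class name `LdapDnRoleGenerator` and the sample profile in `main` (constructed to mirror the dump) are my own choices.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.pac4j.core.authorization.AuthorizationGenerator; // pac4j 1.8.x location (assumed)
import org.pac4j.core.profile.CommonProfile;

/**
 * Maps the multi-valued "roles" attribute released by CAS (LDAP DNs copied from
 * memberOf) onto pac4j roles and permissions, which the buji-pac4j realm is
 * assumed to expose to Shiro's hasRole()/isPermitted().
 *
 * Rule used here (my assumption about the directory layout seen in the dump):
 *   cn=X,cn=permissions,cn=pbac,...  -> permission "X"
 *   cn=X,<anything else>             -> role "X"
 */
public class LdapDnRoleGenerator implements AuthorizationGenerator<CommonProfile> {

    private final String attributeName;

    /** No-arg constructor so the class can be instantiated from shiro.ini. */
    public LdapDnRoleGenerator() {
        this("roles");
    }

    public LdapDnRoleGenerator(String attributeName) {
        this.attributeName = attributeName;
    }

    @Override
    public void generate(CommonProfile profile) {
        for (String dn : asStrings(profile.getAttribute(attributeName))) {
            List<String> rdns = splitRdns(dn);
            if (rdns.isEmpty() || !rdns.get(0).toLowerCase().startsWith("cn=")) {
                continue; // not a cn-led DN: ignore rather than guess a name
            }
            String name = rdns.get(0).substring("cn=".length());
            if (rdns.size() > 1 && rdns.get(1).equalsIgnoreCase("cn=permissions")) {
                profile.addPermission(name);
            } else {
                profile.addRole(name);
            }
        }
    }

    /** CAS hands back a String for a single value and a Collection for several. */
    static Collection<String> asStrings(Object raw) {
        if (raw == null) {
            return Collections.emptyList();
        }
        if (raw instanceof Collection) {
            List<String> out = new ArrayList<String>();
            for (Object o : (Collection<?>) raw) {
                out.add(String.valueOf(o));
            }
            return out;
        }
        return Collections.singletonList(raw.toString());
    }

    /** Splits a DN on unescaped commas; a backslash escapes the next character (e.g. "\,"). */
    static List<String> splitRdns(String dn) {
        List<String> rdns = new ArrayList<String>();
        StringBuilder current = new StringBuilder();
        for (int i = 0; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (c == '\\' && i + 1 < dn.length()) {
                current.append(dn.charAt(++i)); // keep the escaped character literally
            } else if (c == ',') {
                rdns.add(current.toString().trim());
                current.setLength(0);
            } else {
                current.append(c);
            }
        }
        if (current.length() > 0) {
            rdns.add(current.toString().trim());
        }
        return rdns;
    }

    public static void main(String[] args) {
        // Constructed sample profile mirroring the attribute dump in the question.
        CommonProfile profile = new CommonProfile();
        profile.addAttribute("roles", Arrays.asList(
            "cn=user administrator,cn=roles,cn=accounts,dc=mydomain,dc=com",
            "cn=change a user password,cn=permissions,cn=pbac,dc=mydomain,dc=com",
            "cn=developers,cn=groups,cn=accounts,dc=mydomain,dc=com"));
        new LdapDnRoleGenerator().generate(profile);
        System.out.println("roles=" + profile.getRoles());
        System.out.println("permissions=" + profile.getPermissions());
    }
}
```

Wiring, stated as an assumption I have not verified against these exact versions: pac4j 1.8's `BaseClient` exposes an `authorizationGenerator` property, so in shiro.ini something like `roleGen = com.example.LdapDnRoleGenerator` followed by `casClient.authorizationGenerator = $roleGen` should attach it to the CAS client. Shiro's own `CasRealm` also has `roleAttributeNames` and `permissionAttributeNames`, but as far as I recall it expects each attribute value to be a single `String` that it splits on commas, which does not fit a multi-valued attribute whose values are themselves comma-separated DNs; that is why the split on unescaped commas is done here instead.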