Hi Telmo! Sorry for the late reply.
> How can I, after creating a Shiro Subject, add roles to it?

and

> it would be better to use something like an AuthorizingRealm

You are right: it is usually the realms which add roles to a subject. And actually, the roles are not bound at login time. Instead they are queried when you call the "hasRole" or "isPermitted" methods.

This is the call chain:

DelegatingSubject.isPermitted -> AuthorizingSecurityManager.isPermitted -> AuthorizingRealm.isPermitted

That means a Subject knows its AuthorizingSecurityManager. The AuthorizingSecurityManager knows its Realm.

We do have some documentation about this [1].

Does this help?

- Ben

[1]: https://shiro.apache.org/securitymanager.html

On Tue., 19 July 2022 at 23:52, Telmo Brugnara <[email protected]> wrote:
>
> Hi there,
>
> I'm working on a Shiro/Keycloak integration, and the authentication
> part is working. But I suspect I might not be doing it the "proper"
> way.
>
> I've created an AuthenticationFilter where I check if there is an
> active authenticated keycloak user, and if so I build a Shiro Subject
> and bind it to the ThreadContext.
>
> So I have two questions:
>
> 1. Although it works ok, I didn't find a way to associate the Keycloak
> roles with the Shiro Subject. How can I, after creating a Shiro
> Subject, add roles to it?
> (relevant code:
> https://github.com/tbrugz/queryon/blob/master/qon-auth-keycloak/src/main/java/tbrugz/queryon/shiro/KeycloakAuthFilter.java#L52)
>
> 2. To use an AuthenticationFilter might not be the best way to do
> this, and maybe it would be better to use something like an
> AuthorizingRealm... If so, is there any example that fits this kind of
> integration?
>
> Regards,
> Telmo
>
> ps: Also, if anyone is interested in such an integration,
> documentation and code can be found here:
> https://github.com/tbrugz/queryon/tree/master/qon-auth-keycloak
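The call chain Ben describes (Subject -> SecurityManager -> Realm) is easiest to see with an AuthorizingRealm that carries the Keycloak roles. The code below is an added example, not code from this thread or from the queryon project. It assumes the filter sits behind the Keycloak adapter, which has already verified the user, and that the filter hands the realm a hypothetical KeycloakToken (username plus the role set read from the verified access token) instead of building a Subject by hand. The package name, KeycloakToken and loginFromKeycloak are assumptions made for the example; the Shiro classes are real.

```java
package example.shiro; // hypothetical package, not from queryon

import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Added example: a realm that answers hasRole()/isPermitted() from roles the
 * filter obtained from Keycloak. Assumption: the Keycloak adapter has already
 * verified the user before the filter builds a KeycloakToken. The realm does
 * not re-verify anything, so it must never receive a caller-supplied token.
 */
public class KeycloakRealm extends AuthorizingRealm {

    /** Hypothetical token type: the verified username and its Keycloak roles. */
    public static final class KeycloakToken implements AuthenticationToken {
        private final String username;
        private final Set<String> roles;

        public KeycloakToken(String username, Set<String> roles) {
            this.username = username;
            this.roles = Collections.unmodifiableSet(roles);
        }

        public Set<String> getRoles() { return roles; }

        @Override public Object getPrincipal() { return username; }
        /** No secret to check here; Keycloak already authenticated the user. */
        @Override public Object getCredentials() { return null; }
    }

    public KeycloakRealm() {
        // Shiro's default matcher would compare credentials; Keycloak did that.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof KeycloakToken;
    }

    /** Called by Subject.login(): keep the token as a principal so roles reach authorization. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        KeycloakToken kt = (KeycloakToken) token;
        // Primary principal is the username; the token rides along for doGetAuthorizationInfo.
        PrincipalCollection principals =
                new SimplePrincipalCollection(Arrays.asList(kt.getPrincipal(), kt), getName());
        return new SimpleAuthenticationInfo(principals, null);
    }

    /** Called lazily from hasRole()/isPermitted() via the SecurityManager, as the reply describes. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        KeycloakToken kt = principals.oneByType(KeycloakToken.class);
        if (kt == null) {
            return null; // not one of ours: no roles, no permissions
        }
        return new SimpleAuthorizationInfo(kt.getRoles());
    }

    /** What the filter would do instead of assembling a Subject and binding it to ThreadContext. */
    public static Subject loginFromKeycloak(String username, Set<String> keycloakRoles) {
        Subject subject = SecurityUtils.getSubject();
        subject.login(new KeycloakToken(username, keycloakRoles));
        return subject;
    }

    // Stand-alone wiring for the demo; in a web app ShiroFilter / shiro.ini does this.
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new KeycloakRealm()));

        // Constructed sample: roles as the filter would read them from the Keycloak access token.
        Subject alice = loginFromKeycloak("alice", Set.of("user", "admin"));
        System.out.println(alice.getPrincipal() + " admin? " + alice.hasRole("admin"));
        System.out.println(alice.getPrincipal() + " audit? " + alice.hasRole("audit"));
        alice.logout();
    }
}
```

Two things worth knowing when adapting this: SimpleAuthorizationInfo built only from roles makes isPermitted() return false until you attach permissions (addStringPermission, or a RolePermissionResolver on the realm); and if a CacheManager is configured, AuthorizingRealm caches the AuthorizationInfo per principal, so role changes in Keycloak are only picked up on the next login unless you clear the cache.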
