Yes, it did, thanks Benjamin! I've managed to create a KeycloakShiroRealm [1] to handle the roles ;)
I'm still using an AuthenticationFilter, but now I'm creating the subject with the WebSubject.Builder.

The current solution is a bit (a lot?) hacky, since I had to use reflection to unwrap the ShiroHttpServletRequest to get the original Principal (getUserPrincipal()) from which the keycloak roles can be retrieved, but it works ok.

If anyone has suggestions of improvements I'd be happy to hear

Regards,
Telmo

[1] https://github.com/tbrugz/queryon/blob/master/qon-auth-keycloak/src/main/java/tbrugz/queryon/shiro/KeycloakShiroRealm.java

On Mon, Jul 25, 2022 at 3:56 PM Benjamin Marwell <[email protected]> wrote:
>
> Hi Telmo!
>
> Sorry for the late reply.
>
> > How can I, after creating a Shiro Subject, add roles to it?
>
> and
>
> > it would be better to use something like an AuthorizingRealm
>
> You are right: It is usually the realms which add roles to a subject.
> And actually, the roles are not bound to on login-time. Instead they
> are queried when you call the "hasRole" or "isPermitted" methods.
>
> This is the call chain:
> DelegatingSubject.isPermitted ->
> AuthorizingSecurityManager.isPermitted -> AuthorizingRealm.isPermitted
>
> That means a Subject knows its AuthorizingSecurityManager. The
> AuthorizingSecurityManager knows its Realm. We do have some
> documentation about this [1].
>
> Does this help?
>
> - Ben
>
> [1]: https://shiro.apache.org/securitymanager.html
>
> On Tue, Jul 19, 2022 at 11:52 PM Telmo Brugnara <[email protected]> wrote:
> >
> > Hi there,
> >
> > I'm working on a Shiro/Keycloak integration, and the authentication
> > part is working. But I suspect I might not be doing it the "proper"
> > way.
> >
> > I've created an AuthenticationFilter where I check if there is an
> > active authenticated keycloak user, and if so I build a Shiro Subject
> > and bind it to the ThreadContext.
> >
> > So I have two questions:
> >
> > 1. Although it works ok, I didn't find a way to associate the Keycloak
> > roles with the Shiro Subject. How can I, after creating a Shiro
> > Subject, add roles to it?
> > (relevant code:
> > https://github.com/tbrugz/queryon/blob/master/qon-auth-keycloak/src/main/java/tbrugz/queryon/shiro/KeycloakAuthFilter.java#L52)
> >
> > 2. To use an AuthenticationFilter might not be the best way to do
> > this, and maybe it would be better to use something like an
> > AuthorizingRealm... If so, is there any example that fits this kind of
> > integration?
> >
> > Regards,
> > Telmo
> >
> > ps: Also, if anyone is interested in such an integration,
> > documentation and code can be found here:
> > https://github.com/tbrugz/queryon/tree/master/qon-auth-keycloak
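
The thread describes roles being resolved by the realm when hasRole or isPermitted is called, rather than attached to the Subject at login. A minimal realm of that shape follows as an added example; it is not code from this thread or from the queryon project. ExternalRolesRealm, ExternalPrincipal and ExternalToken are hypothetical names, the sample identity is constructed, and shiro-core is assumed to be on the classpath.

```java
import java.io.Serializable;
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;

public class ExternalRolesRealm extends AuthorizingRealm {
    /** Hypothetical principal: user name plus the roles the IdP adapter already verified. */
    public static final class ExternalPrincipal implements Serializable {
        final String name; final Set<String> roles;
        public ExternalPrincipal(String name, Set<String> roles) {
            this.name = name; this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
    }
    /** Hypothetical token; only the auth filter should build it, after external authentication. */
    public static final class ExternalToken implements AuthenticationToken {
        private final ExternalPrincipal principal;
        public ExternalToken(ExternalPrincipal principal) { this.principal = principal; }
        @Override public Object getPrincipal() { return principal; }
        @Override public Object getCredentials() { return null; } // verified upstream, none to check
    }

    public ExternalRolesRealm() {
        setAuthenticationTokenClass(ExternalToken.class); // ignore every other token type
        // Safe only because ExternalToken is never built from untrusted request data.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        if (!(token.getPrincipal() instanceof ExternalPrincipal))
            throw new AuthenticationException("no externally authenticated principal");
        return new SimpleAuthenticationInfo(token.getPrincipal(), null, getName());
    }
    /** Called lazily by hasRole()/isPermitted(), not at login time. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        ExternalPrincipal p = principals.oneByType(ExternalPrincipal.class);
        // Default deny: a principal this realm does not recognise gets no roles.
        return new SimpleAuthorizationInfo(p == null ? Collections.<String>emptySet() : p.roles);
    }
    public static void main(String[] args) {
        Subject subject = new Subject.Builder(new DefaultSecurityManager(new ExternalRolesRealm())).buildSubject();
        // Constructed sample identity, standing in for what the filter reads from the IdP adapter.
        subject.login(new ExternalToken(new ExternalPrincipal("alice", Collections.singleton("report-reader"))));
        System.out.println(subject.hasRole("report-reader") + " " + subject.hasRole("admin"));
    }
}
```

Because the roles travel inside the principal, the realm never needs to unwrap the servlet request; the filter only has to copy the verified roles into the principal before calling login.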
