Hi François,

Sounds interesting. Do you mind sharing the highlights of how you use the cache to sync the authorization and authentication of the principal?

Thanks
Stephen

On Thu, Jul 28, 2022 at 4:12 AM Francois Papon <[email protected]> wrote:
> Hi,
>
> I already did something like this for a jwt realm and I used the shiro
> cache to sync the authorization and authentication of the principal.
>
> regards,
>
> François
>
> On 28/07/2022 05:28, Telmo Brugnara wrote:
> > Yes, it did, thanks Benjamin! I've managed to create a
> > KeycloakShiroRealm [1] to handle the roles ;)
> >
> > I'm still using an AuthenticationFilter, but now I'm creating the
> > subject with the WebSubject.Builder
> >
> > The current solution is a bit (a lot?) hacky, since I had to use
> > reflection to unwrap the ShiroHttpServletRequest to get the original
> > Principal (getUserPrincipal()) from which the keycloak roles can be
> > retrieved, but it works ok
> >
> > If anyone has suggestions of improvements I'd be happy to hear
> >
> > Regards,
> > Telmo
> >
> > [1] https://github.com/tbrugz/queryon/blob/master/qon-auth-keycloak/src/main/java/tbrugz/queryon/shiro/KeycloakShiroRealm.java
> >
> > On Mon, Jul 25, 2022 at 3:56 PM Benjamin Marwell <[email protected]> wrote:
> >> Hi Telmo!
> >>
> >> Sorry for the late reply.
> >>
> >>> How can I, after creating a Shiro Subject, add roles to it?
> >> and
> >>
> >>> it would be better to use something like an AuthorizingRealm
> >> You are right: It is usually the realms which add roles to a subject.
> >> And actually, the roles are not bound to on login-time. Instead they
> >> are queried when you call the "hasRole" or "isPermitted" methods.
> >>
> >> This is the call chain:
> >> DelegatingSubject.isPermitted ->
> >> AuthorizingSecurityManager.isPermitted -> AuthorizingRealm.isPermitted
> >>
> >> That means a Subject knows its AuthorizingSecurityManager. The
> >> AuthorizingSecurityManager knows its Realm. We do have some
> >> documentation about this [1].
> >>
> >> Does this help?
> >>
> >> - Ben
> >>
> >> [1]: https://shiro.apache.org/securitymanager.html
> >>
> >> On Tue, 19 Jul 2022 at 23:52, Telmo Brugnara <[email protected]> wrote:
> >>> Hi there,
> >>>
> >>> I'm working on a Shiro/Keycloak integration, and the authentication
> >>> part is working. But I suspect I might not be doing it the "proper"
> >>> way.
> >>>
> >>> I've created an AuthenticationFilter where I check if there is an
> >>> active authenticated keycloak user, and if so I build a Shiro Subject
> >>> and bind it to the ThreadContext.
> >>>
> >>> So I have two questions:
> >>>
> >>> 1. Although it works ok, I didn't find a way to associate the Keycloak
> >>> roles with the Shiro Subject. How can I, after creating a Shiro
> >>> Subject, add roles to it?
> >>> (relevant code:
> >>> https://github.com/tbrugz/queryon/blob/master/qon-auth-keycloak/src/main/java/tbrugz/queryon/shiro/KeycloakAuthFilter.java#L52 )
> >>>
> >>> 2. To use an AuthenticationFilter might not be the best way to do
> >>> this, and maybe it would be better to use something like an
> >>> AuthorizingRealm... If so, is there any example that fits this kind of
> >>> integration?
> >>>
> >>> Regards,
> >>> Telmo
> >>>
> >>> ps: Also, if anyone is interested in such an integration,
> >>> documentation and code can be found here:
> >>> https://github.com/tbrugz/queryon/tree/master/qon-auth-keycloak
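The mechanism Ben describes above (roles are resolved by the realm when hasRole/isPermitted is called, not attached to the Subject when it is built), as an added example that is not from this thread or the queryon project: a minimal AuthorizingRealm that turns roles carried by an identity-provider principal into Shiro roles. The IdpPrincipal type is a hypothetical stand-in for whatever the Keycloak filter exposes via getUserPrincipal(); the "query:*" permission mapping and the sample user are constructed.

```java
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;

public class IdpRoleRealmExample {
    // Constructed, hypothetical stand-in for the principal the IdP filter leaves on
    // the request (what getUserPrincipal() would hand back): a name plus IdP roles.
    static final class IdpPrincipal {
        final String name; final Set<String> roles;
        IdpPrincipal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    // Roles live in the realm, not on the Subject: Shiro calls this method when
    // hasRole()/isPermitted() is evaluated, not when the Subject is built.
    static final class IdpRealm extends AuthorizingRealm {
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            IdpPrincipal p = (IdpPrincipal) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRoles(p.roles);                 // IdP-asserted roles become Shiro roles
            if (p.roles.contains("admin")) {        // hypothetical role-to-permission mapping
                info.addStringPermission("query:*");
            }
            return info;
        }
        // Authentication already happened upstream in the IdP filter; nothing to verify here.
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
        }
    }

    public static void main(String[] args) {
        IdpRealm realm = new IdpRealm();
        realm.setAuthorizationCachingEnabled(false); // resolve on every check; set a CacheManager to cache instead
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(sm);
        IdpPrincipal alice = new IdpPrincipal("alice", Set.of("admin", "user")); // constructed sample user
        Subject subject = new Subject.Builder(sm)
                .principals(new SimplePrincipalCollection(alice, realm.getName()))
                .authenticated(true).buildSubject();
        System.out.println("hasRole(admin): " + subject.hasRole("admin"));          // answered by IdpRealm
        System.out.println("isPermitted(query:run): " + subject.isPermitted("query:run"));
        System.out.println("hasRole(auditor): " + subject.hasRole("auditor"));
    }
}
```

Because the Subject is built from a PrincipalCollection tagged with the realm's name, the realm can be fed the IdP principal directly instead of reaching into the wrapped request with reflection; with authorization caching left on and a CacheManager configured, the roles are looked up once per principal and served from the cache afterwards.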
