On Sun, Dec 21, 2014 at 8:55 AM, Charles Karow <char...@karow.com> wrote:

> I'm using Tynamo Tapestry-Security 0.6.0 with Tapestry 5.4, and finding it
> a very useful tool!!
> I am implementing two realms for two different classes of users that are
> stored in different tables in the database; both will use username/password
> authentication, and thus the same authentication token type. They are
> mutually exclusive - any given user will be found in one realm and not
> found in the other, so I will always have one realm that fails to
> authenticate.
> I see that in Tynamo the default authentication strategy has been replaced
> with a custom FirstExceptionStrategy, which improves the exception
> handling, but will only work if there is only one Realm per Token type.
> (See http://jira.codehaus.org/browse/TYNAMO-154) While I appreciate and
> value the ability to get the original exceptions, right now it seems more
> important to me to be able to have the two realms.
> So it seems to me that I should change the authentication strategy to one
> of Shiro's (e.g. "First Successful" or "At Least One Successful"), or
> eventually create my own custom strategy that would give me the best of
> both worlds, by passing on the correct exceptions, while allowing multiple
> realms using the same token type.
>

If you know the type of the user at login time (for example, your users
have different entry points or they pick a specific domain), it'd be far
easier to create separate tokens for each realm. The type of the token
tells the realm whether it should participate in the authentication of that
token, so if you use the same token for both realms, it'll always try and
fail one.


> I have tried to change the authentication strategy in my AppModule with
> the following code in addRealms():
>
>         SecurityManager sm = SecurityUtils.getSecurityManager();
>         DefaultWebSecurityManager wsm = (DefaultWebSecurityManager)sm;  // <<---- Class cast fails
>         ModularRealmAuthenticator mra = (ModularRealmAuthenticator) wsm.getAuthenticator();
>         mra.setAuthenticationStrategy(new FirstSuccessfulStrategy());
>
> It fails because the returned SecurityManager is actually the IOC
> ServiceProxy and not the SecurityManager object. I tried similar code in
> the Realm's constructor, with a similar failure.
>

Yeah, I've never liked that part of Shiro's native API myself (that in
multiple places you are required to downcast to specific types to reveal
more functionality). However, I've tried to publish enough of the security
API as services, so you don't have to navigate through Shiro's object tree
(native Shiro doesn't have such luxuries as an IoC container). In this case
as well, ModularRealmAuthenticator is a service, so you can just obtain it
directly and set a different authentication strategy. See the source for
SecurityModule to find out what exactly is published as a service (
https://github.com/tynamo/tapestry-security/blob/master/src/main/java/org/tynamo/security/services/SecurityModule.java
).

Kalle
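
The token-per-realm routing described in the reply above, as an added example that is not part of the original thread or of Tynamo's code. The class names `StaffToken`, `CustomerToken` and `TokenPerRealmExample` are hypothetical, the in-memory `SimpleAccountRealm` instances stand in for the two database-backed realms, and shiro-core is assumed to be on the classpath.

```java
import java.util.Arrays;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;

public class TokenPerRealmExample {
    // Hypothetical token types, one per user class. They are siblings:
    // neither extends the other, so supports() can tell them apart.
    static class StaffToken extends UsernamePasswordToken {
        StaffToken(String user, String password) { super(user, password); }
    }
    static class CustomerToken extends UsernamePasswordToken {
        CustomerToken(String user, String password) { super(user, password); }
    }

    // Stand-in for a realm backed by one user table (constructed sample data).
    static Realm realm(String name, Class<? extends UsernamePasswordToken> tokenType,
                       String user, String password) {
        SimpleAccountRealm realm = new SimpleAccountRealm(name);
        // Without this call the realm accepts any UsernamePasswordToken,
        // including both subclasses, and would be tried for every login.
        realm.setAuthenticationTokenClass(tokenType);
        realm.addAccount(user, password);
        return realm;
    }

    public static void main(String[] args) {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setRealms(Arrays.asList(
                realm("staffRealm", StaffToken.class, "alice", "s3cret"),
                realm("customerRealm", CustomerToken.class, "bob", "hunter2")));

        // Only staffRealm supports StaffToken; customerRealm is skipped.
        AuthenticationInfo info = authenticator.authenticate(new StaffToken("alice", "s3cret"));
        System.out.println("authenticated by " + info.getPrincipals().getRealmNames());

        // The same credentials presented as a customer never reach the staff table.
        try {
            authenticator.authenticate(new CustomerToken("alice", "s3cret"));
            System.out.println("unexpected success");
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because each login is checked by exactly one realm, a failure reported to the caller comes from the realm that actually owns that class of user.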
