Shiro: Forcing second realm authentication even though existing session is already authenticated via other realm
In my web application that uses Apache Shiro for AuthC and AuthZ I have two authentication realms: one for the regular web interface (called SsoRealm) and another one for the REST API (called RestRealm) using an API token. The principals authenticated by both realms have disjunct permissions (and AuthenticationTokens). If there is no pre-existing session and an API call arrives via the REST interface everything is fine and the authentication (and authorization) happens via the RestRealm. However, if there is an existing session previously authenticated via the SsoRealm no authentication attempt via the RestRealm happens and the consecutive authorization check (using Subject.isPermitted) fails as the subject is from the wrong realm.
The corresponding authentication filters are registered as (using Shiro Guice):
addFilterChain("/api/x/*/y", REST_AUTH, NO_SESSION_CREATION);
addFilterChain("/**", SSO_AUTH);
Is there anything I can do to force a re-authentication with the "correct" realm? Would a custom AuthenticationStrategy help (i.e., does the AuthenticationStrategy contract allow the implementation of a strategy "if RestRealm is involved, the RestRealm authentication needs to be successful")? AFAICS ModularRealmAuthenticator.doMultiRealmAuthentication is not called again if there is an existing authenticated session...
It turns out this is easy to solve: just override AuthenticatingFilter#isAccessAllowed to make sure the "correct" principal type for your realm has been authenticated (the default implementation only uses Subject#isAuthenticated to test whether any principal at all has been authenticated, regardless of whether it belongs to this realm).