
Shiro: Forcing second realm authentication even though existing session is already authenticated via other realm

In my web application that uses Apache Shiro for AuthC and AuthZ I have two authentication realms: one for the regular web interface (called SsoRealm) and another one for the REST API (called RestRealm) using an API token. The principals authenticated by both realms have disjunct permissions (and AuthenticationTokens). If there is no pre-existing session and an API call arrives via the REST interface everything is fine and the authentication (and authorization) happens via the RestRealm. However, if there is an existing session previously authenticated via the SsoRealm, no authentication attempt via the RestRealm happens and the consecutive authorization check (using Subject.isPermitted) fails as the subject is from the wrong realm.

The corresponding authentication filters are registered as (using Shiro Guice):

addFilterChain("/api/x/*/y", REST_AUTH, NO_SESSION_CREATION);
addFilterChain("/**", SSO_AUTH);

Is there anything I can do to force a re-authentication with the "correct" realm?

Would a custom AuthenticationStrategy help (i.e., does the AuthenticationStrategy contract allow the implementation of a strategy "if RestRealm is involved, the RestRealm authentication needs to be successful")? AFAICS ModularRealmAuthenticator.doMultiRealmAuthentication is not called again if there is an existing authenticated session...

It turns out this problem is easy to solve: just override AuthenticatingFilter#isAccessAllowed to make sure that the "correct" principal type for your realm has been authenticated (the default implementation only uses Subject#isAuthenticated to test whether any principal at all is authenticated, regardless of whether it fits the realm).
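The override described in the answer, written out as an added example (this is not code from the question, the answer, or the Shiro project). It assumes the REST chain is backed by a filter extending Shiro's AuthenticatingFilter, that the RestRealm returns a RestApiPrincipal as the primary principal, and that the API token arrives in an X-Api-Token header; the RestApiPrincipal and RestApiToken classes, the header name and the isAccessAllowed logic are all assumptions made for the example.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Filter for the REST chain ("/api/x/*&#47;y" in the question). Access is only
 * granted when the current Subject was authenticated by the RestRealm, i.e. its
 * primary principal is a RestApiPrincipal. A Subject that is authenticated but
 * carries an SSO principal is treated as NOT authenticated for this chain, so a
 * RestRealm login is attempted with the API token from the request.
 */
public class RestApiAuthenticatingFilter extends AuthenticatingFilter {

    // Assumed header name carrying the API token; not taken from the page.
    private static final String API_TOKEN_HEADER = "X-Api-Token";

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        Subject subject = getSubject(request, response);
        // Replace the default "any authenticated principal" check with a
        // realm-specific one: only a RestRealm principal counts.
        boolean authenticatedByRestRealm = subject.isAuthenticated()
                && subject.getPrincipal() instanceof RestApiPrincipal;
        // Keep AuthenticatingFilter's "permissive" behaviour for non-login requests.
        return authenticatedByRestRealm
                || (!isLoginRequest(request, response) && isPermissive(mappedValue));
    }

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String apiToken = WebUtils.toHttp(request).getHeader(API_TOKEN_HEADER);
        return new RestApiToken(apiToken);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        String apiToken = WebUtils.toHttp(request).getHeader(API_TOKEN_HEADER);
        if (apiToken == null || apiToken.isEmpty()) {
            // No token at all: reject without attempting a login.
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        // Runs createToken() and Subject.login(); the RestRealm must now succeed.
        return executeLogin(request, response);
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        try {
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (java.io.IOException ignored) {
            // Response already committed; nothing more to do.
        }
        return false;
    }

    /** Assumed principal type produced by the RestRealm (example only). */
    public static final class RestApiPrincipal {
        private final String clientId;
        public RestApiPrincipal(String clientId) { this.clientId = clientId; }
        public String getClientId() { return clientId; }
    }

    /** Assumed token type consumed by the RestRealm (example only). */
    public static final class RestApiToken implements AuthenticationToken {
        private final String apiToken;
        public RestApiToken(String apiToken) { this.apiToken = apiToken; }
        @Override public Object getPrincipal() { return apiToken; }
        @Override public Object getCredentials() { return apiToken; }
    }
}
```

One point to check in your own setup: when an SSO session already exists, executeLogin binds the new RestRealm principals to that same session, so the browser session is effectively switched to the API identity. Whether that is acceptable depends on your application; if it is not, the REST login should be made to run against a session-less Subject rather than reusing the one established through the SsoRealm.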
