
I have an already finished J2EE (JSF, CDI, JPA) application that uses Apache Shiro perfectly; it works pretty well and I'm enjoying the Shiro annotations (hasRole, hasPermission, etc.).

Now this project has to be capable of authenticating with SiteMinder as well, and here comes my question:

  • How can I set up a Realm to handle SiteMinder authentication without losing Shiro authorization? (It seems that SiteMinder will give me the username and role name in HTTP headers.)
  • If I create a custom Realm, do the "doGetAuthenticationInfo" and log the user in to a Session, what will happen with the SiteMinder session?
  • If I set "subject.getSession().setTimeout(1000);" in Shiro, what will happen with the SiteMinder session that already has a defined timeout?

My purpose is to use SiteMinder for authentication (and to control my session) and leave Shiro just for authorization. Shiro cannot intrude on the SiteMinder session.


1 Answer

How can I set up a Realm to handle SiteMinder authentication without losing Shiro authorization? (It seems that SiteMinder will give me the username and role name in HTTP headers.)

In this case you'll need to have two realms: one that handles authentication and another one to handle authorization. Take a look at this one for how to.

If I create a custom Realm, do the "doGetAuthenticationInfo" and log the user in to a Session, what will happen with the SiteMinder session?

Your custom realm will be responsible for being the client to SiteMinder, so doGetAuthenticationInfo will return whatever you get back from SiteMinder. I'm not familiar with SiteMinder, but you might check the CAS realm as an example.

If I set "subject.getSession().setTimeout(1000);" in Shiro, what will happen with the SiteMinder session that already has a defined timeout?

I think there is a confusion here: when you use an SSO solution, the session is managed by the SSO server and not by the client.

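The two-realm layout the answer describes, worked through as an added example (this is not code from the question, the answer, or the Shiro or SiteMinder projects). It assumes the SiteMinder agent in front of the application injects the user name in an `SM_USER` header and a comma-separated role list in an `SM_ROLES` header; both header names, the class names and the role-list format are assumptions to be checked against your agent configuration. The first realm only authenticates (it trusts the header-derived token, since the agent already checked the credentials); the second only authorizes, turning the header roles into Shiro roles so the existing `hasRole`/`hasPermission` annotations keep working unchanged. The filter re-derives the identity from the headers on every request that is not yet authenticated.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;

/** Identity asserted by the SiteMinder agent; becomes the Shiro Subject's principal. */
final class SiteMinderPrincipal implements Serializable {
    final String username;
    final Set<String> roles;
    SiteMinderPrincipal(String username, Set<String> roles) {
        this.username = username;
        this.roles = Collections.unmodifiableSet(new LinkedHashSet<>(roles));
    }
    @Override public String toString() { return username; }
}

/** Token built from the request headers. There is no password to verify: the agent did that. */
final class SiteMinderToken implements AuthenticationToken {
    private final SiteMinderPrincipal principal;
    SiteMinderToken(SiteMinderPrincipal principal) { this.principal = principal; }
    @Override public Object getPrincipal() { return principal; }
    @Override public Object getCredentials() { return ""; }
}

/** Realm 1: authentication only. It accepts SiteMinder tokens and nothing else. */
public class SiteMinderRealm extends AuthenticatingRealm {
    public SiteMinderRealm() {
        setAuthenticationTokenClass(SiteMinderToken.class);      // supports() is true only for our token
        setCredentialsMatcher(new AllowAllCredentialsMatcher()); // nothing to compare against
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        SiteMinderPrincipal p = (SiteMinderPrincipal) token.getPrincipal();
        return new SimpleAuthenticationInfo(p, "", getName());
    }
}

/** Realm 2: authorization only. Maps the header roles to Shiro roles so @RequiresRoles etc. keep working. */
public class SiteMinderAuthorizingRealm extends AuthorizingRealm {
    @Override public boolean supports(AuthenticationToken token) { return false; } // never authenticates
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) { return null; }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        SiteMinderPrincipal p = principals.oneByType(SiteMinderPrincipal.class);
        if (p != null) {
            info.addRoles(p.roles); // permissions could be looked up from JPA by p.username here
        }
        return info;
    }
}

/** Web filter: turns the agent headers into a Shiro login for any request that is not yet authenticated. */
public class SiteMinderFilter extends AuthenticatingFilter {
    // Assumed header names; confirm them in the agent configuration.
    static final String USER_HEADER = "SM_USER";
    static final String ROLES_HEADER = "SM_ROLES";

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        HttpServletRequest http = (HttpServletRequest) request;
        String user = http.getHeader(USER_HEADER);
        if (user == null || user.trim().isEmpty()) return null;
        Set<String> roles = new LinkedHashSet<>();
        String rolesHeader = http.getHeader(ROLES_HEADER);
        if (rolesHeader != null) {
            for (String r : rolesHeader.split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
        }
        return new SiteMinderToken(new SiteMinderPrincipal(user.trim(), roles));
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (createToken(request, response) == null) {
            // No agent header: the request did not pass through SiteMinder. Fail closed.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        return executeLogin(request, response); // createToken() + subject.login(token)
    }
}
```

Wire the two realms and the filter up in `shiro.ini` (`[main]` entries for `SiteMinderRealm`, `SiteMinderAuthorizingRealm` and `siteMinder = ...SiteMinderFilter`, then `/** = siteMinder` under `[urls]`). Two checks a practitioner will want before trusting this: first, the realm believes whatever is in the header, so the application must be reachable only through the agent or proxy that sets and strips those headers, otherwise any client can forge `SM_USER`. Second, on the session question: because the filter re-authenticates from the header whenever the Subject is not authenticated, you can disable Shiro's own session-backed subject state (`securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false` in `[main]`) and let the SiteMinder session be the only one with a timeout; a `subject.getSession().setTimeout(...)` call in Shiro then only affects a Shiro session created on demand and never touches the SiteMinder one.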