
I am trying to create a simple Authorizing Realm for Apache Shiro for testing:

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyAuthRealm extends AuthorizingRealm {
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Same answer for every principal: one role and one wildcard permission
        SimpleAuthorizationInfo sai = new SimpleAuthorizationInfo();
        sai.addRole("kota");
        sai.addStringPermission("koko:*:view");
        return sai;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // This realm authenticates nobody; null means "no account known here"
        return null;
    }
}

As you can see it doesn't care about who the user is - it just returns a role and a specific permission.

Now, I am trying to test that in the following snippet:

// 'out' is the servlet/JSP writer this snippet runs in
Subject subject = SecurityUtils.getSubject();
if (subject.hasRole("kota")) {
    out.write("kota ");
}
if (subject.hasRole("kota2")) {
    out.write("kota2 ");
}
// "koko:*:view" implies "koko:toto:view" (the wildcard covers the second part) ...
if (subject.isPermitted("koko:toto:view")) {
    out.write("koko ");
}
// ... but not "koko2:toto:view": WildcardPermission compares parts one by one, and "koko" != "koko2"
if (subject.isPermitted("koko2:toto:view")) {
    out.write("koko2 ");
}

And I receive the following output

kota koko koko2 

:(

So it seems that the role is configured correctly (since the user only has the role kota), but the permission is not (why is koko2 printed?)!

Can anybody explain to me what I am doing wrong ?

TIA !

Serafeim

1 Answer


Are you just using this realm? You may have multiple realms configured; try this to see what realms you currently have:

// The default SecurityManager implementations extend RealmSecurityManager, which exposes the realm list
for (Realm realm : ((RealmSecurityManager) SecurityUtils.getSecurityManager()).getRealms()) {
    System.out.println(realm.getName());
}

Your security manager may ask multiple realms for authorization info, which may be the cause of this problem.

Deniz Acay
  • Yes, you are right - there are actually two other realms: iniRealm and ldapRealm. Probably the error was because of the iniRealm and I corrected that. However, I want to use the ldapRealm only for authentication (because I am not sure of the authorization information it returns) and use my own AuthRealm for authorization. How can I manually "disable" authorization for the ldapRealm and allow authorization only from my AuthRealm ? Should I open a new question ? Thanks ! – Serafeim Feb 13 '12 at 06:32
  • The documentation of class JndiLdapRealm actually answers my question: "By default, authorization is effectively disabled due to the default doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) implementation returning null. If you wish to perform authorization based on an LDAP schema, you must subclass this one and override that method to reflect your organization's data model. " – Serafeim Feb 13 '12 at 06:55
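As an added example (not code from the question, the answer, or the Shiro project), the following Java program reproduces the answer's point with Shiro's ModularRealmAuthorizer, the component the default security manager delegates to: a hasRole or isPermitted check passes as soon as any configured realm grants it, so a stray realm can make "koko2:toto:view" permitted even though MyAuthRealm never grants it. It also covers the point in the last comment: a realm whose doGetAuthorizationInfo returns null (what JndiLdapRealm does by default) contributes nothing to authorization. The realm names and the second realm's permission string "koko2:*:*" are hypothetical stand-ins; the page does not say what the real iniRealm granted.

```java
import java.util.Arrays;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class MultiRealmAuthzDemo {

    /** Grants the same role and permission to every principal, like MyAuthRealm in the question. */
    static class GrantingRealm extends AuthorizingRealm {
        private final String role;        // may be null
        private final String permission;  // may be null

        GrantingRealm(String name, String role, String permission) {
            setName(name);
            this.role = role;
            this.permission = permission;
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if (role != null) info.addRole(role);
            if (permission != null) info.addStringPermission(permission);
            return info;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            return null; // authentication is not exercised in this demo
        }
    }

    /** Returns null from doGetAuthorizationInfo, which is JndiLdapRealm's default behaviour. */
    static class AuthcOnlyRealm extends AuthorizingRealm {
        AuthcOnlyRealm() { setName("ldapLikeRealm"); } // hypothetical name

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return null; // AuthorizingRealm treats null as "no roles, no permissions"
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            return null;
        }
    }

    /** Runs the four checks from the question against an authorizer and returns what would be printed. */
    static String check(ModularRealmAuthorizer authz, PrincipalCollection who) {
        StringBuilder out = new StringBuilder();
        if (authz.hasRole(who, "kota")) out.append("kota ");
        if (authz.hasRole(who, "kota2")) out.append("kota2 ");
        if (authz.isPermitted(who, "koko:toto:view")) out.append("koko ");
        if (authz.isPermitted(who, "koko2:toto:view")) out.append("koko2 ");
        return out.toString().trim();
    }

    public static void main(String[] args) {
        // Wildcard matching on its own: parts are compared one by one, so "koko" never matches "koko2".
        WildcardPermission granted = new WildcardPermission("koko:*:view");
        System.out.println("koko:toto:view  implied: " + granted.implies(new WildcardPermission("koko:toto:view")));
        System.out.println("koko2:toto:view implied: " + granted.implies(new WildcardPermission("koko2:toto:view")));

        // Any non-empty principal collection will do; these realms ignore who the principal is.
        PrincipalCollection who = new SimplePrincipalCollection("someone", "myAuthRealm");

        Realm mine = new GrantingRealm("myAuthRealm", "kota", "koko:*:view");
        // Hypothetical stand-in for a leftover IniRealm; the real iniRealm's grants are not known here.
        Realm leftover = new GrantingRealm("leftoverIniRealm", null, "koko2:*:*");
        Realm ldapLike = new AuthcOnlyRealm();

        // ModularRealmAuthorizer says "permitted" as soon as any realm does, so the stray realm's
        // grant leaks through even though myAuthRealm would deny it.
        ModularRealmAuthorizer withLeftover =
                new ModularRealmAuthorizer(Arrays.asList(mine, leftover, ldapLike));
        System.out.println("with stray realm:    " + check(withLeftover, who));

        // Without the stray realm the null-returning realm adds nothing and only myAuthRealm decides.
        ModularRealmAuthorizer onlyMine =
                new ModularRealmAuthorizer(Arrays.asList(mine, ldapLike));
        System.out.println("without stray realm: " + check(onlyMine, who));
    }
}
```

Run it on a classpath containing shiro-core (and an SLF4J binding to silence the logging warning). The first authorizer reproduces the question's output, with koko2 present only because the stand-in realm grants it; the second, which keeps the authentication-only realm but drops the stray one, prints just the role and permission MyAuthRealm hands out. The practical check this suggests is the one in the answer: list the realms on the running security manager before trusting any authorization result.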