SSO using Waffle in Shiro Realm


Dan Rollo

Jan 7, 2013, 11:38:35 PM
to waffle...@googlegroups.com
Hi,

I'm trying to get Shiro and Waffle working together, and thanks to David
Carr, have UsernamePasswordToken tokens working nicely using the classes
he posted here: https://issues.apache.org/jira/browse/SHIRO-385
(specifically, the gist here: https://gist.github.com/4352563).

My simple test project using his classes is here:
https://github.com/bhamail/shiro-test-dan/tree/waffleRealm
(note the branch: waffleRealm).
The relevant classes are:
com.danrollo.davidmc24.waffle.AbstractWaffleRealm
com.danrollo.davidmc24.waffle.GroupMappingWaffleRealm
com.danrollo.davidmc24.waffle.WaffleFqnPrincipal

So far, so good. The web app will validate a given Windows user/pwd
using Waffle.


The next feature I'm after is to allow a user who is already logged on
to Windows to avoid having to log on again in a web app (when using a
browser that supports this - Chrome, IE...). Meaning, the user would NOT
provide a username and password.

I've been stepping through the Waffle demo of an SSO Tomcat filter, and I
can't see how to convert the "negotiate" logic from that filter (with
its "continue" support) into the Shiro Realm. Maybe I don't need to
reproduce that, and there is a simpler way to access the current user?

Sorry for the vagaries of this question. If this is better asked on the
Shiro forum, I will do so (but maybe I can at least figure out what
exactly to ask first? ;)

Thanks,
Dan Rollo


Ryan McKinley

Jan 7, 2013, 11:55:47 PM
to waffle...@googlegroups.com
Check:

for an example... I'm not sure if it's the best approach, but it works so far :)

Ryan McKinley

Jan 8, 2013, 12:01:28 AM
to waffle...@googlegroups.com
dooh -- you are already pointing to that!

Note that using the realm is only half the problem -- you need a filter that will handle negotiate.  See:

See the bottom of that class where it actually calls:
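    // Run the negotiate step for this request/response pair.
    IWindowsIdentity identity = negotiate.doFilter(
        (HttpServletRequest) request,
        (HttpServletResponse) response);

    // Only log in to Shiro when the negotiate step produced an identity.
    if (identity != null) {
        IWindowsIdentityToken t = new IWindowsIdentityToken(identity, request.getRemoteHost());
        try {
            // The realm must support this token type for the login to succeed.
            subject.login(t);
            success = true;
        }
        catch (AuthenticationException ex) {
            throw new RuntimeException(ex);
        }
    }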

would be great to have a general solution... 
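
The realm half of the filter-plus-realm split described in the post above, as an added example that is not part of the thread or of any poster's code: a Shiro realm that accepts only a token wrapping the IWindowsIdentity produced by the negotiate step, and rejects Guest logons. NegotiatedIdentityRealm and NegotiatedIdentityToken are hypothetical names; the sketch assumes Shiro 1.x and Waffle on the classpath.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.HostAuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import waffle.windows.auth.IWindowsIdentity;

/** Hypothetical realm: accepts only identities that a Negotiate filter has already verified. */
public class NegotiatedIdentityRealm extends AuthenticatingRealm {
    /** Hypothetical token: carries the identity from the filter; there is no password. */
    public static final class NegotiatedIdentityToken implements HostAuthenticationToken {
        private final IWindowsIdentity identity;
        private final String host;
        public NegotiatedIdentityToken(IWindowsIdentity identity, String host) {
            if (identity == null) throw new IllegalArgumentException("identity is required");
            this.identity = identity;
            this.host = host;
        }
        public IWindowsIdentity getIdentity() { return identity; }
        @Override public Object getPrincipal() { return identity.getFqn(); }
        @Override public Object getCredentials() { return identity; }
        @Override public String getHost() { return host; }
    }

    public NegotiatedIdentityRealm() {
        // The handshake already proved the identity, so there is no secret left to compare.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        // Refuse every other token type, so a bare username can never reach this realm.
        return token instanceof NegotiatedIdentityToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        IWindowsIdentity identity = ((NegotiatedIdentityToken) token).getIdentity();
        if (identity.isGuest()) {
            throw new AuthenticationException("Guest logon rejected: " + identity.getFqn());
        }
        return new SimpleAuthenticationInfo(identity.getFqn(), identity.getSidString(), getName());
    }
}
```

Because this realm matches any credentials, the token should only ever be constructed by the filter after the negotiate step has returned an identity.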

David Carr

Jan 8, 2013, 8:08:51 AM
to waffle...@googlegroups.com
I had forgotten that there was a second class in your example.  Thanks for the clarification; it makes perfect sense now in context.

I think it should be possible to retrofit your XxxxxSecurityFilter on top of my version of a waffle realm, and then we can submit that as a general solution. Sounds like another thing to add to my development TODO list for tonight.

Now that I understand the technique, I may also want to add it into AuthC4J. It's a cross-platform authentication facade library I'm writing. Currently it has support for Mac OS X authentication, and Windows authentication using Waffle will be coming shortly... and also Shiro integration after that.
