Using Shiro RolesAuthorizationFilter in shiro.ini

0
votes

I have been using JdbcRealm for shiro authentication and authorization, which has been working perfectly. My shiro.ini looks like this:

[main]
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
logout = org.apache.shiro.web.filter.authc.LogoutFilter
authc.loginUrl = /login.xhtml
authc.successUrl = /index.xhtml
logout.redirectUrl = /login.xhtml

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.authenticationQuery = select password from useraccount where active = true and username LIKE ?
jdbcRealm.userRolesQuery = select rolename from role where id in(select roleid from userrole where useraccountid = (select id from useraccount where username LIKE ?) and active = true) and active = true

ds = org.postgresql.jdbc2.optional.SimpleDataSource
ds.serverName = dbhost:5432
ds.user = db_user
ds.password = db_pass
ds.databaseName = db_name
jdbcRealm.dataSource = $ds
#.
#.
#.
jdbcRealm.credentialsMatcher = $passwordMatcher

[users]

[urls]
#.
#.
#.
/admin** = authc, roles[Admin]

/activity.xhtml = authc
/item.xhtml = authc, roles[Branch]
/unauthorized.xhtml = authc

When a user role say 'Branch' tries to access a url that is meant for 'Admin', user is safely redirected to '/unauthorized.xhtml'

Things changed however, when I decided to move authentication to Active Directory; shiro.ini looks like this:

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.userRolesQuery = select rolename from role where id in(select roleid from userrole where useraccountid = (select id from useraccount where username LIKE ?) and active = true) and active = true
jdbcRealm.dataSource = $ds

ADRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
ADRealm.url = ldap://xxx.xxx.xxx.xxx:389
ADRealm.searchBase = "OU=Company Name,DC=domain,DC=local"
ADRealm.systemUsername= myuser
ADRealm.systemPassword= mypass
ADRealm.principalSuffix= @domain.local

securityManager.realms = $jdbcRealm,$ADRealm

Authentication happens okay, but trying to access the 'unauthorized url', breaks with the error: 

[org.apache.shiro.authz.AuthorizationException: LDAP naming error while attempting to retrieve authorization for user [myusername]

How can I make authorization safely redirect to unauthorized url as before, without it breaking? I've even tried this:

authz = org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
authz.unauthorizedUrl = /unauthorized.xhtml

But without success.

Edit Inshort, how can we configure shiro.ini to return http response 401/3 - (Unauthorized/forbidden) for necessary cases?

1
shiro

1 Answers

0
votes

It looks like your /unauthorized.xhtml = authc config would block this if you are trying to reuse your 403 page for 401s.

You could probably use: /unauthorized.xhtml = anon (assuming this page didn't need your user context)