4

我正在使用使用 Apache Shiro 的 Tapestry-Security

我有一个处理授权和身份验证的自定义领域。从技术上讲,我们的身份验证使用远程服务进行,该服务返回用户名和一组角色。我只是将用户名传递给我的自定义 AuthenticationToken,它允许我查询本地数据库并设置 SimpleAuthenticationInfo。

我不知道如何使用从我们的远程服务返回给我的角色列表来填充 AuthorizationInfo doGetAuthorizationInfo 方法。下面是我用来填充领域的代码。

登录类

//Remote authentication service
RemoteLoginClient client = new RemoteLoginClient();
RemoteSubject authenticate = client.authenticate(username, password);

//tapestry security authentication
Subject currentUser = SecurityUtils.getSubject();
CustomAuthenticationToken token = new 
    CustomAuthenticationToken(authenticate.getUsername());
System.out.println("roles" + authenticate.getRoles());

currentUser.login(token);

customRealm 公共类 CustomRealm 中的 AuthorizationInfo 方法扩展 AuthorizingRealm {

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    CustomAuthenticationToken upToken = (CustomAuthenticationToken ) token;
    String email = upToken.getUsername();

    ApplicationUser applicationUser = (ApplicationUser) session.createCriteria(ApplicationUser.class)
            .add(Restrictions.like("email", email + "%"))
            .uniqueResult();

    if (applicationUser == null) {
        throw new UnknownAccountException("User doesn't exist in EPRS database");
    }

    return buildAuthenticationInfo(applicationUser.getId());
}

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//Not sure how to populate the principle or
//read the principle to populate the SimpleAuthorizationInfo
    return new SimpleAuthorizationInfo(roleNames);
}
4

2 回答 2

7

如果您需要身份验证和授权,扩展AuthorizingRealm是一个很好的起点。此外,正如 PepperBob 已经说过的,当您使用它时,Account接口及其SimpleAccount实现在单个接口中支持身份验证和授权,因此您不需要太多单独的代码,doGetAuthenticationInfo()并且doGetAuthorizationInfo()可以只从两者返回相同的对象方法。

要获取授权信息,您需要做两件事:

  • getAvailablePrincipal()通过方法(在 中整齐地预定义)从作为参数传递的主体集合中获取可用主体(在大多数情况下,无论如何,它只包含一个主体AuthorizingRealm)。
  • 加载您的角色并将它们传递给setRoles()您的帐户对象。

...你就完成了。

编辑添加:

这将是一种非常简单的方式来存储角色直到您需要它们。请注意,实际的身份验证是在领域中完成的,它依赖于RemoteLoginClient.

public class MyRealm extends AuthorizingRealm {

    private RemoteLoginClient client = ...;

    private final Map<String, Set<String>> emailToRoles = new ConcurrentHashMap<>();

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
             AuthenticationToken token) {
        final UsernamePasswordToken userPass = (UsernamePasswordToken) token;

        final RemoteSubject authenticate = this.client.authenticate(
            userPass.getUserName(), userPass.getPassword());
        if (authenticate != null) { //assuming this means success
            this.emailToRoles.put(userPass.getUserName(), authenticate.getRoles());
            return new SimpleAuthenticationInfo(...);
        } else {
            return null;
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principals) {
         final String username = (String) principals.getPrimaryPrincipal();
         final Set<String> roles = this.emailToRoles.get(username);
         return new SimpleAuthorizationInfo(roles);
    }

}
于 2012-05-02T11:27:39.870 回答
3

我回答了我自己的问题并想发布这个以防其他人需要帮助或可能改进我的解决方案。

Login.class 方法

Object onSubmit() {
    try {
        //Remote Authentication
        RemoteLoginClient client = new RemoteLoginClient ();
        RemoteSubject authenticate = client.authenticate(formatUsername(username), password);

        //tapestry security authentication
        Subject currentUser = SecurityUtils.getSubject();
        CustomAuthenticationToken token = new CustomAuthenticationToken(authenticate.getUsername(), authenticate.getRoles());

        currentUser.login(token);
    } //catch errors
}

//自定义令牌用于保存从远程身份验证服务设置的用户名和角色。

public class CustomAuthenticationToken implements AuthenticationToken {

private String username;
private Set<String> roles;

public CustomAuthenticationToken(String username, Set<String> roles) {
    this.username = username;
    this.roles = roles;
}

getters/setters

//自定义Realm用于处理本地认证和授权。

public class CustomRealm extends AuthorizingRealm {

//Hibernate Session
private final Session session;
public static final String EMPTY_PASSWORD = "";

public CustomRealm(Session session) {
    this.session = session;
    setCredentialsMatcher(new AllowAllCredentialsMatcher());
    setAuthenticationTokenClass(CustomAuthenticationToken.class);
}

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    CustomAuthenticationToken customToken = (CustomAuthenticationToken) token;
    String email = customToken.getUsername();

    User user = (User) session.createCriteria(User.class)
            .add(Restrictions.like("email", email+ "%"))
            .uniqueResult();

    if (user == null) {
        throw new UnknownAccountException("User doesn't exist in local database");
    }

    return new SimpleAuthenticationInfo(new CustomPrincipal(user, customToken.getRoles()), EMPTY_PASSWORD, getName());
}

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    return new SimpleAuthorizationInfo(((CustomPrincipal) principals.getPrimaryPrincipal()).getRoles());
}

}

//用于保存用户对象和角色的自定义主体 public class CustomPrincipal {

private User user;
private Set<String> roles;

public CustomPrincipal() {
}

public CustomPrincipal(User user, Set<String> roles) {
    this.user = user;
    this.roles = roles;
}

getters/setters
于 2012-05-03T13:09:25.033 回答