Shiro Active Diectory with custom roles

Question

How do I configure a Shiro to use Active Directory Authentication, but in addition I want to map the usernames to custom roles. I can't seem to find any information on this. Can anyone give me any pointers?

Answer 1

To do Active Directory Authentication use the JndiLdapRealm

For the authorization override the method queryForAuthorizationInfo

Be aware that you probably get group from your AD so you have to provide your own mapping (group to role).

About this shiro reference manual say :

A RolePermissionResolver can be used by a Realm internally when needing to translate a role name into a concrete set of Permission instances.

This is a particularly useful feature for supporting legacy or inflexible data sources that may have no notion of permissions.

For example, many LDAP directories store role names (or group names) but do not support association of role names to concrete permissions because they have no 'permission' concept. A Shiro-based application can use the role names stored in LDAP, but implement a RolePermissionResolver to convert the LDAP name into a set of explicit permissions to perform preferred explicit access control. The permission associations would be stored in another data store, probably a local database.

Hope this will help

Answer 2

I'm working on doing the same thing, but I'm pretty sure you have to write a custom AuthenticationStrategy. I wanted to authenticate against AD but use the INI to define roles, but I could not get it to behave properly enough to not accept authentication against either (even utilizing FirstSuccessfulStrategy). I didn't get to look into it too much, so maybe one of the Shiro guys who floats around can correct this, but i hit these issues today.