Reputation: 696
I am using pac4j's JAX-RS implementation to enable only AUTHENTICATION for my application. For authorization, I want to use Shiro. But I am not sure how to integrate Shiro with pac4j.
Currently, I have a Feature which does the necessary JAX-RS configuration, and I have made it a Provider.
The following are the features and providers that I have registered:
```java
featureContext
    .register(new JaxRsConfigProvider(config))
    .register(new Pac4JSecurityFeature())
    .register(new Pac4JValueFactoryProvider.Binder())
    .register(new ServletJaxRsContextFactoryProvider())
    .register(new Pac4JSecurityFilterFeature(false, null, "keycloakoidcclient", "callback", false));
```
I am using Shiro's AuthorizationFilter to do the authentication part. By this I mean I am creating a token based on the logged-in user. I have registered this filter using Guice's ServletModule. But I am unable to get hold of the logged-in user. I am trying to inject Jersey's SecurityContext using @Context. But the filter ordering is messed up. The AuthorizationFilter gets invoked before authentication is complete. Hence the SecurityContext is always null.
Is there a better way to integrate Shiro with pac4j?
Upvotes: 0
Views: 276
Reputation: 696
Shiro provides its own Feature implementation to be used with JAX-RS. Adding that module dependency to the project does the trick.
And to get the user context from pac4j, I implemented an Authorizer where I get the OIDC profile injected. I created a custom user profile and provided it to Shiro like this:
```java
SecurityUtils.getSubject().login(new DemoToken(profile));
```
This way Shiro gets the user profile and can then carry on with the authorization.
Upvotes: 0
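The answer's `login(new DemoToken(profile))` call only succeeds if a Shiro realm accepts that token type. The sketch below is an added example, not the answerer's code: `Pac4jShiroBridge` and `DemoRealm` are hypothetical names, `DemoToken`'s body is assumed, and the profile is assumed to be a pac4j `CommonProfile` that pac4j has already authenticated.

```java
import java.util.HashSet;
import java.util.Objects;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.pac4j.core.profile.CommonProfile;

public final class Pac4jShiroBridge {

    /** Carries a profile that pac4j has already authenticated; it holds no secret. */
    public static final class DemoToken implements AuthenticationToken {
        private final CommonProfile profile;

        public DemoToken(CommonProfile profile) {
            this.profile = Objects.requireNonNull(profile, "profile");
        }
        @Override public Object getPrincipal() { return profile; }
        @Override public Object getCredentials() { return null; }
    }

    /** Hypothetical realm: accepts DemoToken only and maps pac4j roles to Shiro roles. */
    public static final class DemoRealm extends AuthorizingRealm {
        public DemoRealm() {
            // Reject every other token type, so a password token can never reach
            // the allow-all matcher below.
            setAuthenticationTokenClass(DemoToken.class);
            // No credential check here: authentication was done upstream by pac4j.
            setCredentialsMatcher(new AllowAllCredentialsMatcher());
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return new SimpleAuthenticationInfo(token.getPrincipal(), null, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            CommonProfile profile = principals.oneByType(CommonProfile.class);
            return new SimpleAuthorizationInfo(new HashSet<>(profile.getRoles()));
        }
    }
}
```

Because the realm performs no credential check, `DemoToken` should only ever be constructed from the profile pac4j hands to the Authorizer, never from request parameters or headers.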