shiro-dev mailing list archives

From mangelo <>
Subject Re: Single Sign On (SSO), Spring, Hibernate Help.
Date Fri, 04 Mar 2011 18:01:31 GMT
I appreciate the help, but I am so lost that I have no idea where to turn.

My scenario is like this: Users are already authenticated and as a result
their user-id is in the HttpServletRequest header. I thought I was supposed to
use the Realm to load their roles, permissions, etc., but it looks like some of
what is in the Realm is duplicated in the AuthenticatingFilter.

Once I get the Subject loaded up with their roles and permissions all is well
and good. Why I could not use Spring security is the user is able to change
their 'region' which comes with it a new set of permissions. I need for Shiro
to load up these new permissions so that they can be checked for later.

And now, I'm still staring at a blank wall and security was supposed to be
done this week.


------ Original Message ------
From: "Jared Bunting [via Shiro Developer]"
To: mangelo <>
Subject: Re: Single Sign On (SSO), Spring, Hibernate Help.

> On 03/04/2011 09:33 AM, mangelo wrote:
> > I am brand new to Shiro. Just found it last night. I am very encouraged
> > what I've read so far. My security requirements seem to be too much for
> > Spring Security. I am confident that Shiro can handle them given the
> > flexibility.
> > 
> > The only problem is that I don't know how quite to get started. I've
> > the Spring samples and how to get set up. My problem is the users of my
> > are already authenticated by Oracle SSO. The username is in the request
> > header.
> > 
> > How do I get it out of the request header and into Shiro? Where would I
> > such code?
> This should go into a filter.  You likely want to extend
> AuthenticatingFilter - look at the BasicHttpAuthenticationFilter for an
> example that uses headers.
> Basically, your filter should pack up the header value in an
> AuthenticationToken.  Shiro will pass this AuthenticationToken to your
> Realm.
> > 
> > I have based my Realm from the SampleRealm class. Should I always return
> > 'false' from the supports method? Should I return
> > with an empty string as the password?
> I would say yes.  In addition, accept the AuthenticationToken type that
> you created in your filter.
> > 
> > If there is a more complete example that would help out a lot. I feel
> > I've hit a brick wall.
> > 
> > TIA.
> > 
> > Mike.
> > 

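The arrangement discussed in this thread (a filter that packs the SSO header into an AuthenticationToken, and a Realm that accepts only that token type), as an added example that is not code from the thread or from the Shiro project. It assumes Shiro 1.x on the javax.servlet API; the header name `X-SSO-User`, the class names, the `regionChanged` helper and the placeholder role are hypothetical.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;

/** Token carrying only the user id asserted by the SSO front end. */
class SsoHeaderToken implements AuthenticationToken {
    private final String userId;
    SsoHeaderToken(String userId) { this.userId = userId; }
    public Object getPrincipal() { return userId; }
    public Object getCredentials() { return ""; } // no password: SSO already authenticated
}

// Trust this header only if the app is reachable solely through the SSO
// front end, which must strip any client-supplied copy of it.
class SsoHeaderFilter extends AuthenticatingFilter {
    static final String HEADER = "X-SSO-User"; // hypothetical header name
    @Override
    protected AuthenticationToken createToken(ServletRequest req, ServletResponse res) {
        return new SsoHeaderToken(((HttpServletRequest) req).getHeader(HEADER));
    }
    @Override
    protected boolean onAccessDenied(ServletRequest req, ServletResponse res) throws Exception {
        String user = ((HttpServletRequest) req).getHeader(HEADER);
        if (user != null && !user.trim().isEmpty() && executeLogin(req, res)) return true;
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // missing header or failed login: stop the filter chain
    }
}

class SsoHeaderRealm extends AuthorizingRealm {
    SsoHeaderRealm() {
        setAuthenticationTokenClass(SsoHeaderToken.class); // supports() accepts only this type
        setCredentialsMatcher(new AllowAllCredentialsMatcher()); // nothing to compare
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return new SimpleAuthenticationInfo(token.getPrincipal(), "", getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("user"); // placeholder: load roles/permissions for the user's current region
        return info;
    }
    /** Call after a region switch so the next check reloads permissions. */
    public void regionChanged(PrincipalCollection principals) { clearCachedAuthorizationInfo(principals); }
}
```

Because the Realm declares its own token class, other token types submitted to the SecurityManager never reach it, and clearing the cached authorization info is what makes a region change take effect on the next permission check.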