Return-Path: X-Original-To: apmail-shiro-dev-archive@www.apache.org Delivered-To: apmail-shiro-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id EB29795BA for ; Fri, 9 Mar 2012 21:21:49 +0000 (UTC) Received: (qmail 39517 invoked by uid 500); 9 Mar 2012 21:21:49 -0000 Delivered-To: apmail-shiro-dev-archive@shiro.apache.org Received: (qmail 39499 invoked by uid 500); 9 Mar 2012 21:21:49 -0000 Mailing-List: contact dev-help@shiro.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@shiro.apache.org Delivered-To: mailing list dev@shiro.apache.org Received: (qmail 39491 invoked by uid 99); 9 Mar 2012 21:21:49 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 09 Mar 2012 21:21:49 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (athena.apache.org: local policy) Received: from [209.85.160.173] (HELO mail-gy0-f173.google.com) (209.85.160.173) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 09 Mar 2012 21:21:44 +0000 Received: by ghrr14 with SMTP id r14so1381340ghr.32 for ; Fri, 09 Mar 2012 13:21:24 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding:x-gm-message-state; bh=oC4TNsRfeMqzBsvt7JAWtI+R1PfbyFnk3aHOE89i9X4=; b=UPUuVqGdCZkTHwJaPiEhLIX+Rz+Qr7nL7F1cKHilxmyJkrGPQQro3CXkkMvTfRV/qC 9v/3tO11Dg9UsKDwWf5kHG39Jq/IDDG+zbJqNeaaGJZbYlDJ44ExyF6mTEhi7iQW4XjC t+edykPdax+KbM84uoUy1rzbj26swv0tfmBCaFehKrGlid6IJwCNEYVidWOdarjJpYBe DfUGlSEtg0HUywW+cQMc80q4tyfi+w76jzE08HVaVBVnkSWMM6BPZsUv4d2Dic954AYX 1RBPaELIXb0ol+N6D03EfIC1wh5mN0ZodQsKDEyiLFbjwLSeKwoaozzCGVHiwJrXJUCq LnKg== MIME-Version: 1.0 Received: by 10.224.173.205 with SMTP id q13mr1317489qaz.29.1331328083869; Fri, 09 Mar 2012 13:21:23 -0800 (PST) Sender: les.hazlewood@anjinllc.com Received: by 10.229.239.212 with HTTP; Fri, 9 Mar 2012 13:21:23 -0800 (PST) In-Reply-To: References: Date: Fri, 9 Mar 2012 13:21:23 -0800 X-Google-Sender-Auth: _QlpKpQeh2qsKyUzntEYq0s56Lk Message-ID: Subject: Re: Making the ModularRealmAuthenticator not check all realms for FirstSuccessfulStrategy From: Les Hazlewood To: dev@shiro.apache.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Gm-Message-State: ALoCoQmLW1kmI+g/9uT1PpQ55LH4eiMdtqnNGL7+tsRdeDhFJShNjLOpywgu4gazOfEcrP7pcrrz X-Virus-Checked: Checked by ClamAV on apache.org Adding the new method for 1.3 is difficult: while not backwards compatible, it is certainly better than changing the behavior of an existing API. But if we want to guarantee APR versioning guidelines - which reinforces perceived stability (highly desirable for a security API/framework) - it should probably go into 2.x only. If we are to guarantee backwards compatibility, a new strategy should be implemented that throws an Exception from the afterAttempt method. That exception is inspected (e.g. ShortCircuitIterationException) to trigger whether or not to continue to further realms. Yes, this is hacky, yes, it's not ideal, but it does guarantee backwards compatibility while still retaining existing functionality. Because I favor stability in a security framework, my preference is to do the hacky exception approach and then clean this up permanently in 2.x. But I could be in the minority here. What are peoples' thoughts on this? Les On Fri, Mar 9, 2012 at 9:56 AM, Brian Demers wrote= : > The ModularRealmAuthenticator always loops through all the configure > realms. =C2=A0This can get expense if you have multiple external realms > configured (JDBC, LDAP, etc), and you are using > the FirstSuccessfulStrategy. =C2=A0In this case where you had both a JDBC= and > LDAP realm configured you would want to drop out of the loop if the Subje= ct > was authenticated in the JDBC realm. =C2=A0This way you do not need to ea= t the > cost of the LDAP query (which the results would be ignored anyway) > > To solve this I added a new method to the AuthenticationStrategy Interfac= e, > this makes the change simple, but would break backwards compatibility wit= h > any custom AuthenticationStrategy NOT extending from > AbstractAuthenticationStrategy. > https://github.com/apache/shiro/compare/trunk...first-successful-authc-st= rategy#L1R99 > > I cannot think of any (non hackie way) alternative to this for 1.3. =C2= =A0Anyone > have any thoughts? =C2=A0Or any thoughts on including this in 1.3?