shiro-dev mailing list archives

From "opticyclic (JIRA)" <>
Subject [jira] [Commented] (SHIRO-586) Can't Search For Groups In Active Directory Without A System User
Date Sat, 24 Sep 2016 05:26:20 GMT


opticyclic commented on SHIRO-586:

In order to do this with custom code you need to do something like the following pseudo-code:

import java.util.Set;
import javax.naming.NamingException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.subject.PrincipalCollection;

public class CustomActiveDirectoryRealm extends ActiveDirectoryRealm {

  // Done during the login process
  @Override
  protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
      LdapContextFactory ldapContextFactory) throws NamingException {
    SimpleAuthenticationInfo authenticationInfo =
        (SimpleAuthenticationInfo) super.queryForAuthenticationInfo(token, ldapContextFactory);
    // ... look up the user's groups here, using the credentials carried in the token ...
    return authenticationInfo;
  }

  // Done during checks for hasRole
  @Override
  protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
      LdapContextFactory ldapContextFactory) throws NamingException {
    Set<String> roleNames = ...; // the role names resolved for this user at login
    return buildAuthorizationInfo(roleNames);
  }
}
However, the key method to get the role names from active directory is private:
    private Set<String> getRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {

Right now, the only option seems to be to copy the code into the subclass :(

If this method was protected it would make sub-classing easier.

Obviously, it would be a better if this didn't have to be custom code at all and the main
ActiveDirectoryRealm could bind without a system user; but for now, changing from private
to protected is a very small change to make this workable.

> Can't Search For Groups In Active Directory Without A System User
> -----------------------------------------------------------------
>                 Key: SHIRO-586
>                 URL:
>             Project: Shiro
>          Issue Type: Bug
>            Reporter: opticyclic
>            Priority: Blocker
> From
> I can authenticate with the ActiveDirectoryRealm but I can't search for groups without having a systemUser.
> Most often, clients of my application don't have the system user/password and the admins don't like giving it out so they can't configure it properly.
> Spring Security and GUI clients let you use the username and password that was used to log in with to search for the groups.

This message was sent by Atlassian JIRA
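The approach sketched in the comment above, carried through as an added example: bind to Active Directory with the credentials the user just supplied, run the memberOf search on that connection, and keep only the resulting role names for the later hasRole check, so the realm needs no systemUsername/systemPassword at all. This is editorial example code, not code from the JIRA comment or from the Shiro project. It assumes Shiro 1.x and the protected members of ActiveDirectoryRealm and AbstractLdapRealm (searchBase, principalSuffix, getRoleNamesForGroups, buildAuthenticationInfo, buildAuthorizationInfo, getAvailablePrincipal, doClearCache); the class name UserBindActiveDirectoryRealm, the rolesByUser map and the reimplemented getRoleNamesForUser are this example's own, the last one standing in for the private method the comment cannot call.

```java
// Added example, not part of the Shiro project: an ActiveDirectoryRealm subclass that
// resolves group membership with the logging-in user's own credentials.
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;

public class UserBindActiveDirectoryRealm extends ActiveDirectoryRealm {

    // Role names captured at login, keyed by username (hypothetical field of this example).
    // Only role names are kept here; the user's password is never retained.
    private final Map<String, Set<String>> rolesByUser = new ConcurrentHashMap<String, Set<String>>();

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
            LdapContextFactory ldapContextFactory) throws NamingException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        // Assumption: the directory expects a UPN, i.e. username + principalSuffix (e.g. @corp.example).
        String bindName = principalSuffix == null ? username : username + principalSuffix;

        // Bind as the user. A failed bind throws NamingException, which Shiro turns into an
        // authentication failure, so the group search below only ever runs for a user who has
        // just proven their password, and it runs with that user's own AD read permissions.
        LdapContext ctx = null;
        try {
            ctx = ldapContextFactory.getLdapContext(bindName, String.valueOf(upToken.getPassword()));
            rolesByUser.put(username, getRoleNamesForUser(bindName, ctx));
        } finally {
            LdapUtils.closeContext(ctx);
        }
        return buildAuthenticationInfo(username, upToken.getPassword());
    }

    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
            LdapContextFactory ldapContextFactory) throws NamingException {
        // No system context is opened here: the roles were already resolved at login.
        String username = (String) getAvailablePrincipal(principals);
        Set<String> roleNames = rolesByUser.get(username);
        return buildAuthorizationInfo(roleNames == null ? new LinkedHashSet<String>() : roleNames);
    }

    @Override
    protected void doClearCache(PrincipalCollection principals) {
        super.doClearCache(principals);
        // Drop the login-time snapshot on logout so stale group membership is not reused.
        rolesByUser.remove((String) getAvailablePrincipal(principals));
    }

    // Stand-in for the private ActiveDirectoryRealm#getRoleNamesForUser, which a subclass
    // cannot call. The filter uses a positional {0} argument so JNDI escapes the name
    // instead of it being concatenated into the filter string (no LDAP filter injection).
    private Set<String> getRoleNamesForUser(String userPrincipalName, LdapContext ctx)
            throws NamingException {
        Set<String> roleNames = new LinkedHashSet<String>();
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"memberOf"});

        NamingEnumeration<SearchResult> answer = ctx.search(searchBase,
                "(&(objectClass=user)(userPrincipalName={0}))",
                new Object[] {userPrincipalName}, controls);
        while (answer.hasMoreElements()) {
            Attributes attrs = answer.next().getAttributes();
            Attribute memberOf = attrs == null ? null : attrs.get("memberOf");
            if (memberOf != null) {
                // groupRolesMap (group DN -> role names) is applied by the inherited helper.
                Collection<String> groupNames = LdapUtils.getAllAttributeValues(memberOf);
                roleNames.addAll(getRoleNamesForGroups(groupNames));
            }
        }
        return roleNames;
    }
}
```

The realm is configured like the stock ActiveDirectoryRealm (url, searchBase, principalSuffix, groupRolesMap) with systemUsername and systemPassword simply omitted, so no privileged directory credential has to live in the application's configuration. Two caveats follow from the design: role names are a snapshot taken at login and stay fixed until the user logs in again, and the memberOf attribute as returned by AD lists only direct group membership (no primary group, no nested group expansion), so groupRolesMap must name the groups the user is a direct member of, as with the stock realm.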
