

我正在处理一个Web应用程序,其中多个应用程序通过CAS SSO服务器进行身份验证.但是,每个应用程序都应保持各自的角色,并且这些角色存储在特定于该应用程序的数据库中.因此,我需要有2个领域,一个领域用于CAS(用于authc),另一个领域用于DB(用于authz).

I'm working on a web application where multiple applications authenticates through a CAS SSO Server. Howerver, each application should maintain their respective roles and these roles are stored in a database specific to the application. So, I need to have 2 realms, one for CAS (for authc) and another for DB (for authz).


This is my current shiro config. I'm getting the redirection to the CAS working properly, but the logged in user (Subject) doesn't seems to have the roles/permission loaded in it (e.g. SecurityUtil.isPermitted() not working as expected)

<bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
        <property name="name" value="jdbcRealm" />
        <property name="dataSource" ref="dataSource" />
        <property name="authenticationQuery"
            value="SELECT password FROM system_user_accounts WHERE username=? and status=10" />
        <property name="userRolesQuery"
            value="SELECT role_code FROM system_roles r, system_user_accounts u, system_user_roles ur WHERE u.user_id=ur.user_id AND r.role_id=ur.role_id AND u.username=?" />
        <property name="permissionsQuery"
            value="SELECT code FROM system_roles r, system_permissions p, system_role_permission rp WHERE r.role_id=rp.role_id AND p.permission_id=rp.permission_id AND r.role_code=?" />

        <property name="permissionsLookupEnabled" value="true"></property>
        <property name="cachingEnabled" value="true" />
        <property name="credentialsMatcher" ref="passwordMatcher" />

    <!-- For CAS -->
    <bean id="casRealm" class="org.apache.shiro.cas.CasRealm">
        <property name="defaultRoles" value="ROLE_USER" />
        <property name="casServerUrlPrefix" value="http://localhost:7080/auth" />
        <property name="casService" value="http://localhost:8080/hawk-hck-web/shiro-cas" />
        <property name="validationProtocol" value="SAML" />
        <property name="cachingEnabled" value="true"></property>
    <bean id="casSubjectFactory" class="org.apache.shiro.cas.CasSubjectFactory" />

<!-- Security Manager -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realms">
                <ref bean="casRealm" />
                <ref bean="jdbcRealm" />
        <property name="cacheManager" ref="cacheManager"/>
        <property name="subjectFactory" ref="casSubjectFactory" />

<bean id="casFilter" class="org.apache.shiro.cas.CasFilter">
        <property name="failureUrl" value="/error"></property>

<!-- Shiro filter -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="http://localhost:7080/auth/login?service=http://localhost:8080/hawk-hck-web/shiro-cas" />
        <property name="successUrl" value="/home/index" />
        <property name="unauthorizedUrl" value="/error" />
        <property name="filters">
                    <entry key="casFilter" value-ref="casFilter" />
        <property name="filterChainDefinitions">
                <!-- !!! Order matters !!! -->
                /shiro-cas = casFilter
                /login = anon
                /logout = logout
                /error = anon
                /static/** = anon
                /** = authc


The way I register the realms with the securityManager should be in correct. I can't really find a good example of the setup.


  1. 要实现上述方案,正确的设置/配置是什么?
  2. 在不同/分离的应用程序中管理用户和角色的最佳实践是什么?


您遇到的问题与CasRealm和JdbcRealm都扩展了AuthorizingRealm(Authorizer)和AuthenticatingRealm的事实有关.我要采取的第一步是使用JdbcRealm. JdbcRealm实现继承了 AuthenticatingRealm#supports(AuthenticationToken令牌)方法实现.如果扩展JdbcRealm并重写"supports"方法以针对所有令牌类型返回"false",则JdbcRealm将不再用于身份验证.

The problem you are running into has to do with the fact that both CasRealm and JdbcRealm extends both AuthorizingRealm (Authorizer) and AuthenticatingRealm. First step I would take is with the JdbcRealm. The JdbcRealm implementation inherits the AuthenticatingRealm#supports(AuthenticationToken token) method implementation. If you extend JdbcRealm and override the "supports" method to return "false" for all token types the JdbcRealm will no longer be used for authentication purposes.

public boolean supports (AuthenticationToken token) {
    return false;

CasRealm是一个不同的故事,(我所知道的)没有办法轻松告诉Shiro不要使用实现 Authorizer (在检查权限时).我个人发现,大多数协议的默认实现都假定需要授权和身份验证,这令人感到沮丧.我希望每个都分成两个实现(例如AuthenticatingCasRealm,AuthorizingCasRealm).

The CasRealm is a different story, there is no way (that I know of) to easily tell Shiro to not use a realm that implements Authorizer when checking permissions. I personally find it frustrating that the default implementation for most protocols assumes that both authorization and authentication are needed. I would prefer each to be split into two implementations (eg AuthenticatingCasRealm, AuthorizingCasRealm).


The logic behind checking permissions when multiple realms are in use is documented here. The specific text that references this behavior is:


Based on this, you theoretically could override each of the named methods and all of their overloaded implementations to always return "false".


My solution to this problem is based on my prior comment about splitting each realm into two components, one for authentication and one for authorization. You end up with more duplicate code this way but it is explicit in what behaviors you are expecting from your implementation.


  1. 创建一个新类"AuthenticatingCasRealm",该类扩展了org.apache.shiro.realm.AuthenticatingRealm并实现了org.apache.shiro.util.Initializable.

  1. Create a new class "AuthenticatingCasRealm" that extends org.apache.shiro.realm.AuthenticatingRealm and implements org.apache.shiro.util.Initializable.

复制并粘贴现有 CasRealm源放入新的"AuthenticatingCasRealm"类中. (我知道,对现有代码进行复制和粘贴通常会让人感到厌烦,但是在上述情况下,我知道没有其他方法可以解决此问题.)

Copy and paste the contents of the existing CasRealm source into your new "AuthenticatingCasRealm" class. (I am aware that taking a copy-and-paste route of existing code is often frowned upon however in the described circumstsance I know of no other way of solving the problem.)


Strip out all methods that were implemented for org.apache.shiro.realm.AuthorizingRealm.


Update your Shrio configuration to reference your new AuthenticatingCasRealm implementation.


Based on these changes you should now have two custom implementations in your Shrio config; one of JdbcRealm overriding the "supports" method and one of CasRealm removing the authorization API methods.


There is one additional method based on explicitly declaring an Authorizer via Shiro's configuration that may be better suited to your situation.


Here is an explicit declaration of an Authorizer and Authenticator via a custom ShiroFilter extension. Both were implemented and registered to the provided JNDI names at startup.

public class CustomShiroFilter extends ShiroFilter {

    public void init () throws Exception {
        DefaultWebSecurityManager dwsm = (DefaultWebSecurityManager) getSecurityManager();


