diff --git a/assembly/broker/configurations/shiro.ini b/assembly/broker/configurations/shiro.ini
index 8fe38b094c1..0972c7a5a43 100644
--- a/assembly/broker/configurations/shiro.ini
+++ b/assembly/broker/configurations/shiro.ini
@@ -3,70 +3,25 @@
 # =======================
 [main]
-# Objects and their properties are defined here,
-# Such as the securityManager, Realms and anything
-# else needed to build the SecurityManager
-#authenticator
+# Authenticator
 authenticator = org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator
 securityManager.authenticator = $authenticator
-#
-# Auth filters
-#
 kapuaAuthcAccessToken = org.eclipse.kapua.app.api.auth.KapuaTokenAuthenticationFilter
-
-#cacheManager = org.eclipse.kapua.broker.core.experimental.CacheManager
-#securityManager.cacheManager = $cacheManager
-
-##########
-# Realms #
-##########
-# Login
+# Realms
 kapuaUserPassAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.UserPassAuthenticatingRealm
-# Session
-kapuaAccessTokenAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.AccessTokenAuthenticatingRealm
-
-########################
-#Authorization section #
-########################
 # Authorization
 kapuaAuthorizingRealm = org.eclipse.kapua.service.authorization.shiro.KapuaAuthorizingRealm
-#removed from realms the authorizing realm (kapuaAuthorizingRealm) since it will be defined into the new Authorizer component
 securityManager.realms = $kapuaUserPassAuthenticatingRealm
+# Authorizer
 authorizer = org.eclipse.kapua.broker.core.security.EnhModularRealmAuthorizer
-#realms must be set again otherwise the authorizer will not have any.
-#The security manager (AuthorizingSecurityManager) is built in this way:
-# AuthorizingSecurityManager() //constructor
-# setRealms(realms) //set realms (if any)
-# afterRealmsSet() //set realms to authenticator (if any)
-# setAuthorizer(Authorizer authorizer) //if any configured
-# setAuthenticator() //if any custom authenticator is set
-#In this way the new authenticator must have the realms already configured once is set to the security manager.
-#Otherwise the security manager doesn't set it's own security manager to the authenticator
 authorizer.realms = $kapuaAuthorizingRealm
 securityManager.authorizer = $authorizer
-# SessionListeners only works with in the native SessionMode
-# This is not the mode we use when running in Tomcat.
-#securityManager.sessionMode = native
+# Session
 securityManager.sessionManager.globalSessionTimeout = -1
 securityManager.sessionManager.sessionValidationSchedulerEnabled = false
-securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
-
-[users]
-# The 'users' section is for simple deployments
-# when you only need a small number of statically-defined
-# set of User accounts.
-
-[roles]
-# The 'roles' section is for simple deployments
-# when you only need a small number of statically-defined
-# roles.
-
-[urls]
-# The 'urls' section is used for url-based security
-# in web applications. We'll discuss this section in the
-# Web documentation
+securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
\ No newline at end of file
diff --git a/console/web/src/main/resources/shiro.ini b/console/web/src/main/resources/shiro.ini
index 1fc83a40d16..3e82d9bd662 100644
--- a/console/web/src/main/resources/shiro.ini
+++ b/console/web/src/main/resources/shiro.ini
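Review bot: Under the new `# Session` heading the retained `securityManager.sessionManager.globalSessionTimeout = -1` and `securityManager.sessionManager.sessionValidationSchedulerEnabled = false` together mean Shiro sessions in the broker never expire and are never swept, and nothing in the file says why that is acceptable. A one-line comment such as `# Sessions are neither bounded nor validated by Shiro here; lifetime is presumably tied to the broker connection — confirm` would stop the next reader from "fixing" it, since the reason is not visible in this file. The `kapuaAuthcAccessToken` filter definition is also kept while the `[urls]` section that would map it is removed, so the object is instantiated but never referenced; either drop the line or note that it is intentionally unused. The file now ends without a trailing newline (`\ No newline at end of file`).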
@@ -3,31 +3,17 @@
 # =======================
 [main]
-# Objects and their properties are defined here,
-# Such as the securityManager, Realms and anything
-# else needed to build the SecurityManager
-#authenticator
+# Authenticator
 authenticator = org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator
 securityManager.authenticator = $authenticator
-#realms
+# Realms
 kapuaAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.UserPassAuthenticatingRealm
 kapuaAuthorizingRealm = org.eclipse.kapua.service.authorization.shiro.KapuaAuthorizingRealm
 jwtAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.JwtAuthenticatingRealm
-securityManager.realms = $kapuaAuthorizingRealm, $kapuaAuthenticatingRealm, $jwtAuthenticatingRealm
-
-[users]
-# The 'users' section is for simple deployments
-# when you only need a small number of statically-defined
-# set of User accounts.
-[roles]
-# The 'roles' section is for simple deployments
-# when you only need a small number of statically-defined
-# roles.
+securityManager.realms = $kapuaAuthorizingRealm, $kapuaAuthenticatingRealm, $jwtAuthenticatingRealm
-[urls]
-# The 'urls' section is used for url-based security
-# in web applications. We'll discuss this section in the
-# Web documentation
+# Request Filtering
+filterChainResolver = org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver
\ No newline at end of file
diff --git a/qa/integration/src/test/resources/shiro.ini b/qa/integration/src/test/resources/shiro.ini
index 243eb7d95a2..fc7e70b51d8 100644
--- a/qa/integration/src/test/resources/shiro.ini
+++ b/qa/integration/src/test/resources/shiro.ini
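Review bot: The new `filterChainResolver = org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver` under `# Request Filtering` has no chain definitions to resolve against, because the same hunk removes the `[urls]` section and no `[filters]` section is visible. Shiro's ini web environment builds its resolver from `[urls]`/`[filters]`, so a bare object named `filterChainResolver` in `[main]` is likely inert unless something outside this file wires it in, and with no resolver every request presumably reaches the console unfiltered by Shiro. If that is the intent, say so in the heading, e.g. `# Request Filtering: no [urls] mappings are defined; all console paths pass through without a Shiro filter chain`; if path filtering was meant to be enabled, the `[urls]` mappings need to come back. The file also loses its trailing newline.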
@@ -3,70 +3,31 @@
 # =======================
 [main]
-# Objects and their properties are defined here,
-# Such as the securityManager, Realms and anything
-# else needed to build the SecurityManager
-#authenticator
+# Authenticator
 authenticator = org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator
 securityManager.authenticator = $authenticator
-#
-# Auth filters
-#
 kapuaAuthcAccessToken = org.eclipse.kapua.app.api.auth.KapuaTokenAuthenticationFilter
-
-#cacheManager = org.eclipse.kapua.broker.core.experimental.CacheManager
-#securityManager.cacheManager = $cacheManager
-
 ##########
 # Realms #
 ##########
+
 # Login
 kapuaUserPassAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.UserPassAuthenticatingRealm
 # Session
 kapuaAccessTokenAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.AccessTokenAuthenticatingRealm
-########################
-#Authorization section #
-########################
 # Authorization
 kapuaAuthorizingRealm = org.eclipse.kapua.service.authorization.shiro.KapuaAuthorizingRealm
-#removed from realms the authorizing realm (kapuaAuthorizingRealm) since it will be defined into the new Authorizer component
+
 securityManager.realms = $kapuaAccessTokenAuthenticatingRealm, $kapuaUserPassAuthenticatingRealm
+# Authorizer
 authorizer = org.eclipse.kapua.broker.core.security.EnhModularRealmAuthorizer
-#realms must be set again otherwise the authorizer will not have any.
-#The security manager (AuthorizingSecurityManager) is built in this way:
-# AuthorizingSecurityManager() //constructor
-# setRealms(realms) //set realms (if any)
-# afterRealmsSet() //set realms to authenticator (if any)
-# setAuthorizer(Authorizer authorizer) //if any configured
-# setAuthenticator() //if any custom authenticator is set
-#In this way the new authenticator must have the realms already configured once is set to the security manager.
-#Otherwise the security manager doesn't set it's own security manager to the authenticator
 authorizer.realms = $kapuaAuthorizingRealm
 securityManager.authorizer = $authorizer
-# SessionListeners only works with in the native SessionMode
-# This is not the mode we use when running in Tomcat.
-#securityManager.sessionMode = native
+# Session
 securityManager.sessionManager.globalSessionTimeout = -1
-securityManager.sessionManager.sessionValidationSchedulerEnabled = false
-
-securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
-
-[users]
-# The 'users' section is for simple deployments
-# when you only need a small number of statically-defined
-# set of User accounts.
-
-[roles]
-# The 'roles' section is for simple deployments
-# when you only need a small number of statically-defined
-# roles.
-
-[urls]
-# The 'urls' section is used for url-based security
-# in web applications. We'll discuss this section in the
-# Web documentation
+securityManager.sessionManager.sessionValidationSchedulerEnabled = false
\ No newline at end of file
diff --git a/rest-api/web/src/main/resources/shiro.ini b/rest-api/web/src/main/resources/shiro.ini
index 780ebf85c20..99a50cec8d5 100644
--- a/rest-api/web/src/main/resources/shiro.ini
+++ b/rest-api/web/src/main/resources/shiro.ini
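Review bot: This hunk drops `securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false` from the integration-test config (it is removed and never re-added; the new side only re-adds `sessionValidationSchedulerEnabled = false`), whereas the broker `shiro.ini` in this same commit keeps that line. If the test config is meant to mirror the broker, subject state will now be stored into Shiro sessions during integration tests but not in the broker, so the tests exercise a different session-storage path than production. Either restore `securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false` under `# Session` or add a comment stating why the test configuration differs. As in the broker file, `globalSessionTimeout = -1` leaves sessions unbounded and would benefit from a one-line comment on why.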
@@ -3,21 +3,15 @@
 # =======================
 [main]
-# Objects and their properties are defined here,
-# Such as the securityManager, Realms and anything
-# else needed to build the SecurityManager
-#authenticator
+# Authenticator
 authenticator = org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator
 securityManager.authenticator = $authenticator
-#
-# Auth filters
-kapuaAuthcAccessToken = org.eclipse.kapua.app.api.core.auth.KapuaTokenAuthenticationFilter
-
 ##########
 # Realms #
 ##########
+
 # Login
 kapuaUserPassAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.UserPassAuthenticatingRealm
 kapuaApiKeyAuthenticatingRealm = org.eclipse.kapua.service.authentication.shiro.realm.ApiKeyAuthenticatingRealm
@@ -35,22 +29,13 @@ securityManager.realms = $kapuaAuthorizingRealm, $kapuaAccessTokenAuthenticating
 securityManager.rememberMeManager.cookie.name = kapua-rememberme
 securityManager.rememberMeManager.cookie.maxAge = 0
-[users]
-# The 'users' section is for simple deployments
-# when you only need a small number of statically-defined
-# set of User accounts.
-
-[roles]
-# The 'roles' section is for simple deployments
-# when you only need a small number of statically-defined
-# roles.
+#
+# Auth filters
+kapuaAuthcAccessToken = org.eclipse.kapua.app.api.core.auth.KapuaTokenAuthenticationFilter
 [urls]
-# The 'urls' section is used for url-based security
-# in web applications. We'll discuss this section in the
-# Web documentation
-# Authentication
+# Filter Mappings
 /v1/authentication/info = kapuaAuthcAccessToken
 /v1/authentication/logout = kapuaAuthcAccessToken
diff --git a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/KapuaAuthenticator.java b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/KapuaAuthenticator.java
index 89688325ba0..976e5df1fb7 100644
--- a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/KapuaAuthenticator.java
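Review bot: The `[urls]` section now opens with `# Filter Mappings` followed by the two `/v1/authentication/...` entries, but nothing states that a path absent from this section is served with no Shiro filter at all, which is what `PathMatchingFilterChainResolver` does for an unmatched path; the rest of the section lies outside this hunk, so a trailing catch-all may exist further down. Suggest extending the heading so the contract is explicit: `# Filter Mappings — paths not listed here bypass kapuaAuthcAccessToken; add every new endpoint explicitly (or keep a trailing catch-all)`. Moving the `kapuaAuthcAccessToken` definition to the end of `[main]` is fine, since filters referenced from `[urls]` may be declared in `[main]` or `[filters]`; the first hunk of this file only reshuffles comments around it.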
+++ b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/KapuaAuthenticator.java
@@ -12,10 +12,6 @@
 *******************************************************************************/
 package org.eclipse.kapua.service.authentication.shiro;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
 import org.apache.shiro.ShiroException;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
@@ -26,13 +22,18 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
 /**
- * Kapua Shiro Authenticator.
+ * Kapua Shiro Authenticator.
+ *

* This authenticator provide more significantly exception message in a multi-realm configuration.
- * The code is derived from the original {@link ModularRealmAuthenticator} because the default Shiro implementation doesn't support detailed messages in a multirealm configuration.
- *
- * since 1.0
+ * The code is derived from the original {@link ModularRealmAuthenticator} because the
+ * default Shiro implementation doesn't support detailed messages in a multirealm configuration.
 *
+ * @since 1.0.0
 */
 public class KapuaAuthenticator extends ModularRealmAuthenticator {
@@ -45,6 +46,7 @@ protected AuthenticationInfo doMultiRealmAuthentication(Collection realms
 if (logger.isTraceEnabled()) {
 logger.trace("Iterating through {} realms for PAM authentication", realms.size());
 }
+
 List exceptionList = new ArrayList<>();
 boolean loginSucceeded = false;
 boolean supportedRealmFound = false;
@@ -61,9 +63,7 @@ protected AuthenticationInfo doMultiRealmAuthentication(Collection realms
 } catch (Exception exception) {
 t = exception;
 if (logger.isDebugEnabled()) {
- String msg = "Realm [" + realm
- + "] threw an exception during a multi-realm authentication attempt:";
- logger.debug(msg, t);
+ logger.debug("Realm [{}] threw an exception during a multi-realm authentication attempt:", realm, t);
 }
 }
 aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);
@@ -80,6 +80,7 @@ protected AuthenticationInfo doMultiRealmAuthentication(Collection realms
 // TODO move the error message to the message bundle
 throw new ShiroException("Internal Error!");
 }
+
 if (exceptionList.get(0) instanceof AuthenticationException) {
 throw (AuthenticationException) exceptionList.get(0);
 } else {
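Review bot: The reflowed Javadoc leaves the context line ` * This authenticator provide more significantly exception message in a multi-realm configuration.` untouched, and it now sits directly between the two sentences the commit rewrote, so the grammar stands out; suggest ` * This authenticator provides more meaningful exception messages in a multi-realm configuration.`. The class body begins after this hunk.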
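Review bot: With the message now parameterized as `logger.debug("Realm [{}] threw an exception during a multi-realm authentication attempt:", realm, t);`, the surrounding `if (logger.isDebugEnabled())` guard no longer saves any work, since SLF4J defers formatting until the level is enabled and both arguments are already in scope; dropping the guard would leave the single `logger.debug(...)` call, matching the idiom the commit is moving toward. SLF4J recognises the trailing `t` as the throwable only when it is the last argument after all placeholders are consumed, which holds here with one `{}` and two arguments, so the stack trace is still logged. The catch block still catches `Exception` broadly, and the enclosing `doMultiRealmAuthentication` starts and ends outside the hunk.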