From 6f5baaaa69b08e78f2149dddb4a628e9a7b4be54 Mon Sep 17 00:00:00 2001
From: jomu
Date: Wed, 14 Nov 2018 17:41:39 +0100
Subject: [PATCH] ensured only users which have a role assigned to the application can login

---
 account-ui/src/main/webapp/WEB-INF/shiro.ini | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/account-ui/src/main/webapp/WEB-INF/shiro.ini b/account-ui/src/main/webapp/WEB-INF/shiro.ini
index f841c69..153b226 100644
--- a/account-ui/src/main/webapp/WEB-INF/shiro.ini
+++ b/account-ui/src/main/webapp/WEB-INF/shiro.ini
@@ -25,7 +25,8 @@ passwordMatcher.passwordService = $passwordService
 # JDBC Realm setup
 jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
 jdbcRealm.permissionsLookupEnabled=false
-jdbcRealm.authenticationQuery = select al.account_password from account a, account_login al where al.account = a.id and a.username = ? and status not in ('LOCKED','DELETED')
+# jdbcRealm.authenticationQuery = select al.account_password from account a, account_login al where al.account = a.id and a.username = ? and status not in ('LOCKED','DELETED')
+jdbcRealm.authenticationQuery = SELECT accl.account_password from account acc, account_login accl, account_role accr, application_role appr WHERE accl.account = acc.id AND acc.id = accr.account AND accr.account_role = appr.id AND appr.application = '143a2bd3-7e0b-4162-a76e-3031331c7dfe' AND acc.status not in ('LOCKED','DELETED') AND acc.username = ?
 jdbcRealm.userRolesQuery = select r.role_name from application_role r, account_role ar, account a WHERE a.username = ? AND a.id = ar.account AND ar.account_role = r.id
 jdbcRealm.credentialsMatcher = $passwordMatcher
 jdbcRealm.dataSource = $datasource
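Review bot: The new authenticationQuery joins account_role and application_role straight into the password lookup, so an account holding more than one role for application '143a2bd3-…' returns one account_password row per role, and Shiro's JdbcRealm (default saltStyle) treats a multi-row result for a username as an error ("More than one user row found") — those users would be locked out rather than admitted. Express the membership test as an existence check so exactly one row comes back: `jdbcRealm.authenticationQuery = SELECT accl.account_password FROM account acc INNER JOIN account_login accl ON accl.account = acc.id WHERE acc.username = ? AND acc.status NOT IN ('LOCKED','DELETED') AND EXISTS (SELECT 1 FROM account_role accr INNER JOIN application_role appr ON appr.id = accr.account_role WHERE accr.account = acc.id AND appr.application = '143a2bd3-7e0b-4162-a76e-3031331c7dfe')` (or, at minimum, `SELECT DISTINCT accl.account_password …`). The unchanged userRolesQuery below still carries no application filter, so an authenticated user receives role names from every application; if role_name values are shared across applications, authorization in this UI could be satisfied by a role granted elsewhere, so the same `appr.application = '…'` predicate likely belongs there too — worth confirming against the schema. The commented-out previous query should be dropped rather than kept in the committed file, and since the application UUID is now a literal that will have to be repeated in each scoped query, a short comment naming which application it identifies (or a substituted property) would save the next maintainer a lookup.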