shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Ledbrook <pe...@cacoethes.co.uk>
Subject Re: HTTP method-dependent Basic authentication
Date Fri, 15 Oct 2010 21:42:04 GMT
> For example:
>
> /rest/**,GET = anon, foo, bar
> /rest/**,POST = authcBasic, perms[blah]
>
> or even more robust, to allow for other matching criteria later (e.g.
> header values?)
>
> rest/**[method:GET,blah:x] = anon, foo, bar
>
> This feels a little more robust to me than perhaps duplicating this
> stuff across the HttpMethodPermissionFilter or Authc filters...
>
> Thoughts?

I agree that whether a filter should apply to a particular HTTP method
is orthogonal to the filter implementation. Attaching it to the rule
itself does make sense. To my mind, it's simply a question of what
syntax to use.

     GET:/rest/** = ...
     POST,PUT,DELETE:/rest/** = ...

or

    /rest/** = anon, foo, bar -- GET
    /rest/** = authcBasic, perms[user] -- POST,PUT,DELETE

All sorts of options available.

Peter

Mime
View raw message