shiro-dev mailing list archives

From ngriso <nicolas.gr...@gmail.com>
Subject Rest resource authorisation
Date Tue, 15 Nov 2011 21:34:42 GMT
Hi,

For the REST resources I expose in my application, I'd like to have
different permissions based on the id of the resource.

Example: 
for the resource /store/books/123:
* user1 can update it (i.e. run the request PUT /store/books/123 with
success)
* user2 cannot (i.e. get a 403 when running PUT /store/books/123)

First, I tried to use HttpMethodPermissionFilter.
But with it, I don't have access to the id of the resource.
If my ini configuration is:
/store/books/**   rest[books]
I only get permissions like books:read or books:update.
But what I'd like is: books:read:123

So I was thinking of using a regex to extract the part of the URL I'm interested
in.
Example with this configuration:
/store/books/(.*)    rest[books]
The filter could extract the group(s) defined in the url, and add them to
the permission.

What do you think?
Do you see another solution to do that?

Thanks for your help
Nicolas

PS: I have already written the code to do this. The only difficult part is that the
PatternMatcher we want to use (here RegExPatternMatcher) is not easily
injectable into the different filters or chain resolvers. If asked, I'll start
another thread about this.

--
View this message in context: http://shiro-developer.582600.n2.nabble.com/Rest-resource-authorisation-tp6998028p6998028.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
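
Added example, not part of the original message and not Shiro's own code: one way to get a permission such as books:update:123 is to subclass HttpMethodPermissionFilter and append the id taken from the request path. The class name, the id character set and the assumption that the configured resource name (books) appears as a path segment directly before the id are all hypothetical; it targets Shiro 1.x with the javax.servlet API.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical filter: PUT /store/books/123 with restid[books] -> "books:update:123".
public class ResourceIdPermissionFilter extends HttpMethodPermissionFilter {

    // Pure helper, testable without a servlet container. Returns null when the
    // path has no id segment right after "/<resource>/" (e.g. /store/books).
    static String permissionFor(String resource, String action, String path) {
        // The id class excludes ':', ',' and '*': they are syntax in Shiro
        // wildcard permissions, and "books:update:123" would otherwise also
        // imply a request-built "books:update:123:anything".
        Pattern p = Pattern.compile(
                "/" + Pattern.quote(resource) + "/([A-Za-z0-9_-]{1,64})/?$");
        Matcher m = p.matcher(path);
        return m.find() ? resource + ":" + action + ":" + m.group(1) : null;
    }

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        String[] resources = (String[]) mappedValue;   // {"books"} from restid[books]
        if (resources == null || resources.length == 0) {
            return false;                              // fail closed: nothing configured
        }
        String action = getHttpMethodAction(request);  // PUT -> "update", GET -> "read"
        String path = WebUtils.getPathWithinApplication(WebUtils.toHttp(request));
        Subject subject = getSubject(request, response);
        for (String resource : resources) {
            String perm = permissionFor(resource, action, path);
            // No usable id, or the subject lacks the instance permission: deny.
            if (perm == null || !subject.isPermitted(perm)) {
                return false;
            }
        }
        return true;
    }
}
```

Collection URLs such as /store/books carry no id and are denied by this filter, so they need their own chain entry (for example the stock rest[books]) placed before the /store/books/** line.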
