shiro-dev mailing list archives

From ngriso <>
Subject Rest resource authorisation
Date Tue, 15 Nov 2011 21:34:42 GMT

For the rest resources I expose in my application, I'd like to have
different permissions based on the id of the resource.

For the resource /store/books/123:
* user1 can update it (i.e. run the request PUT /store/books/123 with
* user2 cannot (i.e. get a 403 when running PUT /store/books/123)

First, I tried to use HttpMethodPermissionFilter.
But with it, I don't have access to the id of the resource.
If my ini configuration is:
/store/books/**   rest[books]
I only get permissions like books:read or books:update.
But what I'd like is: books:read:123

So I was thinking of using a regex to extract the part of the url I'm interested
Example with this configuration:
/store/books/(.*)    rest[books]
The filter could extract the group(s) defined in the url, and add them to
the permission.

What do you think?
Do you see another solution to do that?

Thanks for your help

PS: I have already written the code to do this. The only difficult part is that the
PatternMatcher we want to use (here RegExPatternMatcher) is not easily
injectable into the different filter or chain resolver. If asked I'll start
another thread about this
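
One way to get an id-scoped permission such as books:update:123 without changing the chain's path matcher, as an added example that is not part of the original post and not Shiro's own code: a subclass of HttpMethodPermissionFilter that reads the id from the request path itself. The class name, the package `example`, the filter name `restId` and the numeric-id assumption are all hypothetical.

```java
package example;

import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Added example. Assumed shiro.ini wiring (the name restId is hypothetical):
 *   [main]  restId = example.ResourceIdPermissionFilter
 *   [urls]  /store/books/** = restId[books]
 */
public class ResourceIdPermissionFilter extends HttpMethodPermissionFilter {

    // Assumption: ids are numeric. ':', '*' and ',' are WildcardPermission
    // syntax, so the id is restricted to digits before it enters a permission string.
    private static final Pattern RESOURCE_ID =
            Pattern.compile("^/store/books/([0-9]{1,18})$");

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        String[] configured = (String[]) mappedValue;   // {"books"} from restId[books]
        if (configured == null || configured.length == 0) {
            return false;                                // misconfigured chain: deny
        }
        String path = WebUtils.getPathWithinApplication(WebUtils.toHttp(request));
        Matcher m = RESOURCE_ID.matcher(path);
        if (!m.matches()) {
            return false;  // no single well-formed id in the path: fail closed
        }
        String action = getHttpMethodAction(request);    // PUT -> "update", GET -> "read"
        String[] required = new String[configured.length];
        for (int i = 0; i < configured.length; i++) {
            required[i] = configured[i] + ":" + action + ":" + m.group(1);
        }
        // PUT /store/books/123 requires books:update:123
        return getSubject(request, response).isPermittedAll(required);
    }
}
```

With Shiro's wildcard permissions a grant of books:update still implies books:update:123, so per-id restriction only holds when users are granted id-level permissions rather than the type-level one.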
