shiro-dev mailing list archives

From Les Hazlewood
Subject Re: Rest resource authorisation
Date Wed, 16 Nov 2011 18:54:39 GMT
Hi Nicolas,

I think your approach is sound - a regular expression matcher would
certainly work!


On Tue, Nov 15, 2011 at 1:34 PM, ngriso wrote:
> Hi,
> For the REST resources I expose in my application, I'd like to have
> different permissions based on the id of the resource.
> Example:
> for the resource /store/books/123:
> * user1 can update it (i.e. run the request PUT /store/books/123 with
> success)
> * user2 cannot (i.e. get a 403 when running PUT /store/books/123)
> First, I tried to use HttpMethodPermissionFilter.
> But with it, I don't have access to the id of the resource.
> If my ini configuration is:
> /store/books/**   rest[books]
> I only get permissions like books:read or books:update.
> But what I'd like is: books:read:123
> So I was thinking of using a regex to extract the part of the URL I'm interested
> in.
> Example with this configuration:
> /store/books/(.*)    rest[books]
> The filter could extract the group(s) defined in the URL, and add them to
> the permission.
> What do you think?
> Do you see another solution to do that?
> Thanks for your help
> Nicolas
> PS: I have already written the code to do this. The only difficult part is that the
> PatternMatcher we want to use (here RegExPatternMatcher) is not easily
> injectable into the different filter or chain resolver. If asked, I'll start
> another thread about this.

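The approach discussed in this thread, as an added example that is not part of the original messages and is not Shiro code: a regex group supplies the resource id and the HTTP method supplies the action, giving permissions such as `books:update:123`. The class name, the verb-to-action map, the simplified `implies` check and the sample grants are assumptions; the capture group is narrowed from `(.*)` so an id cannot carry `:`, `,` or `*`, which have meaning in the permission string.

```java
import java.util.*;
import java.util.regex.*;

public class RestInstancePermissionDemo {
    // Assumed verb-to-action mapping; the thread itself only names "read" and "update".
    static final Map<String, String> ACTIONS = Map.of(
            "GET", "read", "HEAD", "read", "POST", "create", "PUT", "update", "DELETE", "delete");

    // The thread's /store/books/(.*) rule, with the group narrowed so the id cannot
    // contain ':', ',' or '*', which are separators/wildcards in the permission string.
    static final Pattern BOOKS = Pattern.compile("/store/books/([A-Za-z0-9_-]+)");

    /** Returns e.g. "books:update:123", or null when the request cannot be mapped. */
    static String requiredPermission(String method, String path) {
        String action = ACTIONS.get(method.toUpperCase(Locale.ROOT));
        Matcher m = BOOKS.matcher(path);
        if (action == null || !m.matches()) {
            return null; // fail closed: unknown verb or unexpected path shape
        }
        return "books:" + action + ":" + m.group(1);
    }

    /** Simplified colon-separated wildcard check (no comma sub-parts). */
    static boolean implies(String granted, String required) {
        String[] g = granted.split(":");
        String[] r = required.split(":");
        for (int i = 0; i < g.length; i++) {
            boolean wildcard = g[i].equals("*");
            if (i >= r.length ? !wildcard : !(wildcard || g[i].equals(r[i]))) {
                return false;
            }
        }
        return true; // a shorter grant such as "books:update" covers every id
    }

    static int status(List<String> grants, String method, String path) {
        String required = requiredPermission(method, path);
        boolean ok = required != null && grants.stream().anyMatch(p -> implies(p, required));
        return ok ? 200 : 403;
    }

    public static void main(String[] args) {
        List<String> user1 = List.of("books:update:123"); // constructed grants
        List<String> user2 = List.of("books:read", "books:update:456");
        System.out.println(status(user1, "PUT", "/store/books/123"));
        System.out.println(status(user2, "PUT", "/store/books/123"));
        System.out.println(status(user1, "PUT", "/store/books/123:x"));
    }
}
```

Only the first request is allowed: user2 holds no update grant for id 123, and the third path is rejected before any permission is built because the id contains a `:`.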