shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stephen McCants (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-459) Support role-based authorization depending on HTTP request method
Date Tue, 24 Sep 2013 14:48:12 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13776355#comment-13776355
] 

Stephen McCants commented on SHIRO-459:
---------------------------------------

Our "quick" solution, which is probably not the correct long term solution, was to add an
"anon" setting to our filter.  For instance:

/users/** = noSessionCreation, rest[POST-anon,GET-anon,DELETE-admin]

That lets anonymous users do POST (create a new account) and GETs (see their new account)
and requires admin permission/role for DELETEs.

So the work around was to combine the authc and anon filter into my "rest" filter.

I think your proposed solution (along the lines of SHIRO-107) is better.  Could you end up
with something like:

/rest:GET = anon
/rest:PUT = authcBasic, myFilter[SERVICE_PROVIDER,EXPERIMENTER]
/rest:POST = authcBasic, myFilter[EXPERIMENTER]
/rest:DELETE = authcBasic, myFilter[ADMINISTRATOR]

That would remove the redundant method references.  It also starts to look at lot like SHIRO-107.
 I'm wondering if maybe 107 should be reopened because it isn't working correctly?
                
> Support role-based authorization depending on HTTP request method
> -----------------------------------------------------------------
>
>                 Key: SHIRO-459
>                 URL: https://issues.apache.org/jira/browse/SHIRO-459
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authorization (access control) 
>    Affects Versions: 1.2.2
>            Reporter: Daniel Bimschas
>            Priority: Minor
>              Labels: features, newbie
>
> Below is a copy+paste from the Shiro users mailing list:
> =====================
> Dear Shiro gods!
> I'm struggling to figure out how I can do role-based authorization depending on what
HTTP method a request is using. I've posted this question on StackOverflow as it seems nobody
has been asking it before (at least I couldn't find it with my search terms). I would be incredibly
happy if you could take a look!
> http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m
> Cheers
> Daniel Bimschas
> =============================
> Then, in a second mail I proposed a solution to the issue:
> =============================
> Digging into the Shiro source codes I found that this feature is in fact not available
in Shiro. I've now implemented my own custom filter (extending RolesAuthorizationFilter) that
allows you to do exactly what I wanted. Configuration for the filter follows the following
example:
> [main]
>  myFilter=my.package.HttpMethodRolesAuthorizationFilter
> [urls]
>  /rest = authcBasic, myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]
> So, in this example
> - a user must be authenticated to execute any operation
> - a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT request,
> - a user with role EXPERIMENTER can send POST requests, and
> - a user with role ADMINISTRATOR can DELETE things
> I would be more than happy to contribute this little bit of code to the project in case
you're interested!
> =============================

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message