shiro-dev mailing list archives

From "Kamal (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-534) Provide better documentation around permissions
Date Wed, 03 Jun 2015 06:37:49 GMT
Kamal created SHIRO-534:
---------------------------

             Summary: Provide better documentation around permissions
                 Key: SHIRO-534
                 URL: https://issues.apache.org/jira/browse/SHIRO-534
             Project: Shiro
          Issue Type: Documentation
            Reporter: Kamal


I was playing around with custom realms and I set up the following AuthorizingRealm:-

{code}
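import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class TestRealm extends AuthorizingRealm
{

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken inToken) throws AuthenticationException
    {
        UsernamePasswordToken upToken = (UsernamePasswordToken) inToken;

        // Test realm: the submitted password is returned as the stored credential,
        // so any password is accepted for these two usernames.
        if (upToken.getUsername().equals("Kamal") || upToken.getUsername().equals("NotKamal"))
            return new SimpleAuthenticationInfo(upToken.getUsername(), upToken.getPassword(), getName());

        return null;
    }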

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection inPrincipals)
    {
        String username = (String) inPrincipals.fromRealm(getName()).iterator().next();
        SimpleAuthorizationInfo authzInfo = new SimpleAuthorizationInfo();
        authzInfo.addRole("User");

        if (username.equals("Kamal"))
        {
            authzInfo.addStringPermission("PRODMA:READ:AU");
            authzInfo.addStringPermission("PRODMA:WRITE:AU");
            authzInfo.addStringPermission("PRODMA:READ:KB");
            authzInfo.addStringPermission("PRODMA:WRITE:KB");
            authzInfo.addStringPermission("SUPPMA:READ:KB");
        }
        else
        {
            authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
        }

        return authzInfo;
    }
}
{code}

I then set up the following resource (I am using Guice + Jersey):-

{code}
@Path("/{client}/shiroResource")
public class ShiroResource
{
    private static final Logger LOG = LoggerFactory.getLogger(ShiroResource.class);
    private HttpSession mSession;

    @Inject
    public ShiroResource(HttpSession inSession)
    {
        mSession = inSession;
    }

    @POST
    @Path("requiresProdma.do")
    @Produces(MediaType.APPLICATION_JSON)
    @Consumes(MediaType.APPLICATION_JSON)
    @RequiresPermissions({ "PRODMA:*:*" })
    public String prodmaRequired()
    {
        return "Success";
    }

    @GET
    @Path("requiresSuppma.do")
    @Produces(MediaType.APPLICATION_JSON)
    @Consumes(MediaType.APPLICATION_JSON)
    @RequiresPermissions("PRODMA:*")
    public String suppmaRequired()
    {
        return "Success";
    }
}
{code}

Now, if I log in as NotKamal I have access to ShiroResource.suppmaRequired, but if I log in
as Kamal, I won't.  It took me a while to work out that I needed to specify the permission
string like this:-

{code}
authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
{code}

I feel that this is a bit unintuitive, but I guess it is what it is.  Can we provide better
examples of setting up a custom realm with permissions?  Preferably one which supports custom
wildcards.

Thanks.

Kamal.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
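
How Shiro evaluates the permission strings from this message, as an added example that is not part of the original post or of the Shiro project's code: it calls `WildcardPermission.implies` from shiro-core (assumed to be on the classpath) for each grant in `TestRealm` against each `@RequiresPermissions` string. The class name `WildcardImpliesDemo`, the helper names and the `PRODMA:DELETE:NZ` string are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.authz.permission.WildcardPermission;

// Added example (not from the original message): checks the granted
// permission strings against the strings used in @RequiresPermissions.
public class WildcardImpliesDemo {

    // Grants copied from TestRealm in the message above.
    static final List<String> KAMAL = Arrays.asList(
            "PRODMA:READ:AU", "PRODMA:WRITE:AU",
            "PRODMA:READ:KB", "PRODMA:WRITE:KB", "SUPPMA:READ:KB");
    static final List<String> NOT_KAMAL = Arrays.asList("PRODMA:READ,WRITE,*:AU,*");

    // Returns the first granted string that implies the required one, or null.
    static String firstImplying(List<String> granted, String required) {
        WildcardPermission needed = new WildcardPermission(required);
        for (String g : granted) {
            if (new WildcardPermission(g).implies(needed)) {
                return g;
            }
        }
        return null;
    }

    static void report(String user, List<String> granted, String required) {
        String match = firstImplying(granted, required);
        System.out.printf("%-8s needs %-18s -> %s%n", user, required,
                match == null ? "DENIED" : "allowed by " + match);
    }

    public static void main(String[] args) {
        // Strings from the two @RequiresPermissions annotations in the message.
        for (String required : Arrays.asList("PRODMA:*:*", "PRODMA:*")) {
            report("Kamal", KAMAL, required);
            report("NotKamal", NOT_KAMAL, required);
        }
        // A concrete required permission is the form Kamal's narrow grants satisfy.
        report("Kamal", KAMAL, "PRODMA:READ:AU");
        // Constructed values (DELETE and NZ are not in the message): the wildcard
        // grant also implies actions and instances nobody listed explicitly.
        report("NotKamal", NOT_KAMAL, "PRODMA:DELETE:NZ");
    }
}
```

A `*` in a required permission asks for a grant that covers every value of that part, so only a grant carrying `*` in the same position implies it. The grant `PRODMA:READ,WRITE,*:AU,*` therefore covers everything under `PRODMA`, which is worth weighing against least privilege before using it to make an annotation pass.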
