shiro-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Demers <brian.dem...@gmail.com>
Subject Re: permission everything but this item
Date Tue, 23 Feb 2010 16:21:49 GMT
I had a few discussions internally about similar annotations.  We need to
fill a hole in the JSR 331 annotations when it comes to security.  We need
similar annotations.

So in the example of:

@Path( "/example/{path-param}/foo/{another-param}" )
@Produces( { "application/xml", "application/json" } )
@Consumes( { "application/xml", "application/json" } )

we would need something like:
@RequirePermission( "authcBasic,perms[app:example]" );

We _might_ need to add the permission path also, in the example above it
would be simple to figure out: /example/*/foo/*
but I also have a few paths that would need to be something like
/example/*/foo/**, ( /example/one/foo/bar/hello/something-else) which could
not be generated.

Any ideas?  I don't want to mix web apps and non web apps here, but I
figured I would throw out the question.

-Brian




On Tue, Feb 23, 2010 at 10:10 AM, Les Hazlewood <lhazlewood@apache.org>wrote:

> I agree - the default for morst secure apps should be deny all unless
> allowed.  This is safer in that it often catches unexpected holes that
> you had no idea would be open otherwise.
>
> Shiro's behavior is already to deny access to everything unless
> explicitly granted access, but yes, it does require the declaration of
> an annotation or URL chain to trigger the checking behavior.  We'd
> probably just need to add some AOP support to prevent all invocations
> unless there is the presence of an annotation.
>
> You're right in that it wouldn't incur a performance hit - you'd only
> actually do the role/permission check if you come across an annotation
> and just deny everything else.
>
> I think the existing RequiresRoles/RequiresPermissions annotations
> would work fine in this context.  It would probably just be a
> configuration issue to turn on or off the 'deny all if not annotated'
> behavior.
>
> Les
>
> On Tue, Feb 23, 2010 at 9:51 AM, Kalle Korhonen
> <kalle.o.korhonen@gmail.com> wrote:
> > But I've often thought that the whole security should be based on
> > allowing nothing until you explicitly do so. If we had a set of
> > @AllowRole, @AllowPermission,... it'd simple to deny access to any
> > resources that didn't have the annotation without incurring a
> > performance hit. Just a thought at this point...
> >
> > Kalle
> >
> >
> > On Tue, Feb 23, 2010 at 6:32 AM, Brian Demers <brian.demers@gmail.com>
> wrote:
> >> I see how they would be handy some times, but.... we try to avoid them
> like
> >> the plague ;)
> >>
> >> On Tue, Feb 23, 2010 at 9:27 AM, Les Hazlewood <lhazlewood@apache.org>
> >> wrote:
> >>>
> >>> No, 'negative' permissions are not supported out of the box due to the
> >>> complexity and performance hit it would probably incur.  You're more
> >>> than welcome to open a feature request in Jira however.
> >>>
> >>> Regards,
> >>>
> >>> Les
> >>>
> >>> On Mon, Feb 22, 2010 at 7:41 PM, jobiwan11 <james.s.obrien@gmail.com>
> >>> wrote:
> >>> >
> >>> > If you have a permission like "printer:print:*" is there a way to say
> >>> > you're
> >>> > not allowed to print to "lpd7" without getting rid of the
> >>> > "printer:print:*"
> >>> > and listing out individual permissions per printer?
> >>> > Thanks,
> >>> > --jim
> >>> > --
> >>> > View this message in context:
> >>> >
> http://n2.nabble.com/permission-everything-but-this-item-tp4616037p4616037.html
> >>> > Sent from the Shiro User mailing list archive at Nabble.com.
> >>> >
> >>
> >>
> >
>

Mime
View raw message