shiro-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hilco Wijbenga <hilco.wijbe...@gmail.com>
Subject Re: Shiro and RESTful web services
Date Mon, 20 Sep 2010 03:23:00 GMT
On 18 September 2010 01:42, Les Hazlewood <lhazlewood@apache.org> wrote:
> As Brian mentioned, check out the BasicHttpAuthenticationFilter
> (available as the 'authcBasic' default filter).  Most REST apps use
> that one for authentication and this performs the challenge/response
> logic you mentioned (HTTP 401, etc).  You might also want to look in
> to the HttpMethodPermissionFilter for authorization.  They're both
> linked from the page Brian included.

I've got the BasicHttpAuthenticationFilter working but I'm unclear on
how to add the HttpMethodPermissionFilter. I can get something like

/account/** = authcBasic

to work but

/account/** = authcBasic, rest[user]

just seems to block everything.

Also, how do I configure different permissions for different HTTP
methods? E.g. allow everyone POST on /accounts (to create a new
account) but require role Admin for GET on /accounts (to list all
existing accounts).

How do I allow one particular user access to a particular URL. I.e.
how do I allow *only* user xyz access to /user/xyz/stuff? Obviously, I
don't want to have to configure each user separately.

Cheers,
Hilco

Mime
View raw message