shiro-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Schayna <>
Subject Shiro and dynamic role assignments
Date Wed, 12 Jun 2013 08:57:20 GMT

I am new to Shiro and I want to implement it into my app. I want to use
roles, but I'm not sure if it conforms intended use of roles in Shiro.

My app is Jersey REST server based, now completely without security but with
appropriate flags/relations in the database. There are three types of
security use cases I want to cover:

1) restrict users to access resources -- for example: only admin can add new
project. This is pretty simple, user has flag "admin" in database, I can
assign role ADMIN to user principal in custom realm

2) restrict users to access instances identified by {id} in resource URL --
for example: only project owner can add members to the project. This could
be tricky, each project has field "ownerUserId" in database, I can assign
PROJECT_OWNER role to user principal in realm, but {id} of project is in the
URL and role assignments in Shiro are cached, so user still have
PROJECT_OWNER role in processing of another requests for different projects.
Is it true?

3) filter output -- for example: users can read only events on projects,
where they are project members, events is global resource, not subresource
under project. This is similar to previous case, each project has collection
"members" so user has PROJECT_MEMBER role when exists in this collection on
each project. I can obtain list of events from DAO and now, for every event
in list, I have to decide if logged user has role PROJECT_MEMBER in context
of project on this event. Or may I convert requested PROJECT_MEMBER role
into filter condition to DAO?

Are there any recommendations for these basic scenarios?

Thank you

Martin Schayna

View this message in context:
Sent from the Shiro User mailing list archive at

View raw message