Posted to user@shiro.apache.org by juminoz <ju...@hotmail.com> on 2011/05/13 22:10:05 UTC

Re: Advise on authorization strategy

How about using one more level of the permission.

For example:

user:view:<group name>:*

Then the supervisor of that group can view all users that belong to the group.
The only thing is, you will need to be able to look up which group the user
is in first.

---
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;

public User view(String username) throws AuthorizationException {

   //impersonate daemon/admin/service user first
   String groupName = getUserGroupName(username);

   //unimpersonate - I guess this is not a word?

   // checkPermission throws AuthorizationException when the check fails;
   // isPermitted only returns a boolean, so its result must not be discarded
   SecurityUtils.getSubject().checkPermission("user:view:" + groupName + ":" + username);

   return getUser(username);
}
---

The only problem here is that if a user can belong to multiple groups, you
may have to take a slightly different approach. Either try them all, or see
if the returned group names even contain the group the supervisor belongs to,
and throw an exception even before you call .isPermitted().

---
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;

public User view(String username) throws AuthorizationException {

   //impersonate daemon/admin/service user first
   Set<String> groupNames = getUserGroupNames(username);

   //unimpersonate

   // groups the calling (supervisor) subject belongs to
   Set<String> groups =
      getUserGroupNames((String) SecurityUtils.getSubject().getPrincipal());

   String targetGroupName = "";

   for (String g : groups) {
      if (groupNames.contains(g)) {
         targetGroupName = g;
         //break after the first match since that's all you really have to
         //care about
         break;
      }
   }

   if (targetGroupName.equals(""))
      throw new AuthorizationException("You don't have permission to view this user");

   // checkPermission throws AuthorizationException when the check fails;
   // isPermitted only returns a boolean, so its result must not be discarded
   SecurityUtils.getSubject().checkPermission("user:view:" + targetGroupName + ":" + username);

   return getUser(username);
}
---

So it's a little more than just using Shiro, but this is the only way I can
think of right now. Haven't tried this myself, but I'm definitely running
into the same issue. For my case, users belong to a department, but since
there is a hierarchical structure of departments, a supervisor's supervisor
may want to be able to view the users in a sub-department as well. But then I
can simply add multiple permissions, one for each of the sub-departments, and
the first logic will then work for me.

I still need to figure out the impersonation/unimpersonation part myself.

HTH!
Jack

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Advise-on-authorization-strategy-tp6312150p6361031.html
Sent from the Shiro User mailing list archive at Nabble.com.
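Added example, not part of the post above and not Shiro project code: it exercises the "user:view:<group name>:*" scheme with Shiro's WildcardPermission directly, so it runs without a configured SecurityManager or a Realm. Instead of intersecting the supervisor's own groups with the target's (the second snippet above), it tries the permission string once per group the target user belongs to, which also covers the hierarchical case where the supervisor's grants name sub-departments the supervisor is not personally a member of. The DIRECTORY map and SUPERVISOR_GRANTS are constructed sample data standing in for the group lookup and for whatever the Realm would return; GroupScopedViewCheck, isPermitted and viewableVia are names chosen here. Only shiro-core is needed on the classpath.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class GroupScopedViewCheck {

    // Constructed sample directory (stands in for getUserGroupNames):
    // username -> groups; a user may belong to several groups.
    static final Map<String, Set<String>> DIRECTORY = Map.of(
        "alice", Set.of("sales"),
        "bob",   Set.of("sales", "support"),
        "carol", Set.of("engineering"));

    // Constructed sample grants for the "sales" supervisor. A supervisor of
    // supervisors would simply get one more entry per sub-department.
    static final List<Permission> SUPERVISOR_GRANTS = Arrays.asList(
        new WildcardPermission("user:view:sales:*"));

    /** True if any granted permission implies the requested one
     *  (same semantics a Shiro Realm applies in Subject.isPermitted). */
    static boolean isPermitted(List<Permission> grants, String required) {
        Permission needed = new WildcardPermission(required);
        for (Permission granted : grants) {
            if (granted.implies(needed)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolve the target user's groups and try "user:view:<group>:<user>"
     * for each one. Returns the group the access was granted through, or
     * null when no grant covers the user, so the caller can deny before
     * loading the record. Unknown usernames resolve to no groups and are
     * therefore denied rather than causing a NullPointerException.
     */
    static String viewableVia(List<Permission> grants, String username) {
        Set<String> groups = DIRECTORY.getOrDefault(username, new HashSet<>());
        for (String group : groups) {
            if (isPermitted(grants, "user:view:" + group + ":" + username)) {
                return group;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        for (String target : new String[] {"alice", "bob", "carol", "nobody"}) {
            String via = viewableVia(SUPERVISOR_GRANTS, target);
            System.out.println(target + " -> " + (via == null ? "DENY" : "allow via " + via));
        }
    }
}
```

With the sample data, alice and bob resolve to "sales" (bob is also in "support", but one shared group is enough), while carol and the unknown user are denied. Note that the group lookup is still the part that has to run with service privileges, as the post says; this example avoids that only because the directory is an in-memory map.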