Posted to user@shiro.apache.org by jcvidal <jc...@improve.fr> on 2009/04/29 18:08:47 UTC

AND or OR roles filters ?

Hi,

I'm using Ki in an unusual way (with configuration in XML file instead of
Web.xml ini-file-like conf). 
That's not the point (all is working well), but trying different scenarios,
I found a weird behaviour.

Let's say there is in the conf file a line like this : 

/blabla/** = authc, roles[admin,superadmin]

In my mind, this means: (authenticated) user with admin role OR superadmin
role may access /blabla/**
In fact, it seems to be: user with admin role AND superadmin role may
access /blabla/**

Am I right or am I wrong?

Obviously, the next question is: if the AND behaviour is the standard one,
how to have an OR behaviour?



Best regards

Jean-Charles

-- 
View this message in context: http://n2.nabble.com/AND-or-OR-roles-filters---tp2741505p2741505.html
Sent from the JSecurity User mailing list archive at Nabble.com.


Re: AND or OR roles filters ?

Posted by jcvidal <jc...@improve.fr>.
Hi Les

You're right : it won't be simple. I already thought about permissions, but
it's a little bit too granular :)
I'm thinking about the JIRA, but not for now ....

Thanks a lot for your help

Best regards

Jean-Charles




-- 
View this message in context: http://n2.nabble.com/AND-or-OR-roles-filters---tp2741505p2745765.html
Sent from the JSecurity User mailing list archive at Nabble.com.


Re: AND or OR roles filters ?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jean-Charles,

We don't support logical expressions in text configuration at the moment
(please add a Jira issue if you'd like to see this feature!).

Currently most people use Permissions for this type of model, since they are
much finer grained and allow really customizable security policies.

That is, you might see the following:

/blabla/** = authc, perms[user:create]

That way it doesn't matter what roles they have as long as at least one of
the roles to which they're assigned implies the 'user:create' permission.

I don't disagree it could be useful to support what you mention (text-based
config with logical expressions for roles and/or permission checks), but if
you think about it, it's not entirely easy - we'd need to come up with a
parsing/expression grammar that could parse your logical expression string
and convert that into a security check.

It's not very simple - we'd probably have to use something like antlr, and
even then, I'm not sure that should be a required dependency.  But, if you
like, open a Jira issue and we could discuss it :)

Cheers,

Les

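For the OR behaviour asked about in this thread, one workable option without an expression grammar is a small custom filter; the following is an added example, not code from the thread or from the Ki/Shiro project. The stock `roles` filter requires every listed role (it checks `hasAllRoles`), so this subclass of `AuthorizationFilter` grants access when the subject holds any one of them. It assumes current Shiro package names (`org.apache.shiro.*`; the Ki/JSecurity-era prefix differed), an ini-style `[main]` registration (the thread uses XML, which maps the same way), and the hypothetical filter name `anyRoles` and package `com.example.shiro`.

```java
package com.example.shiro; // hypothetical package, not part of Shiro

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * Grants access if the subject has AT LEAST ONE of the configured roles.
 *
 * Contrast with Shiro's built-in RolesAuthorizationFilter, which calls
 * subject.hasAllRoles(...) and therefore requires EVERY listed role, so
 *   /blabla/** = authc, roles[admin,superadmin]
 * means "admin AND superadmin".
 */
public class AnyRoleAuthorizationFilter extends AuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) {
        // mappedValue is the String[] Shiro parses from the bracketed list, e.g.
        // anyRoles[admin,superadmin] -> {"admin", "superadmin"}
        String[] roles = (String[]) mappedValue;
        if (roles == null || roles.length == 0) {
            // An empty role list is almost certainly a configuration mistake.
            // Fail closed here (the built-in roles filter returns true instead).
            return false;
        }
        Subject subject = getSubject(request, response);
        for (String role : roles) {
            if (subject.hasRole(role.trim())) {
                return true; // any single matching role is enough
            }
        }
        // AuthorizationFilter.onAccessDenied() then redirects to unauthorizedUrl
        // (or sends 401), exactly as it does for the built-in roles filter.
        return false;
    }
}

// Registration (shiro.ini syntax; assumed, adapt to the XML form in use):
//   [main]
//   anyRoles = com.example.shiro.AnyRoleAuthorizationFilter
//   [urls]
//   /blabla/** = authc, anyRoles[admin,superadmin]   # admin OR superadmin
```

Keep `authc` in front of the new filter: it only answers the authorization question, and an unauthenticated subject has no roles to match.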