Posted to dev@shiro.apache.org by "Brian Demers (JIRA)" <ji...@apache.org> on 2016/07/13 18:44:20 UTC
[jira] [Commented] (SHIRO-534) Provide better documentation around permissions
[ https://issues.apache.org/jira/browse/SHIRO-534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15375521#comment-15375521 ]
Brian Demers commented on SHIRO-534:
------------------------------------
This issue is about a year old, so I'm not sure if you are still watching this.
But it looks like the example above has the permissions reversed.
Typically your resource would require a specific permission, for example {{PRODMA:READ:AU}}, and you assign the user the more general permission {{PRODMA:*:AU}}.
So in your case:
{code}
@GET
@Path("requiresSuppma.do")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@RequiresPermissions("PRODMA:READ:suppma")
public String suppmaRequired()
{
    return "Success";
}
{code}
and assign your user: {{authzInfo.addStringPermission("PRODMA:READ:*");}} (assuming you want your user to read all resources protected by a permission string starting with "PRODMA:READ").
I think this is covered pretty well [here|http://shiro.apache.org/permissions.html] \[1].
Can you think of anything we should add to the current doc to make this more clear?
\[1] http://shiro.apache.org/permissions.html
> Provide better documentation around permissions
> -----------------------------------------------
>
> Key: SHIRO-534
> URL: https://issues.apache.org/jira/browse/SHIRO-534
> Project: Shiro
> Issue Type: Documentation
> Components: Documentation
> Reporter: Kamal
> Labels: documentation
>
> I was playing around with custom realms and I set up the following AuthorizingRealm:
> {code}
> import org.apache.shiro.authc.AuthenticationException;
> import org.apache.shiro.authc.AuthenticationInfo;
> import org.apache.shiro.authc.AuthenticationToken;
> import org.apache.shiro.authc.SimpleAuthenticationInfo;
> import org.apache.shiro.authc.UsernamePasswordToken;
> import org.apache.shiro.authz.AuthorizationInfo;
> import org.apache.shiro.authz.SimpleAuthorizationInfo;
> import org.apache.shiro.realm.AuthorizingRealm;
> import org.apache.shiro.subject.PrincipalCollection;
>
> public class TestRealm extends AuthorizingRealm
> {
>     @Override
>     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken inToken) throws AuthenticationException
>     {
>         UsernamePasswordToken upToken = (UsernamePasswordToken) inToken;
>         // Test-only realm: the submitted password is returned as the stored
>         // credential, so the default credentials matcher accepts any password.
>         if (upToken.getUsername().equals("Kamal") || upToken.getUsername().equals("NotKamal"))
>             return new SimpleAuthenticationInfo(upToken.getUsername(), upToken.getPassword(), getName());
>         return null;
>     }
>
>     @Override
>     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection inPrincipals)
>     {
>         String username = (String) inPrincipals.fromRealm(getName()).iterator().next();
>         SimpleAuthorizationInfo authzInfo = new SimpleAuthorizationInfo();
>         authzInfo.addRole("User");
>         if (username.equals("Kamal"))
>         {
>             // Fully specified permissions, no wildcards
>             authzInfo.addStringPermission("PRODMA:READ:AU");
>             authzInfo.addStringPermission("PRODMA:WRITE:AU");
>             authzInfo.addStringPermission("PRODMA:READ:KB");
>             authzInfo.addStringPermission("PRODMA:WRITE:KB");
>             authzInfo.addStringPermission("SUPPMA:READ:KB");
>         }
>         else
>         {
>             // Wildcard grant: "*" in the action and instance parts
>             authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
>         }
>         return authzInfo;
>     }
> }
> {code}
> I then set up the following resource (I am using Guice + Jersey):
> {code}
> import javax.servlet.http.HttpSession;
> import javax.ws.rs.Consumes;
> import javax.ws.rs.GET;
> import javax.ws.rs.POST;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.MediaType;
> import com.google.inject.Inject;
> import org.apache.shiro.authz.annotation.RequiresPermissions;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> @Path("/{client}/shiroResource")
> public class ShiroResource
> {
>     private static final Logger LOG = LoggerFactory.getLogger(ShiroResource.class);
>     private HttpSession mSession;
>
>     @Inject
>     public ShiroResource(HttpSession inSession)
>     {
>         mSession = inSession;
>     }
>
>     // Requires a grant that covers every action and every instance under PRODMA
>     @POST
>     @Path("requiresProdma.do")
>     @Produces(MediaType.APPLICATION_JSON)
>     @Consumes(MediaType.APPLICATION_JSON)
>     @RequiresPermissions({ "PRODMA:*:*" })
>     public String prodmaRequired()
>     {
>         return "Success";
>     }
>
>     // Requires a grant that covers every action under PRODMA
>     @GET
>     @Path("requiresSuppma.do")
>     @Produces(MediaType.APPLICATION_JSON)
>     @Consumes(MediaType.APPLICATION_JSON)
>     @RequiresPermissions("PRODMA:*")
>     public String suppmaRequired()
>     {
>         return "Success";
>     }
> }
> {code}
> Now, if I log in as NotKamal I have access to ShiroResource.suppmaRequired, but if I log in as Kamal, I won't. It took me a while to work out that I needed to specify the permission string like this:
> {code}
> authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
> {code}
> I feel that this is a bit unintuitive, but I guess it is what it is. Can we provide better examples of setting up a custom realm with permissions? Preferably one which supports custom wildcards.
> Thanks.
> Kamal.
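To make the direction of the match concrete, the following is an added example (not code from the issue, the comment, or Shiro's own code base) that runs the grants from Kamal's TestRealm and the layout Brian suggests through Shiro's WildcardPermission; isPermitted is a hypothetical helper that mirrors the any-grant-implies-required check an AuthorizingRealm performs.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class PermissionDirectionDemo
{
    // Hypothetical helper mirroring the realm's check: the subject is permitted
    // when ANY granted permission implies the permission the resource requires.
    static boolean isPermitted(List<String> granted, String required)
    {
        Permission needed = new WildcardPermission(required);
        for (String grant : granted)
        {
            if (new WildcardPermission(grant).implies(needed))
                return true;
        }
        return false;
    }

    public static void main(String[] args)
    {
        // Grants exactly as the TestRealm in the issue assigns them
        List<String> kamal = Arrays.asList("PRODMA:READ:AU", "PRODMA:WRITE:AU",
                "PRODMA:READ:KB", "PRODMA:WRITE:KB", "SUPPMA:READ:KB");
        List<String> notKamal = Arrays.asList("PRODMA:READ,WRITE,*:AU,*");

        // The issue's resource requires "PRODMA:*": the grant must cover every
        // action. Kamal's explicit READ/WRITE grants cannot; NotKamal's "*" in
        // the action part can, and the trailing "*" covers any instance.
        System.out.println("Kamal    -> PRODMA:* : " + isPermitted(kamal, "PRODMA:*"));
        System.out.println("NotKamal -> PRODMA:* : " + isPermitted(notKamal, "PRODMA:*"));

        // Brian's layout: the resource requires the specific permission and the
        // realm grants the general one, so the required string needs no wildcards.
        List<String> reader = Arrays.asList("PRODMA:READ:*");
        System.out.println("PRODMA:READ:* -> PRODMA:READ:suppma : "
                + isPermitted(reader, "PRODMA:READ:suppma"));

        // implies() is directional: the general grant implies the specific
        // requirement, never the other way round.
        WildcardPermission general = new WildcardPermission("PRODMA:*:AU");
        WildcardPermission specific = new WildcardPermission("PRODMA:READ:AU");
        System.out.println("general implies specific: " + general.implies(specific));
        System.out.println("specific implies general: " + specific.implies(general));
    }
}
```

WildcardPermission is case-insensitive by default and uses ":" to separate parts and "," to separate alternatives within a part, which is why "READ,WRITE,*" is a single action part.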
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)