Posted to user@shiro.apache.org by Daniel Bimschas <bi...@itm.uni-luebeck.de> on 2013/09/16 11:37:03 UTC

Role-based authorization depending on HTTP request method

Dear Shiro gods!

I'm struggling to figure out how I can do role-based authorization depending on what HTTP method a request is using. I've posted this question on StackOverflow as it seems nobody has been asking it before (at least I couldn't find it with my search terms). I would be incredibly happy if you could take a look!

http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m

Cheers
Daniel Bimschas

Re: Role-based authorization depending on HTTP request method

Posted by Daniel Bimschas <bi...@itm.uni-luebeck.de>.
Looking at the implementation of Shiro's filter I guess it could be sufficient (and not break compatibility) if we modified PathMatchingFilter.pathsMatch(...) and/or AntPathMatcher to reflect the behavior. Maybe one of the Shiro core guys has an idea whether this could work without breaking anything!?

Cheers
Daniel

On 26.09.2013, at 01:35, davison wrote:

> I have a similar use case to yours but I need anonymous access to certain
> methods too which I think is not possible (I'll post separately to outline
> my case).  But for your needs, where you must be authenticated for *any*
> request, I think this can be handled with config only - at least using Shiro
> 1.2.2
> 
> Define a filter chain using the "rest" filter (an inbuilt instance of
> HttpMethodPermissionFilter)...
> 
> /data/stocks/** = authc, rest[stocks]
> 
> ...and in your realm define permissions like:
> 
> role.admin=stocks:*
> role.user=stocks:read
> 
> 
> hth,
> Darren.

--
Daniel Bimschas, M.Sc.


UNIVERSITÄT ZU LÜBECK
   INSTITUT FÜR TELEMATIK

   Ratzeburger Allee 160
   23538 Lübeck

   Tel +49 451 500 5392
   Fax +49 451 500 5382
   bimschas@itm.uni-luebeck.de

   https://www.itm.uni-luebeck.de/people/bimschas


Re: Role-based authorization depending on HTTP request method

Posted by davison <da...@davisononline.org>.
I have a similar use case to yours, but I need anonymous access to certain
methods too, which I think is not possible (I'll post separately to outline
my case).  But for your needs, where you must be authenticated for *any*
request, I think this can be handled with config only - at least using Shiro
1.2.2.

Define a filter chain using the "rest" filter (an inbuilt instance of
HttpMethodPermissionFilter)...

/data/stocks/** = authc, rest[stocks]

...and in your realm define permissions like:

role.admin=stocks:*
role.user=stocks:read


hth,
Darren.


Daniel Bimschas wrote
> Dear Shiroers,
> 
> I've commented on my ticket, as I noticed that my implementation also doesn't
> really support all use cases. In fact it would be ideal to configure the
> filter like in the example of SHIRO-107
> (https://issues.apache.org/jira/browse/SHIRO-107):
> 
>     /data/stocks/**:post = authc, roles[admin] 
>     /data/stocks/** = authc
> 
> However, although the issue is marked as resolved it doesn't seem to be
> possible to specify the filter as in the given example. Doing so will fail
> with the following message:
> 
>     There is no filter with name 'post = authc' to apply to chain
> [/data/stocks/**] in the pool of available Filters.  Ensure a filter with
> that name/path has first been registered with the addFilter method(s).
> 
> Is there another way to specify the filter chain that resembles the same
> behavior?


Re: Role-based authorization depending on HTTP request method

Posted by Daniel Bimschas <bi...@itm.uni-luebeck.de>.
Dear Shiroers,

I've commented on my ticket, as I noticed that my implementation also doesn't really support all use cases. In fact it would be ideal to configure the filter like in the example of SHIRO-107 (https://issues.apache.org/jira/browse/SHIRO-107):

    /data/stocks/**:post = authc, roles[admin] 
    /data/stocks/** = authc

However, although the issue is marked as resolved it doesn't seem to be possible to specify the filter as in the given example. Doing so will fail with the following message:

    There is no filter with name 'post = authc' to apply to chain [/data/stocks/**] in the pool of available Filters.  Ensure a filter with that name/path has first been registered with the addFilter method(s).

Is there another way to specify the filter chain that resembles the same behavior?

Regards
Daniel

On 19.09.2013, at 16:51, Daniel Bimschas wrote:

> Hmm. I'm not sure how to add you guys to the issue so please go ahead and watch it: https://issues.apache.org/jira/browse/SHIRO-459
> 
> I'll now add the implementation and some comment on how to proceed...
> 
> Cheers
> Daniel
> 



Re: Role-based authorization depending on HTTP request method

Posted by Daniel Bimschas <bi...@itm.uni-luebeck.de>.
Hmm. I'm not sure how to add you guys to the issue so please go ahead and watch it: https://issues.apache.org/jira/browse/SHIRO-459

I'll now add the implementation and some comment on how to proceed...

Cheers
Daniel

On 18.09.2013, at 20:39, Stephen McCants wrote:

> Hi Daniel,
> 
> I'd like to be copied on that Jira ticket as well.
> Thanks!
> 
> --Stephen
> 



Re: Role-based authorization depending on HTTP request method

Posted by Stephen McCants <st...@hcs.us.com>.
Hi Daniel,

I'd like to be copied on that Jira ticket as well.
Thanks!

--Stephen

On 9/18/2013 1:33 PM, Les Hazlewood wrote:
> Hi Daniel,
>
> Please attach it to a Jira issue so we can take a look at it - if it 
> makes sense to add for general purpose use, we will!
>
> Thanks!
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


-- 
Stephen McCants
Senior Software Engineer
Healthcare Control Systems
1-877-877-8795 x116


Re: Role-based authorization depending on HTTP request method

Posted by Les Hazlewood <lh...@apache.org>.
Hi Daniel,

Please attach it to a Jira issue so we can take a look at it - if it makes
sense to add for general purpose use, we will!

Thanks!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Wed, Sep 18, 2013 at 12:24 AM, Daniel Bimschas <bimschas@itm.uni-luebeck.de> wrote:

> Digging into the Shiro source code I found that this feature is in fact
> not available in Shiro. I've now implemented my own custom filter
> (extending RolesAuthorizationFilter) that allows you to do exactly what I
> wanted. The filter is configured as in the following example:
>
> [main]
>   myFilter=my.package.HttpMethodRolesAuthorizationFilter
> [urls]
>   /rest = authcBasic,
> myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]
>
> So, in this example
>
>  - a user must be authenticated to execute any operation
>  - a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT
> request,
>  - a user with role EXPERIMENTER can send POST requests, and
>  - a user with role ADMINISTRATOR can DELETE things
>
> I would be more than happy to contribute this little bit of code to the
> project in case you're interested!
>
> Best regards
> Daniel Bimschas
>

Re: Role-based authorization depending on HTTP request method

Posted by Daniel Bimschas <bi...@itm.uni-luebeck.de>.
Digging into the Shiro source code I found that this feature is in fact not available in Shiro. I've now implemented my own custom filter (extending RolesAuthorizationFilter) that allows you to do exactly what I wanted. The filter is configured as in the following example:

[main]
  myFilter=my.package.HttpMethodRolesAuthorizationFilter
[urls]
  /rest = authcBasic, myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]

So, in this example

 - a user must be authenticated to execute any operation
 - a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT request,
 - a user with role EXPERIMENTER can send POST requests, and
 - a user with role ADMINISTRATOR can DELETE things

I would be more than happy to contribute this little bit of code to the project in case you're interested!

Best regards
Daniel Bimschas

On 16.09.2013, at 11:37, Daniel Bimschas wrote:

> Dear Shiro gods!
> 
> I'm struggling to figure out how I can do role-based authorization depending on what HTTP method a request is using. I've posted this question on StackOverflow as it seems nobody has been asking it before (at least I couldn't find it with my search terms). I would be incredibly happy if you could take a look!
> 
> http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m
> 
> Cheers
> Daniel Bimschas
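As an added illustration (not the code Daniel attached to SHIRO-459, which is not on this page), here is one way a filter accepting the [urls] configuration above could be written against the Shiro 1.x web API. It assumes the bracketed value reaches isAccessAllowed() as a String[] split on commas, which is what PathMatchingFilter does with [a,b] config, and it reads METHOD=ROLE1&ROLE2 as requiring all listed roles, matching the PUT case in Daniel's list.

```java
import java.util.*;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Role check keyed on the HTTP method. For
 *   myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]
 * Shiro hands isAccessAllowed() the String[] {"PUT=SERVICE_PROVIDER&EXPERIMENTER", ...}.
 * Methods without a mapping (e.g. GET here) are only subject to the authc filter
 * that precedes this one in the chain. Class body is an assumption, not the attached code.
 */
public class HttpMethodRolesAuthorizationFilter extends RolesAuthorizationFilter {

    /** Parses "METHOD=ROLE[&ROLE...]" entries into method -> set of required roles. */
    static Map<String, Set<String>> parseMethodRoles(String[] mappedValue) {
        Map<String, Set<String>> result = new HashMap<String, Set<String>>();
        if (mappedValue == null) {
            return result;
        }
        for (String entry : mappedValue) {
            int eq = entry.indexOf('=');
            if (eq <= 0 || eq == entry.length() - 1) {
                // refuse a malformed mapping instead of silently granting access
                throw new IllegalArgumentException("Expected METHOD=ROLE[&ROLE...], got: " + entry);
            }
            String method = entry.substring(0, eq).trim().toUpperCase(Locale.ROOT);
            Set<String> roles = new HashSet<String>();
            for (String role : entry.substring(eq + 1).split("&")) {
                if (!role.trim().isEmpty()) roles.add(role.trim());
            }
            result.put(method, roles);
        }
        return result;
    }

    /** Allows the request only if the subject holds every role mapped to this method. */
    static boolean isAllowed(Subject subject, String method, Map<String, Set<String>> methodRoles) {
        Set<String> required = methodRoles.get(method.toUpperCase(Locale.ROOT));
        if (required == null) {
            return true; // no role constraint for this method; authc still applied earlier
        }
        return subject.isAuthenticated() && subject.hasAllRoles(required);
    }

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        // mappedValue is re-parsed per request for brevity; a production filter would cache it
        String method = WebUtils.toHttp(request).getMethod();
        return isAllowed(getSubject(request, response), method, parseMethodRoles((String[]) mappedValue));
    }
}
```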