Posted to user@shiro.apache.org by mrtho1 <mr...@gmail.com> on 2011/03/22 18:03:37 UTC
Authorization and Implication help
Very new to Shiro, my application is using standard wildcard permissions, so
to assign view privs for a job a user would have:
job:view:1 (1 being the instance id).
What I would like to do is have a UI element that is visible if they have
view privileges to ANY job. It's a link that displays a page of jobs they
have view access to. Problem is, I'm not sure how to check for this. Just
checking for job:view fails since the user does not have job:view:*. Am I
thinking about this wrong? Do I need to have another permission
job:viewList? Is there a better way to authorize this kind of action?
Thanks in advance!
--m
Re: Authorization and Implication help
Posted by mrtho1 <mr...@gmail.com>.
Gotcha, I was hoping for something more general, since I don't necessarily
know all the job ids at render time. This may be abusing the authorization
framework though. I think I'll have to get the list of visible jobs and if
len > 0 show the button vs doing the query via a permission string.
Re: Authorization and Implication help
Posted by Les Hazlewood <lh...@apache.org>.
You would need to assign "job:view" to the user, and then a check for
"job:view:1" would succeed. For example:
    if (subject.isPermitted("job:view:1")) {
        // show job 1.
    }
Because "job:view" _implies_ "job:view:1"
The general idea is that you typically assign more general scoped
permissions and at runtime, perform instance-specific checks.
Note that in WildcardPermission syntax job:view is equivalent to
job:view:*, so you could technically assign either.
Does that help?
Cheers,
--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
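
An added example, not part of the thread and not Shiro's own code: it shows the one-way implication discussed above using WildcardPermission, then a hypothetical helper (grantsOnAnyInstance) that answers the "view privileges to ANY job" question by inspecting the assigned permission strings directly. It assumes the thread's three-part domain:action:instance layout, Shiro's default case-insensitive matching, and that the assigned strings are available as a list; the class name, helper names and sample assignments are constructed.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.authz.permission.WildcardPermission;

public class JobViewCheck {

    // True if one permission part (a comma-separated token list such as
    // "view,edit") contains the wanted token or the "*" wildcard.
    static boolean partCovers(String part, String wanted) {
        List<String> tokens = Arrays.asList(part.trim().toLowerCase().split("\\s*,\\s*"));
        return tokens.contains("*") || tokens.contains(wanted);
    }

    // Hypothetical helper: does any assigned permission grant `action` on at
    // least one instance of `domain`? Missing trailing parts count as "*",
    // matching the job:view == job:view:* equivalence described in the thread.
    static boolean grantsOnAnyInstance(List<String> assigned, String domain, String action) {
        for (String perm : assigned) {
            String[] parts = perm.split(":");
            boolean domainOk = partCovers(parts[0], domain);
            boolean actionOk = parts.length < 2 || partCovers(parts[1], action);
            if (domainOk && actionOk) {
                return true; // whatever the instance part is, it names at least one job
            }
        }
        return false;
    }

    public static void main(String[] args) {
        WildcardPermission general = new WildcardPermission("job:view");
        WildcardPermission instance = new WildcardPermission("job:view:1");
        // The general permission implies the instance-specific one.
        System.out.println("general implies instance: " + general.implies(instance));
        // The reverse does not hold, which is why checking "job:view" fails
        // for a user who was only assigned "job:view:1".
        System.out.println("instance implies general: " + instance.implies(general));

        // Constructed sample assignments.
        List<String> alice = Arrays.asList("job:view:1", "job:edit:2");
        List<String> bob = Arrays.asList("report:view", "job:edit:2");
        System.out.println("alice sees link: " + grantsOnAnyInstance(alice, "job", "view"));
        System.out.println("bob sees link: " + grantsOnAnyInstance(bob, "job", "view"));
    }
}
```

The helper only decides whether to render the link; each job shown on the resulting page still needs its own subject.isPermitted("job:view:<id>") check.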