Posted to dev@shiro.apache.org by ngriso <ni...@gmail.com> on 2011/11/15 22:34:42 UTC

Rest resource authorisation

Hi,

For the rest resources I expose in my application, I'd like to have
different permissions based on the id of the resource.

Example: 
for the resource /store/books/123:
* user1 can update it (i.e. run the request PUT /store/books/123 with
success)
* user2 cannot (i.e. get a 403 when running PUT /store/books/123)

First, I try to use HttpMethodPermissionFilter.
But with it, I don't have access to the id of the resource.
If my ini configuration is:
/store/books/**   rest[books]
I only get permissions like books:read or books:update.
But what I'd like is: books:read:123

So I was thinking to use regex to extract the part of the url I'm interested
in.
Example with this configuration:
/store/books/(.*)    rest[books]
The filter could extract the group(s) defined in the url, and add them to
the permission.

What do you think?
Do you see another solution to do that?

Thanks for your help
Nicolas

PS: I already wrote the code to do this. The only difficult part is that the
PatternMatcher we want to use (here RegExPatternMatcher) is not easily
injectable into the different filters or chain resolvers. If asked I'll start
another thread about this

--
View this message in context: http://shiro-developer.582600.n2.nabble.com/Rest-resource-authorisation-tp6998028p6998028.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
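One way to get id-scoped permissions of the form books:update:123 out of HttpMethodPermissionFilter, added here as an illustration (this is neither Nicolas's code nor part of Shiro): keep the Ant-style pattern in [urls] for chain matching, and give the filter its own regex property for pulling the id out of the path. That sidesteps the PatternMatcher injection problem entirely, because the chain resolver keeps its default matcher. The class name ResourceIdPermissionFilter, the property name resourcePattern and the regex in the comment are assumptions; the Shiro calls used (getHttpMethodAction, getSubject, WebUtils.toHttp, WebUtils.getPathWithinApplication, Subject.isPermittedAll) are real API. Note that the check is done directly rather than through super.isAccessAllowed, since HttpMethodPermissionFilter's own isAccessAllowed would append the action a second time.

```java
package com.example.shiro; // assumed package

import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Added example (not Shiro's code): an HttpMethodPermissionFilter that appends
 * the resource id captured from the request path to every permission.
 * The regex lives on the filter instance, so the [urls] section keeps its
 * usual Ant pattern and the default path matcher is left alone:
 *
 *   [main]
 *   restId = com.example.shiro.ResourceIdPermissionFilter
 *   restId.resourcePattern = ^/store/books/([^/]+)$
 *
 *   [urls]
 *   /store/books/** = restId[books]
 *
 * PUT /store/books/123 then requires "books:update:123".  Using [^/]+ rather
 * than .* keeps the id to one path segment.
 */
public class ResourceIdPermissionFilter extends HttpMethodPermissionFilter {

    /** Hypothetical property; set from shiro.ini as shown above. */
    private Pattern resourcePattern;

    public void setResourcePattern(String regex) {
        this.resourcePattern = Pattern.compile(regex);
    }

    /** Captured id for this path, or null when the pattern does not match. */
    String extractResourceId(String pathWithinApplication) {
        if (resourcePattern == null || pathWithinApplication == null) {
            return null;
        }
        Matcher m = resourcePattern.matcher(pathWithinApplication);
        return (m.matches() && m.groupCount() >= 1) ? m.group(1) : null;
    }

    /**
     * ':' ',' and '*' are WildcardPermission delimiters; an id containing one
     * would change the structure of the permission string, so such ids are
     * refused rather than interpreted.
     */
    static boolean isSafeId(String id) {
        return id.indexOf(':') < 0 && id.indexOf(',') < 0 && id.indexOf('*') < 0;
    }

    /** "books" + "update" + "123" -> "books:update:123"; id may be null. */
    static String[] buildIdScopedPermissions(String[] configuredPerms, String action, String id) {
        String[] perms = new String[configuredPerms.length];
        for (int i = 0; i < configuredPerms.length; i++) {
            String perm = configuredPerms[i].trim() + ":" + action;
            if (id != null) {
                perm += ":" + id;
            }
            perms[i] = perm;
        }
        return perms;
    }

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
            throws IOException {
        String[] configuredPerms = (String[]) mappedValue;
        if (configuredPerms == null || configuredPerms.length == 0) {
            return true; // same as the parent filters: nothing configured, nothing to check
        }
        HttpServletRequest http = WebUtils.toHttp(request);
        String action = getHttpMethodAction(request);          // e.g. PUT -> "update"
        String id = extractResourceId(WebUtils.getPathWithinApplication(http));
        if (id != null && !isSafeId(id)) {
            return false;                                       // deny, never reinterpret
        }
        // No id in the path (pattern did not match) degrades to the plain
        // books:<action> check; a user holding only books:update:123 fails it.
        String[] perms = buildIdScopedPermissions(configuredPerms, action, id);
        Subject subject = getSubject(request, response);
        return subject.isPermittedAll(perms);
    }
}
```

With this in place user1 is granted books:update:123 in the realm and user2 is not, and AuthorizationFilter's onAccessDenied still produces the 403 (or the redirect to unauthorizedUrl, if one is configured) for user2.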

Re: Rest resource authorisation

Posted by Les Hazlewood <lh...@apache.org>.
Hi Nicolas,

I think your approach is sound - a regular expression matcher would
certainly work!

Les
