Posted to users@isis.apache.org by David Tildesley <da...@yahoo.co.nz> on 2013/07/08 10:32:30 UTC

ISIS/Shiro security mappings.


I've been playing around with the role based permission mapping.

I've noticed that you can have only one of these entries per realm:


realm.groupToRolesMappings = ...

and 

realm.roleToPermissionsMappings = ...

Which forces you to put everything on one line for each of the above (is there some limit to the size of this line?) which makes it very difficult to maintain.

If you repeat the entries above then it's "last one wins".

Have I got this right?

If so, could be an improvement to allow the mappings to spread over multiple entries?

i.e. 


realm.roleToPermissionsMappings = ...
realm.roleToPermissionsMappings = ...
realm.roleToPermissionsMappings = ...
realm.roleToPermissionsMappings = ...
realm.roleToPermissionsMappings = ...

Regards,
David.

Re: ISIS/Shiro security mappings.

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
I've now added this to the website [1].

Thanks once more

Dan

[1]
http://isis.apache.org/components/security/shiro/shiro-realm-mappings.html


On 8 July 2013 23:21, Dan Haywood <da...@haywood-associates.co.uk> wrote:

> Thanks for looking into this further, David.
>
> I'll add a page to our website to describe this "feature".
>
> Cheers
> Dan
>
>
>
> On 8 July 2013 23:17, David Tildesley <da...@yahoo.co.nz> wrote:
>
>> This is a Shiro "feature" and the only solution to this is to use '\' to
>> separate the mappings onto separate lines in the file so that it is at
>> least maintainable. Use this technique for both group to roles mapping and
>> role to permission mapping. If you use the '\' after the "," that separates
>> the key:value pairs it is more readable.
>>
>> N.B. you can't use a [roles] section because that triggers Shiro to use
>> the simple "INI" realm and not your defined realm (in most cases you are
>> going to use an LDAP realm in an enterprise environment and the "simple"
>> realm in Shiro isn't much use beyond prototyping work).
>>
>> David.

Re: ISIS/Shiro security mappings.

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Thanks for looking into this further, David.

I'll add a page to our website to describe this "feature".

Cheers
Dan



On 8 July 2013 23:17, David Tildesley <da...@yahoo.co.nz> wrote:

> This is a Shiro "feature" and the only solution to this is to use '\' to
> separate the mappings onto separate lines in the file so that it is at
> least maintainable. Use this technique for both group to roles mapping and
> role to permission mapping. If you use the '\' after the "," that separates
> the key:value pairs it is more readable.
>
> N.B. you can't use a [roles] section because that triggers Shiro to use
> the simple "INI" realm and not your defined realm (in most cases you are
> going to use an LDAP realm in an enterprise environment and the "simple"
> realm in Shiro isn't much use beyond prototyping work).
>
> David.

Re: ISIS/Shiro security mappings.

Posted by David Tildesley <da...@yahoo.co.nz>.
This is a Shiro "feature" and the only solution to this is to use '\' to separate the mappings onto separate lines in the file so that it is at least maintainable. Use this technique for both group to roles mapping and role to permission mapping. If you use the '\' after the "," that separates the key:value pairs it is more readable.

N.B. you can't use a [roles] section because that triggers Shiro to use the simple "INI" realm and not your defined realm (in most cases you are going to use an LDAP realm in an enterprise environment and the "simple" realm in Shiro isn't much use beyond prototyping work). 

David.
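
A small lint for the two pitfalls reported in this thread, as an added example that is not part of the original posts and not Isis or Shiro code: it joins `\`-continued lines, then flags a key that is repeated within a section (the later entry would silently replace the earlier mappings) and the presence of a `[roles]` section. The sample file, its role names and permission strings are constructed, and the parsing (key is the text before the first `=`, `#` or `;` starts a comment) is a simplifying assumption rather than Shiro's own parser.

```python
import re

# Constructed sample: group, role and permission names are made up.
SAMPLE_INI = r"""
[main]
realm.groupToRolesMappings = cn=staff:user_role,\
    cn=admins:admin_role
realm.roleToPermissionsMappings = user_role:perm_a
realm.roleToPermissionsMappings = admin_role:perm_b

[roles]
admin_role = *
"""

def logical_lines(text):
    """Join physical lines ending in a backslash; yield (first_lineno, line)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1].rstrip()   # drop the continuation marker
            continue
        buf += line
        if buf:
            yield start, buf
        buf, start = "", None
    if buf:                             # file ended on a continuation
        yield start, buf

def lint(text):
    """Return (lineno, kind, name) findings for the pitfalls in the thread."""
    findings, seen, section = [], set(), None
    for no, line in logical_lines(text):
        if line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            if section == "roles":
                findings.append((no, "roles-section", section))
            continue
        if "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if (section, key) in seen:      # "last one wins": earlier value is lost
            findings.append((no, "duplicate-key", key))
        seen.add((section, key))
    return findings
```

Running `lint` over the file in a pre-deployment check catches a mapping that was split into repeated entries before it quietly drops permissions at runtime.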


