Posted to user@shiro.apache.org by pashazz <pz...@gmail.com> on 2019/12/25 16:03:32 UTC

Using Shiro for permission-based resource lookup

My Spring application has various types of resources that some users
have permission to read, update, delete, etc. I will use the Stormtrooper
example from the Shiro documentation to illustrate my goals.

As far as I'm concerned, Shiro has item-level permissions in the form
"domain:action:item_id". So, the GET controller method would be rewritten
as:

@GetMapping(path = "/{id}")
public Stormtrooper getTrooper(@PathVariable("id") String id) throws NotFoundException {
    // Instance-based annotations are not supported, so we use a direct check instead:
    SecurityUtils.getSubject().checkPermission(String.format("troopers:read:%s", id));
    Stormtrooper stormtrooper = trooperDao.getStormtrooper(id);
    if (stormtrooper == null) {
        throw new NotFoundException(id);
    }
    return stormtrooper;
}



Now I would like to implement a method that lists all Stormtroopers
for a given User. I can't use @RequiresPermission("troopers:read") as
there may be users who can only read some stormtroopers, not all of
them.


I need some mechanism to obtain all objects of a given type that the
user is permitted to read. Given a permission wildcard, say "troopers:read:*",
I want to get all permissions that satisfy it and then ask the DAO for these
objects and return them as a collection.

How can I achieve that?

Thanks in advance.

Re: Using Shiro for permission-based resource lookup

Posted by Brian Demers <br...@gmail.com>.
This _could_ be application-specific, depending on how your data is stored
(i.e. somehow push that logic into your database).
That said, you _could_ just iterate over a collection and filter out items
the user does not have access to (`subject.isPermitted(...)` in place of
`checkPermission`).

I mention pushing this into your datastore because filtering all the items
in memory may not scale for you, and gets more complicated if you need to
paginate your results.

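The in-memory filter described in the reply, written out as an added example (not code from the thread or from Shiro itself); TrooperDao.getAllStormtroopers() and Stormtrooper.getId() are assumed accessors standing in for the questioner's own types, not methods shown on the page.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// Assumed: TrooperDao.getAllStormtroopers() and Stormtrooper.getId() are the
// questioner's own accessors; neither appears on the page.
public class TrooperListingService {

    private final TrooperDao trooperDao;

    public TrooperListingService(TrooperDao trooperDao) {
        this.trooperDao = trooperDao;
    }

    /** Returns only the troopers the current subject is permitted to read. */
    public List<Stormtrooper> listReadableTroopers() {
        Subject subject = SecurityUtils.getSubject();
        List<Stormtrooper> all = trooperDao.getAllStormtroopers();

        // Short-circuit: under WildcardPermission semantics both "troopers:read"
        // and "troopers:read:*" imply every "troopers:read:<id>", so a subject
        // holding the broad permission can read the whole collection and the
        // per-item checks below can be skipped.
        if (subject.isPermitted("troopers:read")) {
            return all;
        }

        // Otherwise ask the same yes/no question once per item. Subject has no
        // "list my permissions" call, so the instance-level strings are built
        // here and resolved with a single Subject.isPermitted(String...) call.
        String[] perms = new String[all.size()];
        for (int i = 0; i < all.size(); i++) {
            perms[i] = "troopers:read:" + all.get(i).getId();
        }
        boolean[] allowed = subject.isPermitted(perms);

        List<Stormtrooper> readable = new ArrayList<>();
        for (int i = 0; i < all.size(); i++) {
            if (allowed[i]) {
                readable.add(all.get(i));
            }
        }
        return readable;
    }
}
```

This loads every row before filtering, which is the scaling and pagination limit the reply warns about: a page of permitted rows cannot be derived from a page of raw rows, so for large tables the same per-id rule has to move into the query.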