Posted to commits@isis.apache.org by da...@apache.org on 2013/08/15 19:59:20 UTC

svn commit: r1514413 - /isis/site/trunk/content/components/security/shiro/format-of-permissions.md

Author: danhaywood
Date: Thu Aug 15 17:59:20 2013
New Revision: 1514413

URL: http://svn.apache.org/r1514413
Log:
shiro realm mappings

Added:
    isis/site/trunk/content/components/security/shiro/format-of-permissions.md

Added: isis/site/trunk/content/components/security/shiro/format-of-permissions.md
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/components/security/shiro/format-of-permissions.md?rev=1514413&view=auto
==============================================================================
--- isis/site/trunk/content/components/security/shiro/format-of-permissions.md (added)
+++ isis/site/trunk/content/components/security/shiro/format-of-permissions.md Thu Aug 15 17:59:20 2013
@@ -0,0 +1,34 @@
+Title: Format of Permissions
+
+Shiro converts permission strings (as found in `WEB-INF/shiro.ini`) internally into `WildcardPermission` instances, with allow a permissions to be organized hierarchical and with wildcarding.  
+
+This meets Isis' requirements well; we define the permission strings as follows:
+
+<pre>
+packageName:ClassName:memberName:r,w
+</pre>
+
+where:
+
+* `memberName` is the property, collection or action name.
+* `r` indicates that the member is visible
+* `w` indicates that the member is usable (editable or invokable)
+
+Because these are wildcards, a '*' can be used at any level.  Additionally, missing levels assume wildcards.
+
+Thus:
+
+<pre>
+com.mycompany.myapp:Customer:firstName:r,w   # view or edit customer's firstName
+com.mycompany.myapp:Customer:lastName:r      # view customer's lastName only
+com.mycompany.myapp:Customer:placeOrder:*    # view and invoke placeOrder action
+com.mycompany.myapp:Customer:placeOrder      # ditto
+com.mycompany.myapp:Customer:*:r             # view all customer class members
+com.mycompany.myapp:*:*:r                    # view-only access for all classes in myapp package
+com.mycompany.myapp:*:*:*                    # view/edit for all classes in myapp package
+com.mycompany.myapp:*:*                      # ditto
+com.mycompany.myapp:*                        # ditto
+com.mycompany.myapp                          # ditto
+*                                            # view/edit access to everything
+</pre>
+
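Review bot: The line "Additionally, missing levels assume wildcards" states the most security-relevant rule on this page only in passing. Per the examples, a shortened string such as `com.mycompany.myapp:Customer:placeOrder` or `com.mycompany.myapp` grants `w` as well as `r`, so I'd add a sentence saying that omitting the trailing part grants both view and use, and that read-only access has to spell out `:r`. In the opening paragraph, "with allow a permissions to be organized hierarchical" should read "which allow permissions to be organized hierarchically". The `where:` list explains `memberName`, `r` and `w` but not `packageName` or `ClassName`; please define those two as well.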