You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by emaayan <el...@gmail.com> on 2011/07/10 06:51:59 UTC
is checking premission implicitly check roles as well?
i'm trying to figure out if by only checking permission
(checkPermission/hasPermission, and not using hasRole) shiro willl inspect
roles which contain said permissions so i won't to do it myself.
also is there a way / pattern , to have servlet filter inspect incoming
request and have the request name be as resource to checked for permission
and if not throw an 401 error?
--
View this message in context: http://shiro-user.582556.n2.nabble.com/is-checking-premission-implicitly-check-roles-as-well-tp6567107p6567107.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: is checking premission implicitly check roles as well?
Posted by emaayan <el...@gmail.com>.
actually i was thinking alone the lines of this: (i hope you can see images)
only instead of GROUP_REF IN AUTH_GROUP_ROLES i'll use actuall String group
name, this is becouse our it department suddenly thinks placing user group
mapping in active directory is a good idea (as i did).
so in order to avoid locking myself to active directly i thought i would 2
phase process where i would obtain a user data from active directory AND
objtain it's groups (by a provider which either get it from ad or from the
db) then i would proceed to query my own application schema for the rest of
permission resources.
now one thing that worries is the permission "overriding" stuff, a manger
may decide to grant a specif user elevated roles in though he's not in a
group that has such permissions, then i would need to start adding
priorities for role assignments
On Mon, Jul 11, 2011 at 5:25 PM, Brian Demers [via Shiro User] <
ml-node+6571082-1884453731-229522@n2.nabble.com> wrote:
>
>
> On Sun, Jul 10, 2011 at 12:51 AM, emaayan <[hidden email]<http://user/SendEmail.jtp?type=node&node=6571082&i=0>
> > wrote:
>
>> i'm trying to figure out if by only checking permission
>> (checkPermission/hasPermission, and not using hasRole) shiro willl inspect
>> roles which contain said permissions so i won't to do it myself.
>>
>
> You could use a RolePermissionResolver to resolve permissions that are
> contained in a Role. For example if your realm connects to some directory
> that only maps users and groups/roles you can use a RolePermissionResolver
> at an application level to tie specific permissions to roles.
>
>
>>
>> also is there a way / pattern , to have servlet filter inspect incoming
>> request and have the request name be as resource to checked for permission
>> and if not throw an 401 error?
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/is-checking-premission-implicitly-check-roles-as-well-tp6567107p6567107.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>
>
>
> ------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
>
> http://shiro-user.582556.n2.nabble.com/is-checking-premission-implicitly-check-roles-as-well-tp6567107p6571082.html
> To unsubscribe from is checking premission implicitly check roles as
> well?, click here<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=6567107&code=ZWxoLm1haWxnYXRlQGdtYWlsLmNvbXw2NTY3MTA3fDE4MDE1MDYyMA==>.
>
>
--
View this message in context: http://shiro-user.582556.n2.nabble.com/is-checking-premission-implicitly-check-roles-as-well-tp6567107p6574103.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: is checking premission implicitly check roles as well?
Posted by Brian Demers <br...@gmail.com>.
On Sun, Jul 10, 2011 at 12:51 AM, emaayan <el...@gmail.com> wrote:
> i'm trying to figure out if by only checking permission
> (checkPermission/hasPermission, and not using hasRole) shiro willl inspect
> roles which contain said permissions so i won't to do it myself.
>
You could use a RolePermissionResolver to resolve permissions that are
contained in a Role. For example if your realm connects to some directory
that only maps users and groups/roles you can use a RolePermissionResolver
at an application level to tie specific permissions to roles.
>
> also is there a way / pattern , to have servlet filter inspect incoming
> request and have the request name be as resource to checked for permission
> and if not throw an 401 error?
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/is-checking-premission-implicitly-check-roles-as-well-tp6567107p6567107.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
Re: is checking premission implicitly check roles as well?
Posted by Manoj Khangaonkar <kh...@gmail.com>.
On Sat, Jul 9, 2011 at 9:51 PM, emaayan <el...@gmail.com> wrote:
> i'm trying to figure out if by only checking permission
> (checkPermission/hasPermission, and not using hasRole) shiro willl inspect
> roles which contain said permissions so i won't to do it myself.
It depends on the realm implementation.
For it to work as you desire, the doGetAuthorizationInfo method of the
realm should return in AuthorizationInfo,
not only the permissions directly associated with the principal but
also the permissions associated with roles which are
associated with the principal
>
> also is there a way / pattern , to have servlet filter inspect incoming
> request and have the request name be as resource to checked for permission
> and if not throw an 401 error?
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/is-checking-premission-implicitly-check-roles-as-well-tp6567107p6567107.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
--
http://khangaonkar.blogspot.com/