[jira] [Commented] (SHIRO-534) Provide better documentation around permissions

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SHIRO-534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15995839#comment-15995839 ]

Kamal commented on SHIRO-534:
-----------------------------

[~bdemers]
Sorry for the very late reply, but after putting my Shiro work on hold, I am looking into it again.

Am I correct in saying that when I define string permissions, I need to define not just the specific permissions but the non-specific permissions?

For example:-
{code}
authzInfo.addStringPermission("PRODMA:READ:*");
authzInfo.addStringPermission("PRODMA:*:*");
{code}

I think it is specified here:-

http://shiro.apache.org/permissions.html#implication-not-equality

I guess what is missing is an example of how to setup permissions.

Thanks.

Kamal.

> Provide better documentation around permissions
> -----------------------------------------------
>
>                 Key: SHIRO-534
>                 URL: https://issues.apache.org/jira/browse/SHIRO-534
>             Project: Shiro
>          Issue Type: Documentation
>          Components: Documentation
>            Reporter: Kamal
>              Labels: documentation
>
> I was playing around with custom realms and I setup the following AuthorizingRealm:-
> {code}
> import org.apache.shiro.authc.AuthenticationException;
> import org.apache.shiro.authc.AuthenticationInfo;
> import org.apache.shiro.authc.AuthenticationToken;
> import org.apache.shiro.authc.SimpleAuthenticationInfo;
> import org.apache.shiro.authc.UsernamePasswordToken;
> import org.apache.shiro.authz.AuthorizationInfo;
> import org.apache.shiro.authz.SimpleAuthorizationInfo;
> import org.apache.shiro.realm.AuthorizingRealm;
> import org.apache.shiro.subject.PrincipalCollection;
>
> public class TestRealm extends AuthorizingRealm
> {
>     @Override
>     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken inToken) throws AuthenticationException
>     {
>         UsernamePasswordToken upToken = (UsernamePasswordToken) inToken;
>         if (upToken.getUsername().equals("Kamal") || upToken.getUsername().equals("NotKamal"))
>             return new SimpleAuthenticationInfo(upToken.getUsername(), upToken.getPassword(), getName());
>         return null;
>     }
>     @Override
>     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection inPrincipals)
>     {
>         String username = (String) inPrincipals.fromRealm(getName()).iterator().next();
>         SimpleAuthorizationInfo authzInfo = new SimpleAuthorizationInfo();
>         authzInfo.addRole("User");
>         if (username.equals("Kamal"))
>         {
>             authzInfo.addStringPermission("PRODMA:READ:AU");
>             authzInfo.addStringPermission("PRODMA:WRITE:AU");
>             authzInfo.addStringPermission("PRODMA:READ:KB");
>             authzInfo.addStringPermission("PRODMA:WRITE:KB");
>             authzInfo.addStringPermission("SUPPMA:READ:KB");
>         }
>         else
>         {
>             authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
>         }
>         return authzInfo;
>     }
> }
> {code}
> I then setup the following resource (I am using Guice + Jersey):-
> {code}
> import javax.inject.Inject;
> import javax.servlet.http.HttpSession;
> import javax.ws.rs.Consumes;
> import javax.ws.rs.GET;
> import javax.ws.rs.POST;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.MediaType;
> import org.apache.shiro.authz.annotation.RequiresPermissions;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> @Path("/{client}/shiroResource")
> public class ShiroResource
> {
>     private static final Logger LOG = LoggerFactory.getLogger(ShiroResource.class);
>     private HttpSession mSession;
>     @Inject
>     public ShiroResource(HttpSession inSession)
>     {
>         mSession = inSession;
>     }
>     @POST
>     @Path("requiresProdma.do")
>     @Produces(MediaType.APPLICATION_JSON)
>     @Consumes(MediaType.APPLICATION_JSON)
>     @RequiresPermissions({ "PRODMA:*:*" })
>     public String prodmaRequired()
>     {
>         return "Success";
>     }
>     @GET
>     @Path("requiresSuppma.do")
>     @Produces(MediaType.APPLICATION_JSON)
>     @Consumes(MediaType.APPLICATION_JSON)
>     @RequiresPermissions("PRODMA:*")
>     public String suppmaRequired()
>     {
>         return "Success";
>     }
> }
> {code}
> Now, if I login as NotKamal I have access to ShiroResource.suppmaRequired, but if I login as Kamal, I won't. It took me a while to work out that I needed to specify the permission string like this:-
> {code}
> authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
> {code}
> I feel that this is a bit unintuitive, but I guess it is what it is. Can we provide better examples of setting up a custom realm with permissions? Preferably one which supports custom wildcards.
> Thanks.
> Kamal.
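The behaviour described in the issue and asked about in the comment follows from the implication rule in the linked permissions documentation: a check passes only if a permission *granted* to the subject implies the permission string named in `@RequiresPermissions`, never the other way round. The following is an added example, not Shiro's own code and not part of this thread: a small Python model of the rule that Shiro's `WildcardPermission.implies()` applies (parts split on `:`, sub-parts on `,`, case-insensitive by default), run over the exact permission strings from the `TestRealm` and the two annotated resource methods above.

```python
# Added example (not Shiro's own code): a model of how Apache Shiro's
# WildcardPermission.implies() decides whether a *granted* permission string
# implies a *required* one, applied to the permission strings from this issue.
# Matches Shiro's default behaviour: parts split on ':', sub-parts on ',',
# comparison is case-insensitive after trimming whitespace.

WILDCARD = "*"


def parse(perm: str) -> list:
    """'PRODMA:READ,WRITE:AU' -> [{'prodma'}, {'read', 'write'}, {'au'}]."""
    parts = []
    for raw in perm.strip().split(":"):
        part = {token.strip().lower() for token in raw.split(",") if token.strip()}
        if not part:
            raise ValueError(f"permission {perm!r} contains an empty part")
        parts.append(part)
    return parts


def implies(granted: str, required: str) -> bool:
    """True if GRANTED implies REQUIRED. The relation is one-directional:
    'PRODMA:*:*' implies 'PRODMA:READ:AU', but not the other way round."""
    mine = parse(granted)
    other = parse(required)
    for i, other_part in enumerate(other):
        if i >= len(mine):
            # Granted string is shorter: every part beyond its length is implied.
            return True
        if WILDCARD not in mine[i] and not other_part <= mine[i]:
            # This part of the grant is neither a wildcard nor a superset.
            return False
    # Granted string is longer: the extra parts must all be wildcards.
    return all(WILDCARD in part for part in mine[len(other):])


def is_permitted(granted_perms, required: str) -> bool:
    """A subject passes a check if any one of its permissions implies it."""
    return any(implies(g, required) for g in granted_perms)


# Permission strings exactly as assigned by the TestRealm in the issue.
KAMAL = [
    "PRODMA:READ:AU", "PRODMA:WRITE:AU",
    "PRODMA:READ:KB", "PRODMA:WRITE:KB",
    "SUPPMA:READ:KB",
]
NOTKAMAL = ["PRODMA:READ,WRITE,*:AU,*"]

# Permission strings required by the two @RequiresPermissions annotations.
REQUIRED = {"prodmaRequired": "PRODMA:*:*", "suppmaRequired": "PRODMA:*"}


def check_issue_scenario() -> dict:
    """Map (user, resource method) -> whether access would be granted."""
    return {
        (user, method): is_permitted(perms, required)
        for user, perms in (("Kamal", KAMAL), ("NotKamal", NOTKAMAL))
        for method, required in REQUIRED.items()
    }


if __name__ == "__main__":
    for (user, method), ok in sorted(check_issue_scenario().items()):
        print(f"{user:9} {method:16} {'ALLOW' if ok else 'DENY'}")
    # The '*' inside each part makes the READ,WRITE and AU tokens redundant:
    # NotKamal's string is equivalent to PRODMA:*:* and implies any PRODMA action.
    print(implies("PRODMA:READ,WRITE,*:AU,*", "PRODMA:DELETE:ZZ"))
```

Running it reproduces the issue: Kamal's five specific grants imply `PRODMA:READ:AU` and the like, but none of them implies `PRODMA:*:*` or `PRODMA:*`, so both resource methods deny him, while NotKamal passes both. The model also makes the least-privilege caveat visible: because each part of `PRODMA:READ,WRITE,*:AU,*` contains `*`, the `READ,WRITE` and `AU` tokens add nothing, and that string implies every action on every instance of `PRODMA`, exactly as `PRODMA:*:*` would. If a resource should be reachable by a user who only holds specific grants, the check in `@RequiresPermissions` needs to name the specific permission (for example `PRODMA:READ:AU`), rather than the realm handing out a wildcard.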

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)