>-----Original Message-----
>From: Ronny Roeller [mailto:[email protected]]
>Sent: Thursday, December 15, 2011 6:04 PM
>To: [email protected]
>Subject: Authorization for REST API
>
>Hi,
>
>I want to add fine-granular authorization for calls to the REST API. For
>example: a) users can read all fields of their own profile but only a
>subset of fields in other profiles, or b) only administrators are allowed
>to create new groups, etc.
>
>I thought of setting up Shiro after the AuthenticationServletFilter found a
>SecurityToken, and then to verify the permissions in my PersonService
>class. Does that make sense? What would be the proper way of authorizing
>REST requests in Shindig?

Makes sense to me.  That sounds pretty similar to what we've done with our 
Shindig SPI implementations in Apache Rave except we're not using Shiro for any 
of it.  In our case we're pulling all the context we need about the request 
(owner/viewer/application/...) from the security token and making our 
authorization decisions based on that.  You can have a look at our appdata 
implementation to see what we're doing if you think it might help:

http://svn.apache.org/repos/asf/incubator/rave/trunk/rave-shindig/src/main/java/org/apache/rave/opensocial/service/impl/DefaultAppDataService.java

>
>Many thanks,
>Ronny
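The pattern the reply describes, as an added example that is not code from Shindig or Apache Rave: the only request context consulted is the viewer identity carried in the security token, and both cases from the question (own profile vs. other profiles, admin-only group creation) are decided from it. The `TokenContext` interface is a stand-in for the `SecurityToken` accessors the reply refers to, and `PUBLIC_FIELDS` and the `adminIds` registry are assumed; Shindig's `PersonService` receives the target user as a separate `UserId`, so the target id is passed in directly here.

```java
import java.util.*;

// Added example, not from Shindig or Rave: authorization decisions driven
// solely by the viewer identity in the request's security token.
public class ProfileAuthorizer {

    // Stand-in for the SecurityToken accessors used by the decisions below.
    public interface TokenContext {
        String getViewerId();   // the authenticated caller
        boolean isAnonymous();  // no valid token / anonymous viewer
    }

    // Assumed: fields any authenticated viewer may read on someone else's profile.
    private static final Set<String> PUBLIC_FIELDS =
        new HashSet<>(Arrays.asList("id", "displayName", "thumbnailUrl"));

    private final Set<String> adminIds; // assumed admin registry, looked up by viewer id

    public ProfileAuthorizer(Set<String> adminIds) {
        this.adminIds = adminIds;
    }

    /** Case a): reduce the requested fields to those the viewer may read about targetUserId. */
    public Set<String> readableFields(TokenContext token, String targetUserId, Set<String> requested) {
        if (token.isAnonymous()) {
            return Collections.emptySet();            // deny everything without a real viewer
        }
        if (token.getViewerId().equals(targetUserId)) {
            return new LinkedHashSet<>(requested);    // own profile: all requested fields
        }
        Set<String> allowed = new LinkedHashSet<>(requested);
        allowed.retainAll(PUBLIC_FIELDS);             // other profiles: public subset only
        return allowed;
    }

    /** Case b): only administrators may create groups. */
    public boolean mayCreateGroup(TokenContext token) {
        return !token.isAnonymous() && adminIds.contains(token.getViewerId());
    }

    public static void main(String[] args) {
        ProfileAuthorizer auth = new ProfileAuthorizer(new HashSet<>(Arrays.asList("alice")));
        TokenContext bob = new TokenContext() {       // constructed sample viewer
            public String getViewerId() { return "bob"; }
            public boolean isAnonymous() { return false; }
        };
        Set<String> req = new LinkedHashSet<>(Arrays.asList("id", "displayName", "emails", "addresses"));
        System.out.println(auth.readableFields(bob, "bob", req));    // all four fields
        System.out.println(auth.readableFields(bob, "alice", req));  // [id, displayName]
        System.out.println(auth.mayCreateGroup(bob));                // false: bob is not an admin
    }
}
```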