Daniel Bimschas created SHIRO-459:
-------------------------------------

             Summary: Support role-based authorization depending on HTTP request method
                 Key: SHIRO-459
                 URL: https://issues.apache.org/jira/browse/SHIRO-459
             Project: Shiro
          Issue Type: New Feature
          Components: Authorization (access control) 
    Affects Versions: 1.2.2
            Reporter: Daniel Bimschas
            Priority: Minor


Below is a copy+paste from the Shiro users mailing list:

=====================

Dear Shiro gods!

I'm struggling to figure out how I can do role-based authorization depending on 
what HTTP method a request is using. I've posted this question on StackOverflow 
as it seems nobody has been asking it before (at least I couldn't find it with 
my search terms). I would be incredibly happy if you could take a look!

http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m

Cheers
Daniel Bimschas

=============================

Then, in a second mail I proposed a solution to the issue:

=============================

Digging into the Shiro source code I found that this feature is in fact not 
available in Shiro. I've now implemented my own custom filter (extending 
RolesAuthorizationFilter) that allows you to do exactly what I wanted. 
Configuration for the filter follows the following example:

[main]
 myFilter=my.package.HttpMethodRolesAuthorizationFilter
[urls]
 /rest = authcBasic, myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]

So, in this example

- a user must be authenticated to execute any operation
- a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT 
request,
- a user with role EXPERIMENTER can send POST requests, and
- a user with role ADMINISTRATOR can DELETE things

I would be more than happy to contribute this little bit of code to the project 
in case you're interested!

=============================
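
One way a filter with the configuration syntax above could be written against Shiro 1.2.x, as an added example that is not the reporter's code and not part of Shiro. It assumes Shiro hands the bracketed config to the filter as a comma-split String[], that methods without a rule stay open to any authenticated user (as in the example above, where only authcBasic guards them), and that a malformed rule denies access.

```java
// Added example; place it in whatever package the [main] section references.
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

public class HttpMethodRolesAuthorizationFilter extends RolesAuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        // e.g. {"PUT=SERVICE_PROVIDER&EXPERIMENTER", "POST=EXPERIMENTER", "DELETE=ADMINISTRATOR"}
        String[] rules = (String[]) mappedValue;
        if (rules == null || rules.length == 0) {
            return true; // no per-method rules on this path; earlier filters still apply
        }
        String method = WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ROOT);
        Subject subject = getSubject(request, response);

        for (String rule : rules) {
            int eq = rule.indexOf('=');
            if (eq <= 0 || eq == rule.length() - 1) {
                return false; // malformed rule: fail closed rather than guess
            }
            String ruleMethod = rule.substring(0, eq).trim().toUpperCase(Locale.ROOT);
            if (!ruleMethod.equals(method)) {
                continue;
            }
            // "A&B" means the subject must hold every listed role
            List<String> required =
                    Arrays.asList(rule.substring(eq + 1).trim().split("\\s*&\\s*"));
            return subject.hasAllRoles(required);
        }
        // Assumption taken from the example above: a method with no rule
        // (GET, HEAD, ...) is allowed for any user the authc filter let through.
        // Return false here instead for a deny-by-default policy.
        return true;
    }
}
```

With the pass-through default, any method not named in the rule list (including PATCH or OPTIONS) is reachable by every authenticated user, so the rule list has to cover every state-changing method the endpoint accepts.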
