[ https://issues.apache.org/jira/browse/SHIRO-534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15996830#comment-15996830 ]
Brian Demers commented on SHIRO-534:
------------------------------------

[~kamal.bh...@gmail.com] You can just assign the more _general_ permission string to your user/role (if that is what you are after).

For example, 'PRODMA:*' implies 'PRODMA:*:*', which also implies 'PRODMA:READ:*'.
This would of course also grant the user any other permission like: 'PRODMA:WRITE:*'

> Provide better documentation around permissions
> -----------------------------------------------
>
>                 Key: SHIRO-534
>                 URL: https://issues.apache.org/jira/browse/SHIRO-534
>             Project: Shiro
>          Issue Type: Documentation
>          Components: Documentation
>            Reporter: Kamal
>              Labels: documentation
>
> I was playing around with custom realms and I set up the following AuthorizingRealm:-
> {code}
> public class TestRealm extends AuthorizingRealm
> {
>     @Override
>     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken inToken) throws AuthenticationException
>     {
>         UsernamePasswordToken upToken = (UsernamePasswordToken) inToken;
>         if (upToken.getUsername().equals("Kamal") || upToken.getUsername().equals("NotKamal"))
>             return new SimpleAuthenticationInfo(upToken.getUsername(), upToken.getPassword(), getName());
>         return null;
>     }
>
>     @Override
>     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection inPrincipals)
>     {
>         String username = (String) inPrincipals.fromRealm(getName()).iterator().next();
>         SimpleAuthorizationInfo authzInfo = new SimpleAuthorizationInfo();
>         authzInfo.addRole("User");
>         if (username.equals("Kamal"))
>         {
>             authzInfo.addStringPermission("PRODMA:READ:AU");
>             authzInfo.addStringPermission("PRODMA:WRITE:AU");
>             authzInfo.addStringPermission("PRODMA:READ:KB");
>             authzInfo.addStringPermission("PRODMA:WRITE:KB");
>             authzInfo.addStringPermission("SUPPMA:READ:KB");
>         }
>         else
>         {
>             authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
>         }
>         return authzInfo;
>     }
> }
> {code}
> I then set up the following resource (I am using Guice + Jersey):-
> {code}
> @Path("/{client}/shiroResource")
> public class ShiroResource
> {
>     private static final Logger LOG = LoggerFactory.getLogger(ShiroResource.class);
>     private HttpSession mSession;
>
>     @Inject
>     public ShiroResource(HttpSession inSession)
>     {
>         mSession = inSession;
>     }
>
>     @POST
>     @Path("requiresProdma.do")
>     @Produces(MediaType.APPLICATION_JSON)
>     @Consumes(MediaType.APPLICATION_JSON)
>     @RequiresPermissions({ "PRODMA:*:*" })
>     public String prodmaRequired()
>     {
>         return "Success";
>     }
>
>     @GET
>     @Path("requiresSuppma.do")
>     @Produces(MediaType.APPLICATION_JSON)
>     @Consumes(MediaType.APPLICATION_JSON)
>     @RequiresPermissions("PRODMA:*")
>     public String suppmaRequired()
>     {
>         return "Success";
>     }
> }
> {code}
> Now, if I log in as NotKamal I have access to ShiroResource.suppmaRequired, but if I log in as Kamal, I won't. It took me a while to work out that I needed to specify the permission string like this:-
> {code}
> authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
> {code}
> I feel that this is a bit unintuitive, but I guess it is what it is. Can we provide better examples of setting up a custom realm with permissions? Preferably one which supports custom wildcards.
> Thanks.
> Kamal.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
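The implication behaviour discussed in this thread can be checked directly with Shiro's `WildcardPermission.implies`, which also makes the breadth of the more general grant visible before it is assigned to a user or role. This is an added example, not code from the issue or from the Shiro project; the class name `ImpliesDemo`, the helper `permitted`, the label `general` and the probe permission `PRODMA:DELETE:US` are assumptions made for illustration.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ImpliesDemo {

    // True if at least one granted permission string implies the required one.
    static boolean permitted(List<String> granted, String required) {
        Permission need = new WildcardPermission(required);
        return granted.stream()
                .map(WildcardPermission::new)
                .anyMatch(have -> have.implies(need));
    }

    public static void main(String[] args) {
        Map<String, List<String>> grants = new LinkedHashMap<>();
        // Grants copied from the TestRealm in the issue.
        grants.put("Kamal", List.of("PRODMA:READ:AU", "PRODMA:WRITE:AU",
                "PRODMA:READ:KB", "PRODMA:WRITE:KB", "SUPPMA:READ:KB"));
        grants.put("NotKamal", List.of("PRODMA:READ,WRITE,*:AU,*"));
        // The more general grant suggested in the comment (label is hypothetical).
        grants.put("general", List.of("PRODMA:*"));

        List<String> required = List.of(
                "PRODMA:*:*",        // @RequiresPermissions on prodmaRequired()
                "PRODMA:*",          // @RequiresPermissions on suppmaRequired()
                "PRODMA:READ:AU",    // a narrow check that Kamal's grants list explicitly
                "PRODMA:DELETE:US",  // constructed probe: action and instance not in the issue
                "SUPPMA:READ:KB");   // different domain, to show where PRODMA grants stop

        // Print one line per (subject, required permission) pair.
        for (Map.Entry<String, List<String>> e : grants.entrySet()) {
            for (String req : required) {
                System.out.printf("%-9s %-17s %s%n", e.getKey(), req,
                        permitted(e.getValue(), req) ? "permitted" : "denied");
            }
        }
    }
}
```

Running it needs shiro-core on the classpath and Java 9 or later for `List.of`.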