I'm hoping someone can help me with some conceptual problems I'm
having on how to best use shiro roles and permissions. As an example,
assume I have the following entities:

User
  String username
  Set<Project> projects

Project
  String name
  Set<User> users;

Maybe the following roles are available:
  Superuser -- gives full read/write access to all projects
  Administrator -- gives full read/write access to a project's features
  Manager -- gives read/write access to most features, read only to a few
  Scheduler -- read/write only for scheduling resources (rooms, equipment, etc.)
  Member -- project team member can read many things and write few
  Watcher -- can read some info about project, but can't change it. Watcher can't see member list.

A user can belong to multiple projects, and can have different
roles/permissions in each project.

A user can have multiple roles in the same project (i.e. can be both a
member and a scheduler).

So it seems that I mainly need to use permissions, not roles.  So that
I can do something like:

if ( currentUser.isPermitted( "project:schedule:world_domination" ) ) {
    log.info("You are permitted to 'schedule' the 'project' with name (id) 'world_domination'.  ");
} else {
    log.info("Sorry, you aren't allowed to 'schedule' the 'world_domination' 'project'!");
}

So given this, I would need entities like this:

User
  String username
  Set<Project> projects
  Set<Role> roles
  Set<String> permissions

Project
  String name
  Set<User> users;

Role
  String name
  Set<String> permissions

However, it doesn't really seem like I'd be using the Role feature
much.  Is this correct? It seems like instead User.permissions would
be full of values like:
  project.admin.build_fort
  project.schedule.world_domination
  project.member.world_domination
  project.watch.paint_house

I can see using Roles for things like:
  -- display a Schedule Projects button if I'm a member of the Scheduler role.
  -- note that I should see this button if I have either Scheduler or
Admin role for any project

But what I'm getting confused on is how to integrate this with
Hibernate queries. For instance:

select list of projects where I have any role
  -- query should return all projects listed in the 3rd term of any
permission I have, where the first term is 'project'

select list of projects where I am a scheduler or a manager
  -- query should return all projects listed in the 3rd term of any
permission I have where the 2nd term is 'schedule' or 'manage' and the
first term is 'project'

select list of users that belong to project world_domination
  -- query should return all users with any permission that contains
'world_domination' in the 3rd term and 'project' in the 1st term.
  -- however, the query needs to also make sure that I have a
permission with 'world_domination' in the 3rd term, 'project' in the
1st term, and that I have a value other/greater than 'watch' in the
2nd term (since watchers can't see a project's members)

select list of users that belong to project paint_house
  -- same as previous, but this time I should get no results since I
am a watcher of paint_house, so can't see members

Should I be using a Permission entity instead of a string? Will Shiro
support this?  This way it's easier to build hibernate queries and
mappings.  Take for instance:

User
  String username
  Set<Permission> permissions;

Permission
  String entityType;
  String roleName;
  String instanceName;

But now I'm starting to feel like I won't even be using Shiro. I'm
basically building permissions and roles into my application.  I mean,
with this design, I could get a list of all permitted entities just
via a hibernate query. I wouldn't need to make a shiro call.  Thus I'm
confused.

Can someone tell me if I'm on the right track here? Or should I be
looking at a different design?

Thanks!
Tauren
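
The queries listed in the post, as an added example that is not part of the original message and is not Shiro or Hibernate code: plain Java (16+) over the three-field Permission entity the post proposes, with the member list denied unless the caller holds a role other than 'watch' on that project. The users "me" and "alice" and their permission sets are constructed sample data, and the class and method names are hypothetical.

```java
import java.util.*;
import java.util.stream.*;

public class ProjectPermissions {
    // Mirrors the post's Permission entity: entityType, roleName, instanceName.
    record Permission(String entityType, String roleName, String instanceName) {
        static Permission parse(String s) {
            String[] t = s.split("[.:]");   // the post uses both '.' and ':' as separators
            if (t.length != 3) throw new IllegalArgumentException("expected 3 terms: " + s);
            return new Permission(t[0], t[1], t[2]);
        }
    }

    // "Projects where I have any role"; pass role names to restrict (e.g. schedule, manage).
    static Set<String> projectsFor(Collection<Permission> mine, String... roles) {
        Set<String> wanted = Set.of(roles);
        return mine.stream()
            .filter(p -> p.entityType().equals("project"))
            .filter(p -> wanted.isEmpty() || wanted.contains(p.roleName()))
            .map(Permission::instanceName)
            .collect(Collectors.toCollection(TreeSet::new));
    }

    // Members of a project, returned only if the caller holds a role other than 'watch' there.
    static Set<String> visibleMembers(Map<String, List<Permission>> all, String caller, String project) {
        boolean maySee = all.getOrDefault(caller, List.of()).stream()
            .anyMatch(p -> p.entityType().equals("project")
                && p.instanceName().equals(project) && !p.roleName().equals("watch"));
        if (!maySee) return Set.of();   // deny by default: watchers and non-members get nothing
        return all.entrySet().stream()
            .filter(e -> e.getValue().stream().anyMatch(p ->
                p.entityType().equals("project") && p.instanceName().equals(project)))
            .map(Map.Entry::getKey)
            .collect(Collectors.toCollection(TreeSet::new));
    }

    public static void main(String[] args) {
        // Constructed sample data: the four permission strings from the post, plus a second user.
        Map<String, List<Permission>> all = Map.of(
            "me", Stream.of("project.admin.build_fort", "project.schedule.world_domination",
                    "project.member.world_domination", "project.watch.paint_house")
                .map(Permission::parse).toList(),
            "alice", Stream.of("project.member.paint_house", "project.watch.world_domination")
                .map(Permission::parse).toList());
        System.out.println(projectsFor(all.get("me")));
        System.out.println(projectsFor(all.get("me"), "schedule", "manage"));
        System.out.println(visibleMembers(all, "me", "world_domination"));
        System.out.println(visibleMembers(all, "me", "paint_house"));
    }
}
```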
