ah, the question wasnt how to check, but how to configure.
I mean how do u abandon the shiro.ini roles & permissions mechanism for
TextConfigurationRealm etc and model it in spring instead.
I thought in a previous post you mentioned this should be done.
re the useage though I'm really keen for an aop solution, and an xml
element something like this:
<shiro:requires permissions="user:edit"/>
that I could just drop into any spring bean would be great. far better
for me than annotations.
Cheers
Jason.
Les Hazlewood wrote:
Hi Jason,
What do you mean by 'configure permissions' exactly? Typically
permission checks in standalone applications are done by explicitly
checking (subject.isPermitted(blah)) or using Shiro's
@RequiresPermissions annotation.
Regards,
Les
On Thu, Jan 21, 2010 at 8:13 PM, Jason Eacott <[email protected]> wrote:
thanks!
now how do I configure permissions etc in spring for a standalone app?
Les Hazlewood wrote:
The upcoming Shiro 1.0 release will have improved Spring application
support, especially for Spring web applications.
In Shiro-enabled Spring web apps today, there was often a hybrid
configuration - you would usually define an INI-based Shiro Filter in
web.xml and configure it via INI mechanisms. But often you would
configure the SecurityManager and its dependencies (Realms, etc) in
applicationContext.xml. In Shiro 1.0, you will be able to configure
all of Shiro in your Spring files and only touch web.xml only when
setting up Shiro for the first time.
There are many benefits for Spring users when configuring Shiro
entirely in Spring instead of in web.xml:
1) Shiro configuration can live along side where you configure the
rest of your application - no need to flip back between web.xml and
spring files when making configuration changes.
2) Shiro configuration can leverage Spring-specific configuration
benefits, such as PropertyPlaceholderConfigurer for properties based
configuration at startup, spring-managed lifecycles (init-method,
destroy-method), circular dependency checks, and more.
3) Custom javax.servlet.Filters that you could use in Shiro's powerful
url-pattern-based filter chain definitions can also be defined in
Spring and acquired automatically at startup.
The current documentation for all of this is located here:
http://cwiki.apache.org/confluence/display/SHIRO/Spring
Please feel free to review and offer suggestions/improvements. The
mechanisms documented (using Spring's DelegatingFilterProxy and the
new ShiroFilterFactoryBean) have been tested and the two spring web
sample applications have been updated to use this approach.
Early adopters are encouraged to use this newer support before 1.0 is
released as there probably won't be any significant changes to this
mechanism before then. (SecurityManager configuration might be
simplified via a Spring FactoryBean as well, but that won't affect web
configuration).
Please give it a try and let us know what you think!
Best,
Les
