I agree - the default for morst secure apps should be deny all unless allowed. This is safer in that it often catches unexpected holes that you had no idea would be open otherwise.
Shiro's behavior is already to deny access to everything unless explicitly granted access, but yes, it does require the declaration of an annotation or URL chain to trigger the checking behavior. We'd probably just need to add some AOP support to prevent all invocations unless there is the presence of an annotation. You're right in that it wouldn't incur a performance hit - you'd only actually do the role/permission check if you come across an annotation and just deny everything else. I think the existing RequiresRoles/RequiresPermissions annotations would work fine in this context. It would probably just be a configuration issue to turn on or off the 'deny all if not annotated' behavior. Les On Tue, Feb 23, 2010 at 9:51 AM, Kalle Korhonen <[email protected]> wrote: > But I've often thought that the whole security should be based on > allowing nothing until you explicitly do so. If we had a set of > @AllowRole, @AllowPermission,... it'd simple to deny access to any > resources that didn't have the annotation without incurring a > performance hit. Just a thought at this point... > > Kalle > > > On Tue, Feb 23, 2010 at 6:32 AM, Brian Demers <[email protected]> wrote: >> I see how they would be handy some times, but.... we try to avoid them like >> the plague ;) >> >> On Tue, Feb 23, 2010 at 9:27 AM, Les Hazlewood <[email protected]> >> wrote: >>> >>> No, 'negative' permissions are not supported out of the box due to the >>> complexity and performance hit it would probably incur. You're more >>> than welcome to open a feature request in Jira however. >>> >>> Regards, >>> >>> Les >>> >>> On Mon, Feb 22, 2010 at 7:41 PM, jobiwan11 <[email protected]> >>> wrote: >>> > >>> > If you have a permission like "printer:print:*" is there a way to say >>> > you're >>> > not allowed to print to "lpd7" without getting rid of the >>> > "printer:print:*" >>> > and listing out individual permissions per printer? >>> > Thanks, >>> > --jim >>> > -- >>> > View this message in context: >>> > http://n2.nabble.com/permission-everything-but-this-item-tp4616037p4616037.html >>> > Sent from the Shiro User mailing list archive at Nabble.com. >>> > >> >> >
