I am not sure I follow, granted my perception of the WildcardPermission is how I have used it.
I typically use something like:
thing:foo:bar:read
so I can use:
thing:foo:*:read or thing:foo:*
which will be true for permissions of thing:foo:bar:read, or thing:foo:read

However, in your case you're saying a more specific permission grants access to a more general permission. Maybe this is the part that I do not understand.

On Thu, Nov 11, 2010 at 9:34 AM, Philippe Laflamme <[email protected]> wrote:

> Hi,
>
> I've got a question regarding the current implementation of
> WildcardPermission.
>
> Currently, the following holds true:
>
> thing:read:foo implies thing:read:foo:bar
>
> Which basically means that if you can "read" the "foo" "thing", you can also
> "read" the "bar" "thing" in the "foo" "thing".
>
> But the reverse statement does not hold true:
>
> thing:read:foo:bar does NOT imply thing:read:foo
>
> Meaning that if you can read "bar" you can't read "foo".
>
> Now, at first I thought that it made sense, but after thinking about it, I
> can't figure out what's a valid use case for this.
>
> My reasoning is based on the fact that "bar" in this situation is something
> that belongs to "foo" (otherwise, I would have a separate permission domain,
> ie: otherthing:read:bar). So if "bar" only exists if "foo" also does, what
> is the valid use case of allowing access to "bar" but not to "foo"?
>
> Note that saying that the "longer" permission implies the "shorter" DOES NOT
> imply other longer permissions. That is,
>
> thing:read:foo:bar implies thing:read:foo --> true
> thing:read:foo:bar implies thing:read:foo:foobar --> false
>
> Is my reasoning valid?
>
> I've created my own Permission implementation that does exactly that and it
> behaves as expected (I can read foo, bar, but not foobar). I'm wondering
> what is a valid use-case for NOT wanting this behaviour?
>
> Thanks!
> Philippe
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Question-regarding-WildcardPermission-tp5728829p5728829.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
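
The two implication rules debated in this thread, modelled side by side in plain Java as an added example; it is not code from either poster or from Shiro itself. The class and method names are hypothetical, and the parsing (':' between parts, ',' between subparts, '*' as the wildcard) is a simplified assumption.

```java
import java.util.*;
// Simplified model of the matching discussed in this thread; not Shiro's source.
// Assumption: parts are split on ':' and subparts on ',', with '*' as the wildcard token.
public class WildcardImpliesDemo {
    static List<Set<String>> parse(String perm) {
        List<Set<String>> parts = new ArrayList<>();
        for (String part : perm.split(":")) {
            parts.add(new HashSet<>(Arrays.asList(part.split(","))));
        }
        return parts;
    }
    // Behaviour described in the thread: a shorter grant covers everything beneath it.
    static boolean implies(String granted, String requested) {
        List<Set<String>> g = parse(granted), r = parse(requested);
        int i = 0;
        for (; i < r.size(); i++) {
            if (i >= g.size()) return true;            // grant ran out: remainder is implied
            Set<String> part = g.get(i);
            if (!part.contains("*") && !part.containsAll(r.get(i))) return false;
        }
        for (; i < g.size(); i++) {                    // grant is longer than the request:
            if (!g.get(i).contains("*")) return false; // its extra parts must all be wildcards
        }
        return true;
    }

    // Hypothetical variant proposed in the thread: a grant also implies its own ancestors.
    static boolean impliesWithAncestors(String granted, String requested) {
        if (implies(granted, requested)) return true;
        List<Set<String>> g = parse(granted), r = parse(requested);
        if (r.size() >= g.size()) return false;        // siblings and descendants are not ancestors
        for (int i = 0; i < r.size(); i++) {
            if (!g.get(i).contains("*") && !g.get(i).containsAll(r.get(i))) return false;
        }
        return true;
    }
    public static void main(String[] args) {
        String[][] cases = {   // constructed {granted, requested} pairs taken from the thread
            {"thing:read:foo", "thing:read:foo:bar"},
            {"thing:read:foo:bar", "thing:read:foo"},
            {"thing:read:foo:bar", "thing:read:foo:foobar"},
            {"thing:foo:*:read", "thing:foo:bar:read"},
            {"thing:foo:*", "thing:foo:read"},
        };
        for (String[] c : cases) {
            System.out.printf("%-20s -> %-22s stock=%-5b ancestors=%b%n", c[0], c[1], implies(c[0], c[1]), impliesWithAncestors(c[0], c[1]));
        }
    }
}
```

In this model the ancestor variant also lets a holder of thing:read:foo:bar pass a check written as thing:read or just thing, so under that rule every check has to name the exact resource it guards.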
