You probably want to implement a typical RBAC type model and map your Users
to Roles and Roles to Permissions.
Then in your custom Realm implementation override
doGetAuthorizationInfo(...), resolve the Roles/Permissions for the current
user and return to Shiro.
    // acl stands for your own lookup of the current user's roles and permissions
    SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo(acl.getRoles());
    authInfo.addStringPermissions(acl.getPermissions());
    return authInfo;
Check out the Authorization Guide
(http://shiro.apache.org/java-authorization-guide.html) and read up on
Permissions, as that's where you'll gain the capability you want.
Permissions can be fairly fine-grained.
In your code you can then do something like this:
    if ( SecurityUtils.getSubject().isPermitted( permission ) ) {
        // allow something
    }
The Shiro TagLibs also support the same permissions.
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/How-to-find-out-it-a-URL-is-authorized-tp7212711p7214278.html
Sent from the Shiro User mailing list archive at Nabble.com.
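
The User -> Role -> Permission mapping described in the message above, as an added example that is not part of the original post or of the Shiro project. The class name, the in-memory maps and the sample users and permission strings are constructed for illustration; it assumes Shiro and an SLF4J API jar on the classpath and Java 9 or later.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class RbacRealmDemo extends AuthorizingRealm {
    // Constructed sample data: user -> roles and role -> permissions.
    private static final Map<String, Set<String>> USER_ROLES = Map.of(
        "alice", Set.of("admin"),
        "bob", Set.of("viewer"));
    private static final Map<String, Set<String>> ROLE_PERMS = Map.of(
        "admin", Set.of("report:*", "user:create"),
        "viewer", Set.of("report:read"));

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal();
        // Unknown users resolve to no roles and no permissions (deny by default).
        Set<String> roles = USER_ROLES.getOrDefault(user, Set.of());
        Set<String> perms = new HashSet<>();
        for (String role : roles) {
            perms.addAll(ROLE_PERMS.getOrDefault(role, Set.of()));
        }
        SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo(roles);
        authInfo.addStringPermissions(perms);
        return authInfo;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null; // authentication is out of scope: this demo realm logs no one in
    }

    public static void main(String[] args) {
        RbacRealmDemo realm = new RbacRealmDemo();
        // "carol" has no entry in USER_ROLES, so every check for her is denied.
        for (String user : List.of("alice", "bob", "carol")) {
            PrincipalCollection who = new SimplePrincipalCollection(user, realm.getName());
            for (String perm : List.of("report:read", "report:delete", "user:create")) {
                System.out.printf("%-6s %-14s %b%n", user, perm, realm.isPermitted(who, perm));
            }
        }
    }
}
```

The realm is queried directly with a constructed principal so the permission checks can be seen without a login; Shiro's default wildcard matching is what lets the admin role's `report:*` grant cover `report:delete`.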