Let me try to clear things up a bit. I do have a completely working Shiro-based authentication / authorization system. It works fantastic. What I need is to check whether a particular URL is authorized, not whether a user is authorized within a role. Thank you!
On Jan 22, 2012, at 4:45 PM, jeffp wrote:

> You probably want to implement a typical RBAC type model and map your Users
> to Roles and Roles to Permissions.
>
> Then in your custom Realm implementation override
> doGetAuthorizationInfo(...), resolve the Roles/Permissions for the current
> user and return to Shiro.
>
> SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo(acl.getRoles());
> authInfo.addStringPermissions(acl.getPermissions());
> return authInfo;
>
> Check out the http://shiro.apache.org/java-authorization-guide.html
> Authorization Guide and read up on Permissions as there's where you'll gain
> the capability you want. Permissions can be fairly fine grain.
>
> In your code you can then do something like this:
> if ( SecurityUtils.getSubject().isPermitted( permission ) ) {
>     // allow something
> }
>
> The Shiro TagLibs also support the same permissions.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/How-to-find-out-it-a-URL-is-authorized-tp7212711p7214278.html
> Sent from the Shiro User mailing list archive at Nabble.com.
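The realm-plus-`isPermitted` flow from jeffp's quoted reply, as an added example that is not part of the original thread and not Shiro's own code. The class names, the sample ACL, the demo password and the `toPermission` URL-to-permission convention are assumptions made for illustration; Shiro does not define a URL-to-permission mapping itself.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
public class UrlPermissionDemo {
    // Constructed sample ACL: user -> roles, role -> permission strings.
    static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("editor"));
    static final Map<String, Set<String>> PERMS =
        Map.of("editor", Set.of("url:reports:*", "url:account:profile"));

    static class AclRealm extends AuthorizingRealm {
        @Override  // demo only: every known user shares one constructed password
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = (String) token.getPrincipal();
            return ROLES.containsKey(user)
                ? new SimpleAuthenticationInfo(user, "demo-password", getName()) : null;
        }
        @Override  // resolve roles and permissions for the current user, as in the reply
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            Set<String> roles = ROLES.getOrDefault((String) principals.getPrimaryPrincipal(), Set.of());
            SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo(new HashSet<>(roles));
            for (String role : roles) authInfo.addStringPermissions(PERMS.getOrDefault(role, Set.of()));
            return authInfo;
        }
    }

    // Hypothetical convention (not a Shiro API): "/reports/2012" -> "url:reports:2012".
    static String toPermission(String path) {
        StringBuilder sb = new StringBuilder("url");
        for (String seg : path.split("/")) {
            if (seg.isEmpty()) continue;
            // Refuse characters that carry meaning in Shiro's wildcard permission syntax.
            if (seg.matches(".*[:,*].*") || seg.equals("..")) throw new IllegalArgumentException(path);
            sb.append(':').append(seg);
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new AclRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "demo-password"));
        for (String url : List.of("/reports/2012", "/account/profile", "/admin/users")) {
            System.out.println(url + " -> " + subject.isPermitted(toPermission(url)));
        }
    }
}
```

Because the check runs against permission strings rather than role names, the URL-to-permission convention is the part to review: a path that maps to no granted permission is denied by default.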
