Unfortunately, Shiro does not currently support this out of the box. So,
you will need to write your own filter.
Fortunately, the filter is fairly simple to write. Simply copying the
RolesAuthorizationFilter and modifying it slightly we get something like
this:
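    import java.io.IOException;
    import java.util.Set;

    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;

    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.util.CollectionUtils;
    import org.apache.shiro.web.filter.authz.AuthorizationFilter;

    public class AnyRoleAuthorizationFilter extends AuthorizationFilter {
        @SuppressWarnings({"unchecked"})
        public boolean isAccessAllowed(ServletRequest request,
                ServletResponse response, Object mappedValue) throws IOException {
            Subject subject = getSubject(request, response);
            String[] rolesArray = (String[]) mappedValue;
            if (rolesArray == null || rolesArray.length == 0) {
                //no roles specified, so nothing to check - allow access.
                return true;
            }
            Set<String> roles = CollectionUtils.asSet(rolesArray);
            // allow access as soon as the subject holds any one of the listed roles
            for (String role : roles) {
                if (subject.hasRole(role)) {
                    return true;
                }
            }
            // the subject holds none of the listed roles
            return false;
        }
    }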
To include this in your shiro.ini:
    [main]
    ...
    anyRole = com.example.AnyRoleAuthorizationFilter

    [urls]
    /protected/** = ssl,authc,anyRole["net.dupage88.role.staff,net.dupage88.role.student"]
Hope that helps,
Jared
On Mon 01 Oct 2012 11:09:27 AM CDT, Charles Syperski wrote:
>
> I have a URL that I am attempting to configure which looks like this:
>
> /protected/** = ssl,authc,roles["net.dupage88.role.staff,net.dupage88.role.student"]
>
> This currently requires membership of both net.dupage88.role.staff and
> net.dupage88.role.student.
>
> What I want to do is allow access if the user is authc and has the
> role net.dupage88.role.staff OR net.dupage88.role.student, is this
> possible? The groups are mutually exclusive, so they will be a member
> of just one of the two. If so, how do I set it up in the ini?
>
> So logically I want (ssl && authc && ( net.dupage88.role.staff ||
> net.dupage88.role.student ) )
>
> If it isn't possible, do I need to create my own filter for this? I
> would like to avoid this because it is less flexible, but if that is
> what I need please let me know.
>
> Thanks for the awesome framework and any help you can provide.
>
> Thanks,
> Chuck