Ah, no 'news' is not an instance in this example.  It is more the data
type (aka 'domain') of the thing being protected.

In other words, you might have a permission string like:  user:edit:12345

This could be read as:

"The ability to 'edit' the 'user' instance with identifier '12345'".

Similarly, the referenced news permission string could be read as:

"The ability to 'view' any 'news' article".

Because an ID is not specified on 'news:view', most people interpret
this to mean that the permission means to view *any* or *all* news
articles.

Finally, note that this is all just a convention: when using String
permissions, Shiro has no knowledge of your 'user' objects or 'view'
actions.  Shiro is just doing simple wildcard String checking on each
token in the string: it compares what has been assigned to an account
with what is being checked at runtime.

That means my user permission example above could have just as easily
been written as this:

user:12345:edit

But there is one important difference here:

The more tokens in the string, the more 'specific' or 'narrow' the
check becomes.  Shiro starts evaluating tokens from left to right, and
if any one of them fails a match, the check stops and the result is
false (they don't have the permission).

You can take this matching logic and create tokenized permission
strings in any manner you like.  Maybe your permission strings have 5
tokens instead of 3 - it is up to you.  However, most people just tend
to think of dataType:action:instanceId (or even
dataType:instanceId:action) because it tends to match our mental
models and application requirements.

For those that might come across this thread in the future, the
following might be useful as well:
http://shiro.apache.org/permissions.html

Finally, I should add that this is just Shiro's default String-based
permission behavior.  You can define your own Permission objects if
you want type safety, or even change how string permissions work
altogether by writing a custom PermissionResolver.

HTH!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
PMC Chair, Apache Shiro: http://shiro.apache.org
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Thu, Oct 18, 2012 at 8:42 PM, nhhockeyplayer
<[email protected]> wrote:
> Hi Folks,
>
> I am weeding out my oversights of Shiro concepts... and one last thing is
> holding me down.
>
> I waded through a lot of the docs... and I like the way it is configurable.
>
> One thing tripping me up conceptually is the reference to news.
>
> I see it used in the following capacities...
>
> /perms/view/** = perms[news:view]
> /perms/edit/** = perms[news:edit]
>
> configuration.add(factory.createChain("/perms/view/**").add(factory.perms(),
> "news:view").build());
> configuration.add(factory.createChain("/perms/edit/**").add(factory.perms(),
> "news:edit").build());
>
> /news/view/** = perms[news:view]
>
> I might have skimmed across some doc that said news might be an instance?
> Maybe? or a type?
>
> If anyone could set me straight I would be grateful.
>
> Thanks
>
>
>
>
> --
> View this message in context: 
> http://shiro-user.582556.n2.nabble.com/understanding-permissions-string-tp7577885.html
> Sent from the Shiro User mailing list archive at Nabble.com.
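
The matching described in the reply above, as an added example that is not part of the original thread and is not Shiro's source code: a simplified Java model of left-to-right token comparison. The class name, the `implies` helper and the sample strings beyond those quoted in the thread are constructed for illustration; it assumes an assigned string with fewer tokens covers anything narrower (the 'news:view' reading above) and that `*` matches any single token.

```java
// Simplified model of token-by-token permission matching (not Shiro's source code).
public class PermissionMatchDemo {

    // True if the permission assigned to an account covers the one checked at runtime.
    static boolean implies(String assigned, String requested) {
        String[] have = assigned.split(":");
        String[] want = requested.split(":");
        int i = 0;
        // Compare tokens left to right; the first mismatch ends the check.
        for (; i < want.length; i++) {
            if (i >= have.length) {
                return true; // assigned string ran out of tokens: nothing narrower was specified
            }
            if (!have[i].equals("*") && !have[i].equals(want[i])) {
                return false;
            }
        }
        // Assigned string is narrower than the request: any extra tokens must be wildcards.
        for (; i < have.length; i++) {
            if (!have[i].equals("*")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample checks: {assigned to the account, checked at runtime}
        String[][] checks = {
            {"news:view", "news:view"},             // same string
            {"news:view", "news:view:42"},          // no id assigned, id requested
            {"news:view", "news:edit"},             // different action
            {"user:edit:12345", "user:edit:12345"}, // same instance
            {"user:edit:12345", "user:edit:67890"}, // different instance
            {"user:edit:12345", "user:edit"},       // instance grant, broader request
            {"user:edit:12345", "user:12345:edit"}, // same tokens, different order
            {"user:*:12345", "user:view:12345"},    // wildcard action token
        };
        for (String[] c : checks) {
            System.out.printf("%-16s implies %-16s -> %b%n", c[0], c[1], implies(c[0], c[1]));
        }
    }
}
```

Granting the short form 'news:view' covers every article id, so a per-instance grant has to carry the id token, and the assigned and checked strings have to use the same token order.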
