> 1. Can I perform only authorization through Shiro. We have a different
> mechanism for authentication. How?
Yes, you can do this. Shiro was designed early on to keep
authorization and authentication concerns related, but not tightly
coupled. As long as you know an identity (either assumed or
authenticated), you can perform an access control check.
For example, if you want to see if the jsmith user has a role or is
permitted to do something:
    PrincipalCollection p = new SimplePrincipalCollection("jsmith", "myRealm");
    Subject subject = new Subject.Builder(securityManager).principals(p).buildSubject();
This creates a Subject with the specified principals (identifying
attributes) that is unauthenticated (not logged in). But because an
identity is known, you can still do things like:
    subject.hasRole("someRole");
    subject.isPermitted("document:12345:read");
etc.
This is in fact how Shiro's remember me works - a remembered subject
has a known identity, but it is not authenticated - so you can still
perform access control checks, but a check for
subject.isAuthenticated() would return false (as expected).
> 2. We're also roles in a multi hierarchy organization. For example, if I am
> an admin at the department org level, I have admin privileges for all the
> orgs below, but not orgs above. How would I use Shiro to support this?
The cleanest/best way to do this is to assign permissions to your
various roles. Then, by transitive association, your users 'have' or
are 'granted' all the permissions across all of those roles.
If you assign a permission to a role at the department org level, and
your user account is granted that role, then by association, your user
has that permission. Then you can do checks like:
    String permission = // some permission only granted at the department org level
    if (subject.isPermitted(permission)) {
        // do department org only stuff
    }
This is so much cleaner than doing things like:
    if (subject.hasRole("admin") && !subject.hasRole("subadmin") ||
        subject.hasRole("somethingElse") ...)
type of logic.
This is an area where Shiro really shines (clean access control via
permissions) - I only recommend role checks for very simple
applications.
HTH,
Les
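The two answers above, worked through end to end as an added example (my code, not from the thread or from the Shiro project): a Subject is built from known principals without ever logging in, and the org hierarchy from question 2 is encoded into colon-delimited permission strings so that a role granted at the department level implies every team below it but not the company above it (WildcardPermission semantics). Realm data, user names, org names and the "myRealm" realm name are constructed for the example; package names assume Shiro 1.x.

```java
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class OrgHierarchyAuthz {

    // Constructed sample realm data. Org paths are part of the permission string
    // (admin:<company>:<department>:<team>), so a role granted at one level
    // implies every level below it and none above it.
    private static final String INI =
        "[roles]\n" +
        "companyAdmin = admin:acme:*\n" +
        "deptAdmin = admin:acme:engineering:*\n" +
        "[users]\n" +
        "jsmith = unused-password, deptAdmin\n" +
        "cto = unused-password, companyAdmin\n";

    // Builds an unauthenticated Subject for a user whose identity was
    // established by some other mechanism (question 1). No login() call.
    static Subject subjectFor(DefaultSecurityManager securityManager, String username) {
        PrincipalCollection p = new SimplePrincipalCollection(username, "myRealm");
        return new Subject.Builder(securityManager).principals(p).buildSubject();
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        IniRealm realm = new IniRealm(ini);       // roles -> permissions, users -> roles
        realm.setName("myRealm");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        Subject jsmith = subjectFor(securityManager, "jsmith");
        System.out.println("authenticated:   " + jsmith.isAuthenticated());
        System.out.println("own department:  " + jsmith.isPermitted("admin:acme:engineering"));
        System.out.println("team below it:   " + jsmith.isPermitted("admin:acme:engineering:backend"));
        System.out.println("company above:   " + jsmith.isPermitted("admin:acme"));
        System.out.println("sibling dept:    " + jsmith.isPermitted("admin:acme:sales"));

        // A role granted higher in the hierarchy covers the department too.
        Subject cto = subjectFor(securityManager, "cto");
        System.out.println("cto over team:   " + cto.isPermitted("admin:acme:engineering:backend"));
    }
}
```

The checks in application code stay a single isPermitted(...) call per resource; the hierarchy lives entirely in the permission strings assigned to roles, so no role-name comparisons are needed.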