hmm, thanks for the info -
Our orgs are structured more like this -
Company -
Department -
Group -
A user who has Role:Admin at the company level has all the permissions to
perform actions across all the users in the company. A user who has
Role:Admin at the department level has all the permissions to perform
actions across all the users in the company. We did this because our
product can be used for n-level hierarchies. Also, it's supposed to make
configuring the permissions easier.
Part of the reason we want to use Shiro is that we don't want to do stupid
stuff. If this is stupid, let me know :)
Can we do something like this -
Return role names with orgs appended to the user. Then if a user has the Admin
role for Company, the roles returned are
CompanyId:Admin
DepartmentId:Admin
Then when we look at permissions and roles, we also append our orgId onto
the roleName. So, if I am modifying information for a user in group A, then
we check if the user has Admin privileges at the group level.
thanks
Amish
On Fri, Jun 7, 2013 at 10:36 AM, Les Hazlewood <[email protected]> wrote:
> > 1. Can I perform only authorization through Shiro. We have a different
> > mechanism for authentication. How?
>
> Yes, you can do this. Shiro was designed early on to keep
> authorization and authentication concerns related, but not tightly
> coupled. As long as you know an identity (either assumed or
> authenticated), you can perform an access control check.
>
> For example, if you want to see if the jsmith user has a role or is
> permitted to do something:
>
> PrincipalCollection p = new SimplePrincipalCollection("jsmith", "myRealm");
> Subject subject = new Subject.Builder(securityManager).principals(p).buildSubject();
>
> This creates a Subject with the specified principals (identifying
> attributes) that is unauthenticated (not logged in). But because an
> identity is known, you can still do things like:
>
> subject.hasRole("someRole");
> subject.isPermitted("document:12345:read");
> etc.
>
> This is in fact how Shiro's remember me works - a remembered subject
> has a known identity, but it is not authenticated - so you can still
> perform access control checks, but a check for
> subject.isAuthenticated() would return false (as expected).
>
> > 2. We're also using roles in a multi-hierarchy organization. For example, if I
> > am an admin at the department org level, I have admin privileges for all the
> > orgs below, but not orgs above. How would I use Shiro to support this?
>
> The cleanest/best way to do this is to assign permissions to your
> various roles. Then, by transitive association, your users 'have' or
> are 'granted' all the permissions across all of those roles.
>
> If you assign a permission to a role at the department org level, and
> your user account is granted that role, then by association, your user
> has that permission. Then you can do checks like:
>
> String permission = // some permission only granted at the department org level
> if (subject.isPermitted(permission)) {
>     // do department org only stuff
> }
>
> This is so much cleaner than doing things like:
>
> if (subject.hasRole("admin") && !subject.hasRole("subadmin") ||
> subject.hasRole("somethingElse") ...)
>
> type of logic.
>
> This is an area where Shiro really shines (clean access control via
> permissions) - I only recommend role checks for very simple
> applications.
>
> HTH,
>
> Les
>
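
As an added worked example (not code from this thread, and not Shiro's own documentation code) of the two points Les makes above: building a Subject from an identity that your own system authenticated but that is not logged in to Shiro, and expressing "admin at the department level covers every org below it but none above it" as permissions instead of role checks. The org tree is carried as colon-separated path parts inside a WildcardPermission, which is what gives the subtree semantics. The realm config, the user names (alice, bob, carol), the org ids (acme, sales, emea, engineering) and the `user:<action>:<org path>` permission layout are all assumptions made up for the example; it depends only on shiro-core.

```java
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Authorization-only use of Shiro over an n-level org tree (example code, not
 * from the thread). The tree is encoded as company:department:group path parts
 * inside a WildcardPermission. WildcardPermission treats a permission with
 * fewer parts as implying every longer path that starts with those same parts,
 * so "user:*:acme:sales" covers acme:sales and everything under it, but not
 * acme itself and not acme:engineering.
 */
public class OrgHierarchyAuthz {

    // Constructed realm config, made up for this example. Passwords are
    // placeholders: nothing here ever authenticates against Shiro.
    private static final String REALM_INI =
            "[roles]\n"
          + "companyAdmin = user:*:acme\n"
          + "salesAdmin = user:*:acme:sales\n"
          + "emeaViewer = user:read:acme:sales:emea\n"
          + "[users]\n"
          + "alice = unused, companyAdmin\n"
          + "bob = unused, salesAdmin\n"
          + "carol = unused, emeaViewer\n";

    private final DefaultSecurityManager securityManager;
    private final String realmName;

    public OrgHierarchyAuthz() {
        Ini ini = new Ini();
        ini.load(REALM_INI);
        IniRealm realm = new IniRealm(ini);
        this.realmName = realm.getName();
        this.securityManager = new DefaultSecurityManager(realm);

        // Pure authorization checks need no session; switch session storage
        // off so that building a Subject does not create one as a side effect.
        DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
        evaluator.setSessionStorageEnabled(false);
        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        subjectDAO.setSessionStorageEvaluator(evaluator);
        this.securityManager.setSubjectDAO(subjectDAO);
    }

    /** Subject with a known identity (from your own authentication) but not logged in to Shiro. */
    public Subject subjectFor(String username) {
        PrincipalCollection principals = new SimplePrincipalCollection(username, realmName);
        return new Subject.Builder(securityManager).principals(principals).buildSubject();
    }

    /**
     * Joins org ids into the path part of a permission. Ids containing
     * WildcardPermission's delimiters are rejected; otherwise an attacker-chosen
     * org name such as "sales:*" would widen what a granted permission implies.
     */
    public static String orgPath(String... orgIds) {
        for (String id : orgIds) {
            if (id == null || id.isEmpty() || id.contains(":") || id.contains(",") || id.contains("*")) {
                throw new IllegalArgumentException("org id not safe inside a permission string: " + id);
            }
        }
        return String.join(":", orgIds);
    }

    /** Permission to perform an action on the user records of the org at orgPath. */
    public static String userPermission(String action, String orgPath) {
        return "user:" + action + ":" + orgPath;
    }

    public boolean isPermitted(String username, String action, String orgPath) {
        return subjectFor(username).isPermitted(userPermission(action, orgPath));
    }

    public static void main(String[] args) {
        OrgHierarchyAuthz authz = new OrgHierarchyAuthz();
        String company = orgPath("acme");
        String dept = orgPath("acme", "sales");
        String group = orgPath("acme", "sales", "emea");
        String otherDept = orgPath("acme", "engineering");

        System.out.println("bob authenticated: " + authz.subjectFor("bob").isAuthenticated());
        for (String user : new String[] {"alice", "bob", "carol"}) {
            for (String org : new String[] {company, dept, group, otherDept}) {
                System.out.printf("%-5s edit users in %-16s -> %b%n",
                        user, org, authz.isPermitted(user, "edit", org));
            }
        }
        System.out.println("carol read users in " + group + " -> " + authz.isPermitted("carol", "read", group));
    }
}
```

With this config, WildcardPermission's implication rules give alice edit rights on all four paths, bob on acme:sales and acme:sales:emea only (not on acme, not on acme:engineering), and carol read but not edit on acme:sales:emea. `isAuthenticated()` is false for every Subject built this way, so Shiro knows the identity was asserted by your own system rather than proven to it, exactly as in the remember-me case Les describes. Note that the "n-level" part comes for free: an org three or five levels deeper is still implied by a permission on any of its ancestors, and never by a permission on a sibling or descendant.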