Dear Shiroers,
I've commented on my ticket as I noticed that my implementation also doesn't
really support all use cases. In fact it would be ideal to configure the filter
like in the example of SHIRO-107
(https://issues.apache.org/jira/browse/SHIRO-107):
/data/stocks/**:post = authc, roles[admin]
/data/stocks/** = authc
However, although the issue is marked as resolved it doesn't seem to be
possible to specify the filter as in the given example. Doing so will fail with
the following message:
There is no filter with name 'post = authc' to apply to chain
[/data/stocks/**] in the pool of available Filters. Ensure a filter with that
name/path has first been registered with the addFilter method(s).
Is there another way to specify the filter chain that resembles the same
behavior?
Regards
Daniel
On 19.09.2013, at 16:51, Daniel Bimschas wrote:
> Hmm. I'm not sure how to add you guys to the issue so please go ahead and
> watch it: https://issues.apache.org/jira/browse/SHIRO-459
>
> I'll now add the implementation and some comment on how to proceed...
>
> Cheers
> Daniel
>
> On 18.09.2013, at 20:39, Stephen McCants wrote:
>
>> Hi Daniel,
>>
>> I'd like to be copied on that Jira ticket as well.
>> Thanks!
>>
>> --Stephen
>>
>> On 9/18/2013 1:33 PM, Les Hazlewood wrote:
>>> Hi Daniel,
>>>
>>> Please attach it to a Jira issue so we can take a look at it - if it makes
>>> sense to add for general purpose use, we will!
>>>
>>> Thanks!
>>>
>>> --
>>> Les Hazlewood | @lhazlewood
>>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>>>
>>>
>>> On Wed, Sep 18, 2013 at 12:24 AM, Daniel Bimschas
>>> <[email protected]> wrote:
>>> Digging into the Shiro source code I found that this feature is in fact
>>> not available in Shiro. I've now implemented my own custom filter
>>> (extending RolesAuthorizationFilter) that allows you to do exactly what I
>>> wanted. Configuration for the filter follows the following example:
>>>
>>> [main]
>>> myFilter=my.package.HttpMethodRolesAuthorizationFilter
>>> [urls]
>>> /rest = authcBasic, myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]
>>>
>>> So, in this example
>>>
>>> - a user must be authenticated to execute any operation
>>> - a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT
>>> request,
>>> - a user with role EXPERIMENTER can send POST requests, and
>>> - a user with role ADMINISTRATOR can DELETE things
>>>
>>> I would be more than happy to contribute this little bit of code to the
>>> project in case you're interested!
>>>
>>> Best regards
>>> Daniel Bimschas
>>>
>>> On 16.09.2013, at 11:37, Daniel Bimschas wrote:
>>>
>>>> Dear Shiro gods!
>>>>
>>>> I'm struggling to figure out how I can do role-based authorization
>>>> depending on what HTTP method a request is using. I've posted this
>>>> question on StackOverflow as it seems nobody has been asking it before (at
>>>> least I couldn't find it with my search terms). I would be incredibly
>>>> happy if you could take a look!
>>>>
>>>> http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m
>>>>
>>>> Cheers
>>>> Daniel Bimschas
>>>
>>
>>
>> --
>> Stephen McCants
>> Senior Software Engineer
>> Healthcare Control Systems
>> 1-877-877-8795 x116
>>
>
> --
> Daniel Bimschas, M.Sc.
>
>
> UNIVERSITÄT ZU LÜBECK
> INSTITUT FÜR TELEMATIK
>
> Ratzeburger Allee 160
> 23538 Lübeck
>
> Tel +49 451 500 5392
> Fax +49 451 500 5382
> [email protected]
>
> https://www.itm.uni-luebeck.de/people/bimschas
>
--
Daniel Bimschas, M.Sc.
UNIVERSITÄT ZU LÜBECK
INSTITUT FÜR TELEMATIK
Ratzeburger Allee 160
23538 Lübeck
Tel +49 451 500 5392
Fax +49 451 500 5382
[email protected]
https://www.itm.uni-luebeck.de/people/bimschas
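
One way a filter with the `METHOD=ROLE&ROLE` configuration described in the thread could be written, as an added example that is neither the implementation attached to SHIRO-459 nor Shiro's own code. The class name `MethodRolesFilter` is hypothetical, the Shiro 1.x `javax.servlet` API is assumed, and methods with no entry are assumed to need only the authentication enforced earlier in the chain.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical class name; register it under [main] the same way as myFilter in the thread.
public class MethodRolesFilter extends RolesAuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        // Shiro splits the bracket config on commas, so each entry is "METHOD=ROLE&ROLE".
        String[] rules = (String[]) mappedValue;
        if (rules == null || rules.length == 0) {
            return true; // no per-method rules configured for this path
        }
        // Normalize case so a request sent as "post" is still matched by the POST rule.
        String method = WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ROOT);
        Subject subject = getSubject(request, response);

        for (String rule : rules) {
            int eq = rule.indexOf('=');
            if (eq <= 0 || eq == rule.length() - 1) {
                return false; // malformed entry: deny rather than guess
            }
            if (!rule.substring(0, eq).trim().toUpperCase(Locale.ROOT).equals(method)) {
                continue;
            }
            Set<String> required = new HashSet<>();
            for (String role : rule.substring(eq + 1).split("&")) {
                if (!role.trim().isEmpty()) {
                    required.add(role.trim());
                }
            }
            // '&' means every listed role is required; an empty role list denies.
            return !required.isEmpty() && subject.hasAllRoles(required);
        }
        // Assumption: methods without an entry (e.g. GET) only need the authentication
        // enforced by the filter placed before this one in the chain (authcBasic).
        return true;
    }
}
```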