If you haven't already, take a look at wildcard permissions: http://shiro.apache.org/permissions.html
For #3 and #4: in my mind roles and groups are used almost interchangeably. But if I had to split them up, I would say that a role is a collection of permissions, and a group is a collection of users. In this case a role could be assigned to an individual user or a group.

A simple example might be an 'Administrator-role' that would likely contain all permissions. An 'Administrator-group' would contain all your admin users. You would assign the 'Administrator-role' to the 'Administrator-group' (this would be done in a realm).

As for your question about realms: yes, with respect to only supporting 'read' operations, this is mainly because most applications have their own requirements; for example, lots of applications store users in some other type of store (i.e. LDAP / AD).

Does that answer your questions?

On Fri, Feb 27, 2015 at 4:03 PM, Raghuram Devarakonda <[email protected]> wrote:

> Hi All,
>
> We currently use Spring Security for authorization (ACL module in particular) but there are some new use cases which may make the continued use of Spring Security infeasible. So I started looking for alternatives and in that process, have run into Apache Shiro. I read the documentation available on the Shiro site and I think I have some idea how it works. But there are some questions that I would like to get some clarification on and I would appreciate any help.
>
> Here are some authorization requirements from our application:
>
> 1) Support granular privileges (mapping to operations such as "read" and "write"). Note that there are no resources at this point. These are just possible operations.
>
> 2) A role is a combination of privileges, again without reference to any resources.
>
> 3) Individual resources can be organized into resource groups where one resource can belong to multiple resource groups.
>
> 4) Finally, roles can be assigned to users (or groups) for a given resource or resource group.
>
> It seems to me that Shiro supports (1) and (2) but I am not clear about the rest.
>
> Also, is it true that the application needs to take care of all "write" operations as mentioned in one of the documents? Here is the relevant snippet:
>
> "Currently all Realm implementations support ‘read’ operations for acquiring authentication and authorization data to perform logins and access control. ‘Write’ operations, like creating user accounts, groups and roles, or associating users with roles, groups and permissions, are not supported. This is because the data model to support these operations varies dramatically across applications and it would be difficult to enforce a ‘write’ API on all Shiro users."
>
> Thanks in advance,
> Raghu
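The reply above says the mapping of roles onto users or groups "would be done in a realm" and points at wildcard permissions; the example below, added here and not code from the thread or from the Shiro project, shows one way to do exactly that for all four requirements in the quoted question. It is a read-only realm: the application owns the privilege, role, resource-group and assignment tables (plain maps here, constructed sample data), and the realm derives Shiro permissions of the assumed shape `doc:<privilege>:<resource>` from them on every authorization lookup. The class and field names (`ScopedRoleRealm`, `Assignment`, the `doc` domain, user `alice`, group `finance`) are assumptions for the illustration; the Shiro types are real shiro-core 1.x APIs.

```java
// Added example (not from the mailing-list post or the Shiro project): a read-only Shiro
// realm that turns privileges, roles, resource groups and per-resource role assignments
// into wildcard permissions "doc:<privilege>:<resource>". Assumes shiro-core 1.x on the
// classpath; all names ("doc", "alice", "finance", ...) are constructed sample data.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

import java.util.*;

public class ResourceScopedRolesExample {

    /** A role granted to a user on one resource or on a whole resource group (requirement 4). */
    static final class Assignment {
        final String user, role, target;
        Assignment(String user, String role, String target) {
            this.user = user; this.role = role; this.target = target;
        }
    }

    /**
     * Hypothetical realm. It only reads: the application owns the maps below (its "write"
     * side) and the realm derives Shiro permissions from them on each authorization lookup.
     */
    static final class ScopedRoleRealm extends AuthorizingRealm {
        final Map<String, String> passwords = new HashMap<>();              // plain text, demo only
        final Map<String, Set<String>> rolePrivileges = new HashMap<>();   // (2) role -> privileges
        final Map<String, Set<String>> resourceGroups = new HashMap<>();   // (3) group -> resources
        final List<Assignment> assignments = new ArrayList<>();            // (4) user x role x target

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String user = (String) token.getPrincipal();
            String password = passwords.get(user);
            if (password == null) {
                return null; // Shiro turns a null result into UnknownAccountException
            }
            return new SimpleAuthenticationInfo(user, password, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            for (Assignment a : assignments) {
                if (!a.user.equals(user)) {
                    continue;
                }
                info.addRole(a.role);
                // A target naming a group expands to its members; anything else is a single resource.
                Set<String> resources = resourceGroups.getOrDefault(a.target, Collections.singleton(a.target));
                for (String privilege : rolePrivileges.getOrDefault(a.role, Collections.<String>emptySet())) {
                    for (String resource : resources) {
                        info.addObjectPermission(new WildcardPermission(
                                "doc:" + safePart(privilege) + ":" + safePart(resource)));
                    }
                }
            }
            return info;
        }

        /** ':' ',' and '*' are WildcardPermission syntax: a resource named "*" must not become a grant on everything. */
        private static String safePart(String part) {
            if (!part.matches("[A-Za-z0-9_.-]+")) {
                throw new IllegalArgumentException("unsafe permission part: " + part);
            }
            return part;
        }
    }

    public static void main(String[] args) {
        ScopedRoleRealm realm = new ScopedRoleRealm();
        realm.passwords.put("alice", "secret");
        realm.rolePrivileges.put("viewer", new HashSet<>(Arrays.asList("read")));          // (1) privileges
        realm.rolePrivileges.put("editor", new HashSet<>(Arrays.asList("read", "write")));
        realm.resourceGroups.put("finance", new HashSet<>(Arrays.asList("q1-report", "budget")));
        realm.assignments.add(new Assignment("alice", "editor", "finance")); // editor on the whole group
        realm.assignments.add(new Assignment("alice", "viewer", "roadmap")); // viewer on one resource

        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject alice = SecurityUtils.getSubject();
        alice.login(new UsernamePasswordToken("alice", "secret"));
        for (String check : Arrays.asList("doc:write:q1-report", "doc:read:roadmap",
                                          "doc:write:roadmap", "doc:read:payroll")) {
            System.out.println(check + " -> " + alice.isPermitted(check));
        }
        alice.logout();
    }
}
```

Two practical notes. First, a resource may sit in several groups (requirement 3) with no extra work, because each assignment is expanded independently and duplicate permissions are harmless. Second, `AuthorizingRealm` caches the `AuthorizationInfo` it returns once a `CacheManager` is configured on the security manager (there is none in the demo), so after the application changes an assignment it must evict the affected user with `clearCachedAuthorizationInfo`, or the old grant lives on until the cache entry expires. The `safePart` check is the one piece of hardening worth keeping: permission strings are built by concatenation, and an attacker who can name a resource `*` or `read,write` would otherwise be writing Shiro wildcard syntax into their own grant.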
