Thanks for the information.  Would it be possible to set a Subject's record
access at runtime?  I'm envisioning the following scenario:

User A, who is in Group 1, creates a record (XYZ) and only wants to have
full access for themselves.
User B, who is also in Group 1, tries to access record XYZ.  User B should
be denied.

User C, who is in Group 1, creates a record (QRS) and wants everyone in their
group to read the record.
User D, who is in Group 1, wants to read record QRS.  User D should be able
to read record QRS but not make changes.

This feels like it should be similar to UNIX file permissions, but I don't
know how to enforce all this at runtime in Shiro.  The first scenario would
make the record XYZ have permission of 600, while the permissions on
record QRS would be 660.  Maybe I just need a custom class that can
translate this in Shiro.  If so, would this require a custom
PermissionResolver?

On Wed, Sep 9, 2015 at 2:48 AM, scSynergy <[email protected]> wrote:

> You can verify whether a user / role has access to the record by including
> these lines at the very beginning of the method which retrieves it from
> your database:
>
> import java.util.HashSet;
> import java.util.Set;
> import org.apache.shiro.SecurityUtils;
> import org.apache.shiro.authz.Permission;
> import org.apache.shiro.authz.permission.WildcardPermission;
>
> Set<Permission> permissions = new HashSet<>();
> permissions.add(new WildcardPermission("record:read:user"));
> permissions.add(new WildcardPermission("record:write:user"));
> // the Collection overload is checkPermissions(...); all of them must be held
> SecurityUtils.getSubject().checkPermissions(permissions);
> // retrieve stuff from database
>
> The checkPermission method will continue on normally when the subject has
> the needed permissions and throw an UnauthorizedException if not.
>
> You can also use annotations like @RequiresPermissions({"record:read:user",
> "record:write:user"}) but then you cannot define the needed permissions
> dynamically because annotations require constant values - this is *not* a
> limitation of Shiro but of annotations.
>
> Have a look at the API to get an idea of what Shiro supports
> https://shiro.apache.org/static/1.2.3/apidocs/ .
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Dynamic-Authorization-tp7580696p7580697.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
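An added example (not from the thread or from Shiro itself) of the UNIX-mode idea above, in the runtime-check style scSynergy describes: an authorization-only realm that reads a hypothetical per-record ACL row (owner, group, mode) and grants "record:read:<id>" / "record:write:<id>" to the current subject, so the retrieval method only needs checkPermission. It assumes the primary principal is the username and that groups and ACL rows are looked up per call (constructed in memory here); no custom PermissionResolver is needed because the default WildcardPermissionResolver already understands these strings. With the owner triplet 6 granting read and write and a group triplet 4 granting read only, the XYZ and QRS cases fall out of the mode bits.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** One row of a hypothetical record ACL table: owner, group and a UNIX-style mode such as 0600 or 0640. */
final class RecordAcl {
    final String id, owner, group; final int mode;
    RecordAcl(String id, String owner, String group, int mode) { this.id = id; this.owner = owner; this.group = group; this.mode = mode; }
}
/** Authorization-only realm (hypothetical) that turns ACL rows into "record:<action>:<id>" permissions. */
public class RecordAclRealm extends AuthorizingRealm {
    private final Map<String, Set<String>> groupsOfUser; // user -> groups; constructed here, normally read from the DB
    private final Iterable<RecordAcl> acls;              // ACL rows; normally queried from the DB on each call
    public RecordAclRealm(Map<String, Set<String>> groupsOfUser, Iterable<RecordAcl> acls) {
        this.groupsOfUser = groupsOfUser;
        this.acls = acls;
        setAuthorizationCachingEnabled(false); // rebuild on every check so ACL changes made at runtime take effect
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal(); // assumption: username is the primary principal
        Set<String> groups = groupsOfUser.getOrDefault(user, Collections.<String>emptySet());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (RecordAcl acl : acls) {
            int bits = user.equals(acl.owner) ? (acl.mode >> 6) & 7      // owner triplet of the mode
                     : groups.contains(acl.group) ? (acl.mode >> 3) & 7   // group triplet
                     : acl.mode & 7;                                      // "other" triplet
            if ((bits & 4) != 0) info.addStringPermission("record:read:" + acl.id);
            if ((bits & 2) != 0) info.addStringPermission("record:write:" + acl.id);
        }
        return info;
    }

    @Override public boolean supports(AuthenticationToken token) { return false; } // another realm authenticates
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) { return null; }

    /** Gate for the retrieval method, as in scSynergy's reply: throws UnauthorizedException when not permitted. */
    static void requireRecordAccess(String recordId, String action) {
        SecurityUtils.getSubject().checkPermission("record:" + action + ":" + recordId);
    }
}
```

Register it as one of the realms in shiro.ini alongside the realm that performs authentication; calling requireRecordAccess("XYZ", "write") for User B then throws, while requireRecordAccess("QRS", "read") for User D passes.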
