Hi,
This is possible and I have done it.
But you can't use annotations. You have to manually check for the user's
permissions using User.isPermitted(requiredPermission);
For example:
if (SecurityUtils.getSubject().isPermitted(requiredPermission)) {
    // do stuff here
} else {
    throw new UnauthorizedException();
}
Where requiredPermission must be the permission associated to access record
XYZ or QRS in your example. You will have to look it up dynamically.
Hope it helps,
Tomas Lund Petersen
On Wed, Sep 9, 2015 at 11:49 AM, Mark <[email protected]> wrote:
> Thanks for the information. Would it be possible to set a Subject's
> record access at runtime? I'm envisioning the following scenario:
>
> User A, who is in Group 1 creates a record (XYZ) and only wants to have
> full access for themself.
> User B, who is also in Group 1 tries to access record XYZ. User B should
> be denied.
>
> User C, who is in Group 1, creates a record (QRS) and wants everyone in
> their group to read the record.
> User D, who is in Group 1 wants to read record QRS. User D should be able
> to read record QRS but not make changes.
>
> This feels like it should be similar to UNIX file permissions, but I don't
> know how to enforce all this at runtime in Shiro. The first scenario would
> make the record XYZ have permission of 600, while the permissions on
> record QRS would be 660. Maybe I just need a custom class that can
> translate this in Shiro. If so, would this require a custom
> PermissionResolver?
>
> On Wed, Sep 9, 2015 at 2:48 AM, scSynergy <[email protected]>
> wrote:
>
>> You can verify whether a user / role has access to the record by including
>> these lines at the very beginning of the method which retrieves it from
>> your database:
>> // checkPermissions (plural) takes a Collection<Permission>
>> Set<Permission> permissions = new HashSet<>();
>> permissions.add(new WildcardPermission("record:read:user"));
>> permissions.add(new WildcardPermission("record:write:user"));
>> SecurityUtils.getSubject().checkPermissions(permissions);
>> // retrieve stuff from database
>>
>> The checkPermission method will continue on normally when the subject has
>> the needed permissions and throw an UnauthorizedException if not.
>>
>> You can also use annotations like
>> @RequiresPermissions({"record:read:user", "record:write:user"})
>> but then you cannot define the needed permissions dynamically because
>> annotations require constant values - this is *not* a limitation of Shiro
>> but of annotations.
>>
>> Have a look at the API to get an idea of what Shiro supports
>> https://shiro.apache.org/static/1.2.3/apidocs/ .
>>
>>
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Dynamic-Authorization-tp7580696p7580697.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>
>
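
Added example, not part of the thread and not Shiro's own code: the per-record check discussed above, using Shiro's WildcardPermission with the record id as the instance part, run against the XYZ/QRS scenario. The Rec type, the grantsFor policy, the user and group names and the allowed id characters are assumptions made for illustration; it needs Java 16+ and shiro-core on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class RecordPermissions {
    // Constructed record metadata: owner, group, and whether the group may read.
    record Rec(String id, String owner, String group, boolean groupRead) {}

    // Build "record:<action>:<id>" at runtime. Ids containing the tokens
    // ':' ',' '*' (or empty ids) are rejected so an id cannot reshape the
    // permission. The default WildcardPermission ignores case, so ids that
    // differ only by case would share one permission.
    static Permission required(String action, String id) {
        if (id == null || !id.matches("[A-Za-z0-9_-]+")) {
            throw new IllegalArgumentException("invalid record id");
        }
        return new WildcardPermission("record:" + action + ":" + id);
    }

    // Grants a custom realm could return for one user (assumed policy).
    static List<Permission> grantsFor(String user, String userGroup, Rec r) {
        List<Permission> grants = new ArrayList<>();
        if (user.equals(r.owner())) {
            grants.add(new WildcardPermission("record:read,write:" + r.id()));
        } else if (r.groupRead() && userGroup.equals(r.group())) {
            grants.add(new WildcardPermission("record:read:" + r.id()));
        }
        return grants;
    }

    static boolean allowed(List<Permission> grants, Permission needed) {
        return grants.stream().anyMatch(g -> g.implies(needed));
    }

    // Guard for the data-access method; needs a configured SecurityManager.
    static void require(String action, String id) {
        SecurityUtils.getSubject().checkPermission(required(action, id));
    }

    public static void main(String[] args) {
        Rec xyz = new Rec("XYZ", "userA", "group1", false);
        Rec qrs = new Rec("QRS", "userC", "group1", true);
        System.out.println("A write XYZ: " + allowed(grantsFor("userA", "group1", xyz), required("write", "XYZ")));
        System.out.println("B read XYZ:  " + allowed(grantsFor("userB", "group1", xyz), required("read", "XYZ")));
        System.out.println("D read QRS:  " + allowed(grantsFor("userD", "group1", qrs), required("read", "QRS")));
        System.out.println("D write QRS: " + allowed(grantsFor("userD", "group1", qrs), required("write", "QRS")));
    }
}
```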