I think I have it figured out. I don't actually assign permissions to the user. I take the permissions assigned to the record and then test the user access against the record permissions.
Thanks!!

On Wed, Sep 9, 2015 at 11:39 AM, Mark <[email protected]> wrote:

> I am not interested in using annotations, so we don't need to worry about
> that.
>
> The part I don't understand here is, how can you assign permissions to a
> Subject dynamically?
>
> On Wed, Sep 9, 2015 at 11:12 AM, Tomas Lund Petersen <[email protected]> wrote:
>
>> Hi,
>> This is possible and I have done it.
>> But you can't use annotations. You have to manually check for the user's
>> permissions using User.isPermitted(requiredPermission);
>> For example:
>> if(SecurityUtils.getSubject().isPermitted(requiredPermission)){
>>     //do stuff here
>> }else{
>>     throw new UnauthorizedException();
>> }
>> Where requiredPermission must be the permission associated to access
>> record XYZ or QRS in your example. You will have to look it up dynamically.
>> Hope it helps,
>> Tomas Lund Petersen
>>
>> On Wed, Sep 9, 2015 at 11:49 AM, Mark <[email protected]> wrote:
>>
>>> Thanks for the information. Would it be possible to set a Subject's
>>> record access at runtime? I'm envisioning the following scenario:
>>>
>>> User A, who is in Group 1 creates a record (XYZ) and only wants to have
>>> full access for themself.
>>> User B, who is also in Group 1 tries to access record XYZ. User B
>>> should be denied.
>>>
>>> User C, who is in Group 1 creates a Record (QRS) wants everyone in their
>>> group to read the record.
>>> User D, who is in Group 1 wants to read record QRS. User D should be
>>> able to read record QRS but not make changes.
>>>
>>> This feels like it should be similar to UNIX file permissions, but I
>>> don't know how to enforce all this at runtime in Shiro. The first scenario
>>> would make the record XYZ have permission of 600, while the permissions on
>>> record QRS would be 660. Maybe I just need a custom class that can
>>> translate this in Shiro. If so, would this require a custom
>>> PermissionResolver?
>>>
>>> On Wed, Sep 9, 2015 at 2:48 AM, scSynergy <[email protected]> wrote:
>>>
>>>> You can verify whether a user / role has access to the record by
>>>> including these lines at the very beginning of the method which
>>>> retrieves it from your database:
>>>>
>>>> // Collection<Permission> is the type checkPermissions accepts
>>>> Set<Permission> permissions = new HashSet<>();
>>>> permissions.add(new WildcardPermission("record:read:user"));
>>>> permissions.add(new WildcardPermission("record:write:user"));
>>>> // checkPermissions (plural) takes the whole collection
>>>> SecurityUtils.getSubject().checkPermissions(permissions);
>>>> // retrieve stuff from database
>>>>
>>>> The checkPermission method will continue on normally when the subject
>>>> has the needed permissions and throw an UnauthorizedException if not.
>>>>
>>>> You can also use annotations like
>>>> @RequiresPermissions({"record:read:user", "record:write:user"})
>>>> but then you cannot define the needed permissions dynamically because
>>>> annotations require constant values - this is *not* a limitation of
>>>> Shiro but of annotations.
>>>>
>>>> Have a look at the API to get an idea of what Shiro supports
>>>> https://shiro.apache.org/static/1.2.3/apidocs/ .
>>>>
>>>> --
>>>> View this message in context:
>>>> http://shiro-user.582556.n2.nabble.com/Dynamic-Authorization-tp7580696p7580697.html
>>>> Sent from the Shiro User mailing list archive at Nabble.com.
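
The approach in the top reply (permissions stored on the record, the user tested against them), sketched with UNIX-style mode bits as an added example that is not code from the thread or from Shiro. `StoredRecord`, `Caller`, `isAllowed` and `require` are hypothetical names, Java 16+ is assumed for `record`, and QRS uses mode 0640 because the scenario wants group read without write (0660 would also grant the group write).

```java
import java.util.Set;

// Added example (not from the thread): UNIX-style mode bits stored on each
// record and tested against the caller. All names here are hypothetical.
public class RecordAccessDemo {
    enum Action {
        READ(4), WRITE(2);
        final int bit;
        Action(int bit) { this.bit = bit; }
    }

    // Record metadata; a real application loads this from its database.
    record StoredRecord(String id, String owner, String group, int mode) {}

    // Caller identity; with Shiro the name would come from
    // SecurityUtils.getSubject().getPrincipal() and the groups from the realm.
    record Caller(String name, Set<String> groups) {}

    static boolean isAllowed(Caller c, StoredRecord r, Action a) {
        int shift;
        if (c.name().equals(r.owner())) {
            shift = 6;                       // owner bits
        } else if (c.groups().contains(r.group())) {
            shift = 3;                       // group bits
        } else {
            shift = 0;                       // everyone else
        }
        return ((r.mode() >> shift) & a.bit) != 0;
    }

    // Deny by throwing, the same shape as Shiro's checkPermission.
    static void require(Caller c, StoredRecord r, Action a) {
        if (!isAllowed(c, r, a)) {
            throw new SecurityException(c.name() + " may not " + a + " " + r.id());
        }
    }

    public static void main(String[] args) {
        // Constructed sample data matching the thread's users and records.
        StoredRecord xyz = new StoredRecord("XYZ", "userA", "group1", 0600);
        StoredRecord qrs = new StoredRecord("QRS", "userC", "group1", 0640);
        Caller b = new Caller("userB", Set.of("group1"));
        Caller d = new Caller("userD", Set.of("group1"));
        System.out.println("B reads XYZ:  " + isAllowed(b, xyz, Action.READ));
        System.out.println("D reads QRS:  " + isAllowed(d, qrs, Action.READ));
        System.out.println("D writes QRS: " + isAllowed(d, qrs, Action.WRITE));
        require(new Caller("userA", Set.of("group1")), xyz, Action.WRITE); // userA owns XYZ
    }
}
```

As with UNIX files, the owner is matched first, so an owner who is also in the record's group gets only the owner bits.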
