"I can get the list of groups(roles) for the user and could use that to
populate the GroupPermission object, but there's no access info in LDAP for
the user so I don't know where/how to insert the access that a user needs to
complete this task."

You might be able to use a RolePermissionResolver to retrieve permissions
from some other data store (other LDAP branch or database) and map them to
the roles from the LDAP - here is an example I wrote for Active Directory (I
do not know whether LDAP realms can use RolePermissionResolvers):

# class name must match the package the resolver is declared in (see below)
rolePermissionResolver = de.scsynergy.elementary.qi.shiro.ActiveDirectoryRolePermissionResolver
# bean property name must match the setter on the resolver (setIdentifier)
rolePermissionResolver.identifier = something
activeDirectoryRealm.rolePermissionResolver = $rolePermissionResolver

-------------------------------------------------------------------------------------------------------------------------

package de.scsynergy.elementary.qi.shiro;

import de.scsynergy.elementary.qi.Compendium;
import de.scsynergy.elementary.qi.QiFacade;
import de.scsynergy.elementary.qi.Role;
import java.util.ArrayList;
import java.util.Collection;
import javax.inject.Inject;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.ops4j.pax.shiro.cdi.ShiroIni;

/**
 *
 * @author rf
 */
@ShiroIni
public class ActiveDirectoryRolePermissionResolver implements RolePermissionResolver {

    @Inject
    private Compendium compendium;
    @Inject
    private QiFacade facade;
    // Set from shiro.ini through the "identifier" bean property; until it is
    // configured the resolver returns no permissions for any role.
    private String tenantidentifier = null;

    public ActiveDirectoryRolePermissionResolver() {
    }

    @Override
    public Collection<Permission> resolvePermissionsInRole(String roleString) {
        // Unknown roles (or an unconfigured resolver) yield an empty collection,
        // so the role grants nothing rather than failing the authorization check.
        Collection<Permission> permissions = new ArrayList<>();
        if (this.tenantidentifier != null) {
            // Look the AD group name up in the application's own permission
            // store, scoped to the current tenant and user.
            Role role = facade.getNamedRole(roleString, compendium.getTenantId(), compendium.getUser());
            if (role != null) {
                permissions.addAll(role.getPermissions());
            }
        }
        return permissions;
    }

    public String getIdentifier() {
        return tenantidentifier;
    }

    public void setIdentifier(String tenantidentifier) {
        this.tenantidentifier = tenantidentifier;
    }
}

--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Dynamic-Authorization-tp7580696p7580723.html
Sent from the Shiro User mailing list archive at Nabble.com.
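
As an added example (not the post's code and not part of Shiro), the same approach with the permission store replaced by an in-memory map standing in for a database table, plus a check that mirrors what Shiro's AuthorizingRealm, which the LDAP and ActiveDirectory realms extend, does once the resolver is wired in: every role from the realm's AuthorizationInfo is passed through the resolver and the resulting permissions are tested with implies(). The class name, the sample group names and the permission strings are assumptions; only shiro-core is needed on the classpath.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;

/** Maps directory group names to permissions kept in a separate store (hypothetical class). */
public class StoreBackedRolePermissionResolver implements RolePermissionResolver {

    // role name -> wildcard permission strings; stands in for a database table
    private final Map<String, List<String>> store;

    public StoreBackedRolePermissionResolver(Map<String, List<String>> store) {
        this.store = store;
    }

    @Override
    public Collection<Permission> resolvePermissionsInRole(String roleString) {
        Collection<Permission> permissions = new ArrayList<>();
        // A group with no entry in the store grants nothing: deny by default.
        for (String def : store.getOrDefault(roleString, Collections.<String>emptyList())) {
            permissions.add(new WildcardPermission(def));
        }
        return permissions;
    }

    /** Same decision AuthorizingRealm makes: any resolved permission implying the request. */
    public boolean isPermittedByRoles(Collection<String> roles, String required) {
        Permission wanted = new WildcardPermission(required);
        for (String role : roles) {
            for (Permission granted : resolvePermissionsInRole(role)) {
                if (granted.implies(wanted)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, List<String>> store = new HashMap<>();          // constructed sample data
        store.put("Sales", List.of("order:read", "order:create"));
        store.put("Admins", List.of("*"));
        StoreBackedRolePermissionResolver resolver = new StoreBackedRolePermissionResolver(store);
        List<String> userGroups = List.of("Sales", "Marketing");    // "Marketing" is not in the store
        System.out.println("order:read   -> " + resolver.isPermittedByRoles(userGroups, "order:read"));
        System.out.println("order:delete -> " + resolver.isPermittedByRoles(userGroups, "order:delete"));
        System.out.println("admin delete -> " + resolver.isPermittedByRoles(List.of("Admins"), "order:delete"));
    }
}
```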