My Spring application has various types of resources that some users
have permission to read, update, delete, etc. I will use the Stormtrooper
example from the Shiro documentation to illustrate my goals.

As far as I'm concerned, Shiro has item-level permissions in the form
"domain:action:item_id". So, the GET controller method would be rewritten
as:

    @GetMapping(path = "/{id}")
    public Stormtrooper getTrooper(@PathVariable("id") String id) throws NotFoundException {
        // Instance-based annotations are not supported, so we use
        // direct check instead:
        SecurityUtils.getSubject().checkPermission(String.format("troopers:read:%s", id));
        Stormtrooper stormtrooper = trooperDao.getStormtrooper(id);
        if (stormtrooper == null) {
            throw new NotFoundException(id);
        }
        return stormtrooper;
    }

Now I would like to implement a method that lists all Stormtroopers
for a given User. I can't use @RequiresPermission("troopers:read") as
there may be users who can only read some stormtroopers, not all of
them.

I need some mechanism to obtain all objects of a given type that the
user is permitted to read. Given a permission wildcard, say "troopers:read:*",
I want to get all permissions that satisfy it and then ask the DAO for these
objects and return them as a collection.

How can I achieve that?

Thanks in advance.
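
The following is an added example, not part of the original post and not Shiro's own sample code. It shows how the "domain:action:item_id" strings from the post behave under Shiro's `WildcardPermission.implies()`, by filtering candidate ids against a user's grants instead of enumerating the grants. The class name `ReadableTroopers`, the method `readableIds`, the id pattern and all sample grants are constructed for illustration; it needs shiro-core on the classpath.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.apache.shiro.authz.permission.WildcardPermission;

public class ReadableTroopers {

    // Returns the candidate ids for which at least one granted permission
    // implies "troopers:read:<id>" (hypothetical helper, not a Shiro API).
    static List<String> readableIds(List<String> granted, List<String> candidateIds) {
        List<WildcardPermission> grants = granted.stream()
                .map(WildcardPermission::new)
                .collect(Collectors.toList());
        return candidateIds.stream()
                // ':' ',' and '*' are delimiters in Shiro permission strings.
                // An id containing them would change the structure of the
                // permission being checked, so only plain ids are accepted
                // (the allowed pattern is an assumption about the id format).
                .filter(id -> id.matches("[A-Za-z0-9_-]+"))
                .filter(id -> {
                    WildcardPermission wanted =
                            new WildcardPermission("troopers:read:" + id);
                    return grants.stream().anyMatch(g -> g.implies(wanted));
                })
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data: ids as a DAO might return them.
        List<String> ids = List.of("1", "2", "3", "7", "9");

        // Item-level grants: a comma list, another action, an action wildcard.
        List<String> itemLevel =
                List.of("troopers:read:1,2", "troopers:update:3", "troopers:*:7");
        System.out.println(readableIds(itemLevel, ids));

        // A two-part grant names no ids at all, yet implies every instance,
        // so listing the grants that match "troopers:read:*" cannot recover ids.
        System.out.println(readableIds(List.of("troopers:read"), ids));
    }
}
```

Inside a running application, `SecurityUtils.getSubject().isPermitted("troopers:read:" + id)` performs the same implication check against the permissions the realm supplies for the current user.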