Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-459

Support role-based authorization depending on HTTP request method

    XMLWordPrintableJSON

Details

    Description

      Below is a copy+paste from the Shiro users mailing list:

      =====================

      Dear Shiro gods!

      I'm struggling to figure out how I can do role-based authorization depending on what HTTP method a request is using. I've posted this question on StackOverflow as it seems nobody has been asking it before (at least I couldn't find it with my search terms). I would be incredibly happy if you could take a look!

      http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m

      Cheers
      Daniel Bimschas

      =============================

      Then, in a second mail I proposed a solution to the issue:

      =============================

      Digging into the Shiro source codes I found that this feature is in fact not available in Shiro. I've now implemented my own custom filter (extending RolesAuthorizationFilter) that allows you to do exactly what I wanted. Configuration for the filter follows the following example:

      [main]
      myFilter=my.package.HttpMethodRolesAuthorizationFilter
      [urls]
      /rest = authcBasic, myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]

      So, in this example

      • a user must be authenticated to execute any operation
      • a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT request,
      • a user with role EXPERIMENTER can send POST requests, and
      • a user with role ADMINISTRATOR can DELETE things

      I would be more than happy to contribute this little bit of code to the project in case you're interested!

      =============================

      Attachments

        Activity

          People

            Unassigned Unassigned
            danbim Daniel Bimschas
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: