Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-534

Provide better documentation around permissions

    Details

    • Type: Documentation
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Documentation
    • Labels:

      Description

      I was playing around with custom realms and I setup the following AuthorizingRealm:-

      public class TestRealm extends AuthorizingRealm
      {
      
          @Override
          protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken inToken) throws AuthenticationException
          {
              UsernamePasswordToken upToken = (UsernamePasswordToken) inToken;
      
              if (upToken.getUsername().equals("Kamal") || upToken.getUsername().equals("NotKamal"))
                  return new SimpleAuthenticationInfo(upToken.getUsername(), upToken.getPassword(), getName());
      
              return null;
          }
      
          @Override
          protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection inPrincipals)
          {
              String username = (String) inPrincipals.fromRealm(getName()).iterator().next();
              SimpleAuthorizationInfo authzInfo = new SimpleAuthorizationInfo();
              authzInfo.addRole("User");
      
              if (username.equals("Kamal"))
              {
                  authzInfo.addStringPermission("PRODMA:READ:AU");
                  authzInfo.addStringPermission("PRODMA:WRITE:AU");
                  authzInfo.addStringPermission("PRODMA:READ:KB");
                  authzInfo.addStringPermission("PRODMA:WRITE:KB");
                  authzInfo.addStringPermission("SUPPMA:READ:KB");
              }
              else
              {
                  authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
              }
      
              return authzInfo;
          }
      }
      

      I then setup the following resource (I am using Guice + Jersey):-

      @Path("/{client}/shiroResource")
      public class ShiroResource
      {
          private static final Logger LOG = LoggerFactory.getLogger(ShiroResource.class);
          private HttpSession mSession;
      
          @Inject
          public ShiroResource(HttpSession inSession)
          {
              mSession = inSession;
          }
      
          @POST
          @Path("requiresProdma.do")
          @Produces(MediaType.APPLICATION_JSON)
          @Consumes(MediaType.APPLICATION_JSON)
          @RequiresPermissions({ "PRODMA:*:*" })
          public String prodmaRequired()
          {
              return "Success";
          }
      
          @GET
          @Path("requiresSuppma.do")
          @Produces(MediaType.APPLICATION_JSON)
          @Consumes(MediaType.APPLICATION_JSON)
          @RequiresPermissions("PRODMA:*")
          public String suppmaRequired()
          {
              return "Success";
          }
      }
      

      Now, if I login as NotKamal I have access to ShiroResource,suppmaRequired, but if I login as Kamal, I won't. It took me a while to work out that I needed to specify the permission string like this:-

                  authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
      

      i feel that this is a bit unintuitive, but I guess it is what it is. Can we provide better examples of setting up a custom realm with permissions? Preferably one which supports custom wildcards.

      Thanks.

      Kamal.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              kamal.bhatt@gmail.com Kamal
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: