Details
Type: Documentation
Status: Open
Priority: Major
Resolution: Unresolved
Description
I was playing around with custom realms and I set up the following AuthorizingRealm:

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class TestRealm extends AuthorizingRealm {

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken inToken)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) inToken;
        // Only two test users exist; the submitted password is returned as the stored credentials
        if (upToken.getUsername().equals("Kamal") || upToken.getUsername().equals("NotKamal"))
            return new SimpleAuthenticationInfo(upToken.getUsername(), upToken.getPassword(), getName());
        return null;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection inPrincipals) {
        String username = (String) inPrincipals.fromRealm(getName()).iterator().next();
        SimpleAuthorizationInfo authzInfo = new SimpleAuthorizationInfo();
        authzInfo.addRole("User");
        if (username.equals("Kamal")) {
            // Kamal gets five explicit, fully qualified permissions
            authzInfo.addStringPermission("PRODMA:READ:AU");
            authzInfo.addStringPermission("PRODMA:WRITE:AU");
            authzInfo.addStringPermission("PRODMA:READ:KB");
            authzInfo.addStringPermission("PRODMA:WRITE:KB");
            authzInfo.addStringPermission("SUPPMA:READ:KB");
        } else {
            // NotKamal gets one permission whose action and instance parts contain a wildcard
            authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
        }
        return authzInfo;
    }
}
I then set up the following resource (I am using Guice + Jersey):

import com.google.inject.Inject;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Path("/{client}/shiroResource")
public class ShiroResource {
    private static final Logger LOG = LoggerFactory.getLogger(ShiroResource.class);
    private HttpSession mSession;

    @Inject
    public ShiroResource(HttpSession inSession) {
        mSession = inSession;
    }

    @POST
    @Path("requiresProdma.do")
    @Produces(MediaType.APPLICATION_JSON)
    @Consumes(MediaType.APPLICATION_JSON)
    @RequiresPermissions({ "PRODMA:*:*" })
    public String prodmaRequired() {
        return "Success";
    }

    @GET
    @Path("requiresSuppma.do")
    @Produces(MediaType.APPLICATION_JSON)
    @Consumes(MediaType.APPLICATION_JSON)
    @RequiresPermissions("PRODMA:*")
    public String suppmaRequired() {
        return "Success";
    }
}
Now, if I log in as NotKamal I have access to ShiroResource.suppmaRequired, but if I log in as Kamal, I won't. It took me a while to work out that I needed to specify the permission string like this:
authzInfo.addStringPermission("PRODMA:READ,WRITE,*:AU,*");
I feel that this is a bit unintuitive, but I guess it is what it is. Can we provide better examples of setting up a custom realm with permissions? Preferably one which supports custom wildcards.
Thanks.
Kamal.
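The behaviour reported above follows from how Shiro's WildcardPermission decides whether a granted permission implies a required one: each granted permission is tested on its own, part by part, and a required wildcard part can only be satisfied by a granted part that itself contains "*". The script below is an added example, not code from the issue or from Shiro; it re-implements that matching rule in Python and runs the issue's two users against the two @RequiresPermissions strings.

```python
# Added example: a re-implementation of the matching rule of Shiro's
# WildcardPermission (not Shiro's own code), applied to the permissions
# from the issue. Parts are ':'-separated, sub-parts ','-separated, and
# compared case-insensitively, which is Shiro's default.
from typing import List, Set

WILDCARD = "*"


def parse(perm: str) -> List[Set[str]]:
    """'PRODMA:READ,WRITE:AU' -> [{'prodma'}, {'read', 'write'}, {'au'}]."""
    parts = [{sub.strip().lower() for sub in part.split(",") if sub.strip()}
             for part in perm.strip().split(":")]
    if any(not part for part in parts):
        raise ValueError(f"permission string {perm!r} has an empty part")
    return parts


def implies(granted: str, required: str) -> bool:
    """Does one GRANTED permission string satisfy the REQUIRED one?"""
    g, r = parse(granted), parse(required)
    for i, r_part in enumerate(r):
        if i >= len(g):
            # Granted has fewer parts: missing trailing parts are implied,
            # so "PRODMA" implies "PRODMA:READ:AU".
            return True
        g_part = g[i]
        # A required part is satisfied only if the granted part is a wildcard
        # or contains every required sub-part. "*" in the REQUIRED string is
        # never matched by a plain value such as "READ".
        if WILDCARD not in g_part and not r_part <= g_part:
            return False
    # Required has fewer parts: the granted remainder must be all wildcards.
    return all(WILDCARD in g_part for g_part in g[len(r):])


def is_permitted(granted: List[str], required: str) -> bool:
    """Shiro checks each granted permission independently; they never merge."""
    return any(implies(p, required) for p in granted)


# Constructed from the issue's realm: Kamal's five explicit permissions and
# NotKamal's single wildcard permission.
KAMAL = ["PRODMA:READ:AU", "PRODMA:WRITE:AU", "PRODMA:READ:KB",
         "PRODMA:WRITE:KB", "SUPPMA:READ:KB"]
NOTKAMAL = ["PRODMA:READ,WRITE,*:AU,*"]

if __name__ == "__main__":
    for who, perms in (("Kamal", KAMAL), ("NotKamal", NOTKAMAL)):
        for req in ("PRODMA:*:*", "PRODMA:*", "PRODMA:READ:AU"):
            print(f"{who:9} needs {req:14} -> {is_permitted(perms, req)}")
```

Kamal's five permissions cover every combination of action and instance individually, yet none of them implies "PRODMA:*" or "PRODMA:*:*", so the annotated resource methods reject him; a granted "PRODMA:*" (or the longer form used in the issue) is needed to pass such a check.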