Hi, I want to add fine-grained authorization for calls to the REST API. For example: a) users can read all fields of their own profile but only a subset of fields in other profiles, or b) only administrators are allowed to create new groups, etc.
I thought of setting up Shiro after the AuthenticationServletFilter found a SecurityToken, and then to verify the permissions in my PersonService class. Does that make sense? What would be the proper way of authorizing REST requests in Shindig?

Many thanks,
Ronny
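One way to express the two rules from the question as a service-layer check with Shiro, as an added example that is neither part of the original message nor Shindig's or Shiro's own code. It assumes the viewer id has already been established by AuthenticationServletFilter (in Shindig that would be `SecurityToken.getViewerId()`, passed through to PersonService along with the requested field set); the Shiro Subject is then built from that id rather than by a password login. The public field set, the permission strings `profile:read:<field>` and `group:create`, the realm name `"shindig"`, and the users and roles in the ini are all constructed for the example, not a policy Shindig ships with.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Field-level profile policy plus an admin-only action, checked in the service layer. */
public class ProfileAuthzExample {

    // Assumed policy: fields anyone may read on another user's profile.
    static final Set<String> PUBLIC_FIELDS =
        new LinkedHashSet<String>(Arrays.asList("id", "displayName", "thumbnailUrl"));

    /**
     * Builds a Shiro Subject for an already-authenticated viewer id (in Shindig:
     * token.getViewerId()). No credentials are checked here; the servlet filter did that.
     */
    static Subject subjectFor(String viewerId) {
        return new Subject.Builder(SecurityUtils.getSecurityManager())
            .principals(new SimplePrincipalCollection(viewerId, "shindig"))  // realm name is an assumption
            .authenticated(true)
            .buildSubject();
    }

    /** Rule a): the subset of the requested fields that the viewer may read on ownerId's profile. */
    static Set<String> permittedFields(Subject viewer, String ownerId, Set<String> requested) {
        String viewerId = (String) viewer.getPrincipal();
        Set<String> allowed = new LinkedHashSet<String>();
        for (String field : requested) {
            // Own profile: everything. Other profiles: public fields, or a field-specific
            // permission "profile:read:<field>" granted through a role.
            if (viewerId.equals(ownerId)
                    || PUBLIC_FIELDS.contains(field)
                    || viewer.isPermitted("profile:read:" + field)) {
                allowed.add(field);
            }
        }
        return allowed;
    }

    /** Rule b): throws AuthorizationException unless the viewer may create groups. */
    static void requireGroupCreate(Subject viewer) {
        viewer.checkPermission("group:create");
    }

    public static void main(String[] args) {
        // Constructed users and roles; a real deployment would back this with its own Realm.
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("alice", "unused-password, member");          // password never used: Subject is built from the token
        users.put("bob", "unused-password, member, admin");
        Ini.Section roles = ini.addSection("roles");
        roles.put("member", "profile:read:displayName");
        roles.put("admin", "group:create, profile:read:*");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);

        Set<String> wanted = new LinkedHashSet<String>(
            Arrays.asList("id", "displayName", "emails", "birthday"));

        Subject alice = subjectFor("alice");
        System.out.println("alice on alice: " + permittedFields(alice, "alice", wanted));
        System.out.println("alice on bob:   " + permittedFields(alice, "bob", wanted));

        Subject bob = subjectFor("bob");
        System.out.println("bob on alice:   " + permittedFields(bob, "alice", wanted));

        try {
            requireGroupCreate(alice);
            System.out.println("alice created a group (unexpected)");
        } catch (AuthorizationException e) {
            System.out.println("alice may not create groups");
        }
        requireGroupCreate(bob);
        System.out.println("bob may create groups");
    }
}
```

The checks live in the service method rather than in the filter because the decision depends on request data the filter does not see (which profile is being read, which fields were asked for); the filter's job is only to establish who the viewer is. The service then returns the filtered field set, so a caller who asks for `emails` on someone else's profile simply does not get that field rather than being told it exists. In a servlet container the `SecurityManager` would be installed once at startup instead of in `main`, and the ini-defined accounts would be replaced by a `Realm` that looks up roles for the viewer id.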