> Maybe we should provide both options. At the url configuration level
> as already mentioned, and maybe each filter also has the ability to
> decide. But given this is boilerplate, maybe it could be written in
> the top-level PathMatchingFilter (from which all other Shiro filters
> extend). That way an end user can use what they prefer or what the
> situation deems most appropriate. Thoughts?
Seems reasonable, although imagine you could have confusing looking
rules if methods are specified on the URL and the filter. But that
would be plainly pathological.
> How about:
>
> /rest/**[GET,POST,...] = foo, bar, baz
The only thing I don't like about this format is that the methods
dominate the URL, so the latter isn't easy to read and compare to
other URLs. But I'm OK with it.
BTW, this seems to have been raised before:
https://issues.apache.org/jira/browse/SHIRO-107
That's been closed, but I take it the implementation was the
HttpMethodPermissionFilter.
Peter
