Hi, For the rest resources I expose in my application, I'd like to have different permissions based on the id of the resource.
Example: for the resource /store/books/123: * user1 can update it (i.e run the request PUT /store/books/123 with success) * user2 cannot (i.e get a 403 when running PUT /store/books/123) First, I try to use HttpMethodPermissionFilter. But with it, I don't have access to the id of the resource. If my ini configuration is: /store/books/** rest[books] I only get permissions like books:read or books:update. But what I'd like is: books:read:123 So I was thinking to use regex to extract the part of the url I'm interessed in. Example with this configuration: /store/books/(.*) rest[books] The filter could extract the group(s) defined in the url, and add them to the permission. What do you think? Do you see another solution to do that? Thanks for your help Nicolas PS: I already write the code to do this. The only difficult part is that the PatternMatcher we want to use (here RegExPatternMatcher) is not easily injectable into the different filter or chain resolver. If asked I'll start another thread about this -- View this message in context: http://shiro-developer.582600.n2.nabble.com/Rest-resource-authorisation-tp6998028p6998028.html Sent from the Shiro Developer mailing list archive at Nabble.com.
