Hi, I have written a new shiro filter HttpMethodAndPathPermissionFilter that extends HttpMethodPermissionFilter. What this allows for is dynamic construction of permissions based on the path components or the URL path in a REST API request, in addition to the HTTP method as the current "rest" filter does. For example, if you have the following:
[main] . . . rest_path = com.aol.advertising.cl.shiro.HttpMethodAndPathPermissionFilter [urls] /v1/** = ssl, noSessionCreation, authcBasic, rest_path[$2:$3] then a call to GET /v1/collection/ibm requires the permission collection:ibm:read and a call to PUT /v1/selection/xerox/ requires the permission selection:xerox:update This is most useful when a part of the path refers to some variable like client id or something that is not predicatble enough to configure explicity in advance. I have kept it as a separate filter rather than just enhancing the existing HttpMethodPermissionFilter because the cost of expanding the $1 and $2 etc should only be paid where required. It seems to be working perfectly fine for us, would there be any interest in acceptiing this for inclusion in the shiro core? Thanks. ------------ Saad Mufti -- View this message in context: http://shiro-developer.582600.n2.nabble.com/New-Filter-Proposal-tp7578113.html Sent from the Shiro Developer mailing list archive at Nabble.com.
