[
https://issues.apache.org/jira/browse/SHIRO-459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771991#comment-13771991
]
Stephen McCants commented on SHIRO-459:
---------------------------------------
I also developed something similar independent from Daniel. It seems likely
that there are other people who could benefit from this being part of the Shiro
framework by default, so I'm voting and following this issue.
> Support role-based authorization depending on HTTP request method
> -----------------------------------------------------------------
>
> Key: SHIRO-459
> URL: https://issues.apache.org/jira/browse/SHIRO-459
> Project: Shiro
> Issue Type: New Feature
> Components: Authorization (access control)
> Affects Versions: 1.2.2
> Reporter: Daniel Bimschas
> Priority: Minor
> Labels: features, newbie
>
> Below is a copy+paste from the Shiro users mailing list:
> =====================
> Dear Shiro gods!
> I'm struggling to figure out how I can do role-based authorization depending
> on what HTTP method a request is using. I've posted this question on
> StackOverflow as it seems nobody has been asking it before (at least I
> couldn't find it with my search terms). I would be incredibly happy if you
> could take a look!
> http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m
> Cheers
> Daniel Bimschas
> =============================
> Then, in a second mail I proposed a solution to the issue:
> =============================
> Digging into the Shiro source codes I found that this feature is in fact not
> available in Shiro. I've now implemented my own custom filter (extending
> RolesAuthorizationFilter) that allows you to do exactly what I wanted.
> Configuration for the filter follows the following example:
> [main]
> myFilter=my.package.HttpMethodRolesAuthorizationFilter
> [urls]
> /rest = authcBasic,
> myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]
> So, in this example
> - a user must be authenticated to execute any operation
> - a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT
> request,
> - a user with role EXPERIMENTER can send POST requests, and
> - a user with role ADMINISTRATOR can DELETE things
> I would be more than happy to contribute this little bit of code to the
> project in case you're interested!
> =============================
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
