I'm probably not the best person to answer this, because I'm pretty much a
shiro amateur myself.  But this is what I'm doing, based on advice I got
about 8-9 months ago on this list.  You can probably search for other
threads from me and locate the original discussion.

Note the code below has been simplified for clarity and has not been tested.
Here is my Realm:

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.Sha256CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
public class SprtzRealm extends AuthorizingRealm {
    protected MemberService memberService = null;

    public SprtzRealm() {
        setName("SprtzRealm");
        // Stored passwords are SHA-256 hashes; the matcher hashes the
        // submitted password before comparing it with member.getPassword().
        setCredentialsMatcher(new Sha256CredentialsMatcher());
    }

    @Autowired
    public void setMemberService(MemberService memberService) {
        this.memberService = memberService;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        Member member = memberService.findMember(token.getUsername());
        if (member != null && member.isValidated()) {
            // The member id becomes the Subject's principal; the stored hash is the credential.
            return new SimpleAuthenticationInfo(member.getId(), member.getPassword(), getName());
        } else {
            return null;
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // The principal we issued in doGetAuthenticationInfo is the member id.
        Long memberId = (Long) principals.fromRealm(getName()).iterator().next();
        Member member = memberService.getMember(memberId);
        if (member != null) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            // Allow member to edit themselves
            info.addStringPermission("member:edit:" + memberId);
            // Allow member to edit projects that they own or are admins of
            for (ProjectParticipant pp : member.getProjectParticipations()) {
                if (pp.isOwner() || pp.isAdmin()) {
                    info.addStringPermission("project:edit:" + pp.getProject().getId());
                    info.addStringPermission("project:delete:" + pp.getProject().getId());
                }
            }
            // Add other permissions here... (view projects, etc.)
            return info;
        } else {
            return null;
        }
    }

    // AuthorizingRealm declares this method protected; overriding it as public
    // lets the service layer evict a subject's cached AuthorizationInfo.
    @Override
    public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
        super.clearCachedAuthorizationInfo(principals);
    }

}

In my service layer, when a new project is created:

    // Collaborators (log, projectDao, memberService, realm) are injected
    // elsewhere in the service; only the method body is shown.
    public void createProject(Project project) {
        log.debug("Creating project: " + project);
        if (project.getCreated() == null) {
            project.setCreated(new Date());
        }
        projectDao.save(project);

        Member member = memberService.getCurrentMember();
        log.debug("Adding project participation to member for: " + project);
        ProjectParticipant p = new ProjectParticipant();
        p.setCreated(new Date());
        p.setMember(member);
        p.setProject(project);
        p.setOwner(true);
        member.addProjectParticipation(p);

        memberService.updateMember(member);

        // Clear and refresh Shiro permissions: evicting the current subject's
        // cached AuthorizationInfo makes the next permission check call
        // doGetAuthorizationInfo again and pick up the new participation.
        realm.clearCachedAuthorizationInfo(SecurityUtils.getSubject().getPrincipals());
    }

So basically, I create shiro permissions based on data that is extracted
from my POJOs.  If I change the data stored in the POJOs (like adding a new
project to a member), I simply tell my Realm to clear its cache and reload
the data.  That last line does this.

I hope this helps!

Tauren
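The call in the post evicts the cache entry for the subject that is currently logged in. For the admin-tool case in the quoted question (an admin changing another user's permissions, effective without that user logging out), the realm must be able to rebuild the cache key from nothing but the target member's id. The following is an added example, not code from Tauren's post or from the Shiro project; it extends the SprtzRealm above and assumes Shiro 1.x's protected getAuthorizationCacheKey hook and that the member id is the only principal this realm issues.

```java
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

// Added example (hypothetical subclass, not part of the original post).
public class SprtzRealmWithTargetedEviction extends SprtzRealm {

    // By default the authorization cache is keyed by the whole PrincipalCollection.
    // Keying it by member id instead lets us address an entry for any member.
    @Override
    protected Object getAuthorizationCacheKey(PrincipalCollection principals) {
        java.util.Collection<?> ours = principals.fromRealm(getName());
        if (ours == null || ours.isEmpty()) {
            // Principal did not come from this realm; keep Shiro's default key.
            return super.getAuthorizationCacheKey(principals);
        }
        return (Long) ours.iterator().next();
    }

    // Called by the service layer after an admin action or a points threshold
    // changes what memberId may do. The member's next isPermitted() call reloads
    // doGetAuthorizationInfo from the database instead of the stale cache entry.
    public void clearCachedAuthorizationInfoFor(Long memberId) {
        PrincipalCollection principals =
                new SimplePrincipalCollection(memberId, getName());
        // Resolves to the same member-id key as the entry stored at login time.
        clearCachedAuthorizationInfo(principals);
    }
}
```

Revocations are only as prompt as this eviction: until the entry is removed, permission checks for that member keep answering from the cached AuthorizationInfo built at login.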

On Thu, Jan 14, 2010 at 7:42 AM, oliverw <[email protected]> wrote:

>
> I'm using the Shiro Grails Plugin and would like to implement the following
> in my application:
>
> 1. Certain actions of the user accumulate points for him and at certain
> thresholds this will yield the user new (shiro) permissions.
> 2. The extended permission set should be effective immediately without
> forcing the user to logout and back in
> 3. Ideally the permissions should be altered by an admin user using some
> administration tool for a logged in user and become effective immediately.
>
> I have implemented all of this but the part where the shiro session of an
> arbitrary user is updated. Any suggestions?
> --
> View this message in context:
> http://n2.nabble.com/Elevating-permissions-without-requiring-the-user-to-logoff-logon-tp4393371p4393371.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
