Hi Fernando,
Usually permissions are best represented as simple strings. You can
implement the permission interface if you want, but this is usually
done for special reasons or maybe to increase performance (at the
added cost of maintaining more code yourself).
You typically want to think of these things by breaking them down into
a statement:
"someone" wants to "do something" with a "resource" (or "domain"). In
your case, that might translate to:
The current Subject (someone) wants to register (do something) for a
type of event (domain). In Shiro's WildcardPermission string format,
that would translate to a permission:
"event:register"
Then you would perform a security check at runtime:
if ( subject.isPermitted("event:register") ) {
//they're allowed to register for any event
//show the register button.
}
Or, if you want to check if they are only allowed to register for a
particular event, say, event with ID 23973, you perform this check:
if ( subject.isPermitted("event:register:23973") ) {
//they're allowed to register for this specific event
//so show the register button.
}
These calls would eventually make their way down to your Realm, and
check the AuthorizationInfo that you returned in your
doGetAuthorizationInfo implementation (if you subclass
AuthorizingRealm). Your implementation can return permissions for
that user in any way your data model supports (e.g. a user has roles,
a role has permissions, so a user 'has' all the permissions in all of
their roles, etc).
Does this help?
Regards,
Les
On Thu, Mar 18, 2010 at 11:48 AM, Fernando Wermus
<[email protected]> wrote:
> Hi all,
> I would like to explain my scenario and find the best way to apply
> Shiro in it for the best fit.
>
>
> I have a user that could register to a periodical event and there is a
> registration object to do it.
> I have a link in a web page for user registration on my webapp. This link
> has a condition that will enable or disable it,
>
> (!registration.isRegistered(user))
>
> What it means is: if the user is already registered, disable the link (business
> authorization).
> As he is watching the event, he has acquired the following role:
> suscriptor (he has the right to register in the event because he is a
> suscriptor of that kind of events),
> which has the following permission:
> registration:register
> My question is the following,
> Where do I evaluate this condition?
> I imagine something as the following
>
> import org.apache.shiro.authz.Permission;
>
> public class RegistrationPermission implements Permission {
>
>     private String name;
>
>     public RegistrationPermission(String name) {
>         this.name = name;
>     }
>
>     @Override
>     public boolean implies(Permission arg0) {
>         return false;
>     }
>
>     // User, WicketSession and Registration are my application's own classes
>     public boolean isVisible(Object object) {
>         User user = WicketSession.getUser();
>         Registration registration = (Registration) object;
>         return !registration.isRegistered(user);
>     }
>
> }
>
> But the problem here is that instead of doing
> subject.isPermitted(unRegistrationPermission);
> I should do
> if (unRegistrationPermission.isVisible(WicketSession.getShownObject())){
> ......
> }
> I hope to have been clear enough
> thanks in advance
>
> Fernando Wermus.
>
> www.linkedin.com/in/fernandowermus
>
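As an added, stand-alone example of what Les describes in the reply above (this is not code from the thread or from Shiro itself): a Realm that subclasses AuthorizingRealm, maps users to roles and roles to WildcardPermission strings in doGetAuthorizationInfo, and the "event:register" / "event:register:23973" checks done through Subject.isPermitted at runtime. The InMemoryEventRealm class, its users, passwords, roles and permission strings, and the canRegisterFor helper are all assumptions made up here for illustration; the class compiles against shiro-core 1.x.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class EventPermissionExample {

    /**
     * Hypothetical realm backed by in-memory maps (constructed sample data).
     * A user has roles and a role has permission strings, so the user "has"
     * every permission of every role; that is what doGetAuthorizationInfo returns.
     */
    static class InMemoryEventRealm extends AuthorizingRealm {
        private final Map<String, String> passwords = new HashMap<String, String>();
        private final Map<String, Set<String>> userRoles = new HashMap<String, Set<String>>();
        private final Map<String, Set<String>> rolePerms = new HashMap<String, Set<String>>();

        InMemoryEventRealm() {
            passwords.put("fernando", "secret");
            passwords.put("guest", "guest");
            userRoles.put("fernando", set("suscriptor"));
            userRoles.put("guest", set("viewer"));
            // suscriptor may register for any event; viewer only for event 23973
            rolePerms.put("suscriptor", set("event:view", "event:register"));
            rolePerms.put("viewer", set("event:view", "event:register:23973"));
        }

        private static Set<String> set(String... items) {
            return new HashSet<String>(Arrays.asList(items));
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            UsernamePasswordToken upToken = (UsernamePasswordToken) token;
            String stored = passwords.get(upToken.getUsername());
            if (stored == null) {
                return null; // unknown account; Shiro reports it as an AuthenticationException
            }
            // The realm's default SimpleCredentialsMatcher compares this String with the token's char[]
            return new SimpleAuthenticationInfo(upToken.getUsername(), stored, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            Set<String> roles = userRoles.get(username);
            if (roles == null) {
                return info; // authenticated but no roles: every isPermitted() check fails closed
            }
            for (String role : roles) {
                info.addRole(role);
                Set<String> perms = rolePerms.get(role);
                if (perms != null) {
                    info.addStringPermissions(perms); // resolved to WildcardPermission by Shiro
                }
            }
            return info;
        }
    }

    /** The runtime check from the reply: whether to show the register link for one event. */
    static boolean canRegisterFor(Subject subject, long eventId) {
        return subject.isPermitted("event:register:" + eventId);
    }

    public static void main(String[] args) {
        // The string checks rely on WildcardPermission's implies() hierarchy: a permission
        // with fewer parts covers every value of the parts it leaves out, not the other way round.
        WildcardPermission anyEvent = new WildcardPermission("event:register");
        WildcardPermission oneEvent = new WildcardPermission("event:register:23973");
        System.out.println("event:register implies event:register:23973? " + anyEvent.implies(oneEvent));
        System.out.println("event:register:23973 implies event:register? " + oneEvent.implies(anyEvent));

        DefaultSecurityManager securityManager = new DefaultSecurityManager(new InMemoryEventRealm());

        Subject fernando = new Subject.Builder(securityManager).buildSubject();
        fernando.login(new UsernamePasswordToken("fernando", "secret"));
        System.out.println("fernando, any event: " + fernando.isPermitted("event:register"));
        System.out.println("fernando, event 500: " + canRegisterFor(fernando, 500));

        Subject guest = new Subject.Builder(securityManager).buildSubject();
        guest.login(new UsernamePasswordToken("guest", "guest"));
        System.out.println("guest, any event:   " + guest.isPermitted("event:register"));
        System.out.println("guest, event 23973: " + canRegisterFor(guest, 23973));
        System.out.println("guest, event 500:   " + canRegisterFor(guest, 500));

        fernando.logout();
        guest.logout();
    }
}
```

The point the two implies() calls make is the one Les relies on: "event:register" is implied by nothing narrower, so a role holding it passes the per-event check for every event ID, while a role holding only "event:register:23973" passes that one check and fails both "event:register" and any other ID. Subject.isPermitted(String) resolves the string with Shiro's default WildcardPermissionResolver, so the same hierarchy applies to the string checks in the reply. The "already registered" condition from the question is application state rather than a permission and is deliberately not modelled here.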