Hi Mike,

Glad to help! And welcome!

> Thanks for the quick reply Les. This sort of thing makes me feel good about
> picking Shiro as the security framework for our project.

I hope you enjoy it - the community is pretty strong and is continuing to grow, and we'll probably (hopefully!) graduate to an Apache Top Level Project (TLP) at the next September Apache board meeting.

> We are using Jersey, but the annotations are in fact JSR-spec. I need to
> build something rather quickly, so I will likely use the
> HttpMethodPermissionFilter (or maybe the AspectJ implementation that is
> currently there) in the short term (very short). However, longer-term it
> would be great to have the JSR-311 annotation support.

Could you please create a Jira issue for this? New features will almost definitely get lost unless they're tracked.

One difficulty that I see with this is that there are many ways of implementing this - AspectJ, Spring AOP, JBoss AOP, etc. We'd have to talk through on the dev list how to accomplish it. Please feel free to sign up for the dev list if you'd like to help us.

> As for HttpMethodPermissionFilter:
> The Shiro documentation does mention that it has item level permissions, but
> I don't see how that can be used by HttpMethodPermissionFilter (or with AOP
> for that matter). Am I missing something?

The HttpMethodPermissionFilter doesn't support instance-level permissions at the moment, because it doesn't know where in the request URL to parse the id. Some work would be needed to support this, but it shouldn't be hard. You could probably subclass HttpMethodPermissionFilter to do it easily.

If you can make this work for any app, please consider contributing back any fixes as a patch and we'll be able to include it in an upcoming release.

Best regards,

Les
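
One way to do the subclassing described in the reply above, as an added example that is not code from this thread or from the Shiro project. It assumes Shiro 1.x on javax.servlet, REST URLs that end in a numeric instance id (for example /users/42), and a hypothetical class name.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;

/**
 * Hypothetical subclass (not part of Shiro). With a mapping such as
 *   /users/** = rest[user]
 * a GET of /users/42 is checked against "user:read:42" instead of "user:read".
 */
public class InstanceHttpMethodPermissionFilter extends HttpMethodPermissionFilter {

    // Assumed URL convention: the instance id is a trailing numeric segment.
    // Digits only, so ':', ',' and '*' (all meaningful in Shiro's wildcard
    // permission syntax) can never reach the permission string.
    private static final Pattern TRAILING_ID = Pattern.compile("/(\\d{1,18})/?$");

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        String[] configured = (String[]) mappedValue;
        Matcher id = TRAILING_ID.matcher(getPathWithinApplication(request));
        if (configured == null || configured.length == 0 || !id.find()) {
            // No id in the URL (e.g. a collection): keep the stock type-level
            // check, which instance-only grants do not satisfy.
            return super.isAccessAllowed(request, response, mappedValue);
        }

        // "user" -> "user:read" using the parent's HTTP-method-to-action mapping.
        // clone() so the filter's configured array is never modified in place.
        String[] perms = buildPermissions(configured, getHttpMethodAction(request)).clone();
        for (int i = 0; i < perms.length; i++) {
            perms[i] = perms[i] + ":" + id.group(1);
        }
        // Check directly rather than via super, which would append the action again.
        return getSubject(request, response).isPermittedAll(perms);
    }
}
```

The id the filter extracts must be the same one the resource handler acts on; if the application reads the id from anywhere else (a query parameter, a request body), the permission check and the operation can refer to different instances.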
