This is somewhat related to the Logical.NOT discussion we had on the dev list a while back (see http://www.mail-archive.com/[email protected]/msg01488.html). For background, I implemented the ability to apply security annotations to classes and Logical.AND and Logical.OR but no Logical.NOT as part of https://issues.apache.org/jira/browse/SHIRO-175. In your case, the requirement to change the permissions at runtime makes this even more complicated. We may or may not add a more complex security expression syntax later but I don't see this happening before 1.1.0. You can take consolation in the fact that explicitly specifying all required expressions is the more secure way of configuring permissions. I heavily doubt the bracket notation would be enough for expressing negated expressions, but we'd be very interested in seeing more complete related proposals.
Kalle

On Thu, Sep 16, 2010 at 11:02 PM, Hussachai <[email protected]> wrote:
> I use shiro plugin for grails and allow user to add permission at runtime.
> My controller has many actions such as
> index,list,edit,create,save,update,search,delete ....
> Suppose that controller name is "foo"
> The permission string for simple foo controller is
> foo:*
> means everybody which has this permission can access all actions of foo
> controller.
> but if I want to deny only delete actions I must compose the permission
> string
> like this foo:index,list,edit,create,save,update,search
> This works out but the permission string is very long, if my controller has
> the actions more than this.
> It would be better if there are the syntax like this foo:[delete]
> add square bracket or something like that to deny only delete action but
> allow the rest.
> Thank you in advance.
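
The explicit allow-list approach discussed in this thread, as an added example that is not part of the original messages or of Shiro's own code: it builds the long permission string from the controller's known actions minus the denied ones and checks the result with Shiro's `WildcardPermission`. It assumes shiro-core is on the classpath; the class and helper names and the `purge` action are hypothetical.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ExplicitAllowList {

    // Hypothetical helper: "controller:a,b,c" from all known actions minus the denied ones.
    static String allowAllExcept(String controller, List<String> allActions, Set<String> denied) {
        Set<String> allowed = new LinkedHashSet<>(allActions);
        if (!allowed.containsAll(denied)) {
            // A typo in the deny set would otherwise silently grant the action.
            throw new IllegalArgumentException("unknown action in deny set: " + denied);
        }
        allowed.removeAll(denied);
        if (allowed.isEmpty()) {
            throw new IllegalArgumentException("nothing left to allow for " + controller);
        }
        return controller + ":" + String.join(",", allowed);
    }

    public static void main(String[] args) {
        // Action names taken from the quoted message.
        List<String> fooActions = Arrays.asList(
            "index", "list", "edit", "create", "save", "update", "search", "delete");

        String granted = allowAllExcept("foo", fooActions, Set.of("delete"));
        Permission explicit = new WildcardPermission(granted);
        Permission wildcard = new WildcardPermission("foo:*");

        System.out.println("granted string: " + granted);
        // Listed actions are implied; delete is not, because it was never listed.
        System.out.println("search: " + explicit.implies(new WildcardPermission("foo:search")));
        System.out.println("delete: " + explicit.implies(new WildcardPermission("foo:delete")));
        // An action added to the controller later (constructed name) stays denied
        // under the explicit list, but is granted immediately under foo:*.
        System.out.println("purge, explicit: " + explicit.implies(new WildcardPermission("foo:purge")));
        System.out.println("purge, foo:*:    " + wildcard.implies(new WildcardPermission("foo:purge")));
    }
}
```

The last two checks show the difference behind the "more secure" remark: an explicit list fails closed when the controller gains a new action, while `foo:*` grants it without anyone reviewing the permission.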
