Thank you, Kalle, for the very fast response.
I am thinking about the negated expression functionality from the user's point of view.
If my foo controller has the actions
index,list,edit,create,save,update,search,delete, bulkDelete ....
and my user wants to deny only the delete and bulkDelete actions,
the syntax should be "foo:!delete,bulkDelete".
I think the exclamation notation is more suitable than the bracket in my previous
post
because it's shorter and has the same meaning in programming languages.
This is my suggestion
If the expression part starts with !, it means that the subsequent actions (in that
part) are all negative.
For example:
"foo:!delete,bulkDelete" means both the delete and bulkDelete actions are denied
in this expression but the rest are allowed. (This is my suggestion)
"foo:delete,bulkDelete" means only delete and bulkDelete actions are allowed
but the rest is denied. (This was implemented)
I think the negative notation "foo:!delete,bulkDelete" is sometimes more secure
than
"foo: index,list,edit,create,save,update,search" because it's shorter.
And in my experience, my customer always wants to deny a few actions.
Imagine a controller that has more than 10 actions.
I know your view that a declarative expression is more secure.
If I add more actions to my controller class in the future and I don't want
the existing defined permissions to access those actions, this will be a
problem.
By the way, if my application is never changed (feature freeze), the real user
(Customer)
would like to compose the permission by himself, so the longer expression would
be a problem
and an inconvenience.
Hus.
On 9/17/2010 1:37 PM, Kalle Korhonen wrote:
This is somewhat related to the Logical.NOT discussion we had on the
dev list a while back (see
http://www.mail-archive.com/[email protected]/msg01488.html).
For background, I implemented ability to apply security annotations to
classes and Logical.AND and Logical.OR but no Logical.NOT as part of
https://issues.apache.org/jira/browse/SHIRO-175. In your case, the
requirement to change the permissions at runtime makes this even more
complicated. We may or may not add a more complex security expression
syntax later but I don't see this happening before 1.1.0. You can take
consolation with the fact that explicitly specifying all required
expressions is the more secure way of configuring permissions. I
heavily doubt the bracket notation would be enough for expressing
negated expressions, but we'd be very interested in seeing more
complete related proposals.
Kalle
On Thu, Sep 16, 2010 at 11:02 PM, Hussachai<[email protected]> wrote:
I use the Shiro plugin for Grails and allow the user to add permissions at runtime.
My controller has many actions such as
index,list,edit,create,save,update,search,delete ....
Suppose that controller name is "foo"
The permission string for simple foo controller is
foo:*
which means everybody who has this permission can access all actions of the foo
controller.
But if I want to deny only the delete action, I must compose the permission
string
like this: foo:index,list,edit,create,save,update,search
This works, but the permission string is very long if my controller has
more actions than this.
It would be better if there were a syntax like this: foo:[delete],
adding square brackets or something like that to deny only the delete action but
allow the rest.
Thank you in advance.
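
The trade-off discussed in this thread, as an added Python model that is not Shiro code and not written by either poster: it evaluates the implemented allow-list form and the proposed `!` form, then shows what each grants when the controller later gains an action. The `!` syntax is only the proposal from the thread; `purge` is a hypothetical new action, and rejecting an empty negation is an assumption of this sketch.

```python
def parse(expr):
    """Split 'controller:part' into (controller, negated, actions)."""
    controller, _, part = expr.partition(":")
    part = part.strip()
    negated = part.startswith("!")
    if negated:
        part = part[1:]
    actions = frozenset(a.strip() for a in part.split(",") if a.strip())
    if negated and not actions:
        # Assumption: "foo:!" would deny nothing and so grant everything; reject it.
        raise ValueError("empty negation in %r" % expr)
    return controller.strip(), negated, actions


def permits(expr, controller, action):
    """True if the permission expression grants `action` on `controller`."""
    ctrl, negated, actions = parse(expr)
    if ctrl != controller:
        return False
    if "*" in actions:
        return not negated  # "foo:*" grants all, "foo:!*" grants none
    listed = action in actions
    return not listed if negated else listed


def granted(expr, controller, all_actions):
    """Sorted list of the controller's actions that the expression grants."""
    return sorted(a for a in all_actions if permits(expr, controller, a))


def newly_granted(expr, controller, before, after):
    """Actions granted after a code change that were not granted before it."""
    return sorted(set(granted(expr, controller, after))
                  - set(granted(expr, controller, before)))


# Constructed sample data: the action list from the thread, then the same
# controller after a hypothetical 'purge' action is added in a later release.
ACTIONS_V1 = ["index", "list", "edit", "create", "save", "update",
              "search", "delete", "bulkDelete"]
ACTIONS_V2 = ACTIONS_V1 + ["purge"]
ALLOW = "foo: index,list,edit,create,save,update,search"  # implemented form
DENY = "foo:!delete,bulkDelete"                           # proposed form

if __name__ == "__main__":
    print("same grants today:",
          granted(ALLOW, "foo", ACTIONS_V1) == granted(DENY, "foo", ACTIONS_V1))
    print("allow-list gains:", newly_granted(ALLOW, "foo", ACTIONS_V1, ACTIONS_V2))
    print("deny-list gains: ", newly_granted(DENY, "foo", ACTIONS_V1, ACTIONS_V2))
```

Stored negated permissions would need re-review whenever a controller gains an action, which the `newly_granted` check can automate against the old and new action lists.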