Hi Les,
Thanks a lot for the quick response. It clarified many of my questions and gave
a great overview (big picture).
I looked at the examples, including "spring-hibernate". Unless I missed
something, I didn't find a RESTful authorization sample.
I would like to build a permission with 3 parts:
    WSPathName:action:(optional)id
Example: the User Web Service (path=user, extracted from the URI) may look like
    user:read:1
The Role Web Service may look like
    role:create
I noticed 2 issues with HttpMethodPermissionFilter:
1. The following configuration in shiro.ini rejects all service calls:
    /service/** = authc, rest
However, the following configuration works, which suggests [optional_config]
is mandatory. Looks like a bug. I am on version 1.0.
    /service/** = authc, rest[test]
2. By default, HttpMethodPermissionFilter can only take an optional hard-coded
param to add to the action.
To accomplish what I want, I decided to extend HttpMethodPermissionFilter and
override methods to build the permission string.
For the current implementation, I plan to store permissions in the database.
In myRealm, I overrode doGetAuthorizationInfo().
Here I read permissions from the db for the current user and then:
    SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo(roles);
    authInfo.setStringPermissions(permissions);
    return authInfo;
Is this the right way?
Am I duplicating shiro functionality?
Any thoughts/comments/inputs?
Jiggy.
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/How-to-implement-Authorization-on-Rest-Jersey-Services-using-HttpMethodPermissionFilter-tp5659200p5661022.html
Sent from the Shiro User mailing list archive at Nabble.com.
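
An added example, not part of the original message and not Shiro's own code: one way to derive the three-part permission (resource:action[:id]) from the request in a subclass of HttpMethodPermissionFilter, assuming the Shiro 1.x API. The class name, the /service/<resource>[/<id>] URL layout and the allowed-character pattern for path segments are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical subclass. Assumed shiro.ini wiring:
//   [main]  restPath = com.example.RestPathPermissionFilter
//   [urls]  /service/** = authc, restPath
public class RestPathPermissionFilter extends HttpMethodPermissionFilter {

    // Assumed URL layout: /service/<resource>[/<id>]
    private static final String PREFIX = "/service/";
    // Only plain tokens are accepted, so a path segment can never carry
    // wildcard-permission syntax (":", ",", "*") into the permission string.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_-]+");

    // Returns null when the path does not fit the layout; the caller then denies.
    static String toPermission(String path, String action) {
        if (path == null || !path.startsWith(PREFIX)) return null;
        String[] seg = path.substring(PREFIX.length()).split("/");
        if (seg.length < 1 || seg.length > 2) return null;
        for (String s : seg) {
            if (!SAFE.matcher(s).matches()) return null;
        }
        String perm = seg[0] + ":" + action;          // e.g. role:create
        return seg.length == 2 ? perm + ":" + seg[1]  // e.g. user:read:1
                               : perm;
    }

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        String path = WebUtils.getPathWithinApplication((HttpServletRequest) request);
        // Inherited mapping: GET -> read, POST -> create, PUT -> update, DELETE -> delete
        String action = getHttpMethodAction(request);
        String perm = toPermission(path, action);
        if (perm == null) return false;               // fail closed on unexpected paths
        Subject subject = getSubject(request, response);
        return subject.isPermitted(perm);             // checked against the realm's permissions
    }
}
```

With permissions such as user:read:1 or role:create returned from doGetAuthorizationInfo(), GET /service/user/1 and POST /service/role are permitted, and any path outside the assumed layout is denied.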