Hello,
thanks for Shiro project, I've only started using it today and I have already
configured all the web login-redirection for my app and successfully
implemented a custom Realm for authentication. But now I'm stuck :)
My problem lies in my custom Authorization. A typical security check of my app
would involve something like:
* currentUser.isPermitted("forum:readTopic:123")
When I perform such a check I do see my doGetAuthorizationInfo being called,
however I do not understand how I can perform my business checks using the
PrincipalCollection passed, since it only contains information pertaining to
the Principal and not the actual permission check itself. I understand that a
possible way to implement this is to get the user information from the
Principal and return all assigned permissions to it from my back-end, however
in my application this would be overkill as we are talking about thousands
of users possibly having access to thousands of resources (not because of a
role they belong to, but because such permissions have been manually assigned
to them). Not to mention that such permissions change dynamically as domain
objects are created, deleted, modified, etc.
What I would, ideally, want to see in some part of my custom Realm is a place
to actually read the "forum:readTopic:123" argument, so that I can query my
back-end specifically as "is user {currentUser} allowed to {readTopic} on
domain {forum} for {123} topic id?". This of course would be handled by my own
custom code (that knows how to talk to my back-end).
Thanks in advance for your insight.
-n-
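As an added example (not code from the post above and not part of the Shiro project), here is one way to get at the "forum:readTopic:123" string inside a custom AuthorizingRealm without loading every permission a user holds. The realm installs its own PermissionResolver so that Shiro turns the requested string into an object that keeps its three parts readable, and doGetAuthorizationInfo returns a single "granted" Permission whose implies() asks the back-end for exactly that user, domain, action and target. Because every Shiro check path (isPermitted, checkPermission, isPermittedAll) ends by calling implies() on the permissions in the AuthorizationInfo, no other realm method needs overriding. PermissionStore is a hypothetical back-end interface; the class names BackendPermission, DelegatingGrant and BackendPermissionRealm are chosen here; authentication is left abstract because the post already has its own doGetAuthenticationInfo; the primary principal is assumed to be the user name.

```java
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Hypothetical back-end hook: the one yes/no question asked per permission check. */
interface PermissionStore {
    boolean isAllowed(String user, String domain, String action, String target);
}

/** The requested permission, keeping the parts of "domain:action:target" readable. */
final class BackendPermission implements Permission {
    final String domain;
    final String action;
    final String target;

    BackendPermission(String permissionString) {
        String[] parts = permissionString.split(":", 3);
        if (parts.length != 3) {
            throw new IllegalArgumentException(
                    "expected domain:action:target, got: " + permissionString);
        }
        this.domain = parts[0];
        this.action = parts[1];
        this.target = parts[2];
    }

    /** A request never grants anything, so it implies nothing (fail closed). */
    @Override
    public boolean implies(Permission p) {
        return false;
    }
}

/** The single "granted" permission for a user; implies() asks the back-end every time. */
final class DelegatingGrant implements Permission {
    private final String user;
    private final PermissionStore store;

    DelegatingGrant(String user, PermissionStore store) {
        this.user = user;
        this.store = store;
    }

    @Override
    public boolean implies(Permission requested) {
        // Anything that did not come through our resolver (for example a plain
        // WildcardPermission built elsewhere) is denied rather than guessed at.
        if (!(requested instanceof BackendPermission)) {
            return false;
        }
        BackendPermission p = (BackendPermission) requested;
        return store.isAllowed(user, p.domain, p.action, p.target);
    }
}

/** Realm: authentication stays as in the existing custom realm (left abstract here). */
abstract class BackendPermissionRealm extends AuthorizingRealm {
    private final PermissionStore store;

    BackendPermissionRealm(PermissionStore store) {
        this.store = store;
        // Make Shiro turn "forum:readTopic:123" into a BackendPermission instead of
        // the default WildcardPermission, so the parts are readable in implies().
        setPermissionResolver(new PermissionResolver() {
            @Override
            public Permission resolvePermission(String permissionString) {
                return new BackendPermission(permissionString);
            }
        });
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Assumption: the primary principal set by doGetAuthenticationInfo is the user name.
        String user = String.valueOf(principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // No permission list is loaded; the only "grant" is the delegating object.
        // If Shiro caches this AuthorizationInfo, only the user name is cached, so
        // permission changes in the back-end are still seen on the next check.
        info.addObjectPermission(new DelegatingGrant(user, store));
        return info;
    }
}
```

With this realm in place, currentUser.isPermitted("forum:readTopic:123") is resolved to a BackendPermission with domain "forum", action "readTopic" and target "123"; Shiro then walks the object permissions in the cached AuthorizationInfo and DelegatingGrant.implies() calls store.isAllowed(user, "forum", "readTopic", "123"). Two things to keep in mind: the "*" and comma semantics of Shiro's WildcardPermission are deliberately not applied, so the back-end alone decides what a request such as "forum:readTopic:*" means; and any Permission object that did not come from this resolver is denied, which keeps the realm fail-closed if another component builds permissions differently.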