I did succeed in implementing my own Permission class and making my use-case work, so thanks a lot for Shiro's flexibility. In that respect, it's really nicely done. I did have to copy/paste some WildcardPermission code which I would rather not. It may need some additional protected methods; I'll try to make a patch.
I realize now that "bubbling-up" permissions is not appropriate in all situations. I'd like to get some input on how I can implement my use-case with Shiro.

The main issue I have is that in order to access finer-grained permissions, I first need to test the coarser-grained ones. Using a file-system as an analogy (/a/b/c): to reach the 'c' folder, I have to read 'a', 'b' first. But I want to manage permissions at the "c" level, meaning I want to grant access to "c" which would then imply access to "a" and "b".

I now realize that some permissions shouldn't bubble up. For example, if I grant write to 'c', I don't want that to mean write to 'b' and 'a' as well. That said, I would want it to mean read 'b' and 'a' since the user would need to "reach" 'c' in order to write to it.

So in Shiro terms, I guess what I'm saying is:

    fs:read:a:b:c implies fs:read:a:b and fs:read:a
    fs:write:a:b:c implies fs:read:a:b and fs:read:a

more generally

    fs:*:a:b:c implies fs:read:a:b and fs:read:a

The system would allow read on "parent" entities when you have any permission on one of its children. It bubbles up, but "downgrades" the permission. Obviously, this is very different from WildcardPermissions and is very specific to my use-case...

Any thoughts on this from anyone?

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Question-regarding-WildcardPermission-tp5728829p5730302.html
Sent from the Shiro User mailing list archive at Nabble.com.
